Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About untieshoe
untieshoe
Path Finder
Member since:
12-22-2014
06-26-2025
Community Statistics
| Posts | 31 |
| Solutions | 1 |
| Karma Given | 14 |
| Karma Received | 0 |
| Member Since | 12-22-2014 |
Activity Feed
- Posted Re: How to forward csv data files from sharepoint online to splunk cloud on Getting Data In. 06-26-2025 01:44 PM
- Posted How to forward csv data files from sharepoint online to splunk cloud on Getting Data In. 06-25-2025 09:27 AM
- Posted Re: Is there a bug with clicking to scroll chart legend? on Dashboards & Visualizations. 03-03-2023 07:11 PM
- Posted Re: Did Splunk Inc just get rid of Maxmind's free iplocation database and replace it with a different free product? on Knowledge Management. 10-07-2022 08:51 PM
- Karma Re: Did Splunk Inc just get rid of Maxmind's free iplocation database and replace it with a different free product? for richgalloway. 10-07-2022 08:47 PM
- Posted Did Splunk Inc just get rid of Maxmind's free iplocation database and replace it with a different free product? on Knowledge Management. 10-07-2022 02:25 PM
- Tagged Did Splunk Inc just get rid of Maxmind's free iplocation database and replace it with a different free product? on Knowledge Management. 10-07-2022 02:25 PM
- Tagged Did Splunk Inc just get rid of Maxmind's free iplocation database and replace it with a different free product? on Knowledge Management. 10-07-2022 02:25 PM
- Tagged Did Splunk Inc just get rid of Maxmind's free iplocation database and replace it with a different free product? on Knowledge Management. 10-07-2022 02:25 PM
- Posted Re: Splunk Cloud 90-day searchable retention configuration isn't deleting old data. on Splunk Cloud Platform. 09-20-2022 03:14 PM
- Karma Re: How to trigger second search based on first search where condition for niketn. 05-12-2022 09:54 PM
- Karma Re: How to split a multi-line _raw to a multivalue with one line of text per element? for somesoni2. 05-12-2022 01:48 PM
- Karma Re: After running a "stats count by fields" search, is there a way to search on the tabled results? for koshyk. 10-06-2020 04:13 PM
- Posted Why isn't Splunk Cloud 90-day searchable retention configuration deleting old data? on Splunk Cloud Platform. 08-12-2020 12:46 PM
- Karma Re: How abort a search based on a condition? for mmol. 08-09-2020 05:21 PM
- Karma Re: This saved search cannot perform summary indexing because it has a malformed search. for kunalmao. 06-05-2020 12:49 AM
- Karma Is there a way to convert a scheduled report to an alert? (6.6.3) for twinspop. 06-05-2020 12:49 AM
- Karma Has anyone seen this Error message: Monotonic time source didn't increase; is it stuck? for tywhite. 06-05-2020 12:49 AM
- Karma Re: How to extract Target Account Name or Subject Account Name Security ID field from Windows Security Log? for jtitus3. 06-05-2020 12:49 AM
- Karma Re: Why am I getting "Socket error communicating with splunkd" when I try to reload my deployment server to push out new configurations? for mookiie2005. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-26-2025
01:44 PM
Yes, that looks like a viable approach. Thank you. Too bad Power Automate is tricky and I'm not a programmer. I'll leave this discussion open for a few in case anyone has already achieved the goal and wants to share.
... View more
06-25-2025
09:27 AM
I don't mean SharePoint activity, admin or audit logs. I mean actual data files (that will be converted later to lookup files in Splunk Cloud). Basically, do I need to extract the CSV files from SharePoint first (eg to a traditional on-prem file share by way of Power Automate) and use a UF to forward the files to Splunk Cloud, or is there some other nifty way to forward CSV data files directly from SharePoint Online to Splunk Cloud, or some other intermediary method? Thank you.
... View more
03-03-2023
07:11 PM
I think this issue even pre-dates version 9. I see this issue with ALL of my charting visualizations where there are multiple 'pages' of legend items. It's infuriating, and it's a very obvious bug. I've tried Chrome, Edge. Makes no difference. Splunk Cloud, Splunk Enterprise - makes no difference. My older visualizations didn't used to have this problem with the legend pages, but now they do.
... View more
10-07-2022
08:51 PM
I have subscribed to MaxMind and will use their MMDB instead. Seems like I can even upload the file to Splunk Cloud. I guess this will work. Thank you.
... View more
10-07-2022
02:25 PM
Did Splunk Inc just get rid of Maxmind's free iplocation database and replace it with a different free product (dbip-city-lite.mmdb)?
Am I the only one who thinks the accuracy of the IP lookups has gotten much worse with dbip-city-lite?
If this new database is to be believed, all my IP6 connections are coming from Texas, New York or Illianois and I work in Chicago (I don't).
Maxmind (free version that came with Splunk) was not 100%, but seemed to be much more accurate throughout the years I used it.
Anyone agree or disagree?
... View more
Labels
- Labels:
-
lookup
09-20-2022
03:14 PM
It turned out to be a software bug. It does work now (sort of). I set the index size to 0 (no limit) and retention to 2 days. I can actually search 3 days, but that's close enough for my needs...
... View more
08-12-2020
12:46 PM
Hello,
I have Splunk Cloud 90-day searchable retention set for all indexes by default.
I created a new index with only 2-day retention (intentional). The index filled with data as intended. But data older than 2 days did not get deleted. The index continues to grow regardless of the "Searchable Retention = 2 days" configuration. What's up with that? This is a new Splunk Cloud environment, although at v7.2.10.1. From the 'Data Quality' Monitoring Console, I see the data is currently in 6 buckets and I have 1,730,000 events in the index. 1.2 GB of data.
Any advice on why this is happening would be appreciated.
... View more
Labels
- Labels:
-
configuration
-
using Splunk Cloud
01-13-2020
05:30 PM
Ultimately the problem turned out to be caused by a previously undiscovered props.conf file, buried within an app on an upstream heavy forwarder, complete with conflicting and over-riding configurations.
The props file on the heavy forwarder contained (among other things):
TZ=US/Pacific
which is problematic for my purpose. Pacific is my local time zone, but this does not correspond to the time fields within the forwarded events (all in UTC). So the solution was to alter the props.conf file in the app on the heavy forwarder so we have:
TZ=UTC
This causes the UTC heavy forwarder data to be correctly indexed in my local Pacific time zone. Problem solved.
As for the other issue (wrong field used as the basis of index-time extraction), this too was caused by a conflicting setting in the props.conf file on the heavy forwarder. Again, fixed in the heavy forwarder's props.conf file.
I thank MuS for setting me on the right track for a solution, and especially for the regex structure suggestion which was correct:
TIME_PREFIX=LAST_VM_SCANNED_DATE="
... View more
01-09-2020
05:26 PM
Not parsed or not applied? I'm not quite sure what you mean. The data is definitely ingested with the correct sourcetype, and the ingested data is searchable from the search head. Splunk is extracting fields within the data at search time....
I will admit to being new at props.conf, so there may yet be something basic I'm overlooking that you might take for granted, or assume I'm aware of... But I appreciate your help.
... View more
01-09-2020
05:03 PM
I have completed a rolling restart of the Index cluster, but there has been no change in the behavior. The time zone is still incorrect and the wrong time field in the data is being extracted for timestamping.
On a side note, out of curiosity I was prompted to go searching for 'future data' after implementing the datetime.xml patch in December 2019 to fix the 'Splunk year 2020 bug'. I had not expected to find any future data and was surprised to find three sources with similar but different timestamp issues. This one I'm struggling with is the last one I have to fix and is very similar to one of the others I fixed. The other simply needed TZ=UTC in props.conf for the affected sourcetype. This one is a bit trickier in that the wrong time is being extracted from the raw data. But my dilemma is whether the new datetime.xml (file) has actual introduced this problem. I can't prove it one way or the other without a lot of work...
... View more
01-09-2020
04:20 PM
I've implemented your props suggestion MuS. Again, no joy unfortunately.
Sourcetype matched? Yes, including case.
Are the Indexers the ones that parse the events? I only have two Indexers in the cluster. They both received the same bundle with the props.conf file.
Indexer restart? No. I did not do that (for two reasons). 1. Cluster Bundle validation said no need to restart. 2. I've seen Splunk documentation stating that use of Cluster Bundle to deploy props will automatically cause the Indexers to reload props. HOWEVER, I will try a rolling restart later today.
Thanks for the suggestions!
... View more
01-09-2020
12:28 PM
Thank you MuS for the suggestions. The suggested regex did not affect the outcome in any way, unfortunately. Btool indicates that the props.conf stanza is being included at the indexer(s).
... View more
01-09-2020
10:44 AM
A typical Event (which has no line breaks):
HOSTVULN: HOST_ID=109436564, IP="10.1.40.106", TRACKING_METHOD="AGENT", OS="Windows 10 Enterprise 64 bit Edition Version 1803", DNS="410-dt-12345-04", NETBIOS="410-DT-12345-04", LAST_SCAN_DATETIME="2020-01-09T18:06:05Z", LAST_VM_SCANNED_DATE="2020-01-09T17:59:24Z", SEVERITY=4, QID="372286", TYPE="CONFIRMED", SSL="0", STATUS="FIXED", FIRST_FOUND_DATETIME="2019-12-14T02:23:09Z", LAST_FOUND_DATETIME="2019-12-19T20:16:45Z", TIMES_FOUND="36", LAST_TEST_DATETIME="2020-01-09T17:59:24Z", LAST_UPDATE_DATETIME="2020-01-09T18:06:05Z", LAST_FIXED_DATETIME="2019-12-20T00:39:31Z", IS_IGNORED="0", IS_DISABLED="0"
Splunk is currently extracting the index time based on LAST_SCAN_DATETIME="2020-01-09T18:06:05Z". I assume this is because this is the first date/time in the event. Fair enough.
I have two issues to fix.
1. I would prefer Splunk to extract the index time based instead on the second date/time LAST_VM_SCANNED_DATE="2020-01-09T17:59:24Z" so I have written a regex for props.conf to account for this which is destined for the index cluster search peers.
2. All of the times in the events are GMT, (my local time is Pacific) and the events are currently being indexed 8 hours "into the future". I want the event indexed to my local time. Again, I have tried to correct for this in props.conf which is destined for the index cluster search peers.
My overall problem is that, although the props.conf is successfully pushed to the index cluster search peers (via a cluster bundle), the configuration is being completely ignored by Splunk. I'm unsure whether the props.conf configuration is invalid, or it's in the wrong location, or whatever.
Here is the props.conf that is on the indexers:
[qualys:hostDetection]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = ^.+LAST_VM_SCANNED_DATE="
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
TZ = GMT
MAX_TIMESTAMP_LOOKAHEAD = 22
category = Custom
pulldown_type = 1
I was particularly concerned about the line:
TIME_PREFIX = ^.+LAST_VM_SCANNED_DATE="
and whether either of the last two characters needed to be escaped with a \ but no combination I tried has worked.
Advice would be much appreciated. Thank you.
... View more
10-19-2016
10:25 AM
Thanks lukejadamec.
So I split the problem into two parts:
Deliver the source binary (in my case my_prog.msi) to the target as part of the app, and copy the binary to a non-app location (c:\temp) using a script (in my case a BAT file) that runs only once (interval = -1):
###### Scripted Input
[script://.\bin\Copy_VSC.bat]
interval = -1
That works fine.
Install the software binary and ensure the install script (in my case a BAT file) runs only once:
Scripted Input
[script://.\bin\Install_VSC.bat]
interval = -1
The problem is with the command in the Install_VSC.bat file. I have:
c:\windows\system32\msiexec.exe /i "c:\temp\my_prog.msi" /q CONN_INTG_SVC=TRUE INTG_SERVERS=VM301:29522
This appears to work, but the result is imperfect, compared to if I install manually as a local admin using the exact same command. Using the deployment server method, files are installed, a service is installed and it launches, and all the options (switches) appear to be used during the install, but the installed program fails in a critical way when installed using the deployment server method.
I am wondering whether I should use a .path file in inputs.conf in order to reference the out-of-app locations and executables such as msiexec.exe.
Or maybe I need "start_by_shell = true" in the inputs.conf.
Any suggestions/experience with this? Thank you.
... View more
10-14-2016
12:28 PM
I'm not just being 'cheap'. I have my reasons for wanting to do this...
... View more
10-14-2016
12:27 PM
Can I piggy-back (insert) a Win32 setup.exe (windows program) onto a Splunk App, and use Splunk Deployment Server to deploy the Splunk app, and have the deployed Splunk app run a script that performs an unattended installation of the setup.exe on the target system, using SYSTEM privileges?
... View more
04-20-2016
04:01 PM
After realizing I'd mis-stated the problem, found my own solution that was adequate. Needed to use fillnull to populate an AD attribute (securecomputingCom2000_SafeWord_UserID) that was missing from most user accounts. Then used dedup to locate user accounts that have more than one value for securecomputingCom2000_SafeWord_UserID. Here is the result which works:
index=msad sourcetype=ActiveDirectory | fillnull securecomputingCom2000_SafeWord_UserID | dedup displayName, securecomputingCom2000_SafeWord_UserID | stats count by displayName | where count > 1 | sort displayName | table displayName, count
... View more
04-13-2016
10:00 AM
That search results in only multiple copies of the AD schema, with all attributes in alphabetical order. For the specific case of the securecomputingCom2000_SafeWord_UserID attribute, the value shown is: securecomputingCom2000-SafeWord-UserID=OptionalProperties
... View more
04-12-2016
02:43 PM
You are very patient with me, and I appreciate that...
This last search only delivers several copies of the entire AD schema. In the results, the only references to securecomputingCom2000_SafeWord_UserID relate to the fact that securecomputingCom2000_SafeWord_UserID has "OptionalProperties".
... View more
04-12-2016
02:28 PM
Oh, that's a good point. It appears that in AD the attribute is blank (not set) when a token has not been assigned to a user. (I may have been misusing the term "NULL"; I apologize).
When Splunk pulls AD data for each user account it seems to leave out the blank attributes, including securecomputingCom2000_SafeWord_UserID when that attribute is not set.
Then after the attribute is assigned a value for a user account, the attribute is included in the pulled attribute set for that account.
So I think I incorrectly stated my initial requirement. Instead of seeking the change from blank to something for the securecomputingCom2000_SafeWord_UserID attribute, what I should have requested was "how to detect the addition of an attribute (and its value) that was previously not present".
... View more
04-12-2016
02:08 PM
That one produces hundreds of non-relevant results: All users with their token values.
... View more
04-12-2016
01:23 PM
Nothing was missing from query 1.
I'm not interested in the current status of all the accounts; I'm only interested in the status of user accounts where the attribute has just changed (from NULL to something).
The dynamic serial number example worked only until I removed jsmith from the search criteria. When I remove jsmith from the search, I end up with data on all users who have some value in securecomputingCom2000_SafeWord_UserID.
The bottom (3rd) search code produced something quite amazing and unexpectedly useful, and is a keeper!! When I remove the specific user (jsmith) from the search (and I also filter out the AD machine accounts '*$'), what results is a list of user account where the securecomputingCom2000_SafeWord_UserID attribute has changed over time and ended up as NULL. So the output represents staff who no longer have tokens assigned to them. This is useful, and is sort of the exact opposite of my original quest: to find all users where the securecomputingCom2000_SafeWord_UserID value starts as NULL and changes into something else! Thank you for your persistence!
... View more
04-12-2016
12:30 PM
Thank you for contacting others, sundareshr.
And thank you for taking a look at this, somesoni2.
Your first suggestion does result in locating the one event that is the indicator that the attribute has just changed from null to the value 01234567, so that is encouraging.
The second suggestion results in all events before, during and after the change in attribute.
The only problem with the first suggestion is that it is tailored to work for a particular value of securecomputingCom2000_SafeWord_UserID (i.e. 01234567). In real life this value will always be a unique alphanumeric, representing the serial number of the SafeWord token issued to the user account. If I try to use a wildcard ...| where securecomputingCom2000_SafeWord_UserID="*" AND (isnull(changedFrom) OR changedFrom="NULL") then the search finds no results.
... View more
04-12-2016
08:45 AM
That yields zero results.
... View more
04-11-2016
01:48 PM
It does not do that.
In fact, if I try only | where changedFrom!="01234567" then I end up with no results instead of the NULL results.
There are no spaces.
... View more
