Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About benlc
benlc
Path Finder
Member since:
09-22-2015
11-24-2021
Community Statistics
| Posts | 28 |
| Solutions | 3 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 09-22-2015 |
Activity Feed
- Posted Custom Command does not provide all fields from REST on Splunk Dev. 11-12-2021 12:52 PM
- Karma Re: Why is my distsearch.conf replicationBlacklist configuration not being applied? for jkat54. 06-05-2020 12:47 AM
- Karma Re: Splunk Support for Active Directory: Why does ldapsearch command result in "ERROR Missing required value for alternatedomain in ldap/default."? for tlelle_splunk. 06-05-2020 12:47 AM
- Posted JMS_TA: Possible to use wildcards? on All Apps and Add-ons. 04-07-2020 11:43 PM
- Tagged JMS_TA: Possible to use wildcards? on All Apps and Add-ons. 04-07-2020 11:43 PM
- Tagged JMS_TA: Possible to use wildcards? on All Apps and Add-ons. 04-07-2020 11:43 PM
- Posted Re: Upgrade von McAfee EPO to 5.10 breaks integration on All Apps and Add-ons. 08-08-2019 01:53 AM
- Posted Upgrade von McAfee EPO to 5.10 breaks integration on All Apps and Add-ons. 08-08-2019 01:26 AM
- Tagged Upgrade von McAfee EPO to 5.10 breaks integration on All Apps and Add-ons. 08-08-2019 01:26 AM
- Tagged Upgrade von McAfee EPO to 5.10 breaks integration on All Apps and Add-ons. 08-08-2019 01:26 AM
- Posted Re: timeline custom visualization - Increase the width of labels in left (resource_field) on All Apps and Add-ons. 03-06-2019 05:33 AM
- Posted Re: Timecharts and how to avoid "no results found inspect" on Splunk Search. 11-28-2018 04:02 AM
- Posted Re: Why do I get an error when trying to start TCP input with SSL? on Security. 08-07-2018 03:59 AM
- Posted Why do I get an error when trying to start TCP input with SSL? on Security. 08-07-2018 03:56 AM
- Tagged Why do I get an error when trying to start TCP input with SSL? on Security. 08-07-2018 03:56 AM
- Tagged Why do I get an error when trying to start TCP input with SSL? on Security. 08-07-2018 03:56 AM
- Tagged Why do I get an error when trying to start TCP input with SSL? on Security. 08-07-2018 03:56 AM
- Tagged Why do I get an error when trying to start TCP input with SSL? on Security. 08-07-2018 03:56 AM
- Posted Re: Import from Splunk Tenable data takes long on All Apps and Add-ons. 01-30-2018 01:58 AM
- Posted Import from Splunk Tenable data takes long on All Apps and Add-ons. 01-15-2018 07:29 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-01-2022
01:44 AM
1 Karma
This Worked for me as well. No need to give admin_all_objects permission! Splunk V. 8.2.5
... View more
11-24-2021
08:32 AM
Thanks for reporting this, we believe the issue has been addressed in version 1.6.18 of the Python SDK. After some discussion with the community on how to release the fix the consensus was to allow developers to opt-in to the fix (see https://github.com/splunk/splunk-sdk-python/issues/401). Here's more details on how to opt-in to the fix by calling self.add_field within the search command: https://github.com/splunk/splunk-sdk-python#customization
... View more
04-18-2021
04:39 PM
bit of an annoyance this one - hopefully there will be a new panel for the new dashboard emulation
... View more
01-13-2021
05:45 AM
Improvement... | makeresults 1
| timechart count span=1h
| eval count=0
| append
[ search YourSearchHere
| timechart count span=1h]
| timechart sum(count) as count span=1h
... View more
04-07-2020
11:43 PM
We would like to use Wildcards in Consuming JMS Queues. As for example all queues starting with AQ* should be browsed:
[jms-tst]
activation_key = xxxxxxyyyyyyyy
browse_mode = stats
browse_queue_only = 1
durable = 0
hec_batch_mode = 0
hec_https = 0
index = jms
index_message_header = 0
index_message_properties = 0
init_mode = jndi
jms_connection_factory_name = ConnectionFactory
jndi_initialcontext_factory = org.apache.activemq.jndi.ActiveMQInitialContextFactory
jndi_provider_url = failover:ssl://<hostname1>,ssl://<hostname2>:61617
output_type = stdout
strip_newlines = 1
jndi_pass = xx
jndi_user = xx
destination_pass = xx
destination_user = xx
browse_frequency = 600
[jms-tst://queue/dynamicQueues/AVQ.TO.FTX.MKDI.AVAST11]
sourcetype = jms:ftx
[jms-tst://queue/dynamicQueues/AVQ*]
sourcetype = jms:ftx
Is this possible? Or is there another way to achieve this without adding all the queues?
Thanks
Ben
... View more
08-08-2019
01:53 AM
A possible solution is described here:
https://community.mcafee.com/t5/ePolicy-Orchestrator/Splunk-integration-broken-after-ePO-5-10-upgrade/m-p/621130#M63380
The query needs to be changed to the correct FROM table.
... View more
08-07-2018
03:59 AM
My CA-Certificate startet with
-----BEGIN TRUSTED CERTIFICATE-----
and ended in:
-----END TRUSTED CERTIFICATE-----
As soon as I deleted "TRUSTED" and made the CA-Cert look like the examples:
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
It finally worked. There is not much more info to link to.
... View more
01-30-2018
01:58 AM
Thanks for your answer and very sorry for my delay.
We don't use the security center, we use the api of the Nessus Professional v6.
Do you have any idea why we get all the Events every time..? Is there some kind of option?
The second problem does not occur, I guess because we only get 1000 Events per 15 min ;-).
... View more
12-07-2017
12:38 AM
Added | fields _time tet lowerBound upperBound isOutlier and it worked.
... View more
10-14-2019
12:04 PM
if you want to track over time, collect the timestamp and size fields on some regular basis and output to a lookup or csv file
... View more
05-23-2019
04:52 AM
The same issue just started with our tenable add-on.
we were receiving data and now it stopped
I restarted the Splunk service on the DCN but still doesn't work
Anyone have any additional recommendations?
... View more
07-25-2017
12:45 AM
The message shows that the data is indexed. Maybe you forgot to create the index?
Did you search in all the indexes for the sourcetype?
Do you have any errors?
... View more
02-23-2017
06:31 AM
I figured that KV_MODE = xml for any XmlWinEventLog is not working somehow. Maybe it is not prober XML. I could not find something in answer. But as I have the same problem I found a lot of suggestions using KV_MODE = xml. But it just does not work ;-).
https://answers.splunk.com/answers/302711/how-to-configure-splunk-to-extract-xml-fields-from.html
https://answers.splunk.com/answers/402872/how-do-i-parse-applocker-windows-event-log-renderx.html
I personally would use Splunk_TA_windows Transforms. They do extract the fields perfect. But the stanza in the splunk App [(?::){0}XmlWinEventLog:*] does not work for me.
So I copied the Transforms directly to the sourcetype and created a local/props.conf:
e.g.
[XmlWinEventLog:Microsoft-Windows-WindowsUpdateClient/Operational]
KV_MODE = none
REPORT-0xml_block_extract = system_xml_block,eventdata_xml_block,userdata_xml_block,debugdata_xml_block,renderinginfo_xml_block
REPORT-0xml_kv_extract = system_props_xml_kv,system_props_xml_attributes,eventdata_xml_data,rendering_info_xml_data
Maybe somebody can comment on this issue? But the above solution works perfectly for me.
Have a good day.
Ben
... View more
07-26-2016
07:26 AM
Thanks, as you see in the tags i specifically asked for the packaged visualization https://splunkbase.splunk.com/app/3218/
... View more
12-13-2016
02:31 AM
1 Karma
In my case the issue "vanished"
After I rolled out 6.5 and made a rolling restart of the cluster it did not show up any more.
... View more
09-23-2015
07:54 AM
Like this:
... | rex max_match=0 "(?<message>(?:first message string)|(?:second message string)|(?:third message string)|(?:fourth message string)|(?:fifth message string)|(?:sixth message string)|(?:seventh message string))" | stats count by message
Tack on | fields - count to get just the list of messages.
... View more
09-25-2015
10:57 AM
As a best practice, you should put the inputs.conf in one of the apps, not the system level directory.
if there is an app that is appropriate, then clearly that works. For example, if you are talking about an F5 log input and you have the F5 app installed, the inputs.conf should clearly go in the local directory of the F5 app.
If the input is not directly associated with any app, you might create an app, just as a place to house general configuration files. Or people sometimes choose to use the "search" app for that purpose.
... View more
09-22-2015
07:54 AM
See the answer from this link for the same
http://answers.splunk.com/answers/310401/volume-used.html#answer-310985
... View more
12-16-2016
12:30 PM
i believe he wanted a wild card in there somewhere benic
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-24-2021
12:15 PM
|
