Old post, but just wanted to mention I'm also still seeing this (Splunk 8.2.6 to Splunk 9.0.0). The message implies this might cause a conflict/issue... we might want to either improve it or document what needs to be corrected/checked from the user's part?
The collect command is used to send data to a summary index, not a metrics index. Have a look at the mcollect and meventcollect commands. They can be used to send event data to a metrics index.
@fedejko You should be able to join the two sets together, like this, for example (reusing your two queries):
| rest /services/saved/searches
| search title="*Rule" action.notable=1
| fields title
| eval has_triggered_notables = "false"
| join type=outer title [
search index=notable search_name="*Rule" orig_action_name=notable
| stats count by search_name
| fields - count
| rename search_name as title
| eval has_triggered_notables = "true"
]
That adds a field has_triggered_notables which will indicate if a rule has triggered notables, and you can then filter the results to your liking, for example, to show only the rules which did trigger notables:
| where has_triggered_notables = "true"
Could you please try using the Splunk management port (default: 8089) as in the example here? All the REST API endpoints are exposed over that port and not the default Splunk UI Web port (8000).
For example:
// Create a Service instance
var service = new Service(Scheme.Https, "localhost", 8089, new Namespace(user: "nobody", app: "search"));
// Log in
await service.LoginAsync("admin", "yourpassword");
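The same login against the management port, as an added Python example that is not part of the original answer and does not use the Splunk C# SDK: it builds the REST login URL on 8089 (not the 8000 web port), parses the session key out of the XML that the login endpoint returns, and shows the Authorization header that later REST calls need. The host name, credentials and the sample response body are constructed for illustration.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

MGMT_PORT = 8089  # splunkd management/REST port; the web UI on 8000 does not serve the REST API


def login_url(host: str, port: int = MGMT_PORT) -> str:
    """URL of the REST login endpoint on the management port."""
    return f"https://{host}:{port}/services/auth/login"


def parse_session_key(body: bytes) -> str:
    """Extract <sessionKey> from the XML body the login endpoint returns."""
    root = ET.fromstring(body)
    node = root.find("sessionKey")
    if node is None or not node.text:
        raise ValueError("login response carries no sessionKey")
    return node.text


def auth_header(session_key: str) -> dict:
    """Header used on subsequent REST calls once a session key is held."""
    return {"Authorization": f"Splunk {session_key}"}


def login(host: str, username: str, password: str,
          port: int = MGMT_PORT, verify_tls: bool = True) -> str:
    """POST credentials to /services/auth/login and return the session key."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Only for lab instances that still run the self-signed splunkd certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(login_url(host, port), data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_session_key(resp.read())


# Constructed sample of a successful login response (shape only, not a real key)
SAMPLE_RESPONSE = (
    b"<response>\n"
    b"  <sessionKey>EXAMPLE_SESSION_KEY</sessionKey>\n"
    b"  <messages><msg code=\"\"></msg></messages>\n"
    b"</response>"
)

if __name__ == "__main__":
    print(login_url("localhost"))
    print(auth_header(parse_session_key(SAMPLE_RESPONSE)))
    # Live use (network): login("localhost", "admin", "yourpassword")
```

Keep `verify_tls=True` against any instance whose certificate you control; the opt-out exists only because a default splunkd install ships a self-signed certificate that the default context rejects.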
You could use eval tokens:
https://docs.splunk.com/Documentation/Splunk/7.2.3/Viz/tokens#Define_token_filtering_and_formatting
For example:
<eval token="new_token">replace('mac_address_token', ":", "")</eval>
This is mentioned by a colleague here:
https://answers.splunk.com/answers/716685/splunk-universal-forwarder-suddenly-stop-receiving.html
I've also checked internally, and this issue was reported as SPL-155042 and might have had to do with Symantec Endpoint protection blocking the process. If you use that, it might be worth disabling it via a rule to whitelist the UF input executables. It was confirmed that upgrading to the versions listed below fixed the issue.
The fix to restart the various Windows inputs on a UF was SPL-144368, included in versions 6.5.8+ and 6.6.7+. That should also be in any 7.x version.
You can't use a variable as the regex parameter in the rex command.
There are alternatives using map and sub-searches mentioned in various Splunk Answers post for which you can search if you want to go that route.
Here's an example: https://answers.splunk.com/answers/386488/regex-in-lookuptable.html
But, do you really need to?
Also, why use sed mode here? Don't you want to simply extract the product and company values?
For example:
| rex field=API_URL "api\/Company\/(?<company>.*?)(\/Product\/|$)(?<product>.*)"
BTW, https://regex101.com/ is a great resource to work with and test your regexes.
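The rex pattern from the answer, run over constructed sample URLs in Python as an added example (not code from the original answer) so the behaviour of the `(\/Product\/|$)` alternation is visible: the lazy `company` group stops either at `/Product/` or at end of string, so a URL with no product segment still yields a company and an empty product. Python's `re` spells named groups `(?P<name>...)` rather than the `(?<name>...)` that rex uses; the pattern is otherwise the same. The URLs are made up for illustration.

```python
import re

# Same expression as the rex in the answer, with Python's (?P<...>) group syntax
API_URL_RE = re.compile(r"api/Company/(?P<company>.*?)(/Product/|$)(?P<product>.*)")


def extract_company_product(api_url: str):
    """Return {'company': ..., 'product': ...} or None when the URL does not match."""
    m = API_URL_RE.search(api_url)
    if m is None:
        return None
    return {"company": m.group("company"), "product": m.group("product")}


# Constructed sample API_URL values
SAMPLES = [
    "https://example.invalid/api/Company/Acme/Product/Widget",
    "https://example.invalid/api/Company/Acme",          # no product segment
    "https://example.invalid/api/Company/Acme/Product/",  # empty product
    "https://example.invalid/api/Company/Acme/Product/Widget/v2",
    "https://example.invalid/api/Other/Thing",            # does not match at all
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", extract_company_product(url))
```

One caveat worth knowing before relying on the extraction: because `company` is only bounded by `/Product/` or end of string, a query string on a URL without a product segment (`.../api/Company/Acme?x=1`) ends up inside `company`. Strip the query string first, or add a `?` to the alternation, if your URLs can carry one.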
Then this should do it:
<base search>
| stats values(uri_path) as uri_path by src
| where mvcount(uri_path) = 2 AND isnotnull(mvfind(uri_path, "^account\/logon$")) AND isnotnull(mvfind(uri_path, "^member\/savedcard"))
| stats count by src
You can substitute stats with tstats if uri_path is an indexed field. YMMV.
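The same detection logic as the SPL above, expressed in Python over constructed sample events as an added example (it is not part of the original answer): events are grouped by `src`, the distinct `uri_path` values per source stand in for `values(uri_path)`, and a source is reported only when it has exactly two distinct paths that match the two patterns the `mvfind()` calls use. The sample sources and paths are made up; the `require_exactly_two` switch is an addition so the effect of the `mvcount(uri_path) = 2` condition can be seen.

```python
import re
from collections import defaultdict

# Same patterns as the two mvfind() calls in the SPL
LOGON_RE = re.compile(r"^account/logon$")
SAVEDCARD_RE = re.compile(r"^member/savedcard")

# Constructed sample events as (src, uri_path); not real traffic
EVENTS = [
    ("10.0.0.1", "account/logon"),
    ("10.0.0.1", "member/savedcard"),
    ("10.0.0.1", "member/savedcard"),        # repeat: values() de-duplicates
    ("10.0.0.2", "account/logon"),
    ("10.0.0.2", "member/savedcard/edit"),   # second pattern is not end-anchored
    ("10.0.0.3", "account/logon"),
    ("10.0.0.3", "home"),
    ("10.0.0.3", "member/savedcard"),        # three distinct paths: dropped by mvcount = 2
    ("10.0.0.4", "account/logon"),           # never reached savedcard
    ("10.0.0.5", "account/logon/help"),      # fails the $ anchor on the first pattern
    ("10.0.0.5", "member/savedcard"),
]


def distinct_paths_by_src(events):
    """stats values(uri_path) by src: set of distinct paths per source."""
    by_src = defaultdict(set)
    for src, path in events:
        by_src[src].add(path)
    return by_src


def matching_sources(events, require_exactly_two=True):
    """Sources whose paths satisfy the where clause; sorted for stable output."""
    hits = []
    for src, paths in sorted(distinct_paths_by_src(events).items()):
        if require_exactly_two and len(paths) != 2:
            continue
        has_logon = any(LOGON_RE.search(p) for p in paths)
        has_card = any(SAVEDCARD_RE.search(p) for p in paths)
        if has_logon and has_card:
            hits.append(src)
    return hits


if __name__ == "__main__":
    print("strict (mvcount = 2):", matching_sources(EVENTS))
    print("both paths, any count:", matching_sources(EVENTS, require_exactly_two=False))
```

Note what the `mvcount(uri_path) = 2` condition does in practice: a source that visited both pages and anything else at all (10.0.0.3 above) is excluded. If the intent is "hit both endpoints", drop that condition and keep only the two `mvfind()` checks.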
I assume you've already checked things like Antivirus & Firewalling?
Reading elsewhere it would seem the newer versions (6.6.7+ of the UF) have a fix to restart the winhostmon.exe based input after such a failure, so your solution would likely be to upgrade your UFs.
You might want to have a look at online MIB validators. For example: https://www.simpleweb.org/ietf/mibs/validate/.
Google is your friend. 😉
This answer post might help if you haven't seen it already: https://answers.splunk.com/answers/590013/db-connect-inputs-data-timestamp-is-in-est-but-spl.html
If not, we'll need more details to help you (DB Connect version, DB Connection/Session/Query TZ settings, what you tried exactly, etc...).