Activity Feed
- Posted Re: create index field on Getting Data In. 07-21-2023 02:48 PM
- Posted Re: create index field on Getting Data In. 07-21-2023 12:58 PM
- Posted How to create index field? on Getting Data In. 07-20-2023 01:24 PM
- Posted How to upload large json format data into kv-store? on Knowledge Management. 07-25-2022 02:58 AM
- Posted Re: How do you remove a header from JSON? on Getting Data In. 12-14-2021 03:53 AM
- Karma Re: How can I configure indexes to replicate data with each other in a Splunk deployment? for ssadanala1. 06-05-2020 12:49 AM
- Got Karma for reputation for posting question. 06-05-2020 12:48 AM
- Karma Re: Is there a code example to add a drilldown for a column chart to display a table? for nfilippi_splunk. 06-05-2020 12:47 AM
- Karma Re: Passing selected time range to drilldown in Simple XML for somesoni2. 06-05-2020 12:46 AM
- Karma Re: Send Drilldown Search to a New Window for Lowell. 06-05-2020 12:46 AM
- Got Karma for Re: Splunk for Exchange: Not indexing message tracking logs. 06-05-2020 12:46 AM
- Posted Indexer Peer status Down in CM console on Getting Data In. 08-07-2019 03:56 AM
- Tagged Indexer Peer status Down in CM console on Getting Data In. 08-07-2019 03:56 AM
- Posted extract multi valued field on Splunk Search. 07-25-2019 02:41 AM
- Tagged extract multi valued field on Splunk Search. 07-25-2019 02:41 AM
- Posted SAP ETD integration with Splunk with HTTP Event Collector on Splunk Search. 07-24-2019 12:39 AM
- Posted NFS share for frozen data on Getting Data In. 07-10-2019 05:12 AM
- Tagged NFS share for frozen data on Getting Data In. 07-10-2019 05:12 AM
- Posted Re: "No possible srcs for replication" on Deployment Architecture. 07-02-2019 10:22 PM
- Posted Glass Table icon permission on Splunk Enterprise Security. 07-02-2019 03:45 AM
07-21-2023 02:48 PM

hi @meetmshah, below are my props and transforms. Still the index field is not showing. I have a fresh Splunk AIO instance and I am uploading an example log file named access.log. Below is a sample event:

```
Jul 20 2023 09:37:08 www1 sshd[1654]: Failed password for happy from 2.229.4.58 port 2111 ssh2
```

props.conf

```
[newfield]
TRANSFORMS-test = test_newfield
```

transforms.conf

```
[test_newfield]
REGEX = sshd\[(\d+)\]
FORMAT = request::"$1"
INGEST_EVAL = splunk_orig_fwd=host_test
WRITE_META = true
```
07-21-2023 12:58 PM

Yes, you are right, I recreated the config but still it is not working. The only missing part is updating the fields.conf file; let me try again shortly. Please note that I have a test Splunk AIO server and I am uploading a sample access.log file.
07-20-2023 01:24 PM

Hi,

We want an indexed field called 'actual_server' to indicate the hostname of the forwarder that passed us the data.

My initial thought is that there might be two options to achieve this:

1. hostname available in the logs, which I think is not correct
2. write the system hostname in transforms.conf

I will create an app on the CM and roll out this props.conf and transforms.conf against sourcetype=testlog:

```
[testlog]
TRANSFORMS-netscreen = example
```

```
[example1]
WRITE_META = true
FORMAT = actual_server::FORWARDER1
```

and on the search head, add the following lines to fields.conf:

```
[actual_server]
INDEXED = true
```

Is this correct?
- Labels: transforms.conf
07-25-2022 02:58 AM

Hi everyone,

The customer shared one last JSON formatted file. There are more than 1000 records. The customers want it as a lookup. My thought process says that I should use the KV store approach, but how can I upload a large amount of data into the KV store?
- Labels: kvstore
08-07-2019 03:56 AM

Dear Members,

One of the VM indexer servers, out of a total of 6 indexers in a cluster environment, had its filesystem go read-only. After solving the issue, there is an error message in the VM's splunkd.log:

```
ERROR CMMaster - event=addPeer guid=Exxx3-FFE9-xx03-9xx7-2D6xxxF1 site=site1 status=failed err="bucket already added as clustered, peer attempted to add again as standalone. guid=Exxx3-FFE9-xx03-9xx7-2D6xxxF1 bid= _internal~2865~Exxx3-FFE9-xx03-9xx7-2D6xxxF1"
```

How do I solve this issue?
07-25-2019 02:41 AM

Hi everyone,

The field contains two values, one in each line:

```
fieldname = value1
value2
```

How can we exclude the results where the fieldname contains value2?
07-24-2019 12:39 AM

We receive error 400 when we try to send the logs from SAP ETD over HTTP Event Collector to Splunk.

Does anyone have experience integrating SAP ETD with Splunk over HEC?
- Tags:
- splunk-enterprise
07-10-2019 05:12 AM

We have a soft link for frozen data which links to an NFS share.

Now the storage team just wants to change to another IP/hostname with the same directory structure.

How can we achieve this without losing archived data?
- Tags:
- nfs
- splunk-enterprise
07-02-2019 10:22 PM

@harsmarvania57, I am seeing

Current status: Missing enough suitable candidates to create searchable copy in order to meet replication policy. Missing={ site1:1, site2:1 } and fixup reason is unmet rf. How can I fix this?
07-02-2019 03:45 AM

While trying to access the icons from the glass table, I got a permission error as shown below:

```
Error reading icon collection. Please check permissions.
```
06-30-2019 07:09 AM

Answering myself: the naming convention for Splunk apps to appear in Splunk ES.

Reference URL: https://docs.splunk.com/Documentation/ES/4.1.0/Install/InstallTechnologyAdd-ons#Import_add-ons_with_a_different_naming_convention
06-30-2019 05:53 AM

In continuation of the above, I installed the TA_officescan TA on the search head and on ES.

On the search head I can see the proper field extraction and tag association, whereas in ES I can't see field extraction nor tag association.

Am I missing something?
06-30-2019 01:21 AM

Mainly I have three sourcetypes:

- sourcetype=Officescan (workstation logs: signature update, malware etc.)
- sourcetype=deepsecurity (servers, malware logs)
- sourcetype=trendmicro (TrendMicro Control Centre logs)

I can see sourcetype=trendmicro with tag=malware, but the others I can't see although they also have tag=malware.

Secondly, how can I make the app CIM compliant?
06-27-2019 03:48 AM

We created a new partition (LVM) as the old one is not recoverable. On the new partition we installed the Splunk package (same version that we have on the other Splunk instances), then followed the same guide provided by the Splunk consultant to get back into operations.

Thanks David.
06-27-2019 02:29 AM

And if we don't have pass4SymmKey then.... 🙂

What is the workaround?
06-27-2019 01:22 AM

We have a distributed clustered environment. On the DR site one of the servers crashed and is not rebooting. If we detach the /opt/splunk LVM then the server reboots properly. The OS admin is saying that the /opt/splunk VM crashed.
- Tags:
- splunk-enterprise
06-18-2019 02:09 AM

How to extract the field values between two of the same characters.

Event:

Axxtalled=xrxnx xx Client\;**12.0.5294**\;15.179.00\;3x/x/2xx\;,

I want to extract 12.0.5294
05-28-2019 12:58 AM

Hi David,

I followed that document as almost all the FMCs are updated to version 6.x.

For 1x.2x.6.x8, I reinstalled the latest TA and I can see the logs for the corresponding sensors, but these logs do not make any sense to me compared to the logs from the other FMCs.

I will send you a log snapshot separately.
05-25-2019 10:07 AM

Although the connection is successful, I am still not seeing the logs from eStreamer, whereas in DR I am getting logs continuously.

Can anyone share the troubleshooting steps?
05-25-2019 10:04 AM

I am seeing some interesting information in the Cisco logs, for example user name, hostname, MAC address, location and connected switch port.

So how can I add the user information to the identities lookup table?

Furthermore, how do I preserve today's login IP (the IP or workstation name from where the user logged in)? The next day it will become yesterday's data, and then compare it with today's login as the stored data becomes yesterday's data.
05-21-2019 02:09 AM

Different devices are appearing under the Authentication data model.

For the Windows sourcetype I can see the user name, but for cisco_ise there is different data under the user field. How can I unify both?
- Tags:
- splunk-enterprise
05-18-2019 02:18 PM

Referring to the above and against the malware correlation rules: most of the time the triggered notable events have dest="unknown".

Upon investigation, I found that the unknown value events belong to sourcetype=symantec:ep:risk:file.

How do I fix this problem?
05-18-2019 01:36 PM

Hi Lakshman,

I am facing the same issue for the user and dest fields. Most of the time either the dest or the user field is unknown. When I drill down further I found that those "unknown" field events belong to sourcetype=symantec:ep:risk:file.

Interestingly, for some events the dest field (which I think is being extracted from "Computer name") is present.

Please support here to conclude this.