cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cybermonday
Explorer
Member since: ‎12-19-2018
‎04-13-2023
Community Statistics
Posts 10
Solutions 0
Karma Given 10
Karma Received 0
Member Since ‎12-19-2018
Activity Feed
View All

Re: How to route a monitor input to specific index...

by in Getting Data In
‎04-14-2023 11:40 PM
‎04-14-2023 11:40 PM
Hi @cybermonday, as described at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input you have to apply this configuration to the system that you're using to ingest data: outputs.conf [monitor:///var/log/splunk/Checkpoint/*/*.log] disabled = 0 Sourcetype = cp_log index = index1 host_segment = 5 _TCP_ROUTING = isolationGroup [monitor:///var/log/splunk/Checkpoint_sys/*/*.log] disabled = 0 Sourcetype = cp_log index = index1 host_segment = 5 inputs.conf [tcpout:my_indexers] clientCert = /opt/splunk/etc/auth/my_certs/my_serverCert.pem indexerDiscovery = MyIndexersDiscovery useACK = true [tcpout:isolationGroup] server = 10.20.30.40:9998 you don't need of props and transforms, they are used to modify some values after inputs, on Heavy Forwarders or Indexers. Ciao. Giuseppe ... View more

Re: AbuseIPdb_check syntax and usage- Help with A...

by in All Apps and Add-ons
‎10-26-2022 04:17 PM
‎10-26-2022 04:17 PM
I am having the same issue. Can't seem to find a solution for this one yet.  ... View more

Re: Metadata TRANSFORMS- not being applied after s...

by in Splunk Search
‎07-29-2022 10:51 AM
‎07-29-2022 10:51 AM
transform.conf  [vmware:uag:admin] REGEX = :\d\d\s+\w{5}\w{4}\suag-admin\:(.+)\n FORMAT = sourcetype::vmware:uag:admin DEST_KEY = MetaData:Sourcetype [vmware:uag:audit] REGEX = :\d\d\s+\w{5}\w{4}\suag-audit\:(.+)\n FORMAT = sourcetype::vmware:uag:admin DEST_KEY = MetaData:Sourcetype [vmware:uag:esmanager] REGEX = :\d\d\s+\w{5}\w{4}\suag-esmanager\:(.+)\n FORMAT = sourcetype::vmware:uag:esmanager DEST_KEY = MetaData:Sourcetype   Props.conf [source::/var/log/$hostname$/syslog] TRANSFORMS-sourcetype = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager [source::/var/log/$hostname$/syslog] TRANSFORMS-sourcetype = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager [source::/var/log/$hostname$/syslog] TRANSFORMS-sourcetype = vmware:uag:admin, vmware:uag:audit, vmware:uag:esmanager @harsmarvania57  can you see anything wrong on any of .conf file?  it's not working.  I see no error too on splunkd.log   ... View more

Re: Is there a way to modify alert url $results.u...

by in Alerting
‎03-30-2022 09:20 PM
‎03-30-2022 09:20 PM
@the_wolverine  This answer is old. but its still valid as of today.  ... View more

Critical System Physical Memory Usage

by in Monitoring Splunk
‎07-14-2020 04:24 AM
‎07-14-2020 04:24 AM
Oracle Linux 7.5 Splunk Core 7.2.5 Alert Name -- DMC Alert - Critical System Physical Memory Usage The alert works on below rest command which pulls 2 fields from systems --- mem and mem_used.  | rest splunk_server_group=dmc_group_* /services/server/status/resource-usage/hostwide we have learned that this alert is giving false value after confirming from oracle support.  as per them, when running "free -m" command - "In Oracle Linux 7/8, the focus should be on the "available" column. The available column estimates how much memory is available for starting new applications without swapping. If, the system still has 28G available memory and you see 26G  in "used" - that is because this is how Linux behaves. Linux treats the memory that can be made available upon request as "used"."  also see - -   https://www.redhat.com/sysadmin/dissecting-free-command So, I am interested to fetch the "available memory" field from hosts.  So that I can do some eval and then optimize the existing alert to suit fit to our needs.  Is there any way, how to pull the "available memory" field from hosts? ... View more
Labels

How to integrate oracle idam suite with Splunk ?

by in Splunk Enterprise Security
‎12-19-2018 02:28 AM
‎12-19-2018 02:28 AM
How to integrate oracle idam suite with Splunk ? Any pointer would be highly appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎04-13-2023 12:01 PM
Karma given to