Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About splunkreal
splunkreal
Motivator
Member since:
05-26-2016
Friday
Community Statistics
| Posts | 563 |
| Solutions | 29 |
| Karma Given | 795 |
| Karma Received | 47 |
| Member Since | 05-26-2016 |
Activity Feed
- Posted Re: Does props.conf support wildcards? on Getting Data In. Friday
- Got Karma for Re: How do I renew an expired Splunk Certificate?. 3 weeks ago
- Karma Re: Disable visibility of app on Search Head Cluster for lroynsky. 3 weeks ago
- Karma Re: Disable visibility of app on Search Head Cluster for somesoni2. 3 weeks ago
- Karma Re: Can Splunk be served from a different endpoint? for sh4kesbeer. a month ago
- Posted Re: Accuracy of metadata command in large environments? on Splunk Search. a month ago
- Karma Re: Accuracy of metadata command in large environments? for martin_mueller. a month ago
- Karma Re: BUG: tstats not displaying latest time modifier correctly for the_wolverine. 04-19-2025 10:52 AM
- Posted Re: Inconsistency between search results between Splunk UI and Rest API & REST API itself on Getting Data In. 04-18-2025 09:14 AM
- Karma Re: Inconsistency between search results between Splunk UI and Rest API & REST API itself for efavreau. 04-18-2025 09:02 AM
- Karma Re: Inconsistency between search results between Splunk UI and Rest API & REST API itself for jkat54. 04-18-2025 08:59 AM
- Karma Re: Inconsistency between search results between Splunk UI and Rest API & REST API itself for jkat54. 04-18-2025 08:59 AM
- Karma Re: Metadata showing wrong last Indexed time for woodcock. 04-18-2025 08:55 AM
- Posted Re: Hide specific notables from IR (Incident review) in ES on Splunk Enterprise Security. 04-18-2025 12:51 AM
- Karma Re: How to add cryptography or other python lib to Splunk python own environment for scripted input on HF? for livehybrid. 04-08-2025 06:16 AM
- Posted Re: How to add cryptography or other python lib to Splunk python own environment for scripted input on HF? on Splunk Dev. 04-08-2025 05:26 AM
- Karma Re: How to add cryptography or other python lib to Splunk python own environment for scripted input on HF? for richgalloway. 04-08-2025 05:25 AM
- Posted How to add cryptography or other python lib to Splunk python own environment for scripted input on HF? on Splunk Dev. 04-08-2025 03:17 AM
- Posted Re: Change index based on source and index from different environments on Getting Data In. 04-07-2025 08:34 AM
- Karma Re: Change index based on source and index from different environments for livehybrid. 04-07-2025 01:41 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Friday
Hello @dshpritz looks like this is "officially" documented at https://splunk.my.site.com/customer/s/article/How-To-Use-Wildcards-with-Sourcetype
... View more
a month ago
metadata is not reliable compared to tstats, with tstats I get accurate lastTime field info.
... View more
04-18-2025
09:14 AM
@jkat54 Hello, I find out I get lastTime tstats metadata from export api endpoint ran from CLI and not getting this lastTime field on web search with same query, even if lastTime info is from last year from offline UF. I guess there is maybe web filtering. This only applies to single result though. Results can be different I guess due to different user/role, app context, api endpoint which may be my case. Thanks.
... View more
04-18-2025
12:51 AM
Hello @jawahir007 how are you? Found out we can filter by search_title also, where can we find list of IR fields? Thanks for your help!
... View more
04-08-2025
05:26 AM
Hi @richgalloway thanks, how do you add library to custom app? In bin folder with .py file?
... View more
04-08-2025
03:17 AM
Hello guys, how to add cryptography or other python lib to Splunk python own environment for scripted input on HF? Preferred solution is to put beside my app in etc/apps/myapp/bin/ folder. Thanks for your help!
... View more
Labels
- Labels:
-
add-on
-
app
-
Python
-
scripted input
04-07-2025
08:34 AM
Hello, we found solution, there was metadata index source key that was possible to use. Thanks for your help guys.
... View more
04-03-2025
11:28 PM
Hello yes UF is already setup on secondary environment. On first environment we use _TCP_ROUTING as we also have two Splunk platforms...
... View more
04-03-2025
02:10 PM
Hello, we have Windows servers from two environments, we want WinEventLog source (Windows Events logs) to go in "windows" index from main environment and secondary environment to go to "sec_windows". On UF from secondary environment we have setup inputs.conf with index = sec_windows but this doesn't work : all goes to windows index, could you help ? Thank you very much. props.conf
[source::WinEventLog:*]
TRANSFORMS-set_index_sec_windows = set_index_sec_windows
TRANSFORMS-set_index_windows_wineventlog = set_index_windows_wineventlog
transforms.conf
# Windows
[set_index_windows_wineventlog]
SOURCE_KEY = MetaData:Source
REGEX = WinEventLog
DEST_KEY = _MetaData:Index
FORMAT = windows
[set_index_sec_windows]
SOURCE_KEY = _MetaData:Index
REGEX = sec_windows
DEST_KEY = _MetaData:Index
FORMAT = sec_windows
... View more
Labels
- Labels:
-
index
-
other
-
source
-
sourcetype
-
universal forwarder
-
Windows
03-07-2025
07:26 AM
Hello @NoSpaces did you report to support as this looks like splunk init shcluster-config bug?
... View more
03-07-2025
07:24 AM
Hello, thanks for your help, had similar issue due to splunk init shcluster-config, secret key wasn't correctly encrypted in server.conf apparently, as seen with help of splunk show-decrypted
... View more
02-27-2025
02:24 PM
Hello, is it solved? Did you check splunkd.log for warnings/errors?
... View more
01-31-2025
09:08 AM
@JLange you're welcome 🙂
... View more
01-24-2025
06:53 AM
Hello, as best practise you should create and deploy an app from deployment server with your inputs.conf and script. Also make sure you include a valid timestamp at the beginning of the output in US format. Follow these instructions : https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/scriptedinputsexample/
... View more
01-24-2025
06:48 AM
Solution from support : "Yes, it is still recommended to use the Deployment Server for centralized management and consistency across Heavy Forwarders. However, if local customizations are required, ensure those changes are synced back to the DS (etc/deployment-apps/<app_name>/local) to prevent overwrites. Alternatively, use 'excludeFromUpdate' in serverclass.conf to protect specific files or directories. For better scalability, avoid making direct changes on HFs and manage all configurations via the DS whenever possible."
... View more
01-21-2025
12:49 PM
Hello, if you have specific app conf (like after configuring it using HF web gui for a specific site), is it still recommended to use deployment server as this requires to sync / copy HF app/local conf back to deployment server etc/deployment-apps/app/local to avoid any deletion when reloading deployment server/app update from DS? I guess using DS is good for centralizing (same) configurations across HFs? https://docs.splunk.com/Documentation/Splunk/9.3.0/Updating/Createdeploymentapps "The only way to allow an instance to continue managing its own copy of such an app is to disable the instance's deployment client functionality. If an instance is no longer a client of a deployment server, the deployment server will no longer manage its apps." Thanks.
... View more
- Tags:
- app
- Deployment Server
Labels
- Labels:
-
heavy forwarder
01-16-2025
09:14 AM
Hello @richgalloway found out | tstats ... by source provides less results than | tstats ... values(source) in a search combining a query joined with tstats 🙃
| tstats min(_time) as firstTime max(_time) as lastTime values(source) as source WHERE index=* by host,index provides ALL sources
| tstats min(_time) as firstTime max(_time) as lastTime WHERE index=* by host,index,source provides only 1 source
... View more
01-16-2025
08:14 AM
You may use /opt/splunk/bin/genRootCA.sh to regenerate ca.pem & cacert.pem
... View more
12-23-2024
07:59 AM
Hello, if this can help, found out another user indicated "this setting was not enabled on our deployer hence the ES upgrade still proceeded without it's enablement."
... View more
12-19-2024
11:19 AM
Hello, in case you can't use SSL certificate, you may modify cybereason python script.
... View more
Labels
12-05-2024
10:43 AM
Hello guys, We are getting on one heavyforwarder this message in splunkd.log, we are using TCP-SSL inputs.conf : “11-14-2024 16:59:44.129 +0100 WARN SSLCommon [53742 FwdDataReceiverThread] - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate A', alert_description='unknown CA'.” How do you identify the sourceHost ? Is it blocking incoming data or just warning? Maybe this can help? index=_* host=myhf1 source="/OPT/splunk/var/log/splunk/metrics.log" tcp_Kprocessed="0.000" Thanks for your help.
... View more
Labels
- Labels:
-
data
-
heavy forwarder
-
inputs.conf
11-21-2024
03:42 AM
yes that's the case "to differentiate between different inputs would be if you had clients authenticating with certs issued by different CAs to different inputs." thanks
... View more
11-21-2024
03:37 AM
Hi @PickleRick we have already tested it's ok with 100 gb/day. Do you have sample configurations (inputs.conf / server.conf) to receive syslog over TLS? I found this doc : https://support.checkpoint.com/results/sk/sk122323 Thanks for your help.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Friday
|
Karma given to
