Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About splunkreal
splunkreal
Motivator
Member since:
05-26-2016
07-29-2025
Community Statistics
| Posts | 568 |
| Solutions | 29 |
| Karma Given | 806 |
| Karma Received | 48 |
| Member Since | 05-26-2016 |
Activity Feed
- Got Karma for Re: How to troubleshoot why we are getting "appserver port: already bound" on startup of Splunk 6.2.x after re. 2 weeks ago
- Posted Re: oracle:audit:unified Parsing Issue on All Apps and Add-ons. 07-25-2025 09:09 AM
- Karma Re: oracle:audit:unified Parsing Issue for kiran_panchavat. 07-25-2025 06:43 AM
- Karma Re: oracle:audit:unified Parsing Issue for kiran_panchavat. 07-25-2025 06:43 AM
- Karma Re: Moving Cluster to new subnet for esix_splunk. 07-21-2025 08:51 AM
- Karma Re: Where to perform field extraction in Splunk cluster for PickleRick. 06-30-2025 11:49 PM
- Karma Re: Where to perform field extraction in Splunk cluster for FrankVl. 06-30-2025 11:48 PM
- Posted Re: Splunk HEC/kafka raw logs parsing / addons on Getting Data In. 06-26-2025 08:36 AM
- Karma Re: Splunk HEC/kafka raw logs parsing / addons for livehybrid. 06-26-2025 08:35 AM
- Karma Re: Extract fields from RFC5424 syslog with nested json field for PickleRick. 06-25-2025 05:54 AM
- Karma Re: Extract fields from RFC5424 syslog with nested json field for tej57. 06-25-2025 05:53 AM
- Posted Re: Splunk HEC/kafka raw logs parsing / addons on Getting Data In. 06-18-2025 05:44 AM
- Karma Re: Splunk HEC/kafka raw logs parsing / addons for livehybrid. 06-18-2025 05:43 AM
- Posted Splunk HEC/kafka raw logs parsing / addons on Getting Data In. 06-18-2025 05:14 AM
- Karma Re: Submitting events over HEC to an index other than main? for PickleRick. 06-18-2025 04:45 AM
- Posted Extract fields from RFC5424 syslog with nested json field on Getting Data In. 06-05-2025 07:45 AM
- Karma Re: How to get the nested objects from my JSON data field? for PickleRick. 06-01-2025 05:13 AM
- Posted Re: Does props.conf support wildcards? on Getting Data In. 05-16-2025 12:24 AM
- Got Karma for Re: How do I renew an expired Splunk Certificate?. 05-02-2025 11:58 AM
- Karma Re: Disable visibility of app on Search Head Cluster for lroynsky. 04-30-2025 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-25-2025
09:09 AM
Hello @kiran_panchavat @Rhidian maybe we could filter special characters with REGEXP_REPLACE(sql_text… in the SQL query? Thanks.
... View more
06-26-2025
08:36 AM
Hello @livehybrid looks like the json is from Vector agent to Kafka, that's why we may end up with json or is it possible to convert json to raw log in Splunk?
... View more
06-18-2025
05:44 AM
Thanks @livehybrid then Splunk should parse correctly fields for addons? Do you mean _raw will be the original event from source host and sending to targered index/sourcetype?
... View more
06-18-2025
05:14 AM
Hello, is it possible in Splunk HEC from Kafka to receive raw events on HF in order to parse fields with addons? It seems we can only receive json data with "event" field and may not be able to extract fields within standard addons? The HEC event may also contain target index and sourcetype. Thanks.
... View more
Labels
06-05-2025
07:45 AM
Hello, I put this regex on SHC inline extraction : "<(?<pri>\d+)>1\s(?<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?[+-]\d{2}:\d{2})\s(?<hostname>[^\s]+)\s(?<appname>[^\s]+)\s(?<procid>[^\s]+)\s(?<msgid>[^\s]+)\s(?<structured_data>\S+)\s(?<json_msg>\{.*\})" however json_msg needs | spath input=json_msg Is it possible to auto extract fields contained in json_msg to avoid adding | spath input=json_msg at search time? Thanks.
... View more
Labels
- Labels:
-
inputs.conf
-
props.conf
-
syslog
-
transforms.conf
05-16-2025
12:24 AM
Hello @dshpritz looks like this is "officially" documented at https://splunk.my.site.com/customer/s/article/How-To-Use-Wildcards-with-Sourcetype
... View more
04-22-2025
02:30 AM
metadata is not reliable compared to tstats, with tstats I get accurate lastTime field info.
... View more
04-18-2025
09:14 AM
@jkat54 Hello, I find out I get lastTime tstats metadata from export api endpoint ran from CLI and not getting this lastTime field on web search with same query, even if lastTime info is from last year from offline UF. I guess there is maybe web filtering. This only applies to single result though. Results can be different I guess due to different user/role, app context, api endpoint which may be my case. Thanks.
... View more
04-18-2025
12:51 AM
Hello @jawahir007 how are you? Found out we can filter by search_title also, where can we find list of IR fields? Thanks for your help!
... View more
04-08-2025
05:26 AM
Hi @richgalloway thanks, how do you add library to custom app? In bin folder with .py file?
... View more
04-08-2025
03:17 AM
Hello guys, how to add cryptography or other python lib to Splunk python own environment for scripted input on HF? Preferred solution is to put beside my app in etc/apps/myapp/bin/ folder. Thanks for your help!
... View more
Labels
- Labels:
-
add-on
-
app
-
Python
-
scripted input
04-07-2025
08:34 AM
Hello, we found solution, there was metadata index source key that was possible to use. Thanks for your help guys.
... View more
04-03-2025
11:28 PM
Hello yes UF is already setup on secondary environment. On first environment we use _TCP_ROUTING as we also have two Splunk platforms...
... View more
04-03-2025
02:10 PM
Hello, we have Windows servers from two environments, we want WinEventLog source (Windows Events logs) to go in "windows" index from main environment and secondary environment to go to "sec_windows". On UF from secondary environment we have setup inputs.conf with index = sec_windows but this doesn't work : all goes to windows index, could you help ? Thank you very much. props.conf
[source::WinEventLog:*]
TRANSFORMS-set_index_sec_windows = set_index_sec_windows
TRANSFORMS-set_index_windows_wineventlog = set_index_windows_wineventlog
transforms.conf
# Windows
[set_index_windows_wineventlog]
SOURCE_KEY = MetaData:Source
REGEX = WinEventLog
DEST_KEY = _MetaData:Index
FORMAT = windows
[set_index_sec_windows]
SOURCE_KEY = _MetaData:Index
REGEX = sec_windows
DEST_KEY = _MetaData:Index
FORMAT = sec_windows
... View more
Labels
- Labels:
-
index
-
other
-
source
-
sourcetype
-
universal forwarder
-
Windows
03-07-2025
07:26 AM
Hello @NoSpaces did you report to support as this looks like splunk init shcluster-config bug?
... View more
03-07-2025
07:24 AM
Hello, thanks for your help, had similar issue due to splunk init shcluster-config, secret key wasn't correctly encrypted in server.conf apparently, as seen with help of splunk show-decrypted
... View more
02-27-2025
02:24 PM
Hello, is it solved? Did you check splunkd.log for warnings/errors?
... View more
01-31-2025
09:08 AM
@JLange you're welcome 🙂
... View more
01-24-2025
06:53 AM
Hello, as best practise you should create and deploy an app from deployment server with your inputs.conf and script. Also make sure you include a valid timestamp at the beginning of the output in US format. Follow these instructions : https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/scriptedinputsexample/
... View more
01-24-2025
06:48 AM
Solution from support : "Yes, it is still recommended to use the Deployment Server for centralized management and consistency across Heavy Forwarders. However, if local customizations are required, ensure those changes are synced back to the DS (etc/deployment-apps/<app_name>/local) to prevent overwrites. Alternatively, use 'excludeFromUpdate' in serverclass.conf to protect specific files or directories. For better scalability, avoid making direct changes on HFs and manage all configurations via the DS whenever possible."
... View more
01-21-2025
12:49 PM
Hello, if you have specific app conf (like after configuring it using HF web gui for a specific site), is it still recommended to use deployment server as this requires to sync / copy HF app/local conf back to deployment server etc/deployment-apps/app/local to avoid any deletion when reloading deployment server/app update from DS? I guess using DS is good for centralizing (same) configurations across HFs? https://docs.splunk.com/Documentation/Splunk/9.3.0/Updating/Createdeploymentapps "The only way to allow an instance to continue managing its own copy of such an app is to disable the instance's deployment client functionality. If an instance is no longer a client of a deployment server, the deployment server will no longer manage its apps." Thanks.
... View more
- Tags:
- app
- Deployment Server
Labels
- Labels:
-
heavy forwarder
01-16-2025
09:14 AM
Hello @richgalloway found out | tstats ... by source provides less results than | tstats ... values(source) in a search combining a query joined with tstats 🙃
| tstats min(_time) as firstTime max(_time) as lastTime values(source) as source WHERE index=* by host,index provides ALL sources
| tstats min(_time) as firstTime max(_time) as lastTime WHERE index=* by host,index,source provides only 1 source
... View more
01-16-2025
08:14 AM
You may use /opt/splunk/bin/genRootCA.sh to regenerate ca.pem & cacert.pem
... View more
12-23-2024
07:59 AM
Hello, if this can help, found out another user indicated "this setting was not enabled on our deployer hence the ES upgrade still proceeded without it's enablement."
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-29-2025
11:31 AM
|
Karma given to
