Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About patelmc
patelmc
Explorer
Member since:
03-12-2019
01-25-2022
Community Statistics
| Posts | 29 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 2 |
| Member Since | 03-12-2019 |
Activity Feed
- Posted Re: filed ignore textx within " " on Splunk Search. 01-25-2022 03:20 PM
- Posted filed ignore textx within " " on Splunk Search. 01-25-2022 02:08 PM
- Tagged filed ignore textx within " " on Splunk Search. 01-25-2022 02:08 PM
- Posted Ingest time lookup to add fields does not work on Getting Data In. 11-08-2021 04:51 PM
- Got Karma for configure CA issued certificate on splunkd port 8089 and web port 8443 on SH cluster. 11-01-2021 03:17 PM
- Posted configure CA issued certificate on splunkd port 8089 and web port 8443 on SH cluster on Security. 11-01-2021 02:46 PM
- Tagged configure CA issued certificate on splunkd port 8089 and web port 8443 on SH cluster on Security. 11-01-2021 02:46 PM
- Posted Re: Why am I getting error "Data channel is missing" using HTTP Event Collector with Splunk Light? on Splunk Enterprise. 05-18-2021 10:31 AM
- Posted Change IP address of Splunk servers on Splunk Enterprise. 04-23-2021 08:03 AM
- Posted Re: Splunk Alerting : How to pass arguments/filename to your script? on Reporting. 02-07-2021 10:18 AM
- Tagged Re: Splunk Alerting : How to pass arguments/filename to your script? on Reporting. 02-07-2021 10:18 AM
- Got Karma for Re: Chart multiple series in Splunk 7.3: what's new?. 06-05-2020 12:50 AM
- Posted Re: clear multisect input on dropdown change on Getting Data In. 03-09-2020 08:06 AM
- Posted Re: Chart multiple series in Splunk 7.3: what's new? on Getting Data In. 09-12-2019 02:34 PM
- Posted Re: ingest CSV file into metric index on Splunk ITSI. 09-12-2019 05:51 AM
- Posted Re: ingest CSV file into metric index on Splunk ITSI. 08-23-2019 06:02 AM
- Posted Re: ingest CSV file into metric index on Splunk ITSI. 08-21-2019 02:24 PM
- Posted Re: ingest CSV file into metric index on Splunk ITSI. 08-21-2019 01:43 PM
- Posted Re: ingest CSV file into metric index on Splunk ITSI. 08-21-2019 12:43 PM
- Posted Re: ingest CSV file into metric index on Splunk ITSI. 08-21-2019 11:54 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-13-2025
10:52 PM
@patelmc If the application field is a search-time extracted field it's unavailable during ingest-time processing. If you want to use it during indexing you have to first extract it as an indexed field (and can subsequently forget it so that it doesn't get indexed). Bonus points question - why extracting those indexed fields? @victor1004k Don't put settings in system/local. Put them into a separate app so they're easier to maintain.
... View more
07-28-2023
04:30 PM
From About HTTP Event Collector Indexer Acknowledgment: Channels are designed so that you assign a unique channel to each client that sends data to HEC. Each channel has a channel identifier (ID), which must be a Globally Unique Identifier (GUID) but can be randomly generated. You assign channel IDs simply by including them in requests as shown in the examples above. When Splunk Enterprise sees a new channel identifier, it creates a new channel. One way to create unique GUIDs is with the Python module uuid. Here is an example of how to do that with a GUID constructed from the local machine's hostname: export HEC_CHANNEL=$(python3 -c "import os, uuid; print(str(uuid.uuid3(uuid.NAMESPACE_DNS, os.uname()[1])))") curl \ -k \ https://$HEC_HOST:8088/services/collector/event \ -H "Authorization: Splunk $HEC_TOKEN" \ -H "X-Splunk-Request-Channel: $HEC_CHANNEL" \ -d '{"sourcetype": "mysourcetype", "event": "http auth ftw! with ACKS"}'
... View more
01-25-2022
10:15 PM
It is not a bug, at least not a bug in splunk - how would splunk know whether a double quote was an internal one or not? The bug (if you want to call it that) lies with the application generating the message. The quoted string needs to escape embedded delimiters, double quotes in this instance, but if the string was enclosed in single quotes instead, then any embedded single quotes (including apostrophes) would need to be escaped. Depending on how you are extracting the fields, you may be able to reduce the risk even further, but extracting one field at a time and using the name of the following field as part of the end marker for the field.
... View more
We have a requirement to configure splunk with the CA issued certificates. We are running Splunk 8.2.2.1. In test environment – two standalone splunk instances. In other environments – cluster 3 node SH cluster + SH deployer 3 node indexer cluster + CM License Master/Monitoring server Deployment Server Heavy forwarders I tried to configure standalone server's Splunk web (8443) and splunkd (8089) using this new CA issued cert. But after I configured it for splunkd 8089 it breaks web, command line and also when I run openssl from other server it shows connected but then hangs and does not show certs. I came across following link but it was for splunk 6 and things has changed a lot since then. https://community.splunk.com/t5/Security/Custom-Certificate-for-Port-8089/m-p/362377 We also want to configure SH cluster to use CA issued cert for splunkd (8089). But I could not find doc for SH cluster. On standalone splunk instance: cat /opt/splunk/etc/system/local/web.conf [settings] httpport = 8443 enableSplunkWebSSL = 1 sslVersions = tls1.2 sslPassword = $7$1_encrypted_password_lzShn0euEM5Yi9m6pUPS38TkYu1lDDsg= serverCert = etc/auth/splunkweb/QA_Splunk_Concatenated.pem privKeyPath = etc/auth/splunkweb/QA_Splunk_PrivateKey.key cat /opt/splunk/etc/system/local/server.conf [general] serverName = xxx.test pass4SymmKey = $7$k_encryted_key== [sslConfig] #serverCert = server.pem sslPassword = $7$3_encryted_key== sslVersions = tls1.2 enableSplunkdSSL = true serverCert = /opt/splunk/etc/auth/splunkweb/QA_Splunk_Concatenated.pem #requireClientCert = false Is this correct? Also, Do I need to request separate cert for each SH member? Will this impact other communication between SH custer and indexer cluster, license master, monitoring console, SH deployer?
... View more
- Tags:
- security
Labels
- Labels:
-
SSL
04-23-2021
08:03 AM
We are moving from one datacenter to another one which require to change IP addresses of all Splunk instances. All of these instances are running with Splunk 8.1.1 and soon will be upgraded to 8.1.3. License Master / Monitoring Console. - Single server. SH ( non-clustered) - Separate servers for SH1 and SH2. SH is configured with 3 indexer peers in three different regions and only one indexer will be moved at a time. Indexer servers - separate servers for each indexer total 3. UF servers. Is there any procedure/doc available. I could not find one in Splunk doc.
... View more
Labels
- Labels:
-
configuration
-
installation
02-07-2021
10:18 AM
How can we use this variable SPLUNK_ARG_4 inside bash shell? Is it possible to pass this variable as $i with the script?
... View more
- Tags:
- ouputlookup
09-12-2019
05:51 AM
This issue is resolved now. very odd.
I had to do the following.
1) configure props.conf and transforms.conf on forwarder.
2) Removed the stanzas from props.conf and transforms.conf on indexer.
I can see metircs data into metric index now.
... View more
08-14-2019
06:19 PM
Recommendation is to restrict apps/dashboards to search heads.
And leave indexers to only receive data from forwarders and store indexes.
If you can read your index data from search heads, dashboards/apps can be created only at the search layer.
Users should be restricted to only search heads where your dashboards reside. This way, the indexed data would be safe/untouched at the indexer layer.
... View more
08-08-2019
08:54 AM
It will depend on the functionality of the app you want to create.
Example:
If it contains knowledge objects (views/dashboards, reports, alerts, etc.) it should go in the search head.
If it contains index time operations (e.g. data routing, anonymization, etc) it should go into Indexers/heavy forwarder
Check Splunk's guide to app development:
http://dev.splunk.com/view/SP-CAAAFD7#createapp
... View more
05-14-2019
05:56 AM
This addon is to monitor postgresql DB which includes log files. The DB connect is actually getting business data from DB tables so this addon would not help.
I created a new sourcetype and it seems to be working now.
... View more
03-12-2019
09:00 AM
Don't do this!
If you already are collecting logs in syslog-ng collect the logs by reading them from file with a universal/heavy forwarder.
Do not forward events from syslog to syslog over a UDP/TCP port, that is the worst of all worlds.
You should always collect from the syslog file if it exists.
See: https://conf.splunk.com/files/2017/slides/worst-practicesand-how-to-fix-them.pdf
... View more
08-16-2019
07:33 AM
Can you please provide how .css file looks like after all changes you have made?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-25-2022
06:50 PM
|
