cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
shocko
Contributor
Member since: ‎09-20-2016
a week ago
Community Statistics
Posts 105
Solutions 4
Karma Given 45
Karma Received 3
Member Since ‎09-20-2016
Activity Feed
Topics I've Started
View All

Re: Alert Action Icon Picture

by in Alerting
a week ago
a week ago
I have the same issue. The actual PNG file I have located on my search head (Splunk Enterprise 9 on windows 2019)  at  c:\Program Files\Splunk\etc\system\static\mod_alert_icon_email.png c:\Program Files\Splunk\share\splunk\search_mrsparkle\exposed\img\mod_alert_icon_email.png And referenced in the following config files etc\system\default\alert_actions.conf   Contents of this file are [email] icon_path = mod_alert_icon_email.png label = Send email description = Send an email notification to specified recipients       ... View more

Re: How to combine apps?

by in Splunk Enterprise
‎02-28-2023 03:04 AM
‎02-28-2023 03:04 AM
I think I have explained it poorly.  I guess when I think about it what I wish to achieve is a s follows: Problem: I have multiple search apps that have various views, navigations, macros etc. I source control the apps in Git and when I wish to create a new version of the app I do so by updating Git and deploying the folder/files from that Git repository to my search head. This works well. Each app shows in the UI as a separate entity under the Apps dropdown  I have been re-evaluating these apps as most of them are used by the same team. They have asked me if I could combine them into one app (all dashboards, views and navigation etc.)  so they only have to navigate one app the in the Apps dropdown. I wish though to maintain my deployment model within GIT so combining them all into one single app/folder is a challenge in this regard. So, now that I think of it is the following possible? Keep all apps separate so I keep my deployment model Remove the navigation items from these apps Create a new app that only has the navigation/views from the other apps?     ... View more

Re: Issue with rex regular expression repeating ch...

by in Splunk Enterprise
‎02-28-2023 02:19 AM
1 Karma
‎02-28-2023 02:19 AM
1 Karma
Thanks @jotne and your point is well noted. I was using a simple example but I have used ^ and $ for start/end markers for my production regex.  ... View more

How to combine apps?

by in Splunk Enterprise
‎02-27-2023 01:50 PM
‎02-27-2023 01:50 PM
I have several apps I have built in Splunk Enterprise 8.2.5. Each one is in a separate folder under /etc/apps on my search head and each has numerous lookups/macros etc. configured. The problem I have is I wish to combine them all into a single app as they are all used by the same people. The problem is I source control them in Git so I can easily make a change, update Gut and re-deploy the app to the search head. This amounts to it clearing out the app/<app> folder and pulling down the latest version from Git. This works great. Now if I move everything to a single app how can I keep a folder for each 'sub app' for I can keep my Git model? Essentially I want this new app to just have a set of Navigations/Dashboards  ... View more

Re: Issue with rex regular expression repeating ch...

by in Splunk Enterprise
‎02-26-2023 03:53 PM
‎02-26-2023 03:53 PM
@ITWhisperer I can't believe I missed that! Wood for the trees and been at a computer screen too long. Should have re-read the docs. Thanks for taking the time to answer. Much appreciated! ... View more

Issue with rex regular expression repeating charac...

by in Splunk Enterprise
‎02-25-2023 07:21 AM
‎02-25-2023 07:21 AM
Using Splunk enterprise 8.2.5 and trying to match a string of repeating characters in my Events. For example of the log file I'm ingesting       INFO - Service Started DEBUG - Service suspended       So I was testing this as follows but the field mylevel is not extracted        | makeresults | eval msg="info"| rex field=msg "(?<mylevel>\w{4-5})" | table mylevel       This works though       | makeresults | eval msg="info"| rex field=msg "(?<mylevel>(\w{4})|(\w{5}))" | table mylevel       What is incorrect/wrong with my usage of this ?       \w{4-5}         ... View more

Re: Why is Windows Event Log Whitelist not working...

by in Getting Data In
‎11-22-2022 11:49 AM
‎11-22-2022 11:49 AM
I finally figured it out!  So I suspected that the UF thought it had already collected these events so I had a look into this file %SPLUNK_HOME %\var\lib\splunk\modinputs\WinEventLog\System which basically contains a record where the UF left off on a given WinEventlog i.e. the EventID it last consumed. <BookmarkList> <Bookmark Channel='System' RecordId='1236992' IsCurrent='true'/> </BookmarkList>   Event 1236992 is one higher than the last instance of the events I wish to whitelist and consume (you can see the EventID in the windows event viewer). I stepped through the following: Stopped the UF Deleted this file Started the UF I now have all my events! Note: this may contain duplicates events so we can use delete to remove them based on EventID.  I then deleted other events form my index that I did not require via https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Delete. Be careful if running this! ... View more

Re: What is the best way to reload Windows event l...

by in Getting Data In
‎11-21-2022 03:07 PM
‎11-21-2022 03:07 PM
This helped me so thanks! ... View more

How does the Universal Forwarder Detects the Sourc...

by in Splunk Enterprise
‎11-21-2022 01:38 PM
‎11-21-2022 01:38 PM
I'm collecting the System logs from a Windows 2012 R2 DHCP Server using Splunk Universal forwarder 9.0.1.0 to a Splunk Enterprise 8.2.5 indexer. Initially I was collecting all logs using this stanza       [WinEventLog://System] start_from = oldest disabled = 0 current_only = 0       As per the inputs.conf guide here it states that for the allowed key values in an WindowsEvent log monitoring stanza we may use SourceName The source of the entity that generated the event. Corresponds to Source in Event Viewer.   I wished to reduce the number of events collected to only those related to DHCP. When I look into the windows event viewer I see this event for example However, if I search for any event in my indexed data from this server with        SoureName = DHCP-Server       there are no results. A simple query over all time like this shows this       index=windowsdhcp | stats count by SourceName       Howver, in the putput of the stats of all Sourcenames I see this Sourcename namely Microsoft-Windows-DHCP-Server. So I got back to windows event vierwer and look at the XML view of the event which is as follows:       - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" /> <EventID Qualifiers="0">1376</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2022-11-21T17:14:28.000000000Z" /> <EventRecordID>1236733</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>System</Channel> <Computer>vmsys305.vhihealthcare.net</Computer> <Security /> </System> - <EventData> <Data>10.119.6.0</Data> <Data>89</Data> <Data>6</Data> </EventData> </Event>       There is no mention of the event with Source=Microsoft-Windows-DHCP-Server. The Providername is the same however. I then press the Copy button which yeilds the following pasted data (to notepad):       Log Name: System Source: Microsoft-Windows-DHCP-Server Date: 21/11/2022 21:13:18 Event ID: 1376 Task Category: None Level: Warning Keywords: Classic User: N/A Computer: vmsys609.vhihealthcare.net Description: IP address range of scope 10.119.6.0 is 89 percent full with only 6 IP addresses available. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" /> <EventID Qualifiers="0">1376</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2022-11-21T21:13:18.000000000Z" /> <EventRecordID>93904</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>System</Channel> <Computer>vmsys609.vhihealthcare.net</Computer> <Security /> </System> <EventData> <Data>10.119.6.0</Data> <Data>89</Data> <Data>6</Data> </EventData> </Event>       So now we have our SourceName=Source mapping. Summary So this leads me to belive that the sttaement from this guide regarding the SourceName being equivelent to the Source as seen in Windows event viewer requires some clarifcaiton namely that it is as viewed from the output of the copy of the xml view of the event not the default output.   ... View more
Labels

Re: Why is Windows Event Log Whitelist not working...

by in Getting Data In
‎11-21-2022 09:21 AM
‎11-21-2022 09:21 AM
The plot thickens! So the sourcename was actually Microsoft-Windows-DHCP-Server. This is as per the copy/paste to notepad of the XML view in Widows event veiwer and shown above as Log Name: System Source: Microsoft-Windows-DHCP-Server Date: 14/11/2022 23:11:37 Event ID: 1376 Task Category: None Level: Warning Keywords: Classic User: N/A Computer: dhcp-srv-a.mydomain.com Description: IP address range of scope 10.119.6.0 is 89 percent full with only 6 IP addresses available. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" /> <EventID Qualifiers="0">1376</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2022-11-14T23:11:37.000000000Z" /> <EventRecordID>87097</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>System</Channel> <Computer>dhcp-srv-a.mydomain.com</Computer> <Security /> </System> <EventData> <Data>10.119.6.0</Data> <Data>89</Data> <Data>6</Data> </EventData> </Event>   I updated my input stanza as follows and now working :   [WinEventLog://System] start_from = oldest disabled = 0 current_only = 0 whitelist1 = SourceName="Microsoft-Windows-DHCP-Server"   I basically pushed all events from the System event log to my testSplunk instance and saw what SourceName it pulled out of the classic event. That said, I am now still getting ALL events frm the System log! My entire inputs.conf file is as follows [default] index = windowsdhcp _TCP_ROUTING = ssl-production [WinEventLog://System] start_from = oldest disabled = 0 current_only = 0 whitelist = SourceName="Microsoft-Windows-DHCP-Server" [WinEventLog://DHCPAdminEvents] start_from = oldest disabled = 0 [WinEventLog://Microsoft-Windows-Dhcp-Server/Operational] start_from = oldest disabled = 0 [monitor://$WINDIR\System32\DHCP] disabled = 0 whitelist = DhcpSrvLog* crcSalt = <SOURCE> sourcetype = DhcpSrvLog   So I then change my inputs to this to see if I can stop any system events coming whatsoever! [default] index = windowsdhcp _TCP_ROUTING = ssl-production [monitor://$WINDIR\System32\DHCP] disabled = 0 whitelist = DhcpSrvLog* crcSalt = <SOURCE> sourcetype = DhcpSrvLog But they keep on coming even though the change is present and btool output does not show any entries for WinEventLog://System I had to restart the universal forwarder so it to stop picking up all System event log events.  On anoher DHCP server I am back to square one with the original monitoring stanza not working with the whitelisting  I'm really stumped as to what is going on here! It#s almost like current_only has no effect 😞   ... View more

Why is Windows Event Log Whitelist not working?

by in Getting Data In
‎11-14-2022 03:49 PM
‎11-14-2022 03:49 PM
Running a Windows 2012 R2 DHCP Server with UF 9.0.1 and Splunk Enterprise 8.0.5. My inputs at the UF look like this:   [default] index = windowsdhcp _TCP_ROUTING = prod [WinEventLog://System] start_from = oldest disabled = 0 current_only = 0 whitelist1 = SourceName="DhcpServer" whitelist2 = SourceName="Dhcp-Server" [WinEventLog://DHCPAdminEvents] start_from = oldest disabled = 0   My issue is that the whitelisted events in the 1st stanza are not getting processed to the indexer. If I review the XML of the events in the Windows Event Viewer: These events are collected and indexed:   - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> - <System> <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" /> <EventID>20251</EventID> <Version>0</Version> <Level>4</Level> <Task>121</Task> <Opcode>106</Opcode> <Keywords>0x2000000000000000</Keywords> <TimeCreated SystemTime="2022-10-29T12:25:40.655052000Z" /> <EventRecordID>161</EventRecordID> <Correlation /> <Execution ProcessID="3884" ThreadID="4472" /> <Channel>DhcpAdminEvents</Channel> <Computer>dhcp-srv-a.mydomain.com</Computer> <Security UserID="S-1-5-20" /> </System> - <EventData> <Data Name="Server">dhcp-srv-b.mydomain.com</Data> <Data Name="RelationName">dhcp-srv-b.mydomain.com-dhcp-srv-a.mydomain.com</Data> <Data Name="OldState">COMMUNICATION_INT</Data> <Data Name="NewState">NORMAL</Data> </EventData> </Event>   These events do not get captured (Note: event is in classic format):   Log Name: System Source: Microsoft-Windows-DHCP-Server Date: 14/11/2022 23:11:37 Event ID: 1376 Task Category: None Level: Warning Keywords: Classic User: N/A Computer: dhcp-srv-a.mydomain.com Description: IP address range of scope 10.119.6.0 is 89 percent full with only 6 IP addresses available. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-DHCP-Server" Guid="{6D64F02C-A125-4DAC-9A01-F0555B41CA84}" EventSourceName="DhcpServer" /> <EventID Qualifiers="0">1376</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2022-11-14T23:11:37.000000000Z" /> <EventRecordID>87097</EventRecordID> <Correlation /> <Execution ProcessID="0" ThreadID="0" /> <Channel>System</Channel> <Computer>dhcp-srv-a.mydomain.com</Computer> <Security /> </System> <EventData> <Data>10.119.6.0</Data> <Data>89</Data> <Data>6</Data> </EventData> </Event>     I can't see why it is not collecting the second event via the 1st stanza? ... View more

Re: Scripted Input permissions and execution troub...

by in Splunk Enterprise
‎09-27-2022 05:06 AM
‎09-27-2022 05:06 AM
What mechanism does this though? Linux would not create a a file with X set. The UF though might though add that permissions afterwards I'd imagine.  ... View more

Re: Permission Issues when dealing with Splunk_TA_...

by in Security
‎09-27-2022 05:04 AM
‎09-27-2022 05:04 AM
In my experience if DS is restarted the app might not need any permissions changed it it has not changed but otherwise it will.  ... View more

Re: Permission Issues when dealing with Splunk_TA_...

by in Security
‎09-27-2022 05:03 AM
‎09-27-2022 05:03 AM
Same issue here. Bottom line is Linux will not create a file with the execute bit set for obvious security reasons. That said, I would have expected the forwarder to have some mechanism to do this for apps coming from deployment server. We have the same issue and are simply running  cron job to set the permission. I really don't like this though as it's not centrally controlled and we don't have chef/puppet or ansible.  ... View more

Re: Splunk Addon for Unix - Why is Permission Deni...

by in Splunk Enterprise
‎08-26-2022 03:56 AM
‎08-26-2022 03:56 AM
Anyone? ... View more

Splunk Addon for Unix - Why is Permission Denied o...

by in Splunk Enterprise
‎07-15-2022 04:39 AM
‎07-15-2022 04:39 AM
I'm running Splunk Enterprise 8.2.5 with deployment server on Windows 2019. I'm deploying the Splunk-Addon for Unix app to my Linux estate. The app runs various .sh shell scripts to capture data and ship back to the indexers. The problem is that these shell script have no execute permission when deployed. I have to run a script at the forwarder to add the execute bit for the Splunk user so that the UF can run them. This is fine as a once off but if we updated the deployment app it occurs again. Is there any way to handle this with Splunk itself?  ... View more

How to resolve Splunk Enterprise Poor Performance ...

by in Splunk Enterprise
‎07-14-2022 01:56 AM
‎07-14-2022 01:56 AM
I'm running: Splunk Enterprise 8.2.5 on Windows 2019. 2 indexers in a cluster and a single search head and separate cluster master/license master/deployment server all on windows 2019.  and have installed IT Essentials work version 4.31.1 and created the clustered indexes and enabled the apps I wish to use.  After a few mins the web interface on my single search head grinds to a halt and everything starts running very slowly. Compute on the search head and indexers seems fine and I have 32 cores and 64 GB RAM on each. If I disable all the apps that come with the IT Essentials work package performance returns to normal.  Any ideas on where to look to troubleshoot this?  ... View more
Labels

Re: Sourcetype confusion over IIS logs

by in Getting Data In
‎06-23-2022 03:17 PM
‎06-23-2022 03:17 PM
I have essentially asked the same thing over here. Did you ever get an answer?  ... View more

Re: IIS10 and Log Field Extraction - What to use

by in Deployment Architecture
‎06-23-2022 03:17 PM
‎06-23-2022 03:17 PM
Setting sourcetype=iis seems to work and fields now being extracted correctly! Is this a built-in sourcetype? How does it compare to the sourcetypes in the Splunk Add-On for Microsoft IIS ? ... View more

IIS10 and Log Field Extraction - What to use

by in Deployment Architecture
‎06-23-2022 03:03 PM
‎06-23-2022 03:03 PM
I have some MS IIS 10 instances and I'm ingesting the IIS logs in WSC format from them. I have installed the Splunk Addon For Microsoft IIS  on my search head and both indexers. I set the sourcetype for my inputs to ms:iis:auto. The logs are being ingested but the fields are not being extracted at index time. So, I tried setting the sourcetype to ms:iis:default:85 some fields are extracted but with incorrect filed name. This seems to be due to the fact that the default fields are those for IIS 8.5 and in 10 some are not there by default (s-sitename for example). It seems I would have to tell it what fields I'm using as per Configure field transformations in the Splunk Add-on for Microsoft IIS - Splunk Documentation for the search time extractions to work but not all my IIS servers have the same logging setup. Furthermore, I'd like index time field extraction but that does not seem to work.  This TA is quite old (2020 last update) so I'm wondering is there a better/easier way to do this for IIS 10 ? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
a week ago
Karma from
Karma given to