Typo correction: Hello Giuseppe, Noticed it's been over 8 years since you posted your question, but came across this post while searching on how to make a text box empty by default......same as you were looking to do. Was working on a dashboard today, and thought what character is not ever in event data, and is not a character used by SPL for any reason.  The answer was the:  ~ This worked for me, like a charm, in a dashboard text box:    <initialValue>~</initialValue> <default>~</default> Best regards,      Dennis ... View more

Hi everyone. Previous replies to this topic will work but a threat actor can exploit spaces, carriage returns, and Splunk comments to bypass your search query looking for delete commands. Please use this query if you want to account for that: index=_audit action=search | regex search="\\|(\\s|\\n|\\r|(```[\\s\\S]*```))*delete"   ... View more

EDIT (just realized someone answered this too) So consider this my thumbs up to that. Though the embedded example others provided works. It should be used sparingly. The TL/DR use a look AS a lookup. That scales even at large lookup sizes. | mysearch | lookup mylookup host OUTPUTNEW host as to_filterr | where isnull(to_filter) gives you results where it is not in the table. this has added option of using the lookup match types such as wildcard, CIDR etc etc. Calling a csv file directly in a subsearch does not. It is best to use the repeatable pattern. ... View more

Some app doesn't have that support, for example: ERROR ApplicationUpdater - Error reloading Splunk_TA_stream: handler for server (http_post /replication/configuration/whitelist-reload): Configuration from app=Splunk_TA_stream does not support reload: server.conf/[diag]/EXCLUDE-key   ... View more

Old thread here, but I'm having trouble getting the tag to show up in  console searches after restarting the host forwarder service. Running 8.2.5 server and 9.0.0.1 forwarder agent. /splunkforwarder/etc/system/local/tags.conf content: [host=server01] myapp = enabled ... View more

FYI, Release 6.1.0 of the AWS Add-on that was released on 11th July 2022 resolves this issue: Release notes for the Splunk Add-on for AWS - Splunk Documentation New features Version 6.1.0 of the Splunk Add-on for AWS version contains the following new and changed features: Support for the parsing of CSV files from AWS S3 (Generic S3 and SQS-based S3 ingestion methods) https://docs.splunk.com/Documentation/AddOns/released/AWS/Releasenotes#New_features ... View more

 @muebel - The only thing that I can remember is user and role specific memory limits.   ... View more

TLS certs issued to IP addresses "Sharing" certs among multiple clients (multiple servers too but I can find legitimate use cases for it). All scheduled searches with the same schedule. No sound method of source health monitoring (that's more of an organizational/policy issue than config but some internal splunk-based automation would surely be helpful here). Searches with tons of rex commands (create the extractions already!). Abuse of append in searches (usualy by users "extending" old searches in dashboards without really understanding SPL). Searches with eval _time=something. Often that's a badly onboarded source (but can be legit use case so it's up for review, not necessarily automatic red flag). Using obsolete tls version and/or weak cipher suites. Using default certs when tls is enabled. ... View more

with some help from @mmccul in slack I was able to figure this out. btool is expecting a specific directory structure, and is looking for the spec files to be found in `system/README` from what is specified as the `--dir` target. It also only looks in directories named like the normal config directories ( apps, master-apps etc) ... View more

@woodcock sorry to resurrect this topic  - but can you give some suggestions on how to run near real-time alerts without alerting on the same events if the window overlaps? ... View more

There are many different approaches possible. The most "process-oriented" would of course be that there is a change proposal which is submitted somewhere (probably a git branch), it's getting tested on pre-prod environment, verified, accepted, merged into main branch and from there pushed to the components using some form of orchestration tool (ansible? puppet? set of own hand-made tools?). But there are some other approaches that can be useful in some circumstances. As I often pointed out - central distribution of apps has its drawbacks - among them is the possibility of running any executable with the effective rights of the user running the splunk component (which in case of windows forwarders is often Local System!) with no obvious audit means. So I have some environments from which I simply copy the configs every now and then and push them to a repository for history. There is no one-size-fits-all approach because the environments differ and requirements differ as well. But any practical approach should IMO involve a robust and easily accessible history of configs. And give you the ability to roll back to a particular point in the past. ... View more

Concerning the subtleties of _index_time in search, making sure you find the events you need, great conf talk on this  https://conf.splunk.com/watch/conf-online.html?search=PLA1327B&search.event=conf21 slides directly https://conf.splunk.com/files/2021/slides/PLA1327B.pdf >With minimal up-front effort it is possible to guarantee that your alerts and other scheduled searches run, are always successful, and do not miss data. Common challenges are skipped searches, latent data, Splunk down time, failures, and dependencies on other searches. Approaches such as an expanded sliding window consume additional resources and will inevitably fail. We will demonstrate a Splunk macro that tracks search execution times in a KVstore and dynamically controls the search timeframe, thus decoupling it from execution time. This additionally provides a capability to quickly and easily re-run a search over any timeframe in a controllable manner. We will further demonstrate the use of Apache Airflow for more complex use cases. ... View more

Not exactly. I close this question. I agree that the question is kind of ambiguous. I have to deeply learn how Splunk querying works to find my way around this.   Thanks Update: Not sure how I can close the question without deleting it.  ... View more

Good daytime, I wanted to ask you have you found the proper way to implement snmp logs receiving? I am having issues with this right now, so I wonder how you implemented this if u did ... View more

Another bump from 6 years later. still facing similar issue and what a answer to this question ... View more

Even this is now 1year old 😉 But it's still possible to use these checksums as per https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Dataintegritycontrol  Just use ./splunk check-integrity -index [ index name ] [ -verbose ] to check your indexed data and you will get "Integrity check succeeded on bucket..." or "Integrity check error for bucket..." (or maybe some other, similar output) for your buckets. ... View more

Oustanding solution. We ended up using it for deleting buckets that were causing issues in our cluster. ... View more

I've been trying to figure out a nice way to do this, and this is what what i have come up with:  https://gist.github.com/6d61726b760a/e6fef9c2e5d47c43a1ba2ae5bd659638 its a little python script runs a search on your deployment server which generates a list of guids, and then submits a delete request for each guid returned.  My search is simply looking for clients that haven't reported in more than 24h but you could come up with whatever query you like. ... View more

if the splunk instance is 6.7+, there isn't a need for the channel parameter in the POST ... View more

Perfect. Thanks somesoni2. ... View more

Hi Sagar0511, at first you have to enable Forwarders receiving [Settings -- Forward and Receiving -- Receiving] Then you have to configure on your Forwarder the indexer to send logs: you can do this directly on Forwarder (only for test) running a command on the Forwarder by CLI cd \Program Files\splunkuniversalforwarder\bin splunk add forward-server <host name or ip address>:<listening port> Or deploying a Technical Add-On (TA) that contains outputs.conf file using Deployment Server. Then you have to say to the Forwarder which logs you want to send to indexer. To do this you can download a TA from SplunkBase (Splunk_TA_Windows) and then deploy it using Deployment Server. Or, for a test, you can copy it (after two untar) on Forwarder $SPLUNK_HOME\etc\apps folder You can also follow the process described at http://docs.splunk.com/Documentation/Splunk/7.1.0/Data/Getstartedwithgettingdatain Bye. Giuseppe ... View more

I wish I had the monitoring console access. Unfortunately I don't have full access but trying to help others that do. I did search for Blocked or indexscopedsearch and didn't come back with anything really useful. I have found a huge difference in the numbers between Metrics and TSTAT as far as EPS and Total event are concerned for the forwarder each hour or day. Thanks again for trying to help. I will I had admin access, but I don't. 😞 ... View more

Hi sathish2k8, Yup, perfectly possible to create a form input for a dashboard and pass the values to a search. There is more info here: http://docs.splunk.com/Documentation/Splunk/7.1.0/Viz/tokens You'll likely have to adjust the format of the result time token through additional eval commands as demonstrated here: https://answers.splunk.com/answers/438999/dashboard-how-can-i-convert-a-token-from-a-time-pi.html Once the token is in the correct format needed for the dbquery, then you'll run that final search Please let me know if this helps! ... View more

Hi riqbal, I think part of the issue might be related to some additional config you aren't aware of. Try running btool to get an view of all the inputs config. A usage example is: /opt/splunk/bin/splunk btool --debug inputs list This will give you a rolled up view of all inputs config. Additionally, you can look at inputs config from Splunk with this app I made for this purpose : https://splunkbase.splunk.com/app/3923/ Although it seems less likely, there could also be some props.conf config causing issues (rewriting the index config), but I think doing a thorough examination of the inputs config at each step will be the most helpful thing to do. Please let me know if this helps! ... View more