×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- About danielbb
danielbb
Motivator
Member since:
07-24-2019
yesterday
Community Statistics
| Posts | 592 |
| Solutions | 3 |
| Karma Given | 371 |
| Karma Received | 30 |
| Member Since | 07-24-2019 |
Activity Feed
- Karma Re: How to upload a csv from a host that has a universal forwarder? for livehybrid. yesterday
- Posted How to upload a csv from a host that has a universal forwarder? on Getting Data In. yesterday
- Karma Re: How to avoid sending an empty report? for gcusello. Thursday
- Karma Re: Is there a way to dynamically control the severity of an alert? for gcusello. Thursday
- Karma Re: Is there a way to dynamically control the severity of an alert? for livehybrid. Thursday
- Karma Re: Is there a way to dynamically control the severity of an alert? for PickleRick. Thursday
- Karma Re: How to avoid sending an empty report? for livehybrid. Tuesday
- Posted Is there a way to dynamically control the severity of an alert? on Monitoring Splunk. Tuesday
- Posted How to avoid sending an empty report? on Monitoring Splunk. Tuesday
- Posted Re: How to run a scripted input on only one of several heavy forwarders? on Getting Data In. a week ago
- Karma Re: How to run a scripted input on only one of several heavy forwarders? for PickleRick. a week ago
- Karma Re: How to run a scripted input on only one of several heavy forwarders? for livehybrid. a week ago
- Karma Re: How to run a scripted input on only one of several heavy forwarders? for gcusello. a week ago
- Posted How to run a scripted input on only one of several heavy forwarders? on Getting Data In. a week ago
- Karma Re: Why is linecount 2 when it's clearly 1? for isoutamo. a week ago
- Karma Re: Why is linecount 2 when it's clearly 1? for livehybrid. a week ago
- Posted Re: Why is linecount 2 when it's clearly 1? on Getting Data In. 2 weeks ago
- Posted Re: Why is linecount 2 when it's clearly 1? on Getting Data In. 2 weeks ago
- Karma Re: Why is linecount 2 when it's clearly 1? for isoutamo. 2 weeks ago
- Posted Re: Why is linecount 2 when it's clearly 1? on Getting Data In. 2 weeks ago
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
yesterday
We have a universal forwarder and the customer has a csv file on this machine that he would like to ingest. The customer would like to ingest it as a lookup so I wonder whether we should ingest the csv via the UF or potentially, send it via the REST api to be uploaded as a lookup. Does the latter option make sense?
... View more
- Tags:
- csv to upload
Labels
- Labels:
-
CSV
-
data
-
universal forwarder
Tuesday
We would like to dynamically populate the severity field, is it possible?
... View more
- Tags:
- alert
Labels
- Labels:
-
other
Tuesday
Is there a way to avoid sending an empty report? I'm thinking about converting the report to an alert but the customer would like to keep it as a report.
... View more
- Tags:
- report
Labels
- Labels:
-
other
a week ago
Thank you @gcusello, this makes perfect sense, I'll go ahead and create a distinct app that would be deployed only on one of the HFs, much appreciated.
... View more
a week ago
We have a Splunk app that includes multiple scripted inputs. The app is deployed to 15 heavy forwarders, but we want one of the scripts to run on only one of them. I first tried adding host = <hostname> inside the scripted‑input stanza, but I now realize that this isn't the solution. Is there a way to restrict a scripted input so it executes on only a single server, without having to split the app?
... View more
Labels
- Labels:
-
inputs.conf
2 weeks ago
I came across an identical thread at Re: How does Splunk calculate linecount? - Splunk Community
... View more
2 weeks ago
@isoutamo I'm running the following - index = <my_index> linecount=2
| table _raw and everything shows up as one line, I don't see any sign of \n, what do I miss? I also checked with an encoding tool and it doesn't show either the 13 ascii code or the 10 one within these lines. My biggest confusion is the fact that for this sourcetype I have - SHOULD_LINEMERGE=FALSE And therefore, how come, sometimes the events have multiple lines?
... View more
2 weeks ago
Thank you, @livehybrid, @richgalloway, I'll get screenshots but, a related question, how do I access the second line of _raw?
... View more
2 weeks ago
For multiple sourcetypes, linecount is 2, while clearly, it should be 1. Has anybody encountered this case?
... View more
- Tags:
- linecount
Labels
- Labels:
-
data
-
field extraction
-
other
-
props.conf
3 weeks ago
Thank you @PickleRick, it was a confusion about the app where the collection and the definition exist.
... View more
3 weeks ago
I wonder if I need to install the app on the distinct components in order to view the btool results across the implementation, I assume I have to install it on each components and I just want to verify.
... View more
Labels
- Labels:
-
installation
3 weeks ago
I created a KV Store lookup using the "Splunk App for Lookup File Editing" app, however when I look at Settings>Lookups, the lookup definition doesn't show up. In addition, when running | inputlookup <name> I get the error "The lookup table '<name>' requires a .csv or KV store lookup definition" What do I miss?
... View more
Labels
- Labels:
-
CSV
03-18-2025
09:52 AM
Great @livehybrid, "If you are using config files to create your HEC tokens", what are my options on-prem to configure the HEC token?
... View more
03-18-2025
09:50 AM
Very interesting @livehybrid, how do I check whether indexer acknowledgment is in place?
... View more
03-18-2025
09:17 AM
We are transitioning from getting the HEC data through HFs to getting it directly to the indexers and we are wondering if upon introducing a new data source are we forced to do an indexer rolling restart.
... View more
Labels
- Labels:
-
indexer
03-18-2025
08:31 AM
We are in a transition from sending the data through HFs to sending the data directly to the indexers and we wonder how to configure the load balancer to handle this HTTP data. My understanding is that HTTP is based on TCP and TCP is connection based and therefore we can lock the sender to a particular indexer which would lead to an uneven distribution of the load, any suggestions?
... View more
Labels
- Labels:
-
configuration
03-18-2025
08:20 AM
For our indexers, we see the following under 'Storage I/O Saturation (Mount Point)' - 0.90% (/opt/splunk) 6.56% (/indexing/splunk_cold) We have 14 indexers with roughly the same saturation levels and I wonder if it's healthy. We would like to direct the HEC data straight to the indexers (instead of going through the HFs) and therefore I wonder if at the I/O level we are ready.
... View more
- Tags:
- saturation
Labels
- Labels:
-
using Splunk Enterprise
02-26-2025
08:15 AM
We were told the following - Confluent Vendor has provided the Telemetry URL to configure in the Splunk's Open Telemetry collector to push the metrics from Confluent to Splunk. Is this the right Integration between Confluent and Splunk, meaning via the Open Telemetry Collector (OTEL)?
... View more
Labels
- Labels:
-
HTTP Event Collector
02-25-2025
10:07 AM
I was told that there is an app that can run the btool command on cloud instances. Does anybody know the name of this app?
... View more
- Tags:
- app
Labels
- Labels:
-
Splunk Investigate
-
using Splunk Cloud
02-17-2025
08:42 AM
Thank you @isoutamo, when trying to put the HF as a search peer in the SH and it gives this error - Encountered the following error while trying to save: Status 401 while sending public key to search peer https://<ip>:8089: Unauthorized
... View more
02-14-2025
09:33 AM
I'm running the following command - | rest /services/server/sysinfo And it shows the indexer and the search head but not the heavy forwarder. What can it be?
... View more
- Tags:
- rest-call
02-10-2025
10:26 AM
Thank you @gcusello. Our Proofpoint account manager said the following - "There is an API but no mail flow API so Splunk wouldn't have anything on the Essentials side. Enterprise side - Remote Syslog gets them all sorts of mail flow details! Having said that, the only way to get an integration with Splunk would be to upgrade from Essentials to our Enterprise email." Is there a way to get the Proofpoint data without an upgrade?
... View more
02-05-2025
09:16 AM
I see multiple Tenable Apps and TAs in Splunkbase, which one should I use to get Tenable data in?
... View more
- Tags:
- Tenable Integration
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
Karma from
Karma given to
