cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
uagrawal_splunk
Splunk Employee
Member since: ‎10-21-2019
‎06-05-2020
Community Statistics
Posts 29
Solutions 2
Karma Given 1
Karma Received 6
Member Since ‎10-21-2019
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Splunk Stream App - Ingest Pcap issue

by Splunk Employee in Splunk Enterprise Security
‎01-10-2020 04:38 AM
‎01-10-2020 04:38 AM
I came across one known issue of uploading the pcap files from UI: https://docs.splunk.com/Documentation/StreamApp/7.2.0/ReleaseNotes/Knownissues You can try the following command: ./streamfwd -r pcap_file_path ... View more

Re: Splunk Stream App - Ingest Pcap issue

by Splunk Employee in Splunk Enterprise Security
‎01-09-2020 05:14 AM
‎01-09-2020 05:14 AM
You are trying to upload the .pcap file or .cap file? In which Splunk version and Stream version you are facing an issue ? ... View more

Re: Configuration page doesn't work for Splunk Add...

by Splunk Employee in All Apps and Add-ons
‎12-07-2019 02:14 AM
‎12-07-2019 02:14 AM
@vector_sec The Splunk Add-On for Office 365 consists of a Tenant and Input page where you can do your Configuration. So I think below link will work for you: For tenant configuration: https ://[splunk hostname:port]/en-US/app/splunk_ta_o365/tenant For Input Configuration: https ://[splunk hostname:port]/en-US/app/splunk_ta_o365/input For logging and proxy settings: https: //[splunk hostname:port]/en-US/app/splunk_ta_o365/settings ... View more

Re: Error: slave has more than 10 number of contin...

by Splunk Employee in Monitoring Splunk
‎12-06-2019 10:14 AM
‎12-06-2019 10:14 AM
Can you provide the splunkd logs ... View more

Re: How to uninstall a disabled app - 'splunk_app_...

by Splunk Employee in Deployment Architecture
‎12-06-2019 09:39 AM
‎12-06-2019 09:39 AM
Where are you not seeing the splunk_app_stream folder in search head or heavy forwarder? Is the Splunk_TA_stream folder is present at $SPLUNK_HOME/etc/apps/ ? ... View more

Re: How to confirm if Netflow or other data is bei...

by Splunk Employee in Knowledge Management
‎12-04-2019 11:35 PM
‎12-04-2019 11:35 PM
1) Navigate to Stream App -> Admin Dashboards -> Stream Forwarder Status dashboard. Check the status of the Stream forwarder. Also, check the Total events dashboard. From there you can identify whether stream app is indexing data or not. 2) In the Search bar, run this query sourcetype= stream:* . If search query returns no result, then Stream App is not indexing any data into Splunk. ... View more

Re: Unable to access Splunk Web receiving error me...

by Splunk Employee in Dashboards & Visualizations
‎11-22-2019 09:49 AM
‎11-22-2019 09:49 AM
From logs, it seems like the pooling stanza is missing in the default/server.conf file. Add the pooling stanza https://docs.splunk.com/Documentation/Splunk/8.0.0/Admin/Serverconf and the web UI will be accessible. ... View more

Re: Why is collect command not working?

by Splunk Employee in Knowledge Management
‎11-22-2019 09:11 AM
‎11-22-2019 09:11 AM
No problem. Glad to help. ... View more

Re: Field extraction receiving error message

by Splunk Employee in Splunk Search
‎11-22-2019 08:48 AM
‎11-22-2019 08:48 AM
In which Splunk Version you are getting this error? ... View more

Re: Field extraction receiving error message

by Splunk Employee in Splunk Search
‎11-22-2019 08:32 AM
‎11-22-2019 08:32 AM
The screenshots are not attached. ... View more

Re: Field extraction receiving error message

by Splunk Employee in Splunk Search
‎11-22-2019 08:18 AM
‎11-22-2019 08:18 AM
According to me, you have to mention field name in rex, which you can use further, like (?<Name>//) Please refer doc for more info: https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Rex ... View more

Re: Why is collect command not working?

by Splunk Employee in Knowledge Management
‎11-22-2019 08:02 AM
1 Karma
‎11-22-2019 08:02 AM
1 Karma
The collect command stated in the question is correct and it will indexed the data in new index: host="host_name" sourcetype="My_sourcetype" index="test" | collect index="new_index" host="host_name" sourcetype="My_sourcetype" ... View more

Re: Why is collect command not working?

by Splunk Employee in Knowledge Management
‎11-22-2019 08:01 AM
‎11-22-2019 08:01 AM
No problem, I am writing the collect command in answers for others. ... View more

Re: Why is collect command not working?

by Splunk Employee in Knowledge Management
‎11-22-2019 07:36 AM
‎11-22-2019 07:36 AM
Are you able to copy the data in the destination index? ... View more

Re: Splunk Add On For ServiceNow 5.0 | snow_incide...

by Splunk Employee in All Apps and Add-ons
‎11-20-2019 10:18 AM
‎11-20-2019 10:18 AM
I tried but unable to reproduce the issue. Maybe I am missing something. ... View more

Re: Why is collect command not working?

by Splunk Employee in Knowledge Management
‎11-20-2019 09:20 AM
‎11-20-2019 09:20 AM
I don't think there is a syntax error. Because this query works for me. I am seeing events on my new_index. I used below query: host="host_name" sourcetype="My_sourcetype" index="test" | collect index="new_index" host="host_name" sourcetype="My_sourcetype" ... View more

Re: Why is collect command not working?

by Splunk Employee in Knowledge Management
‎11-20-2019 09:08 AM
‎11-20-2019 09:08 AM
Are you getting any error message or anything? What happens after you hit the above command. ... View more

Re: Why is collect command not working?

by Splunk Employee in Knowledge Management
‎11-20-2019 08:43 AM
‎11-20-2019 08:43 AM
Have you created your destination_index in the indexer? I tried the same query of yours and it works for me, the events are copied to my new destination_index. If the destination_index is not available then you will get below message : Received event for unconfigured/disabled/deleted index='test' with source="source" host="my_host" sourcetype="my_sourcetype". So far received events from 1 missing index(es). ... View more

Re: Splunk Add On For ServiceNow 5.0 | snow_incide...

by Splunk Employee in All Apps and Add-ons
‎11-20-2019 08:20 AM
‎11-20-2019 08:20 AM
Have you upgraded your ServiceNow Add-on from 3.1.0 to 5.0.0? If yes, then you need to reconfigure your previously configured ServiceNow account. The link for the doc is: https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Releasenotes#Upgrade ... View more

Re: Splunk Forwarder support by Splunk

by Splunk Employee in Getting Data In
‎11-19-2019 11:21 AM
‎11-19-2019 11:21 AM
As I am not in customer support team, I cannot speak for them. I would suggest to directly contact support team. ... View more

Re: Splunk Forwarder support by Splunk

by Splunk Employee in Getting Data In
‎11-19-2019 10:19 AM
‎11-19-2019 10:19 AM
Please refer to this doc to see the compatibility of Splunk Universal Forwarder and Splunk Enterprise Indexers: https://docs.splunk.com/Documentation/Forwarder/8.0.0/Forwarder/Compatibilitybetweenforwardersandindexers ... View more

Re: Field Extraction

by Splunk Employee in Splunk Search
‎11-19-2019 10:10 AM
‎11-19-2019 10:10 AM
I tried the query in regex101 and it takes 650 steps to match the regex. And the same query with little modification takes the 78 steps to match the regex. Here is the query: error\s+message\s+(?<Message>.*(?=(\:\s+message\s+\:))) ... View more

Re: Field Extraction

by Splunk Employee in Splunk Search
‎11-19-2019 09:52 AM
‎11-19-2019 09:52 AM
Try the below query error message .*(?=(: message :)) ... View more

Re: Rest command for Index Size

by Splunk Employee in Splunk Search
‎11-14-2019 08:17 AM
‎11-14-2019 08:17 AM
The below command will work. curl -k -u admin:pass https://localhost:8089/services/data/indexes \ -d name=mymetricsindex \ -d datatype=metric \ -d maxTotalDataSizeMB=5120 For more attributes refer this: https://docs.splunk.com/Documentation/Splunk/8.0.0/Indexer/Configureindexstorage ... View more

Re: Invalid configuration specified: "NoneType-obj...

by Splunk Employee in All Apps and Add-ons
‎11-12-2019 08:45 AM
‎11-12-2019 08:45 AM
Right now, Stream App is not supported with Splunk Enterprise 8.0.0. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
Karma given to
View All