cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cornemrc
Explorer
Member since: ‎06-18-2020
‎01-30-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 3
Karma Received 5
Member Since ‎06-18-2020
Activity Feed
View All

Re: Microsoft Azure Event Hub Pulls - Wrong Offset...

by in All Apps and Add-ons
‎01-30-2023 06:49 AM
2 Karma
‎01-30-2023 06:49 AM
2 Karma
I have just found a solution for the eventhub offset issue within the MSCS app.  Just deactivate the modular input, then go to  Splunk\var\lib\splunk\modinputs\mscs_azure_event_hub and delete the according file [eventhubnamespace]-[eventhub]-$Default.v1.ckpt  and reactivate the input. Splunk will recreate the file with a corrected timestamp and will reload the missing events from the eventhub. ... View more

Re: Microsoft Azure Add-on for Splunk, AAD users i...

by in All Apps and Add-ons
‎01-19-2022 04:46 AM
1 Karma
‎01-19-2022 04:46 AM
1 Karma
Hello, we were able to solved it by adding this to the local/props.conf on the heavy Forwarder where the azure app is running. [azure:aad:user] DATETIME_CONFIG = CURRENT The issue was not 100% narrowed down, but we could see some errors in the log channel "DataParserVerbose" with this SPL index=_internal host=<Hostname of the Heavy Forwarder> component=DateParserVerbose azure:aad:user  e.g. messages about failed timpstamp extraction 01-19-2022 11:54:40.885 +0100 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (128) characters of event. Defaulting to timestamp of previous event (Fri Mar 9 20:01:24 2018). Context: source=tenant_id:xxxxxxxxxxxxx|host=xxxxxxxxxxxxx|azure:aad:user|\r\n 01-19-2022 11:51:58.536 +0100 WARN DateParserVerbose - A possible timestamp match (Tue Jan 29 11:07:03 2002) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source=tenant_id:xxxxxxxxxxxxx|host=xxxxxxxxxxxxx.schaeffler.com|azure:aad:user|\r\n 1 similar messages suppressed. First occurred at: Wed Jan 19 11:46:56 2022 We think Splunk did try to parse the timestamp somewhere out of the data, but there was actually not real timestamp in the data. So with the above mentioned solution, we force Splunk to use the actual timestamp all the time. This is what we want. Many Regards Michael ... View more

Re: JSON parsing after transforms

by in Getting Data In
‎05-17-2021 06:10 AM
1 Karma
‎05-17-2021 06:10 AM
1 Karma
Hello all, we' ve solved the problem: Props.conf - sourcetype buttercup:server was adjusted   [buttercup:server] TZ = UTC TIME_FORMAT = %Y-%m-%dT%H:%M:%S DATETIME_CONFIG = LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Custom description = buttercup Server Logs pulldown_type = true TRANSFORMS-afilter = setnull, setparsing-audit, setparsing-auth TRANSFORMS-changesourcetype = change-buttercup-server-audit, change-buttercup-server-auth TRANSFORMS-strip-front-json = strip-front-json   The last line was added and this replaced also the SEDCMD command in the buttercup:server:audit sourcetype. transforms.conf - added the following   [strip-front-json] REGEX = ((?<=buttercup_audit: )(.*)) FORMAT = $2 DEST_KEY = _raw   The main problem was, that after rewriting the sourcetype and filtering the events, the parsing does not have any effect anymore because it was already in the indexQueue. SEDCMD whould have also worked in the sourcetype buttercup:server we think. There is maybe a better/more efficient way of orderng the transforms, but it works for now. Many Regards Michael  ... View more

Re: Dropdown - how to keep duplicate values

by in Dashboards & Visualizations
‎06-18-2020 12:10 PM
2 Karma
‎06-18-2020 12:10 PM
2 Karma
@cornemrc try something like the following. SPL is used to create servername as delimited string after combining servername with locationname. Using <eval> to split the servername set the tokens servername and location name using $label$ on <change> of input value.   <input type="dropdown" token="serverlocation"> <label>Server/Location</label> <fieldForLabel>locationname</fieldForLabel> <fieldForValue>servername</fieldForValue> <selectFirstChoice>true</selectFirstChoice> <search> <query>| inputlookup serverlocations.csv | fields servername locationname | eval servername=servername."|".locationname</query> </search> <change> <eval token="servername">mvindex(split($value$,"|"),0)</eval> <set token="locationname">$label$</set> </change> </input>   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-30-2023 06:54 AM
Karma from
Karma given to
View All