About m_pham

m_pham · ‎08-01-2023

Try going into your monitoring console app > Settings > General Setup - then click on Apply Changes to see if that fixes your issue. Double check this page again to be safe: https://docs.splunk.com/Documentation/Splunk/9.1.0/DMC/Configureindistributedmode

m_pham · ‎08-01-2023

Hey - we've ran into some weird issues with the new Lookup Editor app before and it isn't the same issue you're having, but can you try to clear out your browser cache and history to see if it fixes your issue?

m_pham · ‎07-21-2023

The developer added the configuration below in "default/app.conf" that prevents you from accessing the add-on's web UI. This may be by mistake by the developer. You can fix this by adding your own "local/app.conf" within the addon's directory with the config below and set "is_visible = 1" for the add-on to be navigable. [ui] is_visible = 0 label = mqinput is_visible = <boolean> * Indicates if this app is visible/navigable as an app in Splunk Web. * Apps require at least one view to be available in Splunk Web.

m_pham · ‎07-21-2023

What does the add-on logs tell you? Any errors? "All errors should be logged to ta_confluence_audit_log_ingester.log, found in the internal index." https://splunkbase.splunk.com/app/6445

m_pham · ‎07-21-2023

Hi there, if the add-on you're using is just ingesting a the CSV file itself, then you can use the following configuration below to tell Splunk about the header fields so it doesn't ingest them. [my_sourcetype] # Specifies the line number of the line within the file that contains the header fields. If set to 0, Splunk attempts to locate the header fields within the file automatically. HEADER_FIELD_LINE_NUMBER = 0 # Specifies which character delimits or separates field names in the header line. You can specify special characters in this attribute. If HEADER_FIELD_DELIMITER is not specified, FIELD_DELIMITER applies to the header line. HEADER_FIELD_DELIMITER = , More details on ingesting structured data can be found here: https://docs.splunk.com/Documentation/SplunkCloud/9.0.2305/Data/Extractfieldsfromfileswithstructureddata

m_pham · ‎07-21-2023

I'd check with the developer of the add-on if it can run with Python3 since you're running Splunk v9.

m_pham · ‎07-21-2023

I doubt that error is causing your data ingest issue, since "enable_allowlist" appears to be an invalid option for the alert_actions.conf file that came with the Splunk UF software. You can safely ignore that error. It's also a known issue on Splunk UF v9.0.4: https://community.splunk.com/t5/Splunk-Enterprise/Invalid-Key-in-alert-actions-conf-after-upgrade-to-Splunk-9-0-0/m-p/602259

m_pham · ‎07-21-2023

I think the add-on you are looking for is below? It doesn't look like it's Splunk Cloud approved, so you'll have to install it on an on-prem HF and send the data to Splunk Cloud that way. Bitwarden Event Logs - Linux x64 https://splunkbase.splunk.com/app/6592

m_pham · ‎07-21-2023

If you have an on-prem monitoring console host, then you'd be able to query the apps on your HF's like you did with the rest command. I'm not aware of a method of doing that on Splunk Cloud since it can't peer to on-prem environments. I'll let others add their input if they know of anything.

m_pham · ‎07-21-2023

I don't have experience with this TA but it may be a permissions issue, so I'd recommend taking a look at that on that: https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configurepermissions

m_pham · ‎07-19-2023

Are you having issues with getting the data in? Can you dig into index=_internal to find errors in the TA logs?

m_pham · ‎05-09-2023

Adding to @VatsalJagani 's suggestion, try this: [auditrdata] SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+)\w+\s\d{1,2},\s\d{4} NO_BINARY_CHECK=true TIME_PREFIX=^ TIME_FORMAT=%b %d, %Y %I:%M:%S %p MAX_TIMESTAMP_LOOKAHEAD=30 TRUNCATE=5000

m_pham · ‎02-28-2023

There isn't a great way to do this due to Splunk not tracking these types of changes. There is a Splunk idea that Splunk is working on that resolves some of the shortcomings of the current audit log. https://ideas.splunk.com/ideas/E-I-49

m_pham · ‎12-20-2022

Just adding to richgalloway's comment: - What is generating that log? You can most likely look up documentation of the field names of all the values in the log. Or you can ask the person managing the tech generating the log for more information. - You will have to create a props and transforms conf files to extract the field pair values on the search head - it looks like the field values are delimited by the "#" sign. The link below can be used as a starting point: https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/ExtractfieldsinteractivelywithIFX#Access_the_field_extractor

m_pham · ‎12-20-2022

Can you expand on what you mean by not seeing all the information in the JSON data? I assume you don't want to click on the "+" in the JSON syntax highlighted event data to expand the list? Even then, you should have most of the field values you need on the field list on the left hand side. Just a warning, if you use INDEXED_EXTRACTIONS=JSON (props.conf) on the data ingest side, you need to use KV_MODE=none (props.conf) for your sourcetype on your search head to prevent issues with duplicate field values.

m_pham · ‎09-03-2022

Take a look at doing that in props.conf: https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Makeyourlookupautomatic#Create_an_automatic_lookup_stanza_in_props.conf

m_pham · ‎08-26-2022

Splunk Cloud uses the standard port 9997 for data ingest.

m_pham · ‎08-12-2022

Your Splunk Cloud (SC) stack has the UF package that you can download and install on any HF or UF to start sending data to SC. You'll need to get onto your SC search head (SH) and download the package: https://docs.splunk.com/Documentation/Forwarder/9.0.0/Forwarder/ConfigSCUFCredentials#Install_the_forwarder_credentials_on_individual_forwarders_in_.2Anix

m_pham · ‎08-12-2022

Splunk Enterprise server can forward data: https://docs.splunk.com/Documentation/Splunk/9.0.0/Forwarding/Aboutforwardingandreceivingdata#:~:text=You%20can%20forward%20data%20from,forwarding%20is%20called%20a%20forwarder.&text=A%20Splunk%20instance%20that%20receives,forwarders%20is%20called%20a%20receiver. Best practice is for your custom inputs is in a separate addon - example: /opt/splunk/etc/apps/my_custom_app/local/inputs.conf You should watch this to learn the basics of Splunk Administration: https://www.youtube.com/watch?v=O_w7rSWlHJs

m_pham · ‎08-11-2022

It sounds like what you want is the Splunk Add-on for Unix and Linux: https://splunkbase.splunk.com/app/833/ The technical add-on (TA) will need to be installed on the DS and configured with your custom inputs.conf for the TA.

Posts	71
Solutions	11
Karma Given	8
Karma Received	26
Member Since	‎11-12-2020

Online Status	Offline
Date Last Visited	4 weeks ago

Re: Splunk index pipeline

Re: Splunk Lookup Editor App

Re: Not able to lunch app "IBM Websphere MQ Modula...

Re: addon that pulls in Confluence Cloud audit log...

Re: Forcepoint Web Security add-on avoid csv head...

Re: TA_browscap add-on giving an error when perfor...

Re: Invalid key in stanza [webhook] alert_actions....

Re: How can I ingest BitWarden event logs to Splun...

Re: How to get Apps installed in HF using splunk

Re: Why is Splunk Add-on for Microsoft Security fo...

Re: Why is Splunk Add-on for Microsoft Security fo...

Re: How to fix issue with parsing events (log file...

Re: How to search to find disabled alert?

Re: How to make changes so that all logs should be...

Re: How to convert the data from JSON format to ra...

Re: want to create a global field for an indexed d...

Re: How to forward syslog from AWS instances to Sp...

Re: How to forward syslog from AWS instances to Sp...

Re: What are some options for Forwarding OS logs f...

Re: What are some options for Forwarding OS logs f...