Hello everyone! I create the role for splunk users, which will be able to edit alerts. What capabilities should I choose for such users? To be minimal and sufficient ... View more

Hello everyone!  Do anybody know, is it possible to aggregate (bind) auditd events (I mean logs from audit/audit.log) in one by Record ID (Event ID)? I want to make in on parsing study, and to get in my index already aggregated events in one. ... View more

Hello, everyone! I have search, which ends in such way ... | table id, name | outputlookup my_lookup.csv so my search get such results id name 1 John 2 Mark 3 James Now, I want to record only NEW id's from search  to lookup, which weren't there Is it possible to make without reworking search? ... View more

Hello, Team! I see delays in the receipt of events in the indexes. Events are collected by SplunkForwarder agents. In the case of a complete absence of events, restarting agents helps, but if there is a delay in the arrival of events, restarting agents does not help. Events goes to HFs, then to indexers. On splunk universal forwarders such errors in splunkd.log WARN TailReader [282099 tailreader0] - Could not send data to output queue (parsingQueue), retrying... in metrics.log +0300 INFO HealthChangeReporter - feature="Large and Archive File Reader-0" indicator="data_out_rate" previous_color=green color=yellow due_to_threshold_value=1 measured_value=1 reason="The monitor input cannot produce data because splunkd's processing queues are full. This will be caused by inadequate indexing or forwarding rate, or a sudden burst of incoming data."   where is problem? on splunk universal forwarder or on heavy forwarder? what to look? ... View more

Hello, Team! I see delays in the receipt of events in the indexes. Events are collected by SplunkForwarder agents. In the case of a complete absence of events, restarting agents helps, but if there is a delay in the arrival of events, restarting agents does not help. What can help?  ... View more

Hello everyone! I'm trying to make props file which will trim all not cyrillic symbols from field "account" My log example is  18:10:24 Object="some object" Source="some source1323" Account="Аккаунтvfweцw" i want to delete vfwew from field Account, but note that symbols can go in any order and with cyrillic symbols too, i need to catch them all and delete, only from one field SEDCMD-notcyr - Account="....   ... View more

Hello everyone In the result of my search I got such results (last command was stats values(list) as list, values(standard) as standard by host  fields list and standard are multivalues host list standard   5 1   1 2   2 3   3 4   I need to compare fields "list" and "standard" make field "result" where will be: lacking records, redundant records and passing records Lacking is record that present in standard but not in list, redundant is present in list but not in standard, and passing is which is in list and standard is equal. so for this example must be: result Passing: 1 2 3 Lacking: 4 Redundant: 5 ... View more

Hello everyone,  I have events which contains such fields user1=..., user2=...., user3... etc And I have lookup which have column "user" where located all users.     ... View more

Hello everyone, is it possible to collect logs from telegram chat to Splunk?  exist any ready solutions? ... View more

Hello everyone, I have next one task: I want to collect (with collect command) information which I got after stats. Problem is that there is empty _raw field, and I don't want to add _raw in stats (because of heavy search) So, now I have such search:   .... | stats ... ... | table ... | collect index=test   I need the _raw field before collect to apply to it rex sed command.  I know that collect creates raw field even if it doesn't exist. If there are any other ways to create it? Thank you. ... View more

Hello everyone,  I have logs like      2022-11-23 12:47:42.000 id="123" event="some text text2 text3 text4"     I want to trim everything that goes after three consecutive spaces, so I want to get raw logs     2022-11-23 12:47:42.000 id="123" event="some text text2 text3"       I did such props.conf [my_sourcetype] ... EXTRACT-event = event="(?<event>.+?)\s{3,}.*" ...   It's working fine, I get event field what I want, but I still get old logs with 3+ spaces. What should I add to props conf to get correct logs? ... View more