Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About AhmadKhattak20
AhmadKhattak20
Explorer
Member since:
01-31-2021
05-12-2022
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 01-31-2021 |
Activity Feed
- Posted Re: How to enable Splunk Web UI on RHL version 8? on Monitoring Splunk. 05-23-2021 11:06 PM
- Posted Re: How to set the time zone/alias for syslog data on Getting Data In. 05-19-2021 04:40 AM
- Posted Re: How to set the time zone/alias for syslog data on Getting Data In. 05-19-2021 02:19 AM
- Posted Re: How to set the time zone/alias for syslog data on Getting Data In. 05-18-2021 09:40 PM
- Tagged Re: How to set the time zone/alias for syslog data on Getting Data In. 05-18-2021 09:40 PM
- Posted Re: How to set the time zone/alias for syslog data on Getting Data In. 05-17-2021 11:56 PM
- Posted How to set the time zone/alias for syslog data on Getting Data In. 05-17-2021 04:44 AM
- Posted Re: [Multiple Servers with Same Hostname] Deployment Server Integration on Installation. 04-29-2021 08:55 PM
- Posted Re: [Multiple Servers with Same Hostname] Deployment Server Integration on Installation. 04-29-2021 08:40 PM
- Posted Re: [Multiple Servers with Same Hostname] Deployment Server Integration on Installation. 04-28-2021 10:26 PM
- Posted [Multiple Servers with Same Hostname] Deployment Server Integration on Installation. 04-27-2021 01:04 AM
- Tagged [Multiple Servers with Same Hostname] Deployment Server Integration on Installation. 04-27-2021 01:04 AM
- Tagged [Multiple Servers with Same Hostname] Deployment Server Integration on Installation. 04-27-2021 01:04 AM
- Tagged [Multiple Servers with Same Hostname] Deployment Server Integration on Installation. 04-27-2021 01:04 AM
- Karma Re: cisco estreamer data logs for edgarsilva01. 03-01-2021 01:45 AM
- Posted Re: cisco estreamer data logs on All Apps and Add-ons. 02-26-2021 01:12 AM
- Tagged Recorded Future App - Invalid Key in Stanza [Proxy] on All Apps and Add-ons. 02-25-2021 11:46 PM
- Tagged Recorded Future App - Invalid Key in Stanza [Proxy] on All Apps and Add-ons. 02-25-2021 11:46 PM
- Posted Recorded Future App - Invalid Key in Stanza [Proxy] on All Apps and Add-ons. 02-25-2021 11:01 PM
- Posted Re: How to count specific data separated by pipe character ? on Splunk Search. 02-21-2021 05:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
05-23-2021
11:06 PM
Hi @SamHTexas , Can you clarify your question? Are you unable to access Splunk Web UI after installing Splunk Enterprise? Have you looked at the below, https://docs.splunk.com/Documentation/Splunk/8.2.0/Admin/LaunchSplunkWeb Specifically if you are trying to access via remote browser look at the last paragraph in the above link.
... View more
05-19-2021
04:40 AM
Thank you, I pushed the props.conf with the below stanza on indexers and now I'm getting expected results. [source::/var/splunk/path/ipaddress/*.log]
TZ = UTC
... View more
05-19-2021
02:19 AM
Hi @javiergn, I've removed the TZ_ALIAS from the props.conf. I'm pushing the app from the deployment server onto the Syslog Server where a Splunk UF is installed. On the Syslog Server, this is located under /opt/splunk/etc/apps/custom-app-folder/local/props.conf I ran the query that you mentioned and the results are following, _raw _time source May 19 09:10:01 …. 2021-05-19 09:10:01 /var/splunk/path/ipaddress/2021-05-19-servername.log I verified that the source that was showing up in the query results is the same that I'm using in the props.conf stanza for source, (this props.conf is pushed on the syslog server - it is not present in any indexers/search head) [source::/var/splunk/path/ipaddress/*.log]
TZ = UTC
... View more
05-18-2021
09:40 PM
Hi @javiergn , I ran the command that you gave me, index=indexname sourcetype=syslog source=sourcename
| head 1
| _raw, _time The result that I got was the following, (only showing the timestamps result) _raw _time May 19 04:30:01 2021-05-19 04:30:01 It seems that Splunk is still extracting the time stamp from the event data itself and not converting the UTC time stamp to the one being used in Splunk Preferences. The time zone preference set in Splunk User Preferences is below For reference what I've done in props.conf on the UF running on the Syslog Server is following, [source::/path/*.log]
TZ=UTC
TZ_ALIAS=UTC
... View more
- Tags:
- hi @
05-17-2021
11:56 PM
Hi @richgalloway , yes there is a different directory and file maintained. Although I've not used the inputs.conf to set the TZ property rather I've used the props.conf to set the TZ property. Hi @javiergn, Yes, I've used this source stanza in the props.conf file however the events from the file still show up with UTC Timestamp.
... View more
05-17-2021
04:44 AM
Hi There, So, the scenario is that we have a central syslog server which receives syslog messages from different servers in the organization. When the syslog data is received on the syslog server, there is a universal forwarder agent on the syslog server that forwards it to Splunk. The issue is that some servers are using UTC time zone and therefore the syslog data from those servers contains UTC Timestamp. Is there a way to change how the forwarder interprets the syslog data file received from those servers? I've tried editing TZ=UTC and TZ-ALIAS=UTC in props.conf with the source stanza specifying the path for those specific log files that have UTC Timestamp in events. However in Splunk I still see those events with the UTC Time Stamp. This is an issue due to which we can't properly search. Any advice would be much appreciated. Thanks.
... View more
Labels
- Labels:
-
Linux
-
props.conf
-
syslog
-
universal forwarder
04-29-2021
08:55 PM
I just checked again now and by default it seems the clientName value is unique however since the hostname/instance name are same for the 30 Servers so that's why it's still showing up as one entry on the deployment server. Any suggestions on how to deal with this scenario? Keeping in mind that the team cannot change the hostnames for the 30 servers to something unique rather all of them need to have the same hostname. Thank you.
... View more
04-29-2021
08:40 PM
To clarify "Not showing up on the deployment server", it's that since all the servers have the same hostname so on the Deployment Server instead of having all of the e.g. 30 Servers show up I only get one entry shown with the hostname where the IP Address periodically changes/updates within the range of the IP Addresses assigned to the 30 Servers.
... View more
04-28-2021
10:26 PM
Thank you @s2_splunk for your response. So, then for multiple servers having same hostname and therefore not showing up on the deployment server, I can use the deploymentclient.conf - clientName attribute to be set for each server with unique value so that all of them show up on the Deployment Server. Can you share any environment variables I can set in the clientName field so that every value is unique? As you know hostname is same for every server so is there any other environment variable or splunk value such as the one stored in instance.cfg that I can use here? Thank you.
... View more
04-27-2021
01:04 AM
Hi All, I have a scenario where there are many servers having the same hostname due to some requirements of the applications running on them. Now, the splunk universal forwarder agent has been successfully deployed on all of them and the inputs.conf and outputs.conf have been manually configured there. These are windows servers. It's very difficult to manage all of these servers manually by editing the inputs.conf so what I'm trying to do is manage them centrally via the Deployment Server. However after the deploymentclient.conf file has been configured there, all of the servers are not showing up on the Deployment Server because of them having the same hostname. I get one entry against the hostname on the Deployment Server. My question here is that what changes do I need to make so that all of them report successfully on the Deployment Server? I've been thinking of pushing a deploymentclient.conf file via the Deployment Server with the clientName value set to $HOSTNAME-$IPADDRESS. Is this possible? What other environment variable can I use other than $HOSTNAME to make the clientName unique? Lastly, when the logs are being received in Splunk, the host value that shows up there has been manually set for each server in the inputs.conf file with HOSTNAME-IP Address, so when I remove the manual configurations and push the inputs.conf via deployment server, will the host = $HOSTNAME-$IPADDRESS work? Thank you.
... View more
Labels
- Labels:
-
universal forwarder
-
Windows
02-26-2021
01:12 AM
@edgarsilva01 were you able to resolve this issue? Can you share the solution if so? Thanks
... View more
02-25-2021
11:01 PM
Hi All, I recently installed the Recorded Future App Version 1.0.13 on Splunk Search Head running version 8.0.3. Followed the instructions mentioned in the integration guide of Recorded Future, https://go.recordedfuture.com/hubfs/splunk-integration-guide.pdf Initially I did not enable Enterprise Security however after some time I enabled the check and restarted the Search Head. I've been receiving a warning on Search Head i.e. "Health Check: One or more apps("TA-recordedfuture") that had previously been imported are not exporting configurations globally to system. Configuration objects not exported to System will be unavailable in Enterprise Security. When I checked the messages which Splunk shows after restart in console, one of them was, Invalid Key in stanza [proxy] in /opt/splunk/etc/apps/TA-recordedfuture/local/recordedfuture_settings.conf line # and when I checked that line # the content was proxy_rdns = 0. I've enabled the proxy settings and have verified that it is working alright so I'm not clear why this warning message is being shown on Search Head Web and on restarting I get the Invalid Key in stanza message. I'd appreciate if anyone could help me understand this situation. Thanks.
... View more
Labels
- Labels:
-
troubleshooting
02-21-2021
05:49 AM
What are the fields that have been extracted for this data? Is there any field extracted that has the country code value, if so then you can easily get the count by country code. As an example, If the field containing the country code is called "code", you could get the count by country code using the below SPL query, index=main | stats count by code Replace the index value with the actual index in which the data is being stored.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-12-2022
02:58 AM
|
