Hi colleagues, hope everyone is doing well! I need some advice. I have a server that writes logs to /var/log/test_log.json. On the Splunk side, I opened a port via "Data Input -> TCP". The logs in  test_log.json are written line by line. Example: {"timestamp":"2025/02/27 00:00:15","description":"Event 1"} {"timestamp":"2025/02/27 00:00:16","description":"Event 2"} {"timestamp":"2025/02/27 00:00:17","description":"Event 3"} Could anyone suggest if they have a ready-made rsyslog configuration file for correctly reading this log file? The file is continuously updated with new logs, each on a new line. I want rsyslog to read the file and send each newly appearing line as a separate log. Has anyone encountered this before and could help with a ready-made rsyslog configuration? Thank you! ... View more

Colleagues. Hi all !! Can you give me some advice on editing dashboards? I have 4 static tables And I need to arrange them so that the first three are on the left and go in order, and stretch the right so that it is large and long and there is no empty space. I tried to play around with xml somehow, but to no avail. The xml itself is in the file. If this can be done at all, if not. So sorry for such a question! Thanks to all!     <form> <label>Testimg</label> <row> <panel depends="$alwaysHideCSS$"> <title>Настройка по ширине</title> <html> <style> #test_1{ width:50% !important; } #test_2{ width:50% !important; } #test_3{ width:50% !important; } #test_4{ width:50% !important; } </style> </html> </panel> </row> <row> <panel id="test_1"> <title>Table 1</title> <table> <search> <query>| makeresults count=10 | eval no=5 | table no</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel id="test_2"> <title>Table 2</title> <table> <search> <query>| makeresults count=10 | eval no=6 | table no</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> <panel id="test_3"> <title>Table 4</title> <table> <search> <query>| makeresults count=10 | eval no=20 | table no</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> <row> <panel id="test_4"> <title>Table 3</title> <table> <search> <query>| makeresults count=10 | eval no=7 | table no</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> </table> </panel> </row> </form> ... View more

Hello. I added a new peer through the Search peers settings But I realized that I do not need this server. I try to delete via the web, it doesn’t work, I delete it by editing the file, it also doesn’t work, restarting the distsearch.conf file returns where this server is. How to remove this server, I've been trying to find a solution for a month now I am editing distsearch.conf file I delete the contents of servers 1.1.1.3, 1.1.1.4 [distributed search] disabled = 0 servers = https://1.1.1.1:8089,https://1.1.1.2:8089,https://1.1.1.3:8089,https://1.1.1.4:8089 Restarting splunk everything returns. I'm trying to delete via web. also does not apply. have access to the network. everything works correctly. But **beep** it I can't remove it from the file HOW DO I RETURN THE OLD VERSION OF THE FILE distsearch.conf ... View more

Hello. I can't change the file, or I might be doing something wrong. Tell I am editing distsearch.conf file I delete the contents of servers 1.1.1.3, 1.1.1.4 [distributedSearch] disabled = 0 servers = https://1.1.1.1:8089,https://1.1.1.2:8089,https://1.1.1.3:8089,https://1.1.1.4:8089 Restarting splunk everything comes back. I'm trying to delete via web. also does not apply. getting this error "Error occurred attempting to remove 1.1.1.3:8089: Failed to proxy search-server command request to Captain. Reason : ERROR: There is no search peer with a URI of https://1.1.1.3:8089. Either the URI you entered is incorrect or the search peer has already been removed.. "   there is network access. everything works correctly. But **bleep** it I can't delete it from the file Maybe someone can tell me what I'm doing wrong. and is there any provision. ... View more

Dear Colleagues  Help write a query to get data about all reports and alerts  I need to get information e.g. 1. Execution time of each report and alert 2. How much does a completed report and alerts and stuff like that tried to find information in the monitoring console But did not find information about each report and alert I will be grateful ! ... View more

Hello colleagues When running the command (/opt/splunk/bin/splunk reload deploy-server -class Class_Name -debug) There was no such error before. Literally today got out with what it can be connected? Will setenv SPLUNK_CLI_DEBUG to "v". In check_and_set_splunk_os_user(): In env found *no* SPLUNK_OS_USER var. WARNING (cli_common) btool returned something in stderr: 'Will exec (detach=no): USER=root USERNAME=root PATH=/opt/splunk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/opt/splunk/bin PWD=/opt/splunk/etc/deployment-apps HOSTNAME=splunk-deployer SPLUNK_HOME=/opt/splunk SPLUNK_DB=/opt/splunkDBcold/DBdefault SPLUNK_SERVER_NAME=Splunkd SPLUNK_WEB_NAME=splunkweb PYTHONPATH=/opt/splunk/lib/python2.7/site-packages NODE_PATH=/opt/splunk/lib/node_modules LD_LIBRARY_PATH=/opt/splunk/lib LDAPCONF=/opt/splunk/etc/openldap/ldap.conf /opt/splunk/bin/splunkd btool web list ... View more

Help write a request what is the volume of logs in GB / MB goes to splunk per day / month ... View more

Hello colleagues I have a python file. which I add to Data inputs -> script Set the interval, set up, the file itself works but the initial path starts with /opt/splunk/bin/python.   /bin/python  /.../.../file.py help pls!! ... View more

Hello colleagues, I would like to know I have events where there is a unixTime field. But the _time field does not show correctly how can I write in props.conf so that the _time field takes time from the unixTime field ... View more

Hello colleagues. we recently switched from Splunk HF to UF. before this event with sourcetype = MSWindows:2012:IIS. parsed normal but after installation, something went wrong. and events in the spanner do not take all the fields from the logs ... View more

Hello dear colleagues, has anyone encountered this error, I checked search.log for inconsistent metadata. Help me decide. I have a request in SH, when I drive it I get this error ... View more

how parsing xml data ?     <v8e:Event> <v8e:Level>Information</v8e:Level> <v8e:Date>2022-01-26T16:20:24</v8e:Date> <v8e:ApplicationName>Job</v8e:ApplicationName> <v8e:ApplicationPresentation>Фоновое</v8e:ApplicationPresentation> <v8e:Event>Finish</v8e:Event> <v8e:EventPresentation>Сеанс</v8e:EventPresentation> <v8e:User>Jong Wik</v8e:User> <v8e:UserName>Корот</v8e:UserName> <v8e:Computer>srv-2-srv</v8e:Computer> <v8e:Metadata/> <v8e:MetadataPresentation/> <v8e:Comment/> <v8e:Data xsi:nil="true"/> <v8e:DataPresentation/> <v8e:TransactionStatus>NotApplicable</v8e:TransactionStatus> <v8e:TransactionID/> <v8e:Connection>0</v8e:Connection> <v8e:Session>5146</v8e:Session> <v8e:ServerName/> <v8e:Port>0</v8e:Port> <v8e:SyncPort>0</v8e:SyncPort> </v8e:Event> ... View more

ERROR TailReader - File will not be read, is too small to match seekptr checksum (file=c:\logs\MailBoxAudit\mailboxaudit_23_12_2021_13_48.csv). Last time we saw this initcrc, filename was different. You may wish to use larger initCrcLen for this sourcetype, or a CRC salt on this source.     inputs.conf   /opt/splunk/etc/deployment-apps/TA-Exchange-Mailbox/local/inputs.conf  [monitor://c:\logs\MailBoxAudit] whitelist=\.csv$|\.CSV$ sourcetype=csv index= indexname disabled=false crcSalt = <SOURCE> initCrcLength=8192 after making a change to the file inputs.conf. i ran the command /opt/splunk/bin/splunk reload deploy-server -class heavy_forwarders for the changes to be accepted the file comes to the index, but it does not start up some   what could be the problem ?         ... View more

I have an alert. which runs every minute "cron" and the setting is set to "time range last 4 minutes" but for some reason my alert works 30 minutes ago and in this interval look for 4 minutes    create at 4:46:04 PM  search 4:16:00 pm to 4:20:00 pm      Time is correct on SH servers.   ... View more