Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About martaBenedetti
martaBenedetti
Path Finder
Member since:
04-30-2021
10-17-2025
Community Statistics
| Posts | 52 |
| Solutions | 0 |
| Karma Given | 20 |
| Karma Received | 1 |
| Member Since | 04-30-2021 |
Activity Feed
- Posted alert action email with empty attachment on Monitoring Splunk. 10-17-2025 01:12 AM
- Posted Event Collector third-party certificates on All Apps and Add-ons. 05-02-2024 03:54 AM
- Tagged Event Collector third-party certificates on All Apps and Add-ons. 05-02-2024 03:54 AM
- Karma Re: Error message in Enterprise Security for gcusello. 02-06-2024 06:26 AM
- Posted Re: How to filter out the EVENT_TYPE in sfdc:logfile using Splunk Add on for Salesforce? on All Apps and Add-ons. 11-07-2023 11:56 PM
- Posted Re: How to filter out the EVENT_TYPE in sfdc:logfile using Splunk Add on for Salesforce? on All Apps and Add-ons. 11-07-2023 07:40 AM
- Posted How to filter out the EVENT_TYPE in sfdc:logfile using Splunk Add on for Salesforce? on All Apps and Add-ons. 11-06-2023 01:54 AM
- Got Karma for Re: Which values I will have for srchJobsQuota and rtSrchJobsQuota. 10-27-2023 07:17 AM
- Posted Re: Which values I will have for srchJobsQuota and rtSrchJobsQuota on Splunk Search. 10-27-2023 07:16 AM
- Karma Re: Which values I will have for srchJobsQuota and rtSrchJobsQuota for richgalloway. 10-27-2023 07:16 AM
- Posted Which values I will have for srchJobsQuota and rtSrchJobsQuota on Splunk Search. 10-27-2023 06:57 AM
- Tagged Which values I will have for srchJobsQuota and rtSrchJobsQuota on Splunk Search. 10-27-2023 06:57 AM
- Karma Re: How to get time difference between consecutive events by sourcetype during 7 days for ITWhisperer. 08-01-2023 05:31 AM
- Posted How to get time difference between consecutive events by sourcetype during 7 days? on Splunk Search. 08-01-2023 02:41 AM
- Karma Re: Why am I unable to apply search head cluster bundle? for gcusello. 01-26-2023 01:25 AM
- Posted Why am I unable to apply search head cluster bundle? on Deployment Architecture. 01-24-2023 08:28 AM
- Posted Re: Splunk Add-on for Microsoft Cloud Services: NO Azure Audit logs. on All Apps and Add-ons. 10-25-2022 06:04 AM
- Karma Re: Add-On for Atlassian Jira Issue Alerts fails to create alert for guilmxm. 10-13-2022 08:25 AM
- Posted Filter AWS Cloudtrail AwsApiCall events? on Getting Data In. 10-13-2022 07:41 AM
- Karma Re: Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 1. for rahmatn. 10-13-2022 06:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-17-2025
01:12 AM
Hi all, I'd like to create an alert that checks whether, as a triggered action of an alert, an email is being sent with an empty attachment. It would be also nice to check whether the alert fails for any reason and the email is not being sent at all. I've found the status of the saved search in scheduler.log, but I wasn't able to find anything regarding attachments. Any idea? Thanks!
... View more
Labels
- Labels:
-
scheduler activity
-
search head
05-02-2024
03:54 AM
Hi Community, I have this global setting in inputs.conf: [http]
enableSSL = 1
port = 8088
requireClientCert = false
serverCert = $SPLUNK_HOME/etc/auth/my_certificates/certificate.cer I have 2 [token_name] stanzas configured working fine but now I have the need to use a different server certificate for one stanza. So I'd like to do something like this: [http://stanza1]
token = token1
index = index1
sourcetype = sourcetype1
[http://stanza2]
token = token2
index = index2
sourcetype = sourcetype2
serverCert = $SPLUNK_HOME/etc/auth/my_certificates/certificate_2.cer I'm not sure it is possible though since in the doc it is written that per-token settings are only these: connection_host disabled index indexes persistentQueueSize source queueSize sourcetype token Any hint? Thanks, Marta
... View more
Labels
- Labels:
-
administration
-
configuration
11-07-2023
11:56 PM
Yes, that could be. Anyway, thank you very much for the help @FelixLeh
... View more
11-07-2023
07:40 AM
I've tried props.conf and transforms.conf both on Heavy Forwarder where the add-on is installed and on indexers with no succeed, it seems that are ignored anche all the event_type are being collected. This is the splunk doc I've followed: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Keep_specific_events_and_discard_the_rest transforms.conf [setnull_EVENT_TYPE]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setparsing_EVENT_TYPE]
REGEX = EVENT_TYPE\=\"LightningPageView\"
DEST_KEY = queue
FORMAT = indexQueue props.conf [sfdc:logfile]
TRANSFORMS-setEventType = setnull_EVENT_TYPE, setparsing_EVENT_TYPE This is a sample log: 2023-11-06T22:58:22.108+0000 SFDCLogType="LightningPageView" SFDCLogId="aaaa" SFDCLogDate="2023-11-06T00:00:00.000+0000" EVENT_TYPE="LightningPageView" TIMESTAMP="20231106225822.108" REQUEST_ID="TID:aaaa" ORGANIZATION_ID="aaaa" USER_ID="aaaa" CLIENT_ID="" SESSION_KEY="aaaa" LOGIN_KEY="aaaa/aaaa" USER_TYPE="Standard" APP_NAME="aaaa:aaaa" DEVICE_PLATFORM="SFX:BROWSER:DESKTOP" SDK_APP_VERSION="" OS_NAME="WINDOWS" OS_VERSION="10" USER_AGENT=""Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0"" BROWSER_NAME="EDGE" BROWSER_VERSION="119" SDK_VERSION="" DEVICE_MODEL="" DEVICE_ID="" SDK_APP_TYPE="" CLIENT_GEO="Italy/Rome" CONNECTION_TYPE="" UI_EVENT_ID="ltng:pageView" UI_EVENT_SOURCE="" UI_EVENT_TIMESTAMP="1699311501485" PAGE_START_TIME="1699310036553" DURATION="588.0" EFFECTIVE_PAGE_TIME_DEVIATION="false" EFFECTIVE_PAGE_TIME_DEVIATION_REASON="" EFFECTIVE_PAGE_TIME_DEVIATION_ERROR_TYPE="" EFFECTIVE_PAGE_TIME="588.0" DEVICE_SESSION_ID="aaaa" UI_EVENT_SEQUENCE_NUM="22" PAGE_ENTITY_ID="" PAGE_ENTITY_TYPE="Case" PAGE_CONTEXT="force:objectHomeDesktop" PAGE_URL="/lightning/o/Case/list?filterName=Recent" PAGE_APP_NAME="LightningService" PREVPAGE_ENTITY_ID="aaaa" PREVPAGE_ENTITY_TYPE="Case" PREVPAGE_CONTEXT="one:recordHomeFlexipage2Wrapper" PREVPAGE_URL="/lightning/r/Case/aaaa/view" PREVPAGE_APP_NAME="LightningService" TARGET_UI_ELEMENT="" PARENT_UI_ELEMENT="" GRANDPARENT_UI_ELEMENT="" TIMESTAMP_DERIVED="2023-11-06T22:58:22.108Z" USER_ID_DERIVED="aaaa" CLIENT_IP="xxx.xxx.xxx.xxx" UserAccountId="aaaa" SplunkRetrievedServer="https://aaaa.my.salesforce.com"
... View more
11-06-2023
01:54 AM
Hi community, I have installed Splunk Add on for Salesforce on Heavy Forwarder and have been collecting data from Salesforce Object and Event Log. I've noticed that sfdc:logfile is huge and I don't need all the records but from UI there is no why to filter out the collection. Is there a way where we can filter out the EVENT_TYPE? I need only events with EVENT_TYPE="LightningPageView" Any help is appreciated. Thank you Marta
... View more
Labels
- Labels:
-
configuration
-
development
10-27-2023
07:16 AM
1 Karma
Thank you very much @richgalloway !
... View more
10-27-2023
06:57 AM
Hi all,
I've configured a new role to inherit settings from user and power role and I let default values for srchJobsQuota and rtSrchJobsQuota
Basically:
[role_new] importRoles = power; user srchDiskQuota=1000 srchIndexesAllowed = * srchIndexesDefault = * srchMaxTime = 8640000 srchJobsQuota = 3 rtSrchJobsQuota = 6
In this case, which values I will have for srchJobsQuota and rtSrchJobsQuota?
The one set in the role_new or the one set in inherited roles?
Thank you very much
... View more
Labels
- Labels:
-
search job inspector
08-01-2023
02:41 AM
Hi,
I need to plot time difference between consecutive events by sourcetype in the last 7 days.
I'm using this search but it's slow for a dashboard
index=myindex sourcetype=(sourcetype1, sourcetype,sourcetype3)
| streamstats windwos=2 global=f range(_time) as delta by sourcetype
| timechart max(range) as "delta [sec]" by sourcetype
do you have any suggestion for a more efficient search?
Thank you,
Marta
... View more
- Tags:
- sourcetype
01-24-2023
08:28 AM
Hi community,
I've just performed an upgrade on my infrastructure (distributed environment) from Splunk 8.2.3 to Splunk 9.0.3.
All the instances seem to work fine, I have problems though in applying search head cluster bundle.
I use this command to upgrade Splunk Enterprise Security:
$SPLUNK_HOME/bin/splunk apply shcluster-bundle -preserve-lookups true -target https://instance1:8089
But it doesn't work and I receive this message:
Error while deploying apps to first member, aborting apps deployment to all members: Error while updating app=SplunkEnterpriseSecuritySuite on target=https://instance1:8089: Error in JSON response: Unexpected EOF
Do you have any idea of what could be the problem?
Thank you
Marta
... View more
Labels
10-25-2022
06:04 AM
Hi, I have the same issue: have you ever solved the problem? Thanks Marta
... View more
10-13-2022
07:41 AM
Does anybody know a good way to filter out AWS Cloudtrail events? I'd like to send to null queue events that contains eventType=AwsApiCall.
My input is configured as "Generic S3" (https://docs.splunk.com/Documentation/AddOns/released/AWS/S3)
This is what I have on my HF where the Splunk_TA_AWS is installed and configured:
transforms.conf
[eliminate-AwsApiCall]
REGEX = \"eventType\":\s+\"AwsApiCall\"
DEST_KEY = queue
FORMAT = nullQueue
props.conf:
[aws:cloudtrail]
TRANSFORMS-eliminate-AwsApiCall = eliminate-AwsApiCall
Doesn't seem to be filtering ... any thoughts?
Thanks
Marta
... View more
- Tags:
- aws
- cloudtrail
Labels
- Labels:
-
heavy forwarder
-
props.conf
-
transforms.conf
10-03-2022
12:11 AM
Hi SinghK, inputs.conf on indexers [splunktcp-ssl:9997]
queueSize=4MB
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/slave-apps/certs/myserver.pem
requireClientCert = true outputs.conf on forwarder [indexAndForward]
index = false
[tcpout]
defaultGroup = my_indexers
forceTimebasedAutoLB = true
indexAndForward = false
clientCert = $SPLUNK_HOME/etc/apps/certs/myserver.pem
useClientSSLCompression = true
[tcpout:my_indexers]
disabled = false
useACK = true
server = idx1:9997,id2:9997,id3:9997,id4:9997,id5:9997,id6:9997
... View more
09-29-2022
03:18 AM
Hi Community,
on Universal Forwarder I see these logs:
09-29-2022 12:12:17.410 +0200 INFO Metrics - group=queue, name=aeq, blocked=true, max_size_kb=500, current_size_kb=499, current_size=61, largest_size=61, smallest_size=18
I know is related to gz files, in fact splunk is monitoring files gz.
In order to increase queue size, I usually push server.conf with new values, like this.
[queue=aeq]
maxSize = 2MB
It seems not working because I keep seeing in logs
Metrics - group=queue, name=aeq, blocked=true, max_size_kb=500
Do you know how can be edited this queue size?
Thanks,
Marta
... View more
- Tags:
- server.conf
Labels
- Labels:
-
universal forwarder
07-14-2022
05:51 AM
Hi @VatsalJagani , I've tried setting in the drill-down offset 120 instead of 2m, the search ends but runs in a wrong range: it is as if the offset is not anymore the $info_min_time$ but the time I click on drill down. Thanks anyway
... View more
07-14-2022
05:49 AM
Hi @harishalipaka I've tried setting earliest in the driil-down search as you suggested, but unfortunatly I got the same error 😞
... View more
07-14-2022
12:17 AM
Hi @VatsalJagani, it is not possible to set that value in the Drill-down offset, a warning appears that the value must be an integer if not $info_min_time$. On the other hand, I've tried setting earliest=$info_min_time$-2m in the drill-down search with no success since when I click on drill-down this error appears:
... View more
07-13-2022
01:00 AM
Hi,
I'm trying to configure Drill-down Earliest Offset in my Notable from Adaptive Response Action.
I'd like to run the Drill-down search setting as earliest 2 minutes before the earliest time of the search: $info_min_time$ - 2minutes.
I'm trying this configuration but seems not to work properly.
Is there a way to do so? Is there a way to set earliest in the Drill-down search?
Thanks a lot
Marta
... View more
05-25-2022
01:38 AM
Thank you! Worked for me!
... View more
05-18-2022
02:46 AM
Worked for me, thanks!
... View more
05-17-2022
03:40 AM
worked for me, thanks!
... View more
05-11-2022
07:25 AM
The source stanza was just a typo, I've corrected it 🙂 Thank you Marta
... View more
05-11-2022
07:25 AM
I was afraid the solution couldn't work with HTTP event collector since I've only used this configuration with classic monitor inputs. The source stanza was just a typo, I've corrected it 🙂 Thank you Marta
... View more
05-11-2022
06:36 AM
Hi Community,
I have the need to filter data based on a specific field value and route to a different group of indexers.
Data is coming through HEC configured on a Heavy Forwarder like this:
[http://tokenName]
index = main
indexes = main
outputgroup = my_indexers
sourcetype = _json
token = <string>
source = mysource
I'd like to use props.conf and transforms.conf as suggested here like this:
props.conf
[source::mysource]
TRANSFORMS-routing=otherIndexersRouting
transforms.conf
[otherIndexersRouting]
REGEX=\"domain\"\:\s\"CARD\"
DEST_KEY=_TCP_ROUTING
FORMAT=other_indexers
In outputs.conf I'd add the stanza [tcpOut:other_indexers]
Is this possible? Is there another way to achieve this goal?
Thank you
Marta
... View more
Labels
03-31-2022
05:48 AM
Same problem, worked for me! Thanks a lot rahmatn!
... View more
03-02-2022
06:01 AM
Thanks a lot somesoni2, now is working fine!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-17-2025
01:04 AM
|
Karma given to
