Activity Feed
- Posted Adding existing index to cluster master on Splunk Enterprise. 06-14-2024 07:16 AM
- Got Karma for Re: How to resolve this error: The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch. use. 12-13-2023 06:32 AM
- Posted License Utilization is not Showing for all Indexes on Splunk Enterprise. 12-04-2023 04:41 AM
- Posted Splunk Archived data to GCS Bucket on Splunk Enterprise. 10-23-2023 01:01 AM
- Got Karma for Re: How to resolve this error: The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch. use. 07-18-2023 12:19 PM
- Posted How to monitor the below files with extension (.json.gz) in Splunk? on Getting Data In. 06-05-2023 10:21 AM
- Posted How to extract values depending on field, props.conf, transforms.conf, and regex? on Getting Data In. 05-22-2023 09:13 AM
- Posted Re: Splunk Dashboard for creating panels inside grid on Dashboards & Visualizations. 05-03-2023 12:50 PM
- Posted How to make Splunk Dashboard for creating panels inside grid? on Dashboards & Visualizations. 05-03-2023 12:44 PM
- Posted Re: Deployment Server License Calculation on Deployment Architecture. 04-11-2023 06:59 PM
- Posted Deployment Server License Calculation: Will my architecture require a Heavy Forwarder? on Deployment Architecture. 04-11-2023 12:05 PM
- Posted How to avoid duplicate fields in CIM Data Normalization? on Knowledge Management. 02-13-2023 10:42 AM
06-14-2024 07:16 AM
Hi team, I have two indexers in a clustered environment and one of my colleagues created an index on both indexers (/opt/splunk/etc/apps/search/indexes.conf), not on the cluster master. This is a very old index and has more than 50GB of data. If I add the same config on the master (/opt/splunk/etc/master-apps/_cluster/local/indexes.conf), will it hamper anything? Would I lose any data?
Labels: using Splunk Enterprise
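Added example, not from the post above: before pushing a stanza that the peers already define locally, a practitioner would compare the peers' indexes.conf with the master bundle. The script below parses constructed indexes.conf fragments (hostnames idx1/idx2, index names firewall and legacy_app, and all attribute values are assumptions) and reports stanzas missing from the master bundle, attributes where a peer disagrees with the bundle, and attributes where the peers disagree with each other for a stanza the bundle lacks, since the bundle can carry only one version. Existing buckets stay where they are only if the pushed stanza names the same homePath/coldPath/thawedPath the peers already use, which is exactly what the conflict report checks.

```python
import configparser
from typing import Dict, List

# Constructed indexes.conf fragments (not the poster's files). The stanza that exists
# only on the peers stands in for the colleague's index.
MASTER_INDEXES_CONF = """\
[firewall]
homePath = $SPLUNK_DB/firewall/db
coldPath = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
maxTotalDataSizeMB = 500000
repFactor = auto
"""

PEER_INDEXES_CONF = {
    "idx1": """\
[firewall]
homePath = $SPLUNK_DB/firewall/db
coldPath = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
maxTotalDataSizeMB = 400000

[legacy_app]
homePath = $SPLUNK_DB/legacy_app/db
coldPath = $SPLUNK_DB/legacy_app/colddb
thawedPath = $SPLUNK_DB/legacy_app/thaweddb
frozenTimePeriodInSecs = 31536000
""",
    "idx2": """\
[firewall]
homePath = $SPLUNK_DB/firewall/db
coldPath = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
maxTotalDataSizeMB = 500000

[legacy_app]
homePath = $SPLUNK_DB/legacy_app/db
coldPath = $SPLUNK_DB/legacy_app/colddb
thawedPath = $SPLUNK_DB/legacy_app/thaweddb
frozenTimePeriodInSecs = 15552000
""",
}

Conf = Dict[str, Dict[str, str]]


def parse_conf(text: str) -> Conf:
    """indexes.conf is INI-shaped; keep attribute case and leave $SPLUNK_DB untouched."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def bundle_diff(master_text: str, peer_texts: Dict[str, str]) -> Dict[str, dict]:
    """Compare what each peer defines locally with the master bundle.

    missing_on_master:  stanzas the bundle lacks, with the peers that carry them
    conflicts:          attributes where a peer's value differs from the bundle's
    peer_disagreements: attributes where peers differ among themselves for a stanza
                        the bundle lacks (the bundle can hold only one version)
    """
    master = parse_conf(master_text)
    peers = {host: parse_conf(text) for host, text in peer_texts.items()}
    missing: Dict[str, List[str]] = {}
    conflicts: Dict[str, Dict[str, Dict[str, str]]] = {}
    for host, conf in peers.items():
        for stanza, attrs in conf.items():
            if stanza not in master:
                missing.setdefault(stanza, []).append(host)
                continue
            for key, value in attrs.items():
                if key in master[stanza] and master[stanza][key] != value:
                    conflicts.setdefault(stanza, {}).setdefault(
                        key, {"master": master[stanza][key]})[host] = value
    disagreements: Dict[str, Dict[str, Dict[str, str]]] = {}
    for stanza, hosts in missing.items():
        keys = set().union(*(peers[h][stanza].keys() for h in hosts))
        for key in sorted(keys):
            values = {h: peers[h][stanza].get(key) for h in hosts}
            if len(set(values.values())) > 1:
                disagreements.setdefault(stanza, {})[key] = values
    return {"missing_on_master": missing, "conflicts": conflicts,
            "peer_disagreements": disagreements}


if __name__ == "__main__":
    for section, rows in bundle_diff(MASTER_INDEXES_CONF, PEER_INDEXES_CONF).items():
        print(f"{section}: {rows}")
```

On a real cluster the peer texts come from each indexer's etc/apps/search/local/indexes.conf (or wherever the colleague put the stanza; the post names etc/apps/search/indexes.conf) and the master text from master-apps/_cluster/local/indexes.conf. The stanza added to the bundle also needs repFactor = auto, which the peers' local copy will not have, for the cluster to replicate it.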
12-04-2023 04:41 AM
Hi Team,
While running the below search we are not getting the license calculation for 2-3 indexes (showing 0), but for the other indexes I am able to see the results.
index=_internal source="*license_usage.log" sourcetype=splunkd type=Usage
| stats sum(b) as Bytes by idx
| eval GB=round(Bytes/1024/1024/1024,3)
| rename idx as Index, GB as "License Used in GB"
| table Index, "License Used in GB"
I am trying to understand why it is happening for only 2-3 indexes. We have the index data present on both indexers.
Tags: license
Labels: development
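Added example, not from the post above: a Python reproduction of the stats sum(b) by idx aggregation over license_usage.log lines. It separates two cases the SPL output blends together: an index whose Usage lines really sum to 0, and an index that has no Usage line in the searched time range at all, which simply never appears in stats ... by idx. The log lines are constructed in the key="value" layout of license_usage.log (index names, hosts and byte counts are assumptions); the RolloverSummary line shows why filtering on type=Usage matters, since those daily pool totals carry no idx.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample in the layout of license_usage.log (not taken from the post).
# The RolloverSummary line is the daily pool total and has no idx, so a query without
# type=Usage would add it under an empty index name.
SAMPLE_LOG = """\
12-03-2023 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/auth.log" st="linux_secure" h="web01" o="" idx="os" i="AAAA-1111" pool="auto_generated_pool_enterprise" b=2147483648 poolsz=107374182400
12-03-2023 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="" st="syslog" h="" o="" idx="network" i="AAAA-1111" pool="auto_generated_pool_enterprise" b=536870912 poolsz=107374182400
12-03-2023 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="/var/log/auth.log" st="linux_secure" h="web02" o="" idx="os" i="AAAA-1111" pool="auto_generated_pool_enterprise" b=1073741824 poolsz=107374182400
12-03-2023 00:00:00.000 +0000 INFO  LicenseUsage - type="Usage" s="WinEventLog:Security" st="WinEventLog" h="dc01" o="" idx="wineventlog" i="AAAA-1111" pool="auto_generated_pool_enterprise" b=0 poolsz=107374182400
12-03-2023 00:00:01.000 +0000 INFO  LicenseUsage - type="RolloverSummary" i="AAAA-1111" pool="auto_generated_pool_enterprise" b=3758096384 poolsz=107374182400
"""

# key="quoted value" or key=bare_value; quoted values may be empty (s="" h="").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_license_line(line: str) -> Dict[str, str]:
    """Split the part after 'LicenseUsage - ' into key/value pairs."""
    _, _, tail = line.partition("LicenseUsage - ")
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(tail)}


def usage_bytes_by_index(log_text: str) -> Dict[str, int]:
    """Equivalent of  type=Usage | stats sum(b) as Bytes by idx ."""
    totals: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        if "LicenseUsage - " not in line:
            continue
        fields = parse_license_line(line)
        if fields.get("type") != "Usage":
            continue  # skip RolloverSummary (no idx) and anything else
        totals[fields.get("idx", "")] += int(fields.get("b", "0"))
    return dict(totals)


def to_gb(nbytes: int, places: int = 3) -> float:
    """Same rounding as  eval GB=round(Bytes/1024/1024/1024,3) ."""
    return round(nbytes / 1024 ** 3, places)


def zero_usage_indexes(totals: Dict[str, int]) -> List[str]:
    """Indexes that do have Usage lines but whose bytes sum to 0."""
    return sorted(name for name, b in totals.items() if b == 0)


def unreported_indexes(totals: Dict[str, int], expected: Iterable[str]) -> List[str]:
    """Indexes with no Usage line at all. These never appear in  stats ... by idx ,
    which is a different symptom from a row whose sum is 0."""
    return sorted(name for name in expected if name not in totals)


if __name__ == "__main__":
    totals = usage_bytes_by_index(SAMPLE_LOG)
    for name in sorted(totals):
        print(f"{name:<12} {to_gb(totals[name]):>8} GB")
    print("zero usage:", zero_usage_indexes(totals))
    print("not reported:", unreported_indexes(totals, ["os", "network", "wineventlog", "firewall"]))
```

When an index is absent rather than zero, the first thing to confirm is that the search time range covers the days the data was actually indexed: license_usage.log is read from the _internal index, so it ages out with _internal's retention, while the index data itself can be much older.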
10-23-2023 01:01 AM
Hi Team, We have a requirement to forward the archived data to external storage (GCS Bucket). I have checked the Splunk documentation but haven't had any luck with this. Kindly assist me in forwarding the archived data to a GCS Bucket.
Tags: data
Labels: configuration
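Added example, not from the post above: the mechanism Splunk offers for shipping frozen buckets elsewhere is the coldToFrozenScript setting in indexes.conf, which makes splunkd run a script with the bucket directory as its only argument when the bucket freezes. The script below follows the approach of the stock coldToFrozenExample.py shipped in $SPLUNK_HOME/bin (keep only rawdata/, which splunk rebuild can turn back into a searchable bucket) and then copies the bucket with gsutil. The GCS prefix gs://example-splunk-frozen, the assumption that the bucket sits under .../<index>/colddb/, and the demo bucket layout are all constructed for the example.

```python
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical destination; override with the FROZEN_GCS_PREFIX environment variable.
GCS_PREFIX = os.environ.get("FROZEN_GCS_PREFIX", "gs://example-splunk-frozen")


def strip_bucket_to_rawdata(bucket_dir: Path) -> List[str]:
    """Delete everything except rawdata/ (the compressed journal), as the stock
    coldToFrozenExample.py does; tsidx and metadata files can be regenerated with
    'splunk rebuild' after the bucket is thawed. Returns the names removed."""
    if not (bucket_dir / "rawdata").is_dir():
        raise FileNotFoundError(f"{bucket_dir}: no rawdata/ directory, refusing to archive")
    removed: List[str] = []
    for entry in bucket_dir.iterdir():
        if entry.name == "rawdata":
            continue
        if entry.is_dir():
            shutil.rmtree(entry)
        else:
            entry.unlink()
        removed.append(entry.name)
    return sorted(removed)


def gcs_upload_argv(bucket_dir: Path, gcs_prefix: str = GCS_PREFIX) -> List[str]:
    """gsutil command copying the bucket to <prefix>/<index>/<bucket name>/.
    Assumes the usual layout .../<index>/colddb/<bucket>, so the index name is two levels up."""
    index_name = bucket_dir.parent.parent.name
    return ["gsutil", "-m", "cp", "-r", str(bucket_dir), f"{gcs_prefix.rstrip('/')}/{index_name}/"]


def archive_bucket(bucket_dir: Path, dry_run: bool = False) -> int:
    """What splunkd invokes with the bucket path as the only argument.
    Exit 0 only after the copy succeeded: splunkd removes the bucket once the script
    exits 0 and leaves it in place on a non-zero exit."""
    bucket_dir = bucket_dir.resolve()
    try:
        strip_bucket_to_rawdata(bucket_dir)
    except FileNotFoundError as exc:
        sys.stderr.write(f"{exc}\n")
        return 1
    if dry_run:
        return 0
    result = subprocess.run(gcs_upload_argv(bucket_dir), capture_output=True, text=True)
    if result.returncode != 0:
        sys.stderr.write(f"upload failed for {bucket_dir}: {result.stderr}\n")
        return 1
    return 0


def demo_in_tempdir() -> Dict[str, object]:
    """Constructed bucket layout so the module can be exercised without splunkd or gsutil."""
    root = Path(tempfile.mkdtemp())
    bucket = root / "firewall" / "colddb" / "db_1700000000_1690000000_42"
    (bucket / "rawdata").mkdir(parents=True)
    (bucket / "rawdata" / "journal.gz").write_bytes(b"\x1f\x8b")
    for name in ("1700000000-1690000000-42.tsidx", "Hosts.data", "Sources.data", "bucket_info.csv"):
        (bucket / name).write_text("constructed")
    removed = strip_bucket_to_rawdata(bucket)
    remaining = sorted(p.name for p in bucket.iterdir())
    argv = gcs_upload_argv(bucket)
    rc = archive_bucket(bucket, dry_run=True)
    shutil.rmtree(root)
    return {"removed": removed, "remaining": remaining, "argv": argv, "dry_run_rc": rc}


if __name__ == "__main__":
    if len(sys.argv) == 2:
        sys.exit(archive_bucket(Path(sys.argv[1])))
    print(demo_in_tempdir())
```

The script has to be installed and referenced from the index stanza on every indexer (in a cluster, on every peer, via the master bundle), the splunk user needs working gsutil credentials on each of them, and because each peer freezes its own copy of a replicated bucket the destination will receive one upload per copy unless the script deduplicates by bucket name.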
06-05-2023 10:21 AM
Hi Team,
I would like to monitor the below files with extension (.json.gz) in Splunk.
In the DS app inputs I have given the stanza like this
When checked in Splunk it is showing only 1 day.
These are the files that I want to monitor
Kindly let me know how to monitor the files.
Tags: Getting data, Json.gz
Labels: JSON, universal forwarder
05-22-2023 09:13 AM
Hi Team,
Kindly check the below logs
[19-May-2023 06:15:55.341][INFO] abc@abc.com@ABC-CB-NOC, 1.1.1.1:61, create, user:Test, appliances: ALR-prod1 , changeset:devices { device{ALR-prod1} { config { orgs { org-services{ATCHYUTH-NOC} { user-identification { local-database { users { + user{Test} { + email-address test@abc.com + passwd + status CREATED} } } } } } } } }
[28-Jun-2022 08:35:48.010][INFO] abc@abc.com@ABC-CB-NOC, 1.1.1.1:61, create, authentication-method:Dummy-Auth, template:Access-Template , changeset:devices { template{Access-Template} { config { orgs { org-services{Atchyuth-NOC} { user-identification { authentication-methods { + authentication-method{Dummy-Auth} { + method { + local }} } } } } } } }
[28-Sep-2020 12:13:07.137][INFO] abc@abc.com@ABC-CB-NOC, CLI 'set devices template ABC config orgs org-services ATCHYUTH-NOC security captive-portal url abc.net'
[28-Jun-2022 08:35:48.010][INFO] abc@abc.com@ABC-CB-NOC, 1.1.1.1:53, create, authentication-method:Dummy-Auth, template:Access-Template, changeset:devices { template{Access-Template} { config { orgs { org-services{Atchyuth} { user-identification { authentication-methods { + authentication-method{Dummy-Auth} { + method { + local }} } } } } } } }
[28-Sep-2020 12:13:07.137][INFO] abc@abc.com@ABC-CB-NOC, CLI 'set devices template ABC config orgs org-services ATCHYUTH security portal url abc.net'
Based on the above logs we have one common field, org-services. Depending on org-services I need to create a new field and extract the values into it. Kindly help me with props.conf and transforms.conf, and also let me know the regex pattern that will create a new field based on org-services.
Tags: extraction
Labels: heavy forwarder, props.conf, transforms.conf
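Added example, not from the post above: the five log lines quoted in the post come in two shapes, the changeset form org-services{NAME} and the CLI form org-services NAME ..., and one regex covers both. The Python below runs that regex over the poster's own lines, so the expected values can be checked before the same pattern goes into transforms.conf. The field name org_service and the stanza name used in the note afterwards are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# The five lines quoted in the post above, as the poster wrote them.
SAMPLE_LINES = [
    "[19-May-2023 06:15:55.341][INFO] abc@abc.com@ABC-CB-NOC, 1.1.1.1:61, create, user:Test, appliances: ALR-prod1 , changeset:devices { device{ALR-prod1} { config { orgs { org-services{ATCHYUTH-NOC} { user-identification { local-database { users { + user{Test} { + email-address test@abc.com + passwd + status CREATED} } } } } } } } }",
    "[28-Jun-2022 08:35:48.010][INFO] abc@abc.com@ABC-CB-NOC, 1.1.1.1:61, create, authentication-method:Dummy-Auth, template:Access-Template , changeset:devices { template{Access-Template} { config { orgs { org-services{Atchyuth-NOC} { user-identification { authentication-methods { + authentication-method{Dummy-Auth} { + method { + local }} } } } } } } }",
    "[28-Sep-2020 12:13:07.137][INFO] abc@abc.com@ABC-CB-NOC, CLI 'set devices template ABC config orgs org-services ATCHYUTH-NOC security captive-portal url abc.net'",
    "[28-Jun-2022 08:35:48.010][INFO] abc@abc.com@ABC-CB-NOC, 1.1.1.1:53, create, authentication-method:Dummy-Auth, template:Access-Template, changeset:devices { template{Access-Template} { config { orgs { org-services{Atchyuth} { user-identification { authentication-methods { + authentication-method{Dummy-Auth} { + method { + local }} } } } } } } }",
    "[28-Sep-2020 12:13:07.137][INFO] abc@abc.com@ABC-CB-NOC, CLI 'set devices template ABC config orgs org-services ATCHYUTH security portal url abc.net'",
]

# One pattern for both layouts: after "org-services" comes either "{" or a space, and
# the value runs to the closing brace or the next whitespace. transforms.conf takes the
# same regex with the PCRE named-group spelling (?<org_service>...); Python needs (?P<...>).
ORG_SERVICE_RE = re.compile(r"org-services[{ ]\s*(?P<org_service>[^}\s]+)")


def extract_org_service(line: str) -> Optional[str]:
    """Return the org-services value for one event, or None when the line has none."""
    match = ORG_SERVICE_RE.search(line)
    return match.group("org_service") if match else None


def extract_org_services(lines: List[str]) -> List[Optional[str]]:
    return [extract_org_service(line) for line in lines]


def count_by_org_service(lines: List[str]) -> Dict[str, int]:
    """Event count per extracted value, like  | stats count by org_service .
    Case is preserved: Atchyuth, ATCHYUTH and Atchyuth-NOC stay three distinct values,
    which is what the search head will show unless the field is normalised."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        value = extract_org_service(line)
        if value is not None:
            counts[value] += 1
    return dict(counts)


if __name__ == "__main__":
    for line, value in zip(SAMPLE_LINES, extract_org_services(SAMPLE_LINES)):
        print(f"{value!s:<14} <- {line[:60]}...")
    print(count_by_org_service(SAMPLE_LINES))
```

In transforms.conf this becomes a stanza such as [org_service_from_log] with REGEX = org-services[{ ]\s*(?<org_service>[^}\s]+) (a named group, so no FORMAT line is needed), referenced from props.conf under the sourcetype stanza as REPORT-org_service = org_service_from_log. REPORT- extractions run at search time, so that pair belongs on the search head; the heavy forwarder only needs it if the field is deliberately extracted at index time with a TRANSFORMS- stanza, which costs index space and cannot be applied to data already indexed.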
05-03-2023 12:50 PM
<form version="1.1" theme="dark">
  <label>Windows Testing</label>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>Select Time Range</label>
      <default>
        <earliest>0</earliest>
        <latest></latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title></title>
      <html>
        <div>
          <h2>Successful Authentications</h2>
        </div>
        <style>
          h2 {
            text-align: center;
            background-color: gray;
            border: 1px solid black;
            border-radius: 25px;
          }
          .dashboard-panel {
            background-color: #177843;
            border-radius: 25px;
            border: 2px solid #73AD21;
          }
          .dashboard-panel:hover {
            transform: scale(0.95);
          }
        </style>
      </html>
      <single>
        <search>
          <query>| tstats count from datamodel=Authentication.Authentication where Authentication.EventCode=4624</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <title></title>
      <html>
        <div>
          <h2>Failed Authentications</h2>
        </div>
      </html>
      <single>
        <search>
          <query>| tstats count from datamodel=Authentication.Authentication where Authentication.EventCode=4625</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <html>
        <div>
          <h2>User Account Created</h2>
        </div>
      </html>
      <single>
        <search>
          <query>| tstats count from datamodel=Authentication.Authentication where Authentication.EventCode=4720</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
    <panel>
      <html>
        <div>
          <h2>Account Lockout</h2>
        </div>
      </html>
      <single>
        <search>
          <query>| tstats count as "Account Lockout" from datamodel=Authentication.Authentication where Authentication.EventCode=4740</query>
          <earliest>$time.earliest$</earliest>
          <latest>$time.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </single>
    </panel>
  </row>
</form>
Kindly check the source code.
05-03-2023 12:44 PM
Hi Team,
I would like to achieve the below dashboard, which has an outer grid with multiple panels inside it.
Please check the XML code
Kindly help in achieving this.
Tags: css
04-11-2023 06:59 PM
Hi @woodcock Agreed. We have data sources (a database server) which need to be parsed; for that reason we need an HF. I am planning to introduce an intermediate forwarder in between. I just want to know whether it will cause an impact. Please have a look at my first question.
04-11-2023 12:05 PM
Hi Team,
In my environment we made the Deployment Server the License Master as well. Current architecture:
1 - Search Head
1 - Indexer
1 - Deployment Server
2 - Universal Forwarders
I am planning to implement a Master as well for the current architecture. Will my architecture require a Heavy Forwarder?
In addition to the above, if I implement an HF is there an impact, and I would also like to understand how the deployment pipeline works.
Labels: deployment server
02-13-2023 10:42 AM
Hi Team,
I am using field aliases, as in my sourcetype I have two common fields (dest & dest_ip) which have the same values. When I applied the field aliases both were reflected.
How to avoid duplicate fields? Kindly help in this scenario.
Tags: cim
Labels: alias, data model
12-22-2022 01:17 AM
Hi team,
Can you please help me with this error?
Tags: data
12-19-2022 09:44 AM
Hi Team,
I have the env set up like this: 2 Indexers, 1 Search Head, 1 Heavy Forwarder, 1 Deployment Server, 1 Cluster Master
My DS is connected to the HF and from there the data will be pushed to the Indexers
I would like to use the bots_v3_dataset for my env
https://github.com/splunk/botsv3
Kindly help me with how to push the data in a distributed deployment.
Tags: gettingdata
Labels: data, heavy forwarder
12-15-2022 08:56 AM
Hi @gcusello Thanks for the info. I missed the catch; I had done the configuration on the SH as well. I almost forgot that the IDX will not act as an SH. Sorry for the trouble.
12-15-2022 08:06 AM
Hi @gcusello I am trying to check the search on both indexers because the events are showing zero. I tried both telnet and ping HF ---> IDX2, IDX2 ---> HF; all the connections are established.
12-15-2022 07:37 AM
Hi @gcusello I can see that for HF to Indexer 2 the connection is in TIME_WAIT and for Indexer 1 it is ESTABLISHED. Yes, there is a local copy, but when I checked previously it worked: the events were shown in Indexer 2 but not in Indexer 1. Now the data is not showing in both indexers.
12-15-2022 07:11 AM
Hi @gcusello OK, I found the mistake I had made, but from the HF the data is not being pushed to the indexers. I am sharing the screenshots for reference: Heavy Forwarder: inputs.conf, outputs.conf; Indexer 1: inputs.conf; Indexer 2. When I check connectivity all are connected. The index is showing "0" events. In the HF I can see the data. Please suggest.
12-14-2022 11:49 PM
Hi Team,
Environment
1 - Search Head, 2 - Indexers, 1 - Deployment Server, 1 - Heavy Forwarder, 1 - Cluster Master
Problem Statement
1) I am unable to retrieve events when searching with index=*
2) When checking connectivity all were connected (SH --> Indexers --> CM --> HF --> DS)
When checked with the internal index it is showing "401 client is not authenticated".
When checked from the backend there is no error showing in splunkd.log
Tags: data
12-12-2022 10:16 AM
Hello - I have a requirement where there are 10 users and I want to highlight whether a user is active or inactive. Based on the requirement I have gone with a checkbox, since multiple users can be active at the same time. Condition: if the user is active then the checkbox should be checked; if the user is inactive then the checkbox should be unchecked.
We are validating via an SPL query whether a user is active or inactive. Help me with JS code where we can pass data into the checkbox and toggle the checkbox value, i.e. 1 or 0, where 1 means active and 0 means inactive.
Labels: CSS, dashboard, javascript
11-22-2022 02:45 AM
Hi @tsawant Please check the lookup definition permission, whether it is private or app-level. Hoping this will resolve the issue.
11-16-2022 11:26 PM
Hi @gcusello Thank you for the response. I just want to disable the delete option for the user itself.
11-16-2022 06:29 PM
Hi team
I have created a user and set up capabilities; however I haven't checked any delete capability.
When I checked with the user console I am able to see the delete option. Please refer to the below screenshot.
I even tried unchecking the can_delete option for alerts with admin access, but it is still not working.
Please suggest.
Labels: alert action
10-04-2022 07:35 AM
Hi,
| tstats earliest(_time) as Earliest latest(_time) as Latest where index=_internal by _time, index, sourcetype, host span=1d
| eval Earliest=strftime(Earliest,"%Y-%m-%dT%H:%M:%S.%Q")
| eval Latest=strftime(Latest,"%Y-%m-%dT%H:%M:%S.%Q")
| appendcols
    [| tstats count where index=_internal by _time]
I would like to generate a dashboard for host, sourcetype, latest event received, total event count and a sparkline of the count over 1 month.
As per the above query I am getting results like this
Is there any other alternative for this? Please suggest.
08-04-2022 07:46 PM
Hi @chaker Thank you so much. I have learned a lot about Splunk while watching your videos and they helped me with my career transition. Please check the below screenshot for reference. I have applied the MAX_DAYS_AGO setting in Splunk; it identified the Y-m-d but was unable to find the exact hours, minutes and seconds. I have tried the TZ setting but was unable to solve it. Please help
08-04-2022 07:40 PM
Hi @gcusello Please check the below screenshot for reference. I have applied the MAX_DAYS_AGO setting in Splunk; it identified the Y-m-d but was unable to find the exact hours, minutes and seconds. I have tried the TZ setting but was unable to solve it. Please help
08-03-2022 06:54 PM
Hi,
Please check the below screenshot
The indexed time and the event log time are different. Kindly let me know how to fix this.