Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About ivan5593
ivan5593
Explorer
Member since:
06-15-2022
06-04-2025
Community Statistics
| Posts | 7 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 06-15-2022 |
Activity Feed
- Got Karma for Re: Why are some fields not extracted properly at Heavy Forwarder? (Connected to Splunk Cloud). 03-28-2025 05:49 AM
- Posted Re: Why are some fields not extracted properly at Heavy Forwarder? (Connected to Splunk Cloud) on All Apps and Add-ons. 03-25-2025 04:53 AM
- Posted Using webhooks in SOAR on Splunk SOAR. 05-28-2024 07:47 AM
- Posted Re: Get the value of a dynamic name field on Splunk Search. 03-09-2023 11:14 PM
- Posted Get the value of a dynamic name field on Splunk Search. 03-09-2023 06:11 AM
- Posted Re: How to delete password of inputs.conf from a modular input? on Getting Data In. 02-19-2023 11:56 AM
- Posted How to delete password of inputs.conf from a modular input? on Getting Data In. 02-15-2023 09:21 AM
- Posted Why when applying Props.conf, HF suddenly stops? on Getting Data In. 06-15-2022 01:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-25-2025
04:53 AM
1 Karma
Usually at the forwarding layer, the TA extracts metadata fields such as time, and parses data according to props and transforms of every TA. Once extracted, the forwarders sends cooked data to indexing tier. But essentially forwarders can act as a simple log redirector or an indexer (in terms of extracting data) depending on your configuration. Also, Splunk have other type of fields that are extracted at search time. Basically, you store your "raw" log and extract the fields when you do the search. This is why sometimes the TA must be installed at Search tier (your cloud instance). Otherwise this kind of calculated or lookup fields wont work. Please follow the documentation of each Technical add-on to know if you need to install it in the search tier, it often will be.
... View more
05-28-2024
07:47 AM
Hello! I'm trying to integrate Splunk SOAR - Splunk - Jira to update the ticket status. The source of truth will be Jira, so any update should be propagated from Jira to the other Splunk products. I was wondering about configure a webhook in Jira that triggers a playbook in Splunk SOAR, and update the tickets. Is there any way to accept webhooks in Splunk SOAR? Maybe a better way to do this integration? Thanks in advance!
... View more
Labels
- Labels:
-
using SOAR ⁄ Phantom
03-09-2023
06:11 AM
Hello, I'm having an issue with a field search. I have a lookup where I specify for every sourcetype which field is relevant in order to create a ticket. Let's say the csv as the following: sourcetype,field
sourcetypeA,host
sourcetypeB,dest Then, I do a lookup to have this field into an unique field accross the sourcetype: index=test
| lookup fields_relation sourcetype OUTPUT relevant_field
| eval relevant_host = 'relevant_field' What I want now is to do an eval and set the value of this relevant_field (e.g. For the sourcetypeA I want a variable named relevant_host with the value of host variable). But all the tries let me to only have the string 'host'. I tried do an eval sorrounding the variable between '' with no luck. Still the string field. How can I get the variable value? Thank you!
... View more
Labels
- Labels:
-
fields
02-19-2023
11:56 AM
I saw this posts and I adapted the solutions provided using the templates on splunk-app-examples repository. I have now working the modular input and I can create the password as shown before but my issue is more with deleting the plain inputs.conf password and use only the cyphered password on the storage passwords container.
... View more
02-15-2023
09:21 AM
Hello,
I have created a modular input using the example of splunk-app-example. It extends the class Script and I modified the get_scheme function adding arguments
(example) key_secret = Argument("key_secret") key_secret.title = "Key Secret" key_secret.data_type = Argument.data_type_string key_secret.required_on_create = True
This code allows to save key_secret as a plain string, which is clearly unsecure. Investigating I reached to the storage_password endpoints, and I added the following to stream_events method:
if key_secret != "":
secrets = self.service.storage_passwords
storage_passwords = self.service.storage_passwords
storage_password = storage_passwords.create(key_secret, key_id, tenant) input_item.update({"key_secret": ""})
else:
key_secret = next(secret for secret in secrets if (secret.realm == tenant and secret.username == key_id)).clear_password
This is not working, as I cannot modify the input definition, is storing both in storage_passwords and in inputs.conf. Is there any way in code to delete the inputs.conf password, or what is the correct way to manage this?
Thanks!
... View more
Labels
- Labels:
-
inputs.conf
-
modular input
06-15-2022
01:51 AM
Hello all,
We are using an RSyslog to write logs to file in a Heavy Forwarder but we found that it was escaping tabs as #011. We found a solution that is apply to the file source a SEDCMD as follows:
inputs.conf
[monitor:///opt/splunk-data/<datafile>]
sourcetype=<datasource>
props.conf
[source::///opt/splunk-data/<datafile>]
SEDCMD-fix_tab = s/#011/ /g
We applied the configuration and restarted the HF and worked by about 15 minutes but then suddenly stopped to change this character by a tab. Why can this happen?
Thank you!
... View more
Labels
- Labels:
-
heavy forwarder
-
props.conf
