Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Hutch
Hutch
Path Finder
Member since:
06-28-2022
06-06-2024
Community Statistics
| Posts | 27 |
| Solutions | 2 |
| Karma Given | 16 |
| Karma Received | 4 |
| Member Since | 06-28-2022 |
Activity Feed
- Posted Assistance adding earliest and latest to a search without creating a massive lookup table. on All Apps and Add-ons. 12-22-2022 09:03 AM
- Tagged Assistance adding earliest and latest to a search without creating a massive lookup table. on All Apps and Add-ons. 12-22-2022 09:03 AM
- Tagged Assistance adding earliest and latest to a search without creating a massive lookup table. on All Apps and Add-ons. 12-22-2022 09:03 AM
- Posted Re: Salesforce Add-On contains deprecated functions by default? on All Apps and Add-ons. 12-22-2022 08:16 AM
- Posted Re: Permission Denied when clicking "view results" on Alert on Alerting. 12-22-2022 08:14 AM
- Posted Does Salesforce Add-On contain deprecated functions by default? on All Apps and Add-ons. 11-25-2022 09:33 AM
- Tagged Does Salesforce Add-On contain deprecated functions by default? on All Apps and Add-ons. 11-25-2022 09:33 AM
- Tagged Does Salesforce Add-On contain deprecated functions by default? on All Apps and Add-ons. 11-25-2022 09:33 AM
- Karma Re: Rule to detect known RHEL vulnerabilities for richgalloway. 11-16-2022 08:46 AM
- Posted Updating Splunk to use a cert that is trusted by root CA cert instead of self-signed, what could break? on Splunk Enterprise. 11-16-2022 08:38 AM
- Karma What is the best way to send Mulesoft logs to Splunk? for SplunkExplorer. 11-03-2022 11:35 AM
- Karma Re: What is the best way to send Mulesoft logs to Splunk? for richgalloway. 11-03-2022 11:35 AM
- Posted Re: Two unique sourcetypes in directory with hundreds of logs on Getting Data In. 11-02-2022 01:51 PM
- Posted Why was permission denied when clicking "view results" on alert? on Alerting. 10-31-2022 08:24 AM
- Tagged Why was permission denied when clicking "view results" on alert? on Alerting. 10-31-2022 08:24 AM
- Tagged Why was permission denied when clicking "view results" on alert? on Alerting. 10-31-2022 08:24 AM
- Karma Re: How to convert UTC to CST in SPL? for matt8679. 09-01-2022 11:00 AM
- Karma Re: How to convert UTC to CST in SPL? for richgalloway. 09-01-2022 11:00 AM
- Karma Re: How to convert UTC to CST in SPL? for matt8679. 09-01-2022 11:00 AM
- Posted Re: How to convert UTC to CST in SPL? on All Apps and Add-ons. 09-01-2022 10:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-22-2022
09:03 AM
Hello Splunkers, I think I could be over thinking the search below. I am working on adding an earliest and latest time to the search, but I need to ensure that there are no duplicates being stored in the lookup table. Anybody have any recommendations? My first impression is that we could have a lookup table that could become very large over time. If we not not run the search over all-time, which we are trying not to do. index=salesforce eventtype=sfdc_object sourcetype="sfdc:account"
| eval object_type="Account"
| rename Name AS object_name
| sort 0 - _time
| dedup Id
| eval object_id= substr(Id, 1, len(Id)-3)
| table LastModifiedDate, LastModifiedById, Id, object_id, object_name, object_type, AccountNumber
| outputlookup lookup_sfdc_accounts.csv
... View more
Labels
- Labels:
-
search
12-22-2022
08:16 AM
For those who are coming across this issue within your environment. We have confirmed that this does not impact ingest in anyway.
... View more
12-22-2022
08:14 AM
@DanielP1 , We have not found a solution to this issue at this time. Were you all able to locate a fix?
... View more
11-25-2022
09:33 AM
Happy Friday Splunkers,
We are attempting to on board data from the Salesforce but after reviewing the _internal index we are receiving multiple errors for deprecated functions that come default within the add-on. Has any one else experience anything similar to this or is it possible there is a misconfiguration somewhere?
From the looks of it a python script will need to be modified.
11-25-2022 12:12:48.735 -0500 ERROR PersistentScript - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_TA_salesforce/bin/Splunk_TA_salesforce_rh_account.py persistent}: return func(*args, **kwargs)
11-25-2022 12:12:48.735 -0500 ERROR PersistentScript - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_TA_salesforce/bin/Splunk_TA_salesforce_rh_account.py persistent}: /opt/splunk/etc/apps/Splunk_TA_salesforce/lib/solnlib/utils.py:153: UserWarning: _get_all_passwords is deprecated, please use get_all_passwords_in_realm instead.
... View more
- Tags:
- error
- salesforce
Labels
- Labels:
-
troubleshooting
11-16-2022
08:38 AM
Hello Splunkers, We have ran into several issues primarily with getting data into Splunk over HTTP Collectors. It appears that we need to update our cert with one that has a root ca that has been applied to our Splunk instance instead of a self-signed certificate. We are trying to determine what impact updating the cert across our entire environment could have. After adding a cert to splunk web does not push down the the HTTP collectors. They were still using the self-signed certificate. So it appears adding a new certificate to the cluster is required. This will be my first time updating the certificate across the entire environment so feel free to provide any advice or doc pages that could assist. Documentation we are currently using: https://docs.splunk.com/Documentation/Splunk/9.0.2/Security/ConfigureandinstallcertificatesforLogObserver
... View more
Labels
- Labels:
-
configuration
-
Other
11-02-2022
01:51 PM
I agree with @richgalloway .
... View more
10-31-2022
08:24 AM
Hello fellow Splunkers,
One of our end users was attempting to investigate a Splunk Alert. When they attempted to access the URL contained in the email. They received a permissions denied error. They also received the same alert when manually navigating to the alert under the "Alerts" section and attempt to review the triggered alert. The alert permission are set so anybody can read the alert, but only Power Users and Admins are able to right.
I have reviewed a couple of other Splunk Community post regarding similar permission issues but was unable to locate a solution. Does anyone have an idea what could be causing this?
- Hutch
... View more
- Tags:
- alert
- permissions
Labels
- Labels:
-
Other
09-01-2022
10:33 AM
@matt8679 |eval x_devices.last_seen=tostring(x_devices.last_seen) This is changing the value for "x_devices.last_seen" to NULL in the table. Is it possible that it is unable to convert it to a string?
... View more
09-01-2022
10:08 AM
@richgalloway You are telling me that there is no way to convert 2022-08-24T22:06:01Z to an epoch format?
... View more
09-01-2022
10:06 AM
@matt8679 This a snippet from my current search index="x_devices" AND falcon_device.hostname=myhost
| spath
| stats count, min(_time) as firstTime, max(_time) as lastTime, max(_indextime) as recentTime, BY x_device.hostname, x_device.last_seen
| fieldformat firstTime=strftime(firstTime,"%m/%d/%Y %H:%M:%S")
| fieldformat lastTime=strftime(lastTime,"%m/%d/%Y %H:%M:%S")
| fieldformat recentTime=strftime(recentTime,"%m/%d/%Y %H:%M:%S")
| fieldformat lastUpdated=strftime(lastUpdated,"%m/%d/%Y %H:%M:%S")
| fields + x_device.hostname, x_device.last_seen, firstTime, lastTime, recentTime, lastUpdated, timeElapsed, hash, timeElapsed The x_device.last_seen field in the following format 2022-08-24T22:06:01Z I can seem to get x_devices.last_seen in an epoch format. I am currently only trying to change that field since all of my other times are already in the correct format. It appears that I may need to make modifications to transforms.conf
... View more
08-31-2022
05:35 PM
I am only wanting to change the time within this search and not on my indexers. If I understand your response correctly. There is zero way of converting the UTC time listed above into CST within the search. I do want to not I am not trying to change it across my indexers. Only within the search and dashboards.
... View more
08-31-2022
02:48 PM
Hey Splunkers,
I am working on a search but I have encountered a road block in my search. I am attempting to change a UTC time zone to CST within the search. I was able to change the EPOCH times to CST but I am struggling to locate any documentation on how I can convert the UTC time to match the same as my CST results. I need to change my time to match the other time zones.
2022-08-31T21:04:52Z
needs to be converted to the same format as
08/31/2022 16:21:16
... View more
Labels
- Labels:
-
search
08-31-2022
02:39 PM
@gcusello We ended up remove the app. We were not using it and we are in the process of cleaning up thing that are no longer needed. Removing the app resolved the issue.
... View more
08-25-2022
10:13 AM
It is also on version (2.1.0). I also see the marcro ("index_assignment_notable_license_management"). I will try replacing them. If this doesn't work I will most likely remove it as it is not really needed and to my knowledge nobody is using it.
... View more
08-24-2022
03:01 PM
I just checked the default/macros.conf file and was unable to locate the macro as it appears to be missing. I also installed the app on one of our sandbox servers and was still unable to locate the app. The app is shared with everyone having read access and only admins and power users being able to write to it. Do I need to give execution rights when the macro doesn't appear in the default/macros.conf file for my environment? To be honest, I am not sure. I have recently taken over this environment and am working on cleaning up any searching issues at the moment. I would imagine it was used by the previous administrator for something.
... View more
08-23-2022
03:01 PM
We are currently attempting to locate why a scheduled search cannot run. We were finally able to locate the search and the reason why. The search that cannot run is a default search that is apart of a default dashboard within the License Monitor for Splunk application that is located on Splunk Base. The search is failing because a macro is either misspelled or does not exist, which in this case it appears that it does not exist.
The macro 'index_assignment_notable_management' does not exist. I was wondering if this macros is perhaps located within another app or if it is no longer contained within the app?
https://splunkbase.splunk.com/app/3521/
... View more
Labels
- Labels:
-
configuration
-
Other
-
troubleshooting
07-20-2022
09:22 AM
Located the issue! It appears that there was an additional app that was also attempting to change the time. I was also using the wrong TZ. I ended up removed the TZ=America/Chicago from system/local/props.conf and putting TZ=UTC in the app instead which resolved the issue.
... View more
07-11-2022
09:57 AM
After looking into our environment. I have located that the UF is sending events to a HF which is sending the data to the indexers. I have had created a new stanza in $splunk_home/etc/system/local/props.conf on the HF and the indexers, performing restarts and verifying permissions. The new stanza that was created is shown below. [host::hostname]
TZ = America/Chicago Do I need to add the additional props.conf info that we have discussed prior?
... View more
07-06-2022
12:24 PM
For the UF I am modifying props.conf that is located in $splunk_home/apps/app_name/local/props.conf. In defaults the APP defined TZ=UTC. [source::....log]
sourcetype = logsourcetype
TZ = America/Chicago
TIME_FORMAT = %-m/%e/%Y %l:%M:%S %p
Time_PREFIX = Timestamp":
[host::hostname01]
sourcetype = mysourcetype
TZ = America/Chicago
TIME_FORMAT = %-m/%e/%Y %l:%M:%S %p
TIME_PREFIX = Timstamp": So you think I need to change the TIME_PREFIX to what is seen below? TIME_PREFIX= "Timestamp": The app has in the default props.conf TIME_PREFIX = Timstamp":
... View more
07-01-2022
04:49 PM
Correct, it should go in props.conf how I have it currently. I also attempted to change it to a different TZ to see if I get different results. I also am encountering a similar issue on a HF so I believe it is a user error on my part, but I just can’t locate what I am doing wrong.
... View more
07-01-2022
03:59 PM
When you were referring to setting TZ at the input level. We’re you referring to the host time or a splunk .conf file?
... View more
07-01-2022
02:59 PM
We are not having an issue with the timestamp only with timing. The data is being parsed correctly and the time format is correct within the parsed data. The data is just coming in 5 hours in the future. Adding the TZ to inputs.conf did not resolve the issue.
... View more
07-01-2022
02:20 PM
Hey Everyone,
We are currently running into an issue with one of our sourcetypes coming in roughly five hours in the future. We have reviewed the appliance and verified that the server is set to the correct time but we are unable to locate any issues on the appliance. We are attempting to modify inputs.conf and props.conf to manually adjust the time. We need the time to come in as central time.
Example of timestamp in log
{ "Timestamp": "7/1/2022 4:15:28 PM", "MessageTime": "7/1/2022 4:15:31 PM" ..........
UF local/inputs.conf
[monitor://D:\loglog\*.log]
disabled=false
followTail=0
index=logindex
UF local/props.conf
[source::....log]
sourcetype=logsourcetype
TZ=America/Chicago
Time_PREFIX=Timestamp":
I have attempted to modify local/inputs.conf but reverted back to original one above.
[monitor://D:\loglog\*.log]
disabled=false
followTail=0
TZ=America/Chicago
index=logindex
I have also review system/local to ensure that there is nothing in there as well. Any recommendations? We have been troubleshooting this timing issue for a few month now and I would like to finally find a way to resolve it on Splunk side as we appear to be unable to resolve it server side.
... View more
Labels
- Labels:
-
troubleshooting
07-01-2022
12:32 PM
1 Karma
index="yourIndex" sourcetype="yourSourcetype" | stats count You could also remove the earliest and the latest and set your time frame to 24 hours.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-06-2024
06:58 PM
|
Karma given to
