×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
emzed
Path Finder
Member since: ‎07-03-2023
‎09-04-2024
Community Statistics
Posts 19
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎07-03-2023
Activity Feed
View All

Re: Enterprise Security: Security Posture Drilldow...

by in Splunk Enterprise
‎09-04-2024 03:29 AM
‎09-04-2024 03:29 AM
Hello FelixL, I have the same problem as you. Did you find out why it happened and how to fix it? If you change the locale in the url, it will sometimes start working. For example, en-US to en-GB ... View more

Re: config file precedence vs savedsearches

by in Splunk Enterprise
‎08-30-2024 07:13 AM
‎08-30-2024 07:13 AM
Have you eliminated app permissions/shares at the user level?  The saved search may run as user or as a default account(noone). The btool has a switch for "-- user" which I'm not 100% familiar with but the docs do warn about having to use the switch "--app" as well, but then says the switch user does not consider knowledge object permissions when evaluating the user. ... View more

Re: Ingesting delay and batch data sending

by in Getting Data In
‎08-14-2024 07:12 AM
‎08-14-2024 07:12 AM
I found out what the problem was. There is a Cribl server between UF and Indexer, which I mistakenly ruled out as the source of the problem during throubleshooting. I bypassed Cribl for a while and the problem disappeared. The rest was already pretty fast. I found that there was a persistent queue enabled for Linux input/source in the "Alway On" mode. The persistent queue was not turned on for Windows Input/source. Windows logs were OK all the time. After turning it off for Linux data, the problem disappeared. I don't understand why the persistent queue behaves this way, but I don't have time to investigate further. Maybe it's a Cribl bug or a misunderstanding of functionality. The input queue is not required in the project, so I can leave it off. For me, it's currently resolved Thank you all for your help and your time ... View more

Re: Strange behavior of values function

by in Splunk Search
‎07-17-2023 02:12 AM
‎07-17-2023 02:12 AM
I tried the change and It does not help. You can se on first screenshot. You were right that the trigger could be the colon. If I remove the ":" from field and calculate the stat then all mvfield displayed the same way. It doesn't completely solve my problem.  ... View more

Re: rex

by SplunkTrust in Splunk Search
‎07-04-2023 12:41 AM
‎07-04-2023 12:41 AM
"READ: \S+ (/[^/]+)*/(?<filename>[^\s/]+) Rex is about compromises.  I have to make a few assumptions based on the illustrated sample data. "READ:" is perhaps a keyword and doesn't change from event to event. "*MDTM" is perhaps a classifier that may take different forms but that does not contain space. (\S) The path before file name is absolute, and can vary in depth. (See below.) File name contains no space. ([^s])  By convention, file name also does not include a path separator. (Combined with no space, that's [^\s/]) After file name, there is either a space or end of the line. The expression contains two different repetition tokens.  + means repeat at least once, up to any number of times.  * means repeat zero to unlimited times.  Parentheses in standard regex is just grouping.  So, (/[^/]+)* matches /abc, /abc/def, /abc/def/ghi; but (/[^/]+)* zero-length string, so (/[^/]+)*/ also matches /. Hope this helps. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-04-2024 06:50 AM