Hi @kannu, I understand: there are no eventtypes.conf and tags.conf (I don't understand how it was declared CIM compliant!). The only way is to consider them as custom and follow the normalization process using the Add-On Builder or the SA-CIM Validator. Ciao. Giuseppe
Hi @kannu, did this fix your problem? Currently I'm facing the same: setting DATETIME_CONFIG = Current inserts the file now in my configured schedule, but only the headers of the CSV file. Any suggestions?
@harsmarvania57 I found your solution more relevant to my case. I need to renew the RSA password; is it possible to change the RSA password during server.pem renewal?
Hello all, I am working on building use cases for PCI compliance. I just got to know that Splunk has a PCI compliance app for checking whether client data is PCI compliant or not. I'm just wondering if I can get sample data from somewhere to test my use cases and run the PCI compliance app as well. Thanks in advance, Manish Kumar
Well, I have figured out the answer to my problem. First I extracted the inner JSON from the main JSON event, then I used props.conf to index them as separate events; that way Splunk takes all fields with separate events.

[azure]
LINE_BREAKER = ((?<=\}),(?=\{)|[\r\n]+)
TRUNCATE = 0
SHOULD_LINEMERGE = false
SEDCMD-remove_prefix = s/{"body":{"records":.?\[//g
SEDCMD-remove_suffix = s/\]}.*}//g
Hello Splunkers,
Good day
I am stuck with one problem: I am monitoring .gz files using the UF and getting the data in Splunk as expected.
But when I checked splunkd.log, I saw the error below:
08-14-2019 02:34:43.158 -0500 ERROR ArchiveContext - From archive='E:\Tanium\Tanium Module Server\services\connect-files\output\SavedQuestion\Splunk-Running-Processes-with-MD5-Hash\Splunk-Running-Processes-with-MD5-Hash_2019-08-13T15-42-22.gz': Decompression error
Can anybody suggest how to get rid of it?
Thanks in advance
Kannu (manish kumar)
If you want to run it in PowerShell, please try the same command starting with &:
& "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd openssl x509 -in "C:\Program Files\SplunkUniversalForwarder\etc\auth\server.pem" -noout -enddate
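The one-liner above only prints the notAfter date. As an added example (not part of the original answer), the script below runs the same bundled OpenSSL from PowerShell, parses that date and reports how many days are left, exiting non-zero when renewal is due so it can run as a scheduled task. The install path and the 30-day threshold are assumptions; adjust them for your host.

```powershell
# Added example, not from the original answer. Reports days until the
# Universal Forwarder's server.pem expires, using the OpenSSL that ships
# with Splunk, so the cert can be renewed before the indexer rejects the
# forwarder's TLS connection. Assumed default install path and threshold.
$SplunkHome = "C:\Program Files\SplunkUniversalForwarder"
$SplunkExe  = Join-Path $SplunkHome "bin\splunk.exe"
$ServerPem  = Join-Path $SplunkHome "etc\auth\server.pem"
$WarnDays   = 30   # assumed threshold; pick what your renewal process needs

# openssl prints one line such as:  notAfter=Aug  3 15:42:22 2022 GMT
$raw = & $SplunkExe cmd openssl x509 -in $ServerPem -noout -enddate 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "openssl could not read ${ServerPem}: $raw"
    exit 2
}

# Strip the "notAfter=" prefix and collapse the padding OpenSSL inserts
# before single-digit days so ParseExact sees one consistent format.
$stamp = (($raw | Out-String) -replace '^\s*notAfter=', '').Trim() -replace '\s+', ' '
$expires = [datetime]::ParseExact(
    $stamp,
    "MMM d HH:mm:ss yyyy 'GMT'",
    [Globalization.CultureInfo]::InvariantCulture,
    [Globalization.DateTimeStyles]::AssumeUniversal)

$expiresUtc = $expires.ToUniversalTime()
$daysLeft   = [math]::Floor(($expiresUtc - [datetime]::UtcNow).TotalDays)
Write-Output ("server.pem expires {0:u} ({1} days left)" -f $expiresUtc, $daysLeft)

# A non-zero exit code lets a scheduled task or monitoring job act on it.
if ($daysLeft -lt 0) {
    Write-Warning "Certificate has already expired; renew it now"
    exit 1
}
elseif ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate expires in $daysLeft days; schedule renewal"
    exit 1
}
exit 0
```

The same check works against any PEM the forwarder or indexer presents (for example etc/auth/server.pem on an indexer) by changing $ServerPem; the -enddate output format is the same OpenSSL format in every case.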
@marycordova
After enabling all logging, I am still not able to fetch/search the data for any of the fields:
• Id
• Name
• Host_name
• OS_version
• State
• Agent_version
• Policy
• Last_logged_in_user
• Update_type
• Update_available
• Background_detection
• Is_safe
• Date_last_modified
• Ip_address
• Mac_address
• Date_first_registered
• Date_offline
Well, most people send syslog directly to the Heavy Forwarder server. So if you don't have a separate syslog server, you can re-use the "syslog" software on the HF server itself as long as it is not heavily loaded.
esxi system (push via syslog) => Syslog server (collect using rsyslog or syslog-ng) => Splunk UF or HF can then send this to Indexer => Install addon on indexer/SH to extract fields (and on HF)
Please look at https://docs.splunk.com/Documentation/StreamApp/7.1.2/DeployStreamApp/FileTransfer and specifically the Configure section, where you can edit and enable FTP.
https://docs.splunk.com/Documentation/StreamApp/7.1.2/User/ConfigureStreams
@knielsen, your query is not returning the result in the manner I want:
SsdfWsdfC4 VMware, Inc.
SWsdfBeF5 VMware, Inc.
ansdfging5 5.0.3
asd1dfsing6 5.0.3
ansdfsdfg2 6.2.1
I'd use the Splunk app PDI: https://splunkbase.splunk.com/app/1901/
Or the latest Splunk data stream processing : https://www.splunk.com/en_us/software/stream-processing.html
Not exactly: the linked answer tells you to test the LDAP connection and connection information with another tool and visually check the results for verification purposes.
Anyway, have a look at @JDukeSplunk's answer on how to set up multiple OUs for userBaseDN.
cheers, MuS
See one of my recent answers in case your table has multi-values and you want to color them based on range: https://answers.splunk.com/answers/694420/is-it-possible-to-highlight-a-value-within-a-multi-1.html
As @teunlaan mentioned: the list forward-server command only shows things as active when there is actual data going across. If your only input runs just once every 5 minutes, then it will probably be silent for a good part of the time and therefore show as inactive.
If you put a watch on that command and keep your eyes on it when the scripted input triggers, you'll likely see it come to life.
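A "watch" that only prints transitions is easier to read than staring at repeated output. The script below is an added example, not code from the answer above: it polls `splunk list forward-server` on a Windows UF, parses the "Active forwards:" and "Configured but inactive forwards:" sections, and logs only when an indexer changes state, so the brief active window around a 5-minute scripted input is not missed. The install path, polling interval, round count and the assumption that the CLI is already authenticated are all mine.

```powershell
# Added example, not from the original answer. Polls `splunk list forward-server`
# and reports only when an indexer moves between the "Active forwards" and
# "Configured but inactive forwards" sections of the CLI output.
# Assumptions: default UF install path; CLI already authenticated (otherwise
# add -auth user:pass to the command); output layout is the two section
# headers above, each followed by indented entries or the word None.
$SplunkExe   = "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"
$IntervalSec = 10
$Rounds      = 60   # ~10 minutes: long enough to span two 5-minute input runs

# Parse the CLI output into a hashtable of indexer -> 'active' | 'inactive'.
function Get-ForwardState {
    $state   = @{}
    $section = $null
    foreach ($line in (& $SplunkExe list forward-server)) {
        if ($line -match '^Active forwards:')                  { $section = 'active';   continue }
        if ($line -match '^Configured but inactive forwards:') { $section = 'inactive'; continue }
        if (-not $section -or [string]::IsNullOrWhiteSpace($line) -or $line.Trim() -eq 'None') { continue }
        $state[$line.Trim()] = $section
    }
    return $state
}

# Describe a server's state in a snapshot, or 'absent' if it was not listed.
function Get-StateLabel([hashtable]$snapshot, [string]$server) {
    if ($snapshot.ContainsKey($server)) { return $snapshot[$server] } else { return 'absent' }
}

$previous = Get-ForwardState
$summary  = ($previous.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
Write-Output ("{0:HH:mm:ss} initial: {1}" -f (Get-Date), $summary)

for ($i = 0; $i -lt $Rounds; $i++) {
    Start-Sleep -Seconds $IntervalSec
    $current = Get-ForwardState
    foreach ($server in (@($current.Keys) + @($previous.Keys) | Sort-Object -Unique)) {
        $before = Get-StateLabel $previous $server
        $after  = Get-StateLabel $current  $server
        if ($before -ne $after) {
            Write-Output ("{0:HH:mm:ss} {1}: {2} -> {3}" -f (Get-Date), $server, $before, $after)
        }
    }
    $previous = $current
}
```

If an indexer never flips to active during a full interval of the scripted input, the problem is upstream of the output (the input not producing events, or a blocked queue), which is the case the single snapshot cannot distinguish from ordinary idle time.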