Activity Feed
- Posted Re: Why are _internal logs from heavy forwarder(HF) not getting to indexers after a Splunkd restart but _audit are? on Monitoring Splunk. 10-05-2022 10:23 AM
- Karma Re: Splunk timezone change for a specific sourcetye for bsriramineni_sp. 06-23-2022 12:02 PM
- Posted Re: Why is _time order not maintained within my summary index? on Knowledge Management. 12-02-2021 10:34 AM
- Posted Re: Setting the timestamp when using the collect command on Knowledge Management. 12-02-2021 10:33 AM
- Got Karma for Re: Unable to Collect SMBServer/Audit logs. 11-23-2021 12:47 PM
- Posted Re: Unable to Collect SMBServer/Audit logs on Getting Data In. 11-23-2021 09:32 AM
- Got Karma for Re: Unable to Collect SMBServer/Audit logs. 11-16-2021 02:17 PM
- Posted Re: Unable to Collect SMBServer/Audit logs on Getting Data In. 11-16-2021 11:05 AM
- Posted Re: Latest eStreamer not CIM compliant? on All Apps and Add-ons. 06-29-2021 07:12 AM
- Posted Re: How to get AD FS 2.0 WinEventLogs into Splunk? on All Apps and Add-ons. 05-27-2021 01:56 PM
- Karma Re: Getting Zoom Data into Splunk for melissap. 05-20-2021 07:07 AM
- Posted Re: Entire file contents as a single event on Getting Data In. 05-17-2021 10:06 AM
- Posted Re: sort columns that with the highest Total to the left on Splunk Search. 03-02-2021 08:40 AM
- Posted Re: How to deploy self-signed certs to deployment clients using the deployment server on Security. 02-16-2021 06:45 AM
- Posted Re: How to deploy self-signed certs to deployment clients using the deployment server on Security. 02-16-2021 06:45 AM
- Posted Re: Users missing from Access Control on Security. 02-09-2021 07:37 AM
- Karma Re: How to deal with datamodel retention period as summary range is not working for lguinn2. 01-20-2021 08:09 AM
- Posted Re: Can I configure universal forwarder to listen to a TCP port? on Getting Data In. 12-07-2020 10:16 AM
- Karma Add static HTML panel to simple HTML dashboard and reference local static content for tmuth_splunk. 12-01-2020 09:49 AM
- Karma Re: Can inputs.conf be reloaded without restarting splunkd? for skippylou. 12-01-2020 09:08 AM
10-05-2022
10:23 AM
Run /opt/splunk/bin/splunk btool outputs list --debug. You should see that the whitelisted index list does not include _internal. It is a precedence issue. For us the issue was because the SplunkForwarder app did not include _internal in the whitelist for indexes. Just put this in /opt/splunk/etc/system/local/outputs.conf OR /opt/splunk/etc/SplunkForwarder/local/outputs.conf:

```
[tcpout]
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
```
12-02-2021
10:34 AM
So I figured out a way to retain _time. Whatever you are bringing over into your summary index (source, sourcetype, fields of your choice), create your own _raw field. In my instance I created _raw as below:

```
| eval _raw=_time.":".source
| table _raw ALL OTHER FIELDS YOU WANT
| collect index=SI
```

This will retain the _time value in your summary index. If this works for you please upvote this response!
11-23-2021
09:32 AM
1 Karma
What sourcetype did your data come in with? Did you have to create the sourcetype?
11-16-2021
11:05 AM
1 Karma
Is that the correct path of where those logs are actually located? Also, you are going to want to make sure that Splunk is able to capture from that location. You might want to check permissions on the Windows event log configuration.
06-29-2021
07:12 AM
I am seeing in the eStreamer-Dashboard app that those eventtypes exist. Is this correct? Should they be in the TA or App?
05-27-2021
01:56 PM
Is this still good in 2021?
03-02-2021
08:40 AM
How would I do the same thing with this search?

```
index="prod_license_summary"
| rename indexname as idx
| eval GB=MB/1024
| lookup index_list.csv idx OUTPUTNEW idx environment owner
| table _time idx sourcetypename GB environment owner
| where owner="ghprod" AND environment="prod"
| timechart limit=0 span=1d sum(GB) by sourcetypename
| fillnull value=0
| addcoltotals labelfield=_time label="Total"
| sort Total
```
02-16-2021
06:45 AM
Also the cert will be in the local directory of that app.
02-16-2021
06:45 AM
I have a customer that has four different outputs apps being sent from the DS to different types of UFs. We are thinking of putting each of the SSL certs in these different apps and pushing them to the designated forwarders. Question for you: as long as I put the correct path in clientCert, this will work properly, correct? So for example, in /opt/splunk/etc/apps/myexternalapp/local/outputs.conf:

```
clientCert = $SPLUNK_HOME/etc/apps/myexternalapp/local/splunk-forwarder.pem
sslPassword = shabadooo
sslVerifyServerCert = true
sslVersions = tls
```
02-09-2021
07:37 AM
Hello, I am experiencing this issue as well with SAML and using Splunk 8.1.2. We have over 50+ users in SAML. They are being mapped in authentication.conf to roles that do exist. When I run the REST call above it only shows me 20 users. These 20 users are also the only ones showing up in the GUI. But when I run that REST command and add the username of someone who is missing, it returns results for that user. I need some assistance here and I have a feeling that this may be a bug ticket. Does anyone have any information at all?
12-07-2020
10:16 AM
@richgalloway I cannot find any documentation on caveats or issues with TCP inputs on UFs. I am in a bit of a quandary: my customer is in Cloud and does not have an HF on prem. They have an IDM in Cloud, but the Cloud team told us we cannot configure TCP inputs on an IDM. We do have a UF on prem. Could we set up the TCP inputs on the UF without any issues moving forward? This is for Zscaler.
09-01-2020
11:25 AM
I am also having issues with the host field appearing when I run a search for this data. I commented out the field alias in props and for some reason the host field still does not exist in the search. When running a tstats on the index by host we see values for host, but not when we simply search the data.
06-02-2020
05:53 AM
According to the documentation below, there is not an option for eventSorting=realtime.
Indicates if the events of this search are sorted, and in which order.
asc = ascending;
desc = descending;
none = not sorted
Would the actual setting to be used be isRealTimeSearch?
04-02-2020
08:15 AM
- How does this app bring in data? I know the script pulls in the data, but is there anything I need to do to have the script run? I see there are two sourcetypes being used, one in the inputs.conf and one in the props.conf, so on Sunday will it download the files and use the sourcetype in the props.conf? I have downloaded the app; do I just wait until Sunday to have the data ingest?
- After changing the directory in the script to where the files will be downloaded, as well as changing the interval (cron schedule) in the inputs.conf, I am not seeing that data downloaded to my directory. Am I missing something?