I just added additional  SEDCMD-removereset=s/\x1B\[0;m//g   ... View more

small correction:  if the application contains -(hyphen) then the regex from your search is not matching. for example application applications.Splunk_TA_bit9-carbonblack.stateOnClient I would suggest using below regex that will capture first . (period) to next .(period) applications\.(.*)\.stateOnClient ... View more

I have the same problem with MonitorNoHandle for dns.log. Did you solved it? ... View more

I would use the Splunkbase app Slack Notification Alert https://splunkbase.splunk.com/app/2878/#/overview. In the body of the alert you can use $result.host$ to refer to the hostname. ... View more

I'm seeing this as well. Has there been any resolution to this? It's as if the forwarders just stop reporting and need to be restarted again. ... View more

yes, it looks fine just use sort instead of reverse . Also to solve conflicts due to duplicates try this <input type="dropdown" token="field2" searchWhenChanged="true"> <label>date</label> <fieldForLabel>field2</fieldForLabel> <fieldForValue>field2</fieldForValue> <search> <query>| gentimes start=-240 increment=14d | eval starthuman=strftime(starttime,"%m/%d/%Y") | eval endhuman=strftime(endtime,"%m/%d/%Y") | bin span=14d endtime | eval field2=starthuman." - ".endhuman | table field2 | sort field2</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> </input> field-label/value/token/and query field-name needs to be same. ... View more

try putting comma separated list of machineTypesFilter ... View more

Which would be a more efficient search for your car keys? "somewhere in Texas" OR "somewhere in Dallas" OR "somewhere in my house" The more details that you give, the fewer places (buckets of compressed data) need to be searched. If you know that index="Dallas" AND sourcetype="my house", then say so! That being said, as long as you are fully qualifying indexed fields (e.g. host="MyHost"), it is MUCH less of a big deal. Also, if this is ad-hoc stuff, it is not too bad. It can really add up, though, if you save and schedule open-ended searches like this. A running search fully consumes a core on each indexer and the search head. ... View more

Any idea if this can be fixed for vmstat.sh. We're getting broken pipe errors. ... View more

What I have configured, which I do not like as it is not dynamic, is added: _meta = heavy_forwarder::rsyslog.fqdn To the /etc/system/local/inputs.conf file on each of the rsyslog hosts under the default stanza. I had to do this due to wanting to use the host regex on the monitor path for hostname. Also had to add the fields.conf on the IDXC/SHC members to be able to search for them properly. Don’t get me wrong, this works fine... It is just not as dynamic and requires me to start using puppet (which is ok, it is just another place for configurations that IMO should/could be managed by the deployment server dynamically via inputs.conf in specific inputs apps) to dynamically generate the rsyslog fqdn for the _meta tag I want to create in the system/local/inputs.conf file (per host) as new hosts are spun up. This just seems like an oversite (not being able to use system variables in config files) - especially for systems running as Heavy Forwarders on Syslog hosts. ... View more

Cheers, Thanks! ... View more

Yep! Check out the Custom Table Cells examples in 6.x dashboard examples app ( https://splunkbase.splunk.com/app/1603/) OR here: http://dev.splunk.com/view/webframework-developapps/SP-CAAAEUB ... View more

Other alternatives include: https://github.com/paychex/Splunk.Conf19 PayChex cover your assets (conf presentation/example queries) https://splunkbase.splunk.com/app/4182/ Git Version Control for Splunk You may also wish to vote for https://ideas.splunk.com/ideas/E-I-7 on the ideas.splunk.com website but make sure you understand how it works first, you will find the Ideas documentation here ... View more

** Modified powershell to skip if 7.2.4 already exists on system** ** Modified .bat file to only run once at service start** ** This allows you to install and not loop Uninstall-Install of same UF update** I used this process to remove older version of windows UF and upgrade using app deployment. Main piece was batch file in /bin/scripts directory that allowed me to run what ever I needed. You need to create app with files and directories listed below on deployment server, create a server class to add your old UF clients and push out using normal app deployment process. Make sure to remove clients from server class once they are upgraded. This process removed older version 7.2.x, and installs 7.2.4. It also removes old and adds new Deployment Server configuration to UF client that your upgrading. My Deployment server then pushed out any default apps my windows systems needed. Its not pretty but it works and you can improve it. I had to modify directory names so careful that scripts match what you create. App location: /opt/splunk/etc/deployment-apps/windows_ufupdate7.24/ App contents and folders you have to create /local/app.conf (blank file needed for Deployment server) /bin/splunkforwarder-7.2.4-8a94541dcfac-x64-release.msi (downloaded from splunk.com) /bin/SplunkFullInstall.ps1 (example below) /bin/CopyConfigs.ps1 (adds app to UF client with the Deployment server IP. Example below) /bin/scripts/installer.bat (example below) /bin/configfiles/deploymentclient/local/app.conf (blank file needed for Deployment server) /bin/configfiles/deploymentclient/local/deploymentclient.conf (example below) /default/inputs.conf (needed to execute windows bat file. Example below) /bin/SplunkFullInstall.ps1 $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent()) $testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) if ($testadmin -eq $false) { Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition)) exit $LASTEXITCODE } #### SPLUNK 7.2.4 New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT $regkeypath= "HKCR:\Installer\Products\F63C3FFC168A520418A4FF5C143E9D11" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Write-Host "The value does exist" Start-Sleep -s 25 exit} Else {Write-Host "The value does not exist"} $regkeypath= "HKCR:\Installer\Products\562176F993A508143953E0C4217E1283" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\562176F993A508143953E0C4217E1283 -Recurse} Else {Write-Host "The value does not exist"} $regkeypath= "HKCR:\Installer\Products\D8F76B23C2EAA254395F55894752D642" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\D8F76B23C2EAA254395F55894752D642 -Recurse} Else {Write-Host "The value does not exist"} $regkeypath= "HKCR:\Installer\Products\E698A50C4F506B941A19CF921B63B218" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\E698A50C4F506B941A19CF921B63B218 -Recurse} Else {Write-Host "The value does not exist"} #### SPLUNK 6.3.0 $regkeypath= "HKCR:\Installer\Products\C042F9A1CE44AA641A538C56CC9204B1" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\C042F9A1CE44AA641A538C56CC9204B1 -Recurse} Else {Write-Host "The value does not exist"} #### SPLUNK 6.6.1 $regkeypath= "HKCR:\Installer\Products\38133C98C7FC0BA42863BB91DCE49DC1" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\38133C98C7FC0BA42863BB91DCE49DC1 -Recurse} Else {Write-Host "The value does not exist"} #### SPLUNK 6.5.2 $regkeypath= "HKCR:\Installer\Products\D9D0997EE40A2E545AF41AA604E579C7" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\D9D0997EE40A2E545AF41AA604E579C7 -Recurse} Else {Write-Host "The value does not exist"} #### SPLUNK 6.5.3 $regkeypath= "HKCR:\Installer\Products\727981DA44845B34E97839CA1F7880DA" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\727981DA44845B34E97839CA1F7880DA -Recurse} Else {Write-Host "The value does not exist"} #### SPLUNK 6.6.3 $regkeypath= "HKCR:\Installer\Products\E6FA769F0A983BE4CABE3C4CB5E03FEE" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\E6FA769F0A983BE4CABE3C4CB5E03FEE -Recurse} Else {Write-Host "The value does not exist"} #### SPLUNK 7.0.1 $regkeypath= "HKCR:\Installer\Products\4E3F41596A1605B488E5410B7345105E" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\4E3F41596A1605B488E5410B7345105E -Recurse} Else {Write-Host "The value does not exist"} # SPLUNK 7.2.1 $regkeypath= "HKCR:\Installer\Products\1B38171A5C10C7C47A5E38811D50D4C8" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\1B38171A5C10C7C47A5E38811D50D4C8 -Recurse} Else {Write-Host "The value does not exist"} # SPLUNK 7.2.3 $regkeypath= "HKCR:\Installer\Products\ADD0EC2EB45B100469D56B727798A671" $value1 = (Get-Item $regkeypath) -eq $null If ($value1 -eq $False) {Remove-Item -path HKCR:\Installer\Products\ADD0EC2EB45B100469D56B727798A671 -Recurse} Else {Write-Host "The value does not exist"} stop-service SplunkForwarder stop-service Splunkd Start-Sleep -s 15 Remove-Item 'C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf' -Force -ErrorAction SilentlyContinue Invoke-Command -scriptblock { msiexec.exe /q ALLUSERS=2 /m MSIASQSH /i "$PSScriptRoot\splunkforwarder-7.2.4-8a94541dcfac-x64-release.msi" AGREETOLICENSE=Yes SPLUNKPASSWORD=buddy-holly-weezer } Start-Sleep -s 15 Copy-Item "$PSScriptRoot\ConfigFiles\*" $env:programfiles\SplunkUniversalForwarder\etc\apps -Force -Recurse Start-Sleep -s 30 restart-service SplunkForwarder Start-Sleep -s 30 start-service SplunkForwarder Batch file */bin/scripts/installer.bat * @ECHO OFF PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& "$env:programfiles\SplunkUniversalForwarder\etc\apps\utsa_windows_uf_7.2.4\bin\SplunkFullInstall.ps1"" inputs.conf tells app to launch batch file /default/inputs.conf [script://.\bin\scripts\installer.bat] interval = -1 ** point client to Deployment Server** ** /bin/configfiles/deploymentclient/local/deploymentclient.conf ** [deployment-client] [target-broker:deploymentServer] # Change the targetUri targetUri = 10.5.5.155:8089 ** update Deployment server on client** /bin/CopyConfigs.ps1 $currentUser = New-Object Security.Principal.WindowsPrincipal $([Security.Principal.WindowsIdentity]::GetCurrent()) $testadmin = $currentUser.IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) if ($testadmin -eq $false) { Start-Process powershell.exe -Verb RunAs -ArgumentList ('-noprofile -noexit -file "{0}" -elevated' -f ($myinvocation.MyCommand.Definition)) exit $LASTEXITCODE } Copy-Item "$PSScriptRoot\ConfigFiles\*" $env:programfiles\SplunkUniversalForwarder\etc\apps -Force -Recurse Start-Sleep -s 10 restart-service SplunkForwarder ... View more