About dolj

dolj · ‎03-27-2025

Very helpful it is set to stream XML so I guess that is the issue and I need to either find a way to deal with it or modify the setting which as you mentioned looks easier said than done.

dolj · ‎03-26-2025

Sorry for being vague I am trying to build the app using the Splunk Add-On-Builder using a rest api call. The problem I am having is the logs are coming in, in one big blob and I have tried multiple line_breaker options and tested them in regex101. With respect to the streaming mode. I checked all the .py files associated with the app and could not find any instances of <streaming_mode>xml</streaming_mode> or <streaming_mode>simple</streaming_mode> in any of them. is it one of the cases where i have to add it? Does Splunk default to XML?

dolj · ‎03-25-2025

As mentioned above the events are coming in as one big blob not broken into separate events based on the line breaker above.

dolj · ‎03-25-2025

Hi Community, I have a JSON data source that I am trying to get into Splunk via a heavy Forwarder using a custom built app that uses an API call. For some reason my LINE_BREAKER seems to be getting ignored every line ends and starts as follows. myemail@this-that-theother.co"},{"specialnumber":"number" the line break is the comma between the open and close curly braces..... IOW ,{ this is the line I am using in my props.conf LINE_BREAKER = (\,)\{\" for some reason the data continues to come in, in one big blob of multiple events. This is my props.conf KV_MODE = json SHOULD_LINEMERGE = 0 category = something pulldown_type = 1 TZ = UTC TIME_PREFIX=\"time\"\:\" MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT =%Y-%m-%dT%H:%M:SZ TRUNCATE = 999999 LINE_BREAKER = (\,)\{\" EVENT_BREAKER_ENABLE = false Time comes in as such "time":"2025-03-25T19:36:35Z" Am I missing something?

dolj · ‎03-13-2025

@livehybrid, both suggestions look great but I am trying to have a field in a table dynamically change based on the result. So one filed in multiple columns will have different colors based on the results in that field. The idea is to call out the results in red that are >=(+-15).

dolj · ‎03-12-2025

I am trying to change the color of a result based on its deviation from zero. the numbers can be both positive and negative. The range I am trying to implement is as follows, (-10) <- 0 -> 10 should be #ff0000 (-15) <- (-10) and 10->15 should be #ff8c00 <- (-15) and 15-> should be #ff0000 basically any result from 0 to plus/minus 10 should be green, anything between plus/minus 10 and plus/minus15 should be orange and anything past plus/minus 15 should be red. Is this possible?

dolj · ‎03-11-2025

I am trying to find a way to compare the results listed in a table to each other. Basically the table lists the results of many different test where some test have the same names, but have been run and rerun so they have same test_names but different test_IDs. something like this test_name test_id Score Drift test 1 .98 100 test 1 .99 98 -2 test 1 1.00 100 2 test 2 .01 30 test 3 0.54 34 test 3 0.55 76 42 I am looking for a way to take the score from line one and have some sort of logic that will look at the result of the next line and if the test has the sane test_name BUT a different test_ID it will subtract the first lines score from the second lines score and continue along until the (for example) the next line has a different test_name and it skips the line until it finds another line where the following line have the same test_name. and it continues on until all scores are compared. The delta command almost works but I need to have the ability to say BY test_name something like | delta Score as Drift by test_name unfortunately delta doesn't accept by clauses I am trying to find a way to calculate the drift column using Splunk so I can create a detection where the drift exceeds a specific threshold.

dolj · ‎03-04-2025

What is the best practice to have a Splunk heavy forwarder call out to a third party API and pull logs into Splunk. Most of the solutions I use have apps on Splunk base but this one does not. Do I have to build a custom add-on using something like the add-on builder?

dolj · ‎11-25-2024

with respect to the Magic 8 should you always try to include them in the props of your various source types for a data set? I am slightly confused as if this is a best practice why most pre-configured TAs on splunkbase include the magic 3 or 4 what happened to the rest of them? Is it always a best practice to include all 8?

dolj · ‎08-09-2023

Can you leverage the total derived using the addcoltotals command to support other calculations? i.e. can you use it to calculate a percentage? | addcoltotals count labelfield="total" | eval percent=((count/total)*100) | table host count percent

dolj · ‎04-27-2023

I see there is a limit in the inputs.conf (1-9) but what about the serverclass.conf file? There is no mention in the documentation. https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Inputsconf

dolj · ‎02-11-2023

is there a format that needs to be adhered to when using a blacklist with regex? I am trying to format "New Process Name:" with a regex that will extract events from a specific data source. I have tested the regex with regex101 and it identifies the events that I want to filter and is basically blacklist3 = New\sProcess\sName\:\s+C\:\\Program\sFiles\s\(x86\)\\...... should that work or do I need to format it something more like blacklist3 = New Process Name = C\:\\Program\sFiles\s\(x86\)\\...... my current blacklist is resulting in ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"" splunk-winevtlog - Processing: 'blacklist3' [legacy], range error found in 'regex'...... According to this document, https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/Whitelistorblacklistspecificincomingdata blacklist = <your_custom_regex> should work. Thanks

dolj · ‎06-13-2022

is there a best practice search to find the last event sent at the start of an outage and the first event the come in after the outage for a specific data source was rectified? Basically what is the best was to identify the outage window in one search?

dolj · ‎05-24-2020

not sure why but it wasn't working and it now is. I found this log related to the web UI 05-24-2020 23:12:06.172 -0400 ERROR UiHttpListener - An applicaiton server has exited unexpectedly, web UI cannot be used until it is restarted

dolj · ‎05-23-2020

the only thing in ./local/web.conf is [settings] startwebserver = 1 ~ this is a test DS that I am trying to upgrade before hitting prod.

dolj · ‎05-23-2020

checked the splunkd.log while restarting and there were no WARN or ERROR messages only INFO. When you tail the splunkd.log there are not entries written while starting, stopping, or restarting.

dolj · ‎05-22-2020

I have just upgraded my Splunk deployment server from 7.3 to 8.0 and after upgrading the web UI will not come up. I was trying to troubleshoot and was looking at the web_service.log but for some reason it is empty (0 bytes). I cannot figure out why it is not getting any logs or why the UI drops after the upgrade. Any suggestions would be greatly appreciated.

dolj · ‎05-05-2020

I Installed 6.5.10 and configured all windows event logs locally and see events coming in but nothing in the borwser index and nothing in the dashboar even after a restart.

dolj · ‎05-02-2020

Hello, I am new to Splunk and am trying to get the browsing histroy analysis app running on splunk eterprise (demo) that is capturing local logs as well as logs from a UF. I am stummped as I do not know what data input to use and there is not very much documentaion. That I have be able to find. Any help getting the data input setup would bre greatly appreciated. Thanks

Posts	19
Solutions	0
Karma Given	1
Karma Received	0
Member Since	‎05-02-2020

Online Status	Offline
Date Last Visited	‎05-14-2025 08:50 AM

LINE_BREAKER is being ignored

use colorpallette to change color of extremes on a...

comparing scores

Pulling data into splunk via API

Props and the Magic 8

using addcoltotals

Is there a limit to the number of white/blacklists...

inputs.conf blacklist format- Is there a format th...

What is the best was to identify the outage window...

Web_service.log is empty after upgrading from Splu...

Re: LINE_BREAKER is being ignored

Re: LINE_BREAKER is being ignored

Re: LINE_BREAKER is being ignored

LINE_BREAKER is being ignored

Re: use colorpallette to change color of extremes ...

use colorpallette to change color of extremes on a...

comparing scores

Pulling data into splunk via API

Props and the Magic 8

using addcoltotals

Is there a limit to the number of white/blacklists...

inputs.conf blacklist format- Is there a format th...

What is the best was to identify the outage window...

Re: Web_service.log is empty after upgrading from ...

Re: Web_service.log is empty after upgrading from ...

Re: Web_service.log is empty after upgrading from ...

Web_service.log is empty after upgrading from Splu...

Re: Data input for Browsing History analysis app

Data input for Browsing History analysis app

Are you a member of the Splunk Community?