About vinod94

vinod94 · ‎05-09-2020

Glad to know that it worked.

vinod94 · ‎05-06-2020

Can you try moving the app which basically resides in cluster master to some other directory and then push the bundle(which basically will push the app without TA-nix) and see if the app is still in etc/apps on the slaves.

vinod94 · ‎05-06-2020

This link might help you.. https://docs.splunk.com/Documentation/Splunk/8.0.3/Indexer/Updatepeerconfigurations#Settings_that_you_should_not_distribute_through_the_configuration_bundle

vinod94 · ‎05-06-2020

Hi dyude, @tfechner , Can you try removing the app from cluster master and then push the bundle. Then, try deleting the app from etc/apps. Once the app is gone from etc/apps you can again install the app from cluster master. I hope none of your indexers are connected as deployment client which has Nix app in the corresponding server class. Just mentioned it for the safe side.

vinod94 · ‎04-14-2020

Hi dyude @conwaw , Try this, Stop the Splunk service. Rename the server.pem($SPLUNK_HOME/etc/auth) to server.pemck or move the pem file. Start the Splunk service. It will generate a new server.pem Let me know if this helps. 🙂

vinod94 · ‎04-04-2020

Hi @spaniard047 , Where have you installed the addon? The addon should be on search head, indexer and forwarder.

vinod94 · ‎04-02-2020

Hi dyude @dmenon , You can try this, rex field=username "(?P<username>[^\.]+)"

vinod94 · ‎03-03-2020

This might help you! https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad

vinod94 · ‎02-20-2020

Hi @satoishi , これを試してもらえますかポート8089が開いているかどうかを確認します。ユニバーサルフォワーダーから8089にtelnetで接続できます次のコマンドを実行して、展開サーバーが正しく設定されているかどうかを確認することもできます ./splunk show deploy-poll Linux用 .\splunk show deploy-poll Windows用展開サーバーを指しているかどうかを確認しますこれが役立つかどうか教えてください

vinod94 · ‎02-09-2020

Glad it worked for you 🙂

vinod94 · ‎01-26-2020

Hi dyude @jonsantos , Can u try this, On the deployment server create an inputs.conf file in the local diretory of winevt app( $SPLUNK_HOME/etc/deployment-apps/winevt/local/inputs.conf) and then try pushing the file. [WinEventLog://Security] disabled = 0 whitelist1 = EventCode=4625 An inputs.conf should get created in local directory of winevt app in the forwarder(C:\Program Files\SplunkUniversalForwarder\etc\apps\winevt\local\inputs.conf ). Check the permission of the inputs.conf file in forwarder. Search the logs with the given index name(if any). Let me know if this helps

vinod94 · ‎09-14-2019

Hi dyude @sandeepmakkena , You can try this , index=your index |rex field=gauge "ProcessorResponse\.Country\[(?P<Country>.+)\]Processor\[(?P<Processor>.+)\]PaymentType\[(?P<PaymentType>.+)\]\s(?P<reason>\w+)"

vinod94 · ‎08-22-2019

dyude @geoffmx , Can you try this, props.conf [msad:nt6:dns] TRANSFORMS-set= domain1,domain2 transforms.conf [domain1] REGEX = query\=subdom\.domain01\.com DEST_KEY = queue FORMAT = nullQueue [domain2] REGEX = query\=domain02\.com DEST_KEY = queue FORMAT = nullQueue Llet me know if it works for you!

vinod94 · ‎08-21-2019

hi dyude @dhirendra761 , its inputs.conf and outputs.conf, you can check the spelling. if it's proper then you can give this a shot... outputs.conf [tcpout:Group1] server=server1:9997 [tcpout:Group2] server=server2:9997 inputs.conf [WinHostMon://Service] _TCP_ROUTING = Group1 [monitor://D:\SATS\SecureLog\*\Logs_Status\*] _TCP_ROUTING = Group2

vinod94 · ‎08-19-2019

Hi dyude @charlesukah, You can refer this blue print.. https://www.splunk.com/pdfs/training/Splunk-Test-Blueprint-Admin-v.1.1.pdf

vinod94 · ‎08-18-2019

@raphabaroudi, Did u check the connectivity between those forwarders and the Splunk instance?

vinod94 · ‎08-05-2019

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Route_inputs_to_specific_indexers_based_on_the_data_input

vinod94 · ‎08-05-2019

In the link it says it can be done through uf ... i thought that could be a workaround! But thanks for clarifying it 🙂

vinod94 · ‎08-04-2019

Hi @koshyk dyude, This link might help you! https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad

vinod94 · ‎08-04-2019

Hi @t_kubota , サンプルイベントをいくつか教えていただけますか？

vinod94 · ‎08-03-2019

Thank you!

vinod94 · ‎07-29-2019

I am reading with the script only here's the sample .. def openany(p): if p.endswith(".gz"): return gzip.open(p) else: return open(p) results_file = sys.argv[8] for row in csv.DictReader(openany(results_file)): description = "Alert Triggered for " + row["component"] + " value is " + row["count"] not sure if iam doing it in the right way!

vinod94 · ‎07-29-2019

Hi @harsmarvania57 , I've tried reading the file...but it throwing me an error.. search='sendalert test_dropdown results_file="/opt/splunk/var/run/splunk/dispatch/scheduler_adminsearch_RMD51340b9f59d2d65d1_at_1564127640_31/results.csv.gz "

vinod94 · ‎07-26-2019

how do I pass my search output results to a custom alert action script(test.py) which has some static parameters ? for ex. I have a statistics table which has two columns Hosts and Count.. I want to pass the results of these two columns to a static parameter say Description. Ive come across SPLUNK_ARG_8(sys.argv[8])... tried this but it am getting an error " Alert script returned error code 1., search='sendalert test_dropdown results_file="/opt/splunk/var/run/splunk/dispatch/scheduler_adminsearch_RMD51340b9f59d2d65d1_at_1564127640_31/results.csv.gz " . How do I use it in my script? Or is der any other way. Any suggestions? Below is part of my script def openany(p): if p.endswith(".gz"): return gzip.open(p) else: return open(p) results_file = sys.argv[8] for row in csv.DictReader(openany(results_file)): description = "Alert Triggered for " + row["component"] + " value is " + row["count"] # TODO: Implement your alert action logic here url = "https://ensrqbrq8xubd.x.pipedream.net" payload = '''{\"Description\\\":\\\"''' + description + '''\\\"}'''.encode('utf8') headers = { 'content-type': "application/json" } response = requests.request("POST", url, data = payload, headers=headers)

vinod94 · ‎07-19-2019

Dyude! You can try this, | makeresults | fields - _time | eval data="sip:+1234566@12.23.34.45" | rex field=data "sip\:\+(?P<Routing_Number>.*)\@"

Posts	92
Solutions	9
Karma Given	28
Karma Received	63
Member Since	‎09-17-2017

Online Status	Offline
Date Last Visited	‎06-28-2020 05:37 PM

How to pass alert results to custom alert action?

How to install splunk universal forwarder on multi...

Splunk App Fortinet Fortigate

Get total number of columns

Re: Automatic linux/nix-TA installation on indexer

Re: Automatic linux/nix-TA installation on indexer

Re: Automatic linux/nix-TA installation on indexer

Re: Automatic linux/nix-TA installation on indexer

Re: kvstore certificate renewal is not working...

Re: TA_Fortinet add on not extracting fields prope...

Re: Regex help please

Re: Filtering out data (from a forwarder) on Index...

Re: フォワーダー管理のクライアントの追加方法について

Re: Cisco App has stopped working after a recent "...

Re: Whitelist/Blacklist Event ID using Forwarder M...

Re: Field extraction

Re: Blacklisting DNS queries with nullQueue

Re: Splunk forward data not sending to multiple sp...

Re: Splunk Admin certification exam prep

Re: SplunkForwarder not reporting\showing up on se...

Re: Splunk Universal Forwader: Data sending to two...

Re: Splunk Universal Forwader: Data sending to two...

Re: Splunk Universal Forwader: Data sending to two...

Re: props.confとtransforms.confを使用したデータ取り込み時のフィルタの方...

Re: Splunk App Fortinet Fortigate

Re: How to pass alert results to custom alert acti...

Re: How to pass alert results to custom alert acti...

How to pass alert results to custom alert action?

Re: extract no.

Are you a member of the Splunk Community?