×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
dougsummersett
New Member
Member since: ‎09-28-2017
‎06-05-2020
Community Statistics
Posts 7
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-28-2017
Activity Feed
View All

Re: How to adjust search to include names that are...

by in Splunk Search
‎11-26-2019 04:34 PM
‎11-26-2019 04:34 PM
Here is a run-anywhere search that proves that hyphenated searches do work: index=_* AND "data.instance_guid"="*-*-*-*-*" Are you saying that one of your datasets has stripped the hyphens and apostrophes from the dataset so you need to normalize one side or the other to do the search? ... View more

Re: Users can't see new data source in existing in...

by in Security
‎03-19-2018 05:24 PM
‎03-19-2018 05:24 PM
you can look in the _audit and _internal indexes for that user to see if there are any errors and which searches they ran. Does that compliance role inherit from the user role? Or another role maybe? If the users are mapped to that role and that role has access to the index, then I'm wondering if it's missing something like the search capability? ... View more

Re: Error trying to add csv

by in Getting Data In
‎01-23-2018 10:36 AM
‎01-23-2018 10:36 AM
Sounds like you might have a permissions issue or some missing files on your Splunk box. Check here and see if your files are complete. https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/ChecktheintegrityofyourSplunksoftwarefiles If not, the solution is to fix pemissions (examples --Right click in windows or sudo chown -R splunk:splunk /opt/splunk/) And then reinstall (or upgrade to 7.0.1) On a side note.. For kicking files into my test stand-alone 500mb splunk I just setup a folder on my workstation called dump, and then added this to my local splunk forwarder inputs.conf file. Then on my Windows workstation I can just drag files into c:\dump and the forwarder just grabs it for me. [monitor://C:\dump\*] disabled = 0 recurse=true followTail = 0 sourcetype=dump ignoreOlderThan = 10d index = main ... View more

Re: Error messages when I try to connect the unive...

by SplunkTrust in Getting Data In
‎09-28-2017 11:47 PM
‎09-28-2017 11:47 PM
Hi dougsummersett, the first messages means that the new UFs cannot connect to the Deployment Server. You can test this using telnet on the management port (usually 8089). Did you configured Deployment Server? If not, message isn't important. If yes and connection is OK, check if your UF is seen by the Deployment Server. When you say: "The deployment is setup to listen on port 9997." are you speaking of Indexer? To debug connection with Indexers, at first test connection using telnet on 9997 port telnet team-splunk01 9997. After configure outputs.conf on the forwarders to send logs to Indexers (I usually use Deployment Server, but it's possible to do this also manually. When outputs.conf is Ok to send logs to indexers (and Splunk restart) check if Indexers are receiving internal logs (index=_internal host=Universal_Forwarder_hostname). If it's OK I suggest to use Splunk_TA_Windows (eventually distributed by Deployment Server) to take Windows logs. Bye. Giuseppe ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM