×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
skylasam_splunk
Splunk Employee
Member since: ‎10-17-2012
‎06-05-2020
Community Statistics
Posts 35
Solutions 8
Karma Given 2
Karma Received 24
Member Since ‎10-17-2012
Activity Feed
Topics I've Started
No posts to display.
View All

Re: How does Splunk 6.3 provide native support for...

by Splunk Employee in All Apps and Add-ons
‎10-18-2015 07:55 AM
1 Karma
‎10-18-2015 07:55 AM
1 Karma
Check out the documentation here - http://docs.splunk.com/Documentation/Splunk/6.3.0/Data/MonitorWindowsDatawithPowerShellscripts ... View more

Re: How to set command line parameters that splunk...

by Splunk Employee in Installation
‎02-17-2015 10:23 AM
‎02-17-2015 10:23 AM
You can control this by setting the SPLUNK_BINDIP in splunk-launch.conf. ... View more

Re: How to install a Windows universal forwarder v...

by Splunk Employee in Getting Data In
‎02-06-2015 11:47 AM
1 Karma
‎02-06-2015 11:47 AM
1 Karma
Please use a command line like this - msiexec /i splunkforwarder-6.2.1-245427-x64-release AGREETOLICENSE=Yes /quiet The /quiet is to suppress the GUI. You have to specify the msi in the command line which was missing in your invocation. ... View more

Re: What are the benefits of the KV store vs a tra...

by Splunk Employee in Splunk Search
‎10-28-2014 01:46 PM
‎10-28-2014 01:46 PM
When we talk about automatic lookups, we're referencing the capability described here - http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents#Edit_existing_automatic_lookups_or_configure_a_new_lookup_to_run_automatically This automatic lookup capability is not supported by KV store. Regarding the question around the "restricting lookups to running on the search head tier" - This is intended to call out the fact that any KV store lookup will need to occur on a Search head; i.e all SPL commands on a search string occuring after a KV store lookup will need to be run on the search head. ... View more

Re: What are the benefits of the KV store vs a tra...

by Splunk Employee in Splunk Search
‎10-28-2014 11:59 AM
9 Karma
‎10-28-2014 11:59 AM
9 Karma
Please take a look at the documentation here - http://dev.splunk.com/view/SP-CAAAEY7 ; specifically the table that discusses pros / cons of KV store vS CSV lookups. ... View more

Re: ODBC - How to pass parameter to a Saved Search...

by Splunk Employee in Splunk Search
‎09-11-2014 08:45 AM
‎09-11-2014 08:45 AM
No, this is not a supported scenario. You would have to craft the saved search so that you're doing the necessary filtering within the saved search. ... View more

Re: Windows Event Logs source and sourcetype names...

by Splunk Employee in All Apps and Add-ons
‎08-02-2014 10:43 AM
‎08-02-2014 10:43 AM
This is a known issue - http://docs.splunk.com/Documentation/Splunk/6.0/ReleaseNotes/KnownIssues#Windows-specific_issues It has been since fixed in UF 6.0.4+ and UF 6.1.x. You can upgrade to these versions which has the fix. Alternatively if you cannot upgrade, you can modify your props.conf file to also look for this lower case sourcetype. ... View more

Re: Splunk ODBC 32-bit on Windows 7 64-bit

by Splunk Employee in All Apps and Add-ons
‎04-14-2014 08:38 AM
‎04-14-2014 08:38 AM
Please capture traces and email them to devinfo@splunk.com so that we can investigate further. HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Splunk ODBC Driver\Driver set LogLevel to 5 and LogPath to a valid directory such as "c:" (without quotes) and then run the repro. ... View more

Re: How to use ODBC driver to connect to Splunk fr...

by Splunk Employee in All Apps and Add-ons
‎02-24-2014 10:09 AM
1 Karma
‎02-24-2014 10:09 AM
1 Karma
What version of Excel and PowerPivot are you using? Are you able to retrieve data just using Excel alone? ... View more

Re: odbc connector

by Splunk Employee in All Apps and Add-ons
‎02-21-2014 01:59 PM
‎02-21-2014 01:59 PM
Hi, Please do the following - 1. Open 32-bit ODBC administrator panel. 2. Click the System DSN tab; select the Splunk DSN and click configure. 3. What does your Server URL setting have ? It should be set like this - https:// : ; e.g https://10.225.196.112:8089 4. Make sure that the mgmt port on your Splunk search head is not being blocked by your firewall. ... View more

Re: Splunk for AD DNS Debug logging

by Splunk Employee in All Apps and Add-ons
‎02-19-2014 12:06 PM
‎02-19-2014 12:06 PM
Yes, you need to enable DNS debug logging. See http://technet.microsoft.com/en-us/library/cc759581(v=ws.10).aspx for details on how to do this. ... View more

Re: Splunk for AD Topology Issue

by Splunk Employee in All Apps and Add-ons
‎02-19-2014 11:23 AM
‎02-19-2014 11:23 AM
Do you see the Forest, Site, Domain, etc. information being populated? Are are those blank as well? ... View more

Re: Splunk app for MS active directory - no result...

by Splunk Employee in All Apps and Add-ons
‎02-05-2014 08:07 AM
‎02-05-2014 08:07 AM
Hi - Can you be more specific about which dashboard you're encountering this error with; is it the User logon failures? Please paste the URL if possible. Also, what version of the AD app are you running? ... View more

Re: Not collecting windows event logs (application...

by Splunk Employee in All Apps and Add-ons
‎02-04-2014 02:32 PM
‎02-04-2014 02:32 PM
Ok , got it. Yes, you should do the following - 1. Download and deploy the Windows Add-on - http://apps.splunk.com/app/742/ - to the relevant machine from which you want to collect the data. 2. Copy the contents of stanzas for "WinEventLog://" from $SPLUNK_HOME\etc\apps\splunk_ta_windows\default to $SPLUNK_HOME\etc\apps\splunk_ta_windows\local and set disabled=0 on them. 3. Restart splunk. ... View more

Re: Not collecting windows event logs (application...

by Splunk Employee in All Apps and Add-ons
‎02-04-2014 12:53 PM
‎02-04-2014 12:53 PM
Are you looking at the CAS performance dashboard at the IMAP and POP3 panel? Can you paste in the URL for the dashboard which is causing a problem for you? ... View more

Re: Splunk ODBC 32-bit on Windows 7 64-bit

by Splunk Employee in All Apps and Add-ons
‎02-03-2014 09:20 AM
‎02-03-2014 09:20 AM
Hi Asohahn, When do you get this error - "Driver's SQLAllocHandle on SQL_HANDLE_ENV failed."? Please provide the steps that you're doing in Excel. ... View more

Re: Application Server Monitoring

by Splunk Employee in All Apps and Add-ons
‎02-03-2014 09:00 AM
1 Karma
‎02-03-2014 09:00 AM
1 Karma
If you're looking for data to populate the Application Installs and Application crashes dashboards - then you need to make sure you're collecting data for the Windows event log Application channel. Hope that helps. ... View more

Re: Modifying the All Indexed Data dashboard for c...

by Splunk Employee in All Apps and Add-ons
‎01-07-2014 08:09 AM
1 Karma
‎01-07-2014 08:09 AM
1 Karma
A couple of things to check - 1. Does this user role have access to the new indices that you've setup? 2. Have you modified eventtypes.conf stanzas to include the relevant indices? For example - [windows_performance] search = index=perfmon (sourcetype="powershell" OR sourcetype="Perfmon:" OR sourcetype="WMI:Perfmon") 3. You can specify more than one index to target in the searches. ... View more

Re: Windows App Perfmon Data Input doesn't work

by Splunk Employee in All Apps and Add-ons
‎01-02-2014 12:51 PM
‎01-02-2014 12:51 PM
The performance monitoring dashboard not showing any data might be linked to the fact that lookups needed for the dashboard to function properly did not get created in time. Could you send the contents of the following files currently- $SPLUNK_HOME\etc\apps\windows\local\inputs.conf $SPLUNK_HOME\etc\apps\windows\default\inputs.conf ... View more

Re: Universal Forwarder Server 2012 R2 Hangs

by Splunk Employee in All Apps and Add-ons
‎12-27-2013 08:42 AM
1 Karma
‎12-27-2013 08:42 AM
1 Karma
Hi, We currently don't support Server 2012 R2. Can you try with Server 2012 instead which is officially supported. ... View more

Re: Splunk for Active Directory scheduled chg_user...

by Splunk Employee in All Apps and Add-ons
‎12-27-2013 08:36 AM
2 Karma
‎12-27-2013 08:36 AM
2 Karma
Hi, Thanks for reporting this issue. As a workaround, you could run the search below for security related changes; replacing the user with the user account you want to report on and then get the PDF for that user. Hope that helps. Search string - eventtype=msad-user-changes user= |eval adminuser=src_nt_domain."\".src_user|eval dest_user_subject=dest_nt_domain."\".user| msad-changed-attributes | session-to-host | ip-to-host | fix-localhost |table _time,src_ip,src_host,adminuser,msad_action,dest_user_subject,MSADChanges|rename src_ip as "Admin IP",src_host as "Workstation",adminuser as "Administrator",msad_action as "Action",dest_user_subject as "Target User",MSADChanges as "Changes" ... View more

Re: There was an error retrieving the configuratio...

by Splunk Employee in Getting Data In
‎10-08-2013 04:18 PM
‎10-08-2013 04:18 PM
Please cut/paste the contents of the following files - $SPLUNK_HOME\etc\apps\launcher\local\admon.conf and $SPLUNK_HOME\etc\apps\launcher\local\regmon-filters.conf and $SPLUNK_HOME\etc\apps\launcher\local\inputs.conf. ... View more

Re: Splunk for Active Directory - No incoming data...

by Splunk Employee in All Apps and Add-ons
‎09-24-2013 01:35 PM
‎09-24-2013 01:35 PM
A couple of things to check first to make sure Powershell scripts can run – 1. Set the PS execution policy on the UF - Set-ExecutionPolicy remotesigned 2. Make sure that the Powershell script itself is not blocked – Open the script in Windows explorer=>Properties; Go to the security tab and unblock. ... View more

Re: Which IP addresses to put in reputation.conf?

by Splunk Employee in All Apps and Add-ons
‎08-12-2013 12:58 PM
1 Karma
‎08-12-2013 12:58 PM
1 Karma
External (public) IP addresses of your outbound mail servers are the ones that need to be in the reputation.conf file ... View more

Re: Add commas to Exchange Table

by Splunk Employee in Splunk Search
‎06-12-2013 02:42 PM
1 Karma
‎06-12-2013 02:42 PM
1 Karma
Try using fieldformat at the end of the search string. Example below - eventtype="msexchange-mailbox-usage" User=""|dedup User|eval mailbox=1|eval mailbox200m=if(TotalItemSize>200000000,1,0)|eval mailbox500m=if(TotalItemSize>500000000,1,0)|eval mailbox1G=if(TotalItemSize>1000000000,1,0)|table User,TotalItemSize,mailbox,mailbox200m,mailbox500m,mailbox1G|addcoltotals labelfield=User label=Totals|search User=Totals|eval avgmailbox=round(TotalItemSize/mailbox)|table mailbox,mailbox200m,mailbox500m,mailbox1G,avgmailbox|rename mailbox as "# Mailboxes", mailbox200m as "# Mailboxes over 200Mb", mailbox500m as "# Mailboxes over 500Mb", mailbox1G as "# Mailboxes over 1Gb", avgmailbox as "Average Mailbox Size"|transpose 5|append [ search eventtype="msexchange-mailbox-usage" User=""|stats max(TotalItemSize) as maxmailbox|eval column="Maximum Mailbox Size"|eval "row 1"=maxmailbox|table column,"row 1"]|rename column as "Field","row 1" as "Value" | fieldformat Value=tostring(Value,"commas") ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
Karma given to
View All