cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Mr_Sneed
Explorer
Member since: ‎02-14-2024
‎03-09-2024
Community Statistics
Posts 7
Solutions 0
Karma Given 3
Karma Received 1
Member Since ‎02-14-2024
Activity Feed
View All

Re: inputs configuration and location.

by in Knowledge Management
‎02-20-2024 04:15 AM
‎02-20-2024 04:15 AM
Thank you for the information. It is very helpful!   ... View more

inputs configuration and location.

by in Knowledge Management
‎02-20-2024 01:20 AM
‎02-20-2024 01:20 AM
Hello all, I am confused on which machines I am intended to have my inputs.conf files configured.  1. I am currently operating under the assumption that inputs.conf files are primarily for the indexer is this correct? 2. If I update an inputs.conf file do I need to push the updated file through my deployment server so that the inputs.conf files tied to the applications on the S.U.F reflect in the same changes made on the manager. a. I have raw xml data populating and I wish to fix this so that it is easier to read... Currently there is no source type in my inputs.conf. I believe applying an appropriate source type in the inputs.conf is the first step to fixing this problem.  b. There are multiple stanzas in inputs.conf. Do I need to apply a source type to each of the stanzas that have to do with sending xml logs or is their a way to apply this change on global scale? Z. Will someone please explain the difference between source and source type I have read the documentation on the manner and am still uncertain in my understanding.   Thanks for the help in advance!   ... View more

Re: how to edit logs to not look like raw text

by in Getting Data In
‎02-18-2024 03:25 AM
‎02-18-2024 03:25 AM
PickleRick, I found the answer to my question.   The answer : If when searching an index for data you come across an event that appears to be raw text... Note the source type and verify it is created (settings > source types >( search the specific index and create it if it does not exist) (in Search and reporting) click the drop down associated with the event that contains "raw" text. click the drop down titled "Event Actions." select extract fields. observe the log and select the appropriate delimiter. name your fields. assign appropriate permissions. and enjoy.   To answer your questions I chose not to use Splunk base apps or addons for this particular task because these particular apps and addons are not intuitive to configure and hard to find usable documentation for.  I do not know how to identify if I am using fast mode search or not.   Thanks for the help     ... View more

how to edit logs to not look like raw text

by in Getting Data In
‎02-17-2024 04:51 AM
‎02-17-2024 04:51 AM
Currently I am feeding Splunk Zeek logs (formerly known as bro) via the monitor command. Some of the logs in the Zeek index are being parsed correctly. Other logs, however, are still appearing as raw text.  I remember in the past there was a certain link in the settings where I could specify how to extract each field in the event what to call the field and what data belonged to it.  I also remember being able to test the specific settings I was applying via a log of the same index/source type. Any help interpreting what I am trying to communicate or guidance as to finding that specific page I am looking for is very much appreciated.  ... View more

Re: splunk forwarder is not connecting to the splu...

by in Installation
‎02-15-2024 12:09 AM
1 Karma
‎02-15-2024 12:09 AM
1 Karma
in splunk.log I had an interesting log that mentioned something about the hostname and not being able to resolve it. I changed the hostname and everything works. Thanks for the help ... View more

splunk forwarder is not connecting to the splunk m...

by in Installation
‎02-14-2024 10:28 AM
‎02-14-2024 10:28 AM
My forwarder refuses to connect to the manager over 8089.  firewall is allowing traffic set deploy-poll is working and yet I cannot see the connection even be attempted via netstat on the splunk universal forwarder (nix) UF ---> HF   here is my deploymentclient.conf [deployment-client] [target-broker:deploymentServer] #this was part of default after command was run deploymentServer=x.x.x.x:8089 targetUri = 10.1.10.69:8089  #this was part of default after command was run ... View more

splunk ingestion

by in Getting Data In
‎02-14-2024 04:41 AM
‎02-14-2024 04:41 AM
New Splunk instance throwing error after deploying apps. Please help   Root Causes --V events from tracker.log have not been seen for the last 2190 seconds which is more than the red threshold   LOG --v TIME (happening multiple times a millisecond) -0500 INFO Tailing Processor [MainTrailingThread] adding watch on path:/opt/splunk/* ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-09-2024 05:48 AM
Karma from
View All
Karma given to