Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About las
las
Contributor
Member since:
12-05-2011
05-07-2025
Community Statistics
| Posts | 143 |
| Solutions | 13 |
| Karma Given | 49 |
| Karma Received | 26 |
| Member Since | 05-12-2011 |
Activity Feed
- Karma Re: Is it possible to add _meta fields in DB Connect? for livehybrid. 05-07-2025 01:11 AM
- Posted Re: Is it possible to add _meta fields in DB Connect? on All Apps and Add-ons. 05-07-2025 01:10 AM
- Posted Is it possible to add _meta fields in DB Connect? on All Apps and Add-ons. 05-06-2025 05:28 AM
- Tagged Is it possible to add _meta fields in DB Connect? on All Apps and Add-ons. 05-06-2025 05:28 AM
- Posted Re: Configure Splunk Infrastructure Monitoring Add-on to give users access to sim command on Splunk Search. 12-09-2024 07:13 AM
- Got Karma for Re: Unable to create incident from Splunk in Service-Now using the add-on. 10-29-2024 03:34 AM
- Posted Configure Splunk Infrastructure Monitoring Add-on to give users access to sim command on Splunk Search. 10-18-2024 02:02 AM
- Tagged Configure Splunk Infrastructure Monitoring Add-on to give users access to sim command on Splunk Search. 10-18-2024 02:02 AM
- Posted Re: Configure Splunk Add-On for OpenTelemetry Collector to use HTTP_PROXY, without affecting other traffick on Splunk Observability Cloud. 10-14-2024 12:45 AM
- Karma Re: Configure Splunk Add-On for OpenTelemetry Collector to use HTTP_PROXY, without affecting other traffick for bishida. 10-14-2024 12:30 AM
- Posted Re: Configure Splunk Add-On for OpenTelemetry Collector to use HTTP_PROXY, without affecting other traffick on Splunk Observability Cloud. 10-09-2024 05:01 AM
- Posted Configure Splunk Add-On for OpenTelemetry Collector to use HTTP_PROXY, without affecting other traffick on Splunk Observability Cloud. 10-04-2024 12:05 AM
- Got Karma for Re: Event: Show source loading ..... 06-03-2024 04:52 PM
- Posted Re: Why doesn't a maintenance window in ITSI put the service in maintenance on Other Usage. 03-13-2024 06:49 AM
- Posted Why doesn't a maintenance window in ITSI put the service in maintenance on Other Usage. 03-13-2024 06:14 AM
- Karma Re: Why the ErrorCode 5 when trying to forward Sysmon logs (unable to subscribe)? for mawni. 03-07-2024 01:17 AM
- Posted Re: Splunk Secure Gateway Connect to SAML IdP on All Apps and Add-ons. 11-15-2023 06:38 AM
- Posted Re: Anybody knows about {@fieldname} in a join on Splunk Search. 10-17-2023 11:37 PM
- Karma Re: Anybody knows about {@fieldname} in a join for gcusello. 10-17-2023 11:37 PM
- Posted Anybody knows about {@fieldname} in a join on Splunk Search. 10-17-2023 11:11 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-07-2025
01:10 AM
Hi @livehybrid Thanks for the reply, it was as I also could read in the docs, but nice to get it confirmed. Kind regards las
... View more
05-06-2025
05:28 AM
Hi. We have been forced to add identifiers to the collection tier in our Splunk environment. The way we have solved it, is using _meta with a couple of fields. Now we have some DB data that is getting indexed and we would like to tag these data the same way. The easy part was editing the /local/inputs.conf file and adding the extra line to all the input stanzas - this unfortunately didn't work and as far as I can read the db_inputs.conf doesn't allow the _meta line in the stanzas. Does anyone have an idea, how to solve this problem, my thougths run in the direction of index-eval, but that is a more complex setup. Kind regards las
... View more
Labels
- Labels:
-
configuration
-
other
12-09-2024
07:13 AM
Sorry about the delay. Unfortunately this does not seem to be the problem I have changed the local.meta to # simquery command
[commands/simquery]
access = read : [ * ], write : [ admin ] And restartet - that why it took so long - but I still get the same error
... View more
10-18-2024
02:02 AM
Hi. We are just starting to use Splunk Infrastructure monitoring, and have added the "Splunk Infrastructure Monitoring Add-on". We have created the connection to Splunk Observability, without any problems, and admins can run the search command "| sim flow query=..." without any problems. The problem arises when a normal user is trying the same command, where we get the following error message: "Error in "sim" command: Splunk Infrastructure Monitoring API Connection not configured." I have reviewed all permissions I could think of, and except for a couple og view, there is public access. I can't find any new capabilities, that might need to be added. If anyone can point me in the right direction, it would be greatly appriciated. Kind regards
... View more
10-14-2024
12:45 AM
Thank you very much for your time and effort. I have created both a support ticket and an idea. Kind regards
... View more
10-09-2024
05:01 AM
Hi. Thank you for your effort, I hope you find something. Kind regards
... View more
10-04-2024
12:05 AM
Hi. We are starting to use Splunk Infrastructure monitoring, and want to deploy the Otel-Collector using our existing Splunk infrastructure (Deployment Server). We would really like to send the Otel data to IM using a HTTP_PROXY, but do not want to change the dataflow for the entire server, so only a local HTTP_PROXY for the otel-collector. As I read the documentation you need to set environment variables for the entire server and not just the otel-collector process. Has anyone any experience using HTTP_PROXY and Otel-Collector? Kind regards las
... View more
Labels
03-13-2024
06:49 AM
Disclaimer: This is in no way supported and will break Splunk support. Don't use this in a production environment. There are better ways to solve this, I'm just not smart enough to figure them out. This hack breaks at the next update - allways, so extra care should be taken. think this would be very nice if Splunk could support the desired behavior, maybee as an option or configuration. There are three places that influences the maintenance window calculation: service_health_metrics_monitor: Original: | mstats latest(alert_level) AS alert_level WHERE `get_itsi_summary_metrics_index` AND
`service_level_max_severity_metric_only` by itsi_kpi_id, itsi_service_id, kpi, kpi_importance
| lookup kpi_alert_info_lookup alert_level OUTPUT severity_label AS alert_name | `mark_services_in_maintenance`
| `reorganize_metrics_healthscore_results` | gethealth | `get_info_time_without_sid`
| lookup service_kpi_lookup _key AS itsi_service_id OUTPUT sec_grp AS itsi_team_id
| search itsi_team_id=*
| fields - alert_severity, color, kpi, kpiid, serviceid, severity_label, severity_value
| rename health_score AS service_health_score | eval is_null_alert_value=if(service_health_score="N/A", 1, 0),
service_health_score=if(service_health_score="N/A", 0, service_health_score) This could be changed to: Modified: | mstats latest(alert_level) AS alert_level WHERE `get_itsi_summary_metrics_index` AND
`service_level_max_severity_metric_only` by itsi_kpi_id, itsi_service_id, kpi, kpi_importance
| lookup kpi_alert_info_lookup alert_level OUTPUT severity_label AS alert_name | `mark_services_in_maintenance`
| `reorganize_metrics_healthscore_results` | gethealth | `get_info_time_without_sid`
| lookup service_kpi_lookup _key AS itsi_service_id OUTPUT sec_grp AS itsi_team_id
| fields - alert_severity, color, kpi, kpiid, serviceid, severity_label, severity_value
| rename health_score AS service_health_score | `mark_services_in_maintenance` | eval is_null_alert_value=if(service_health_score="N/A", 1, 0),
service_health_score=if(service_health_score="N/A", 0, service_health_score), alert_level=if(is_service_in_maintenance=1 AND alert_level>-2,-2,alert_level) I have added an extra call to macro "mark_services_in_maintenance" and expanded the last eval to set alert_level to maintenance. service_health_monitor: Original: `get_itsi_summary_index` host=atp-00pshs* `service_level_max_severity_event_only`
| stats latest(urgency) AS urgency latest(alert_level) AS alert_level latest(alert_severity) as alert_name latest(service) AS service latest(is_service_in_maintenance) AS is_service_in_maintenance latest(kpi) AS kpi by kpiid, serviceid
| lookup service_kpi_lookup _key AS serviceid OUTPUT sec_grp AS itsi_team_id
| search itsi_team_id=*
| gethealth
| `gettime` Could be changed to: Modified: `get_itsi_summary_index` `service_level_max_severity_event_only`
| stats latest(urgency) AS urgency latest(alert_level) AS alert_level latest(alert_severity) as alert_name latest(service) AS service latest(is_service_in_maintenance) AS is_service_in_maintenance latest(kpi) AS kpi by kpiid, serviceid
| gethealth
| `gettime`
| `mark_services_in_maintenance`
| eval alert_level=if(is_service_in_maintenance=1 AND alert_level>-2,-2,alert_level), color=if(is_service_in_maintenance=1 AND alert_level=-2,"#5C6773",color), severity_label=if(is_service_in_maintenance=1 AND alert_level=-2,"maintenance",severity_label), alert_severity=if(is_service_in_maintenance=1 AND alert_level=-2,"maintenance",alert_severity) Again an extra call to macro "mark_services_in_maintenance" and the eval at the bottom to set the service in maintenance. Those to will ensure the service appears in maintenance in the "Service Anayser" and "Glasstables" I think it also takes care of "Deep Dives" but they don't appear to turn dark grey. In order to ensure correct calculation we also have to make changes in "gethealth" search command. The Python script that is of interest is located here: "SPLUNK_HOME/etc/apps/SA-ITOA/lib/itsi/searches/compute_health_score.py" Search for "If a dependent service is disabled, its health should not affect other services" You should get som code that look like this: for depends_on in service.get('services_depends_on', []):
# If a dependent service is disabled, its health should not affect other services
dependent_service_id = depends_on.get('serviceid')
dependency_enabled = [
svc.get('enabled', 1) for svc in self.all_services if dependent_service_id == svc.get('_key')
]
if len(dependency_enabled) == 1 and dependency_enabled[0] == 0:
continue
for kpi in depends_on.get('kpis_depending_on', []):
# Get urgencies for dependent services What I want is to replicate the behavior from a disbled service for depends_on in service.get('services_depends_on', []):
# If a dependent service is disabled, its health should not affect other services
dependent_service_id = depends_on.get('serviceid')
dependency_enabled = [
svc.get('enabled', 1) for svc in self.all_services if dependent_service_id == svc.get('_key')
]
if len(dependency_enabled) == 1 and dependency_enabled[0] == 0:
continue
# If a dependent service is in maintenance, its health should not affect other services - ATP
maintenance_service_id = depends_on.get('serviceid')
try:
isinstance(self.maintenance_services, list)
except:
self.maintenance_services = None
if self._is_service_currently_in_maintenance(maintenance_service_id):
self.logger.info('ATP - is service in maintenance %s', self._is_service_currently_in_maintenance(maintenance_service_id))
continue
for kpi in depends_on.get('kpis_depending_on', []):
# Get urgencies for dependent services So I added a call to an existing function _is_service_currently_in_maintenance, unfortunately this fails, as the table maintenance_service is un-initialized (that is the try: except: block), now it just a simple check if the service we depend on is in maintenance and if it is, we break out with continue. Again, this is NOT supported in any way and should not be used in production and will break at the next update. Kind regards
... View more
03-13-2024
06:14 AM
We are having a problem with maintenance windows in Splunk IT Service Intelligence. We have a common service that two other services are dependent on, on top of those two there are other services dependent on them. Service a Service b Service in maintenance Service not in maintenance Common Service With the current implementation in ITSI, we are forced to put "Service in maintenance" and "Common Service" in maintenance mode to avoid getting wrong healthscores in "Service a". This creates a problem for us, if an error occurs in "Common Service" during the maintenance window, as it won't reflect correctly in "Service not in maintenance", hence we will not be able to detect failures that affect our users. We tried raising a ticket, that correctly stated the this is works as designed and documented. We have an idea ITSIID-I-359, but so far it hasn't been upvoted. Kind regards
... View more
Splunk IT Service Intelligence
Splunk IT Service Intelligence
11-15-2023
06:38 AM
This was solved with the help of PS. On the Application API in AzureAD add the User.read.All of type Application to the configured permissions. Remember to add all the users that needs to access Splunk to the Enterprise Application
... View more
10-17-2023
11:37 PM
Hi guiseppe. I should have been clearer, yes it is a perfectly valid search - except for the many joins, that I also will rewrite with stats. Yes - now I see it, it is a message template thatis part of the logging, so the {@fieldname} is just part of the normal search. Thank you
... View more
10-17-2023
11:11 PM
Hi. I have been given a search, that I need some help decifering. index=atp-aes-prod sourcetype=atp_aes_json SourceContext=RevisionLogger Properties.Url="/api/Document/get-merged-pdf" Properties.IsImpersonated=false | join type=inner CorrelationId [search index=atp-aes-prod SourceContext=ANS.Platform.Application.Commands.Queries.Selfservice.GenerateMergedPdf.GenerateMergedPdfHandler MessageTemplate="User tries to merge*"] | join type=inner CorrelationId [search index=atp-aes-prod SourceContext=ANS.Platform.Integrations.GetOrganized.GoDocumentsService MessageTemplate="Start CombineToPdf method*"] | join type=inner CorrelationId [search index=atp-aes-prod SourceContext=ANS.Platform.Domain.Services.Selfservice.Authorization.SelfServiceAuthorizationService MessageTemplate="SelfServiceAuthorizationService took {@elapsedMilliseconds} ms to be constructed for part {@partId}."] | table Properties.Url, Timestamp, Properties.CompanyName, Properties.partId, Properties.documents It does not run on our system and never will, I think it was developed by somebody versed in relational databases. I'm trying to rewrite this search, but I'm slightly baffled by the {@elapsedMilliseconds} and {@partId}. Does anybody know what they are doing? Kind regards las
... View more
07-25-2023
05:04 AM
Hi.
I'm using Splunk Enterprise 9.0.4 on-Prem.
The Search head has been set up with AzureAD as IdP and normal user login functions as expected.
I tried to connect the Splunk Mobile App to my search head, but it complains that "SAML needs to be set up for Connected Experiences before devices can be registered", so I log on as administrator, and navigate to "SAML Configuration" in Splunk Secure Gateway. Here it states, that I need to connect to a SAML IdP, and when I look at Okta or Azure it states this: "To use Okta or Azure, use a provided authentication script to establish a persistent connection."
Now it seems that there should be a provided script, that I can use in my SAML configuration, I just can't find anywhere, where it states wich script it is.
Hopefully someone is less blind than me, and can point me in the right direction.
Kind regards
/las
... View more
Labels
- Labels:
-
administration
-
configuration
02-24-2023
06:31 AM
Hi.
We have a use case where we would like to maintain a single information field on some of our entities.
The field name is Application Service, and it is fairly static - but not quite, so it might change over time. This field can logically only have one value, and the problem with the scheduled import, is, that if the value changes, there will be two values for this field name.
So we are trying to create a Python script, that will maintain this value, so if it changes the still will only be one value - the old one is overwritten.
The problem is that when we try to change this vallue and posts to Splunk, we get a code 200 returnkode, but the value has not changed.
This is an example code: (Please don't kill me, this is just a test, and I'm not really a Python developer)
def update_splunk_rest(key, jsonDict):
url = base_url + "/servicesNS/nobody/SA-ITOA/itoa_interface/entity/" + key + "?is_partial_data=0"
authHeader = {'Authorization': token}
r = requests.post(url, headers=authHeader, json=jsonDict, verify=False)
print(r.text)
return r splk_entity = get_splunk_rest("2b4566fb-367e-44ec-b068-d6541a2024e6")
print(splk_entity.status_code)
entity = splk_entity.json()
print(entity)
title = entity['title']
info = entity['informational']
print(info)
keys = info['fields']
values = info['values']
print(keys)
print(values)
i=0
for field in keys:
if field == 'Application Service':
break
i=i+1
values[i] = "Dette er Las test"
print("=============================================================")
print(entity)
#payload = {"_key":"821bd2f7-83d6-47a9-a753-60c04523d57e","title":title,"informational":{"fields":keys, "values":values}}
#print(payload)
response = update_splunk_rest("2b4566fb-367e-44ec-b068-d6541a2024e6", entity)
print(response.status_code)
The entity is changed just before the post (update_splunk_rest), that does a post with is_partiel_data=0, as we are changing the entire record from ITSI.
Has anyone else had this problem and found a solution?
Kind regards
Las
... View more
Labels
- Labels:
-
administration
-
using ITSI
12-28-2022
07:16 AM
Hi. I would like to import the services defined in our CMDB as ITSI Services. It seems that you have to set a specific team when you do the import, and for my trial it created duplicate services, if the service was defined in another team, than the one I specified at load time. I could the create an import for each team, but it seems quite cumbersome, when I can get the team in the data I get from the CMDB, so I would really like to know, if anybody has tried and found a solution, where you are not hard defining the team, but use values or even the team id from ITSI to create the services in one go? KIind regards las
... View more
Labels
- Labels:
-
administration
-
configuration
-
using ITSI
11-07-2022
03:39 AM
Hi Guiseppe. Yes, the question is if I can make the restriction dynamic based on the user that is logged in? Kind regards las
... View more
11-07-2022
02:31 AM
Hi Guiseppe. I might have expressed myself a littele clumsy, I do not want the users to see part of an event, but only a subset of events in the index. There is functionality available to limit searches using indexed fields (Restrictions), so the question is really, how do I get the user that is logged on into this role. Kind regards las
... View more
11-02-2022
11:43 PM
Hi.
We are going to have a datasource with some sensitive data, where there is a requirement, that only the owner of a specific event is allowed to see it.
The events will have the user as part of the data, that field can be created as an indexed field.
I will, of course, have the data in a separate index, and thought I might be able to use restriction to limit access so that the user only can search in data where the field user matches the logged on user.
I can see it is possible to use the token $env.user$ in a dashboard, but I would really like to use it in the restrictions part of the role, so it automatically will use the logged on user in the restriction.
Any help will be much appreciated.
Kind regards
las
... View more
Labels
- Labels:
-
access control
12-08-2021
02:53 AM
Hi. I have a developer, that works on a local app and maintains the source in Azure Dev/Ops. He is, of course, interested in automating the complete deployment process to our on-prem search head. Has anyone tried this setup, and found some good practises? For some reason I'm not comfortable with having a dev/Ops agent running on the search head, where it potentially could have access to the filesystem etc. Any advise is greatly appreciated Kind regards
... View more
07-21-2021
10:35 PM
Hi Venkatasri. I think I might not have made myself clear, the problem is not creating an input stanza, the problem is if anyone has come up with an idea, about how to get the logs. IBM has outlined this, in my opinion, rather cumbersome process where you have to run several commands, an pass some input from one command to the next before the log is readable. Kind regards las
... View more
07-21-2021
12:57 AM
Hi. We have some IBM DB2 systems running primarily on AIX and now our Security team has tasked us with collecting the audit log in Splunk. I tried just creating an input, monitor-stanza pointing it to the right directory, but nothing, I then changed to look at subfolders, and I got some data. I have looked at the DB2 documentation, and there is a very cumbersome process described (https://www.ibm.com/docs/en/db2/11.1?topic=facility-storage-analysis-audit-logs). Does anybody have some experience collecting DB2 audit logs and how did you do it (file monitor or DB-Connect)? Kind regards las
... View more
Labels
- Labels:
-
inputs.conf
-
monitor
06-03-2021
01:25 AM
Yes, I did try to update the pass4SymmKey, that didn't work. It seems this problem is only on the AIX part, we have succesfully upgraded both Linux and Windows so it is not a general bug. Kind regards las
... View more
05-25-2021
07:22 AM
Hi. Yes, the CM was upgraded to 8.1.3 prior to the upgrade of the UFs. It was just an upgrade, so no remove. kind regards Lars
... View more
05-21-2021
01:14 AM
Hi. I would like to know if anybode else had this issue. We upgraded our UF on AIX to 8.1.3 from 8.0.4, following the guidelines from Splunk. We have set outputs.conf to use indexer discovery. After the upgrade we saw these message: ERROR IndexerDiscoveryHeartbeatThread - Error in Indexer Discovery communication. Verify that the pass4SymmKey set under [indexer_discovery:prod] in 'outputs.conf' matches the same setting under [indexer_discovery] in 'server.conf' on the Cluster Master. [uri=https://xxxx:8089/services/indexer_discovery http_code=502 http_response="OK"] The pass4SymmKey has not changed during the upgrade. We changed the configuration to bypass indexer discovery, and that got data flowing into the system again. Kind regards Lars Søndergaard
... View more
Labels
- Labels:
-
upgrade
10-23-2020
04:04 AM
2 Karma
Reply from Support: The issue only occurs when you have the Cluster Master and the Indexers running different versions of Splunk. When the CM is running 8.1 and the Indexers are running 8.0.5 the "Forwarding and receiving » Forward data" screen on the CM doesn't display the indexers and also the CM doesn't seem to be able to forward its internal logs to the indexers. I then proceeded to do the following : - Set the CM into maintenance-mode - Stopped each indexer and then upgraded them to 8.1 - Started the indexers again - Restarted the CM - Disabled maintenance-mode on the CM After doing this I checked the "Forwarding and receiving » Forward data" screen on the CM again and saw that all the indexers were now showing. I then also performed a search on the _internal logs for the CM hostname and saw that the logs had now been fully forwarded onto the indexers. So I would recommend performing the full upgrade of the CM and Indexers in one go and avoid running with mixed release versions for too long.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-07-2025
01:13 AM
|
