Is there any risk in load balancing universal forwarder to an intermediate...
Hello! Our setup consists of Universal Forwarders sending logs through a load balancer to Intermediate Forwarders, and then they end up in our indexers. The Intermediate Forwarders send logs directly to the...
How do I add a role to a user in Splunk, as it appears to be greyed out, though...
I wanted to add an additional role to an existing user, and when I do it through available roles it does not allow me, as they appear to be greyed out. Kindly help.
Getting TailReader - File descriptor cache is full (100), trimming in one of...
Currently we have two heavy forwarders configured to forward the data to the indexer. I just wanted to know which files are being captured from both servers using the below query. We are using...
Share a Dashboard
I have a user who wants to share a dashboard. What capabilities does this user need in order to share a dashboard to other users in their own group?
Splunk Jenkins Plugin and Visualization
Hello, I am trying to use Splunk to monitor and visualize a DevOps pipeline. In general terms the pipeline is composed of the following stages: Build -> UnitTest -> RegressionTest -> CM ->...
How do I set up the CA certs for the JMX Add-on
I am using the Splunk Add-on for Java Management Extensions https://splunkbase.splunk.com/app/2647/ It's working nicely for JVMs which do not require SSL to connect. The JVM in question is using a cert...
New and started to input data
So this is the first time I was trying to input the TCP data port into my monitoring. I am behind a NAT as it is, with a FiOS router in a home network environment. I wanted to monitor port 80 for web, but...
Need to get the count of the number of times a field is used in a request
Need to get the count of the number of times a field is used in a request. Example log (this is an XML log, giving details from the middle and not the entire log): Event 1: Event 2: I need to check how many times...
How do I automatically run mvexpand on a field?
All, I run this search - index=main | makemv PCIDSS delim="," I'd like it to be automatically expanded instead. But I don't see how I would do this in props.conf
Issues with Splunk Scheduler
Hello All, We have recently installed/configured Splunk Enterprise version 6.1.2, and it is set to serve as our search head server. For the last two weeks the Splunk scheduler on this server has not been working....
Unable to search mv
All, I am unable to search by an mvexpand which I am doing via fields.conf. I am getting the extraction I expect, but searching by that fails. This search fails, but is based on clicking right in the...
Generating custom command with complete JSON field extraction
We are developing a generating custom command using the Splunk Python SDK. The issue we are having is that only those fields exported from the first 'yield' are extracted in future events (so only...
Clean up search head cluster objects
After switching to Search Head cluster, some of our team members are having a hard time adjusting to the 'deployment of the searches, alerts and dashboards' idea and modify those searches directly through...
How can I read a tgz file into Splunk?
According to a book (**Splunk Essentials By: Betsy Page Sigman**) I recently read on Splunk, Splunk can read in data from basically all types of files containing clear data, or as they put it, any...
Getting Cisco Ironport ESA data into the Common Information Model
I am having a tough time understanding how anyone is getting Cisco Ironport ESA data to map to the CIM for use in things like Enterprise Security. Where I work, I would say that email is the *most*...
Count number of events before Dedup
Is there any way to save the count of the events before doing the dedup? This is my query: index="webapplication_logs" sourcetype="error_log" | rex field=_raw "Severity:\s (?.+)" | search Severity =...
Getting wrong values in threat group and threat category in threat activity...
Hi Splunkers, I am seeing some junk values in the Threat Activity Details report from Splunk Enterprise Security. FYI, please have a look at the below values: threat_collection threat_group threat_category...
Two serverclass.conf files - now what?
Hi, Because of the ridiculous nature in which Splunk handles serverclass.conf via the GUI (really? I can create multiple serverclass.conf files, based upon where I was in the GUI?)... I now have two...
As a follow-up to home Splunking and ports
I had an earlier question about the ability to learn Splunk at home. I am using a FiOS router, and I just want to search the data passing through it to see how Splunk accesses the data from the Internet. I...
Procedure to change License pool in cluster env
I currently have a 200GB (on prem) license on the master license server. We plan to reduce this to 150GB and allocate the 50GB to Splunk Cloud. Splunk have given us a new 150GB license - I am unsure of...