How to externally trigger a universal forwarder to send data to an indexer...
I have server "X" on which is installed a universal forwarder. Typically, I'd use the universal forwarder's cron functionality to trigger the execution of a PowerShell script. The PowerShell script...
Different Sourcetypes at HF and SH
Hi there, I have installed Sophos add-on for Splunk at HF level and configured 2 inputs (Sophos alerts and events). I am getting events as expected. Sourcetype observed at HF = sophos:central:alerts...
Missing field values in report
We have logs in the following format[1]. We created a report with a few fields like time, service, operation, method, principle, systemid and count. But whenever a field is missing in the log, the...
Need help with line-breaking app.log
Have a feed coming in from App.logs, which I can't get to line-break properly. Props.conf [mq_error_logs] CHARSET=UTF-8 MAX_TIMESTAMP_LOOKAHEAD=30 SHOULD_LINEMERGE=true TIME_PREFIX=^...
Different sourcetypes at heavy forwarder and search head
Hi there, I have installed Sophos add-on for Splunk at HF level and configured 2 inputs (Sophos alerts and events). I am getting events as expected. Sourcetype observed at HF = sophos:central:alerts...
splunk hash-passwd Command Not Accepting My Password
Hi, May I please get some clarification as to why my password isn't accepted by the `splunk hash-passwd` CLI command? I need to place it in my `user-seed.conf`. Thanks in advance. Here: ...
Bar Chart Line length change
My current search output is showing the following result; for one entry it is greater than the rest. I want to show the graph with the greater value, but with its length reduced so my chart is in proportion....
Query for Users, Roles, AD Groups and Indexes.
Hi, I'm trying to get the query to pull out the following, but struggling a bit with all the joins. I need to get a list of the following in a report. 1. List of users 2. The Roles each user is part...
Multiple time frame search with one of the time frames not utilizing brackets...
I have a solution that uses API-called macros that prefix the time frame to the search, i.e. earliest="03/14/2019:00:00:00" latest="03/14/2019:23:59:59" `my_report(sample)`. I need to modify this macro...
And condition between two different SOURCE_KEY in a stanza inside...
Hi, I want to filter out Checkpoint events based on two different conditions: 1. It comes from a specific IP XX.XX.XX.XX, I have this information in host metadata field. 2. The action field after...
Leading/trailing space in valueSuffix/valuePrefix Simple XML element...
I have a Splunk 7.3 dashboard that contains the following Simple XML:"Average Time" That is, the `` element contents has a trailing space, and the `` element contents has a leading space. This works....
Where are the docs for the PowerShell Modular Input AddOn?
The readme file for the PowerShell Modular Input AddOn says docs are at https://docs.splunk.com/Documentation/AddOns. This link is dead. I've been to...
Why is props.conf not getting picked up while ingesting data through HEC /event...
Why is props.conf not getting picked up while ingesting data through the HEC /event endpoint?
How to run a report and write results only once in a scheduled time window?
Hi All, I have a report that should run, for example, between the time period 8.00 pm to 10.00 pm with a frequency of every 5 min from Monday to Friday. The report is a join of two indexes and the report...
Running Splunk in OpenShift container: sudo error in script entrypoint.sh
Hi, I can run Splunk as a docker image - no problem. But running in OpenShift it crashes running sudo (assume in entrypoint.sh script). image splunk/splunk:7.3.0 PLAY [Run default Splunk provisioning]...
Splunk Enterprise 7 and Traps 6.1.1
We have Traps data being ingested by Splunk through the TA for Palo Alto, in addition to firewall data. The Traps information doesn't populate on any dashboard in the Palo Alto app for Splunk,...
How are the tokens generated in the browser for REST API?
Hello! I am using this addon - Splunk Add-on for Microsoft Cloud Services. I checked the Network tab and I saw the REST API which is being called. The scenario is that I need to programmatically...
Calculate the value of a field based on the values of other fields
I have some fields like this: Group_servers|Name_server|Status Group1| server1|OK Group1| server2|OK Group2| server1|OK Group2| server1|No data Group2| server1|Yellow Group2| server1| I want to...
How to create a table with raw events after stats?
I am running the following search looking for a user who logs in from multiple cities within a five minute time period. index=foo | bin span=5m _time | dedup src | iplocation src | stats count by...
Simple rex works on REGEX101 but not in Splunk.
Hey so I have a list of values that need to be standardized. The values I need to transform look like this: Pool1-dp Pool2-dp Pool3_MSDP Pool4_MSDP Pool5-dp I need to trim the values to just have...