Bit9 Security Platform: Why am I not getting any "Trust" information in...
Followed the install instructions, everything else seems to be working as expected, but any dashboard panel that references Trust scores is showing no data... All other panels are working great. Any...
High RAM usage when index "os" is searched
Splunk is running on a VM with 6 virtual cores, 24 GB RAM and Windows OS. We have installed Splunk Universal Forwarders on two Linux systems and we have also installed the nix add-on. We have enabled...
Displaying largest value from Multiple Extractions in each Event
Hi all, I have multiple events, where in each individual event I'm extracting multiple fields using regex, essentially it looks like this where each BU is a separate field I'm extracting from the event...
Add alert/report emails be added to a mail queue
We experienced an issue with having Splunk send mails via our enterprise mailserver. Due to the number of emails being sent within a short amount of time, the mailserver rejected a handful of the...
Timestamp lookahead questions
Hi I have the following configuration: timestamp format : %c timestamp prefix: `Start\sTime:\s+` lookahead: ??? I want a configuration that will look for the timestamp through the entire event...
Single slash as part of REGEX
Hello all, I have the following query which gives me the required results, but I can't get the regex command to INCLUDE the single slash in front of the file.exe. I want to do this to prevent the query...
how to make sure fields are available for custom ReportingCommand?
I have a working custom ReportingCommand in place, using the Python SDK 1.5.0. My command needs some fields that have been placed in the event by some transforms for the sourcetype. I have a problem:...
This license does not support being a remote master.
Error - Bad request - In handler 'localslave'. editTracker failed, reason='WARN': path=/masterlm/usage: This license does not support being a remote master. Actually, what I'm looking for is: as of now I have done...
Help with replacing values
Hi, I have my output I was looking for, but was wondering if there was a cleaner way to do it. Basically I have a field like such f1||f2||f3||f4. f2 and f3 can be null in some cases. If they are null I...
how to know app is synced between deployments-server and clients without RDP...
I have a deployment-server and 3000 clients. I made changes to one of the apps, and it should be pushed to all the forwarder agents which are associated with the app. Here comes my challenge: what if I have...
Is there a REST API call or other method to check which files were processed...
I have a customer complaining that one of the sourcetype data is not appearing for couple of days in the past. I see the files for those dates are available in customer's server, but Splunk didn't pick...
How do I edit my Splunk forwarder blacklist configuration to exclude a...
I am trying to customize the Splunk Forwarder to send only certain logs. It looks like it is working correctly when I only add event IDs to the blacklist. What I would like to do is also add specific...
How to get refresh tokens via Python script?
Hello dear Splunkers, I'm working on a connector between Google Analytics and Splunk. So far, I have everything working, except for one thing: getting a refresh_token. I've implemented the following...
After upgrading Windows forwarders from Splunk 6.1.1 to 6.3, why are we...
We recently started trying to upgrade our Windows forwarder installations from 6.1.1 to 6.3. After the upgrade, the Forwarder management page states the forwarder has errors installing. The...
How many search heads should I have in my environment for X amount of users?
I’m at the point where I think I need to increase the number of search heads for the current usage base and future user growth. Currently there is just the one search head serviced by two load balanced...
Why am I seeing an inconsistent number of results using the Splunk Java SDK?
I have a Java program that uses the Splunk SDK 1.5.0 to set up a service, create a job, and get the result count like so: HttpService.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2); ServiceArgs...
Is the Splunk 6.3 universal forwarder using 90% of your CPUs?
I'm not sure how long it has been happening, but I began to see it across our UFs today.
streamstats to get last value with field clause
I'm using streamstats to get some values from the last event, but I need to do it where that last event has a property matching a value. So I'm trying to solve the problem of inaccurate...
Splunk Support for Active Directory: LDAPSEARCH LDAPGROUP filter not...
Hello, I have used the LDAPSearch/LDAP group command to retrieve the members of a group. It returns the members "dn" and shows either "direct" or "nested", but the documentation states if it returns...
How to configure OAUTH2 for the REST API Modular Input?
Hi guys. I've just downloaded the REST API Modular Input, and I have some doubts about its configurations using OAUTH2. Here are two fields I'm in doubt in: OAUTH 2 Token Refresh URL -> what URL...