Why am I receiving "call not properly authenticated" error when trying to...
I'm unable to actually push any configurations from the deployer to my search head cluster. [splunk@deployer bin]$ ./splunk apply shcluster-bundle --answer-yes -target https://search1:8089 Error while...
Does the built-in Python 2.7 that comes with CylancePROTECT App for Splunk...
Hello, I was in the process of installing the CylancePROTECT App for Splunk and came across an issue that appears to be python related. I ran the test.py script with the built in Python 2.7 from Splunk...
Is there a Splunk App or Add-on that will help read and comprehend ADFS 3.0...
We are working on making sense of our ADFS 3.0 authentication logs. We are currently looking into tying the IP address from these 3 "AD FS Auditing" source logs: 1) EventCode 410 has the IP address and...
Need help with linebreaker for array of json objects
I am indexing json files. Each file contains an array of around 1,000 json objects (with nested arrays/objects). I need to extract each object as a single event. (See sample json source and props.conf...
How to modify my transaction search to extract a sequence of six events when...
Hi, I am trying to extract a sequence of events from logs by using the `transaction` command. I am looking for a sequence of six events. It works well as long as the first and the last events are not the same...
How to join customer ID data from different sources and create a time-based...
I want to correlate data from 2 sources. First data source contains store_events (**source1=store_events**) and second source contains book_events (**source2=book_events**). Source store_events...
How to enable and disable scheduled searches using Splunk REST API in...
I have a requirement to disable scheduled search (specific ones) during a specific window and when a data load runs, enable it back on once the load is completed. I have a limitation of running it...
How to consolidate events that have an ID field with different names across...
Hi all. I have almost 20 different sourcetypes. Field names in sourcetypes are different and I don't have the same in more than 1 sourcetype. Each sourcetype has a "slice" of a record using an ID, but...
Splunk Add-on for Amazon Web Services: How to configure sync frequency of...
Where can I configure the frequency with which Splunk will sync newly created EC2 instances? F.Y.I. I am using the Splunk Add-on for Amazon Web Services.
Why does my saved search in the CLI produce a different column order than the...
Hi, When I execute my saved search in the CLI, the output columns are ordered differently than what I saw in Splunk Web, making the result undeliverable to my customer. The columns are - as was...
Parsing at search time variable white spaces
Hello, I am new to Splunk parsing and I am facing some problems with this. I am trying to parse, at search time, a source of logs (containing two sourcetypes, AIX and Linux). In the AIX sourcetype, I...
How to blackhole unwanted server logs by configuring props.conf and...
Our main syslog server just forwards everything to Splunk. We have exclusions in syslog for certain applications but we would still like to clean out anything not vital to Splunk. I've attempted to set...
Parse IIS logs (structured data) on Universal Forwarder
We are trying to parse or drop a number of fields on IIS Logs from our Exchange environment. I have done as much digging as I could and have found a forum post that tried to answer this exact question,...
Universal Forwarder - Path to monitor greyed out?
Hi, I am doing an install of the Universal Forwarder on a Windows server. On the step of the install where you specify what you want to monitor, the Path to monitor text field is greyed out and when I...
How to write to kvstore with java sdk?
We are trying to inject JSON directly into our KV Store instance while using a defined _key inside the JSON object. We are not able to connect because of the following error: 2016-09-23 10:25:01 ERROR...
GUI for "display.visualizations.show" for a scheduled PDF report
I've got a scheduled report that's meant to email a stats table in PDF form. By default, this PDF arrives as a large, empty line graph, followed by my desired stats table. I'm able to fix this by...
Why is data duplication occurring in spite of two independent deployments for...
Upon migrating the same logs to a different location and forwarding separately from those two locations to two independent indexers, duplicate events are generated.
Issue with CSV File monitoring on Universal Forwarder
**Splunk Version 6.3.4** We are monitoring a csv file with the same name which gets overwritten/updated every 30 minutes. The issue seems to be intermittent, i.e. it picks up the file sometimes &...
Anyone have any ideas with Enterprise Security and Rapid7 to get the dest_ip,...
Hello all, It appears that Rapid7 has goofed the TA to provide their asset data as the destination (dest field) instead of relating it to an 'actual' location as one would expect in Enterprise Security...
I have source data and I have inputlookup data, now I need to match them with...
I have source data and I have inputlookup data; now I need to match them by column, but the column name in the source is Student and the column name in the inputlookup is Roll_Number. How can I match them?