Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About yosoypako
yosoypako
Path Finder
Member since:
04-23-2019
2 weeks ago
Community Statistics
| Posts | 13 |
| Solutions | 2 |
| Karma Given | 2 |
| Karma Received | 2 |
| Member Since | 04-23-2019 |
Activity Feed
- Got Karma for Re: knowledge bundle replication error. 2 weeks ago
- Posted Re: knowledge bundle replication error on Knowledge Management. 2 weeks ago
- Posted Re: knowledge bundle replication error on Knowledge Management. 2 weeks ago
- Posted Re: knowledge bundle replication error on Knowledge Management. 2 weeks ago
- Karma Re: knowledge bundle replication error for richgalloway. 2 weeks ago
- Posted Re: knowledge bundle replication error on Knowledge Management. 3 weeks ago
- Posted knowledge bundle replication error on Knowledge Management. 3 weeks ago
- Got Karma for Re: Use JSON extracted field to route to a different indexes. 12-15-2023 10:06 AM
- Posted Re: Use JSON extracted field to route to a different indexes on Splunk Enterprise. 12-15-2023 05:34 AM
- Posted Re: Use JSON extracted field to route to a different indexes on Splunk Enterprise. 12-05-2023 08:26 AM
- Karma Re: Use JSON extracted field to route to a different indexes for richgalloway. 12-05-2023 08:14 AM
- Posted Use JSON extracted field to route to a different indexes on Splunk Enterprise. 12-04-2023 02:57 AM
- Posted Re: Keep specific events and discard the rest on Splunk Enterprise Security. 04-24-2019 06:59 AM
- Posted Re: Keep specific events and discard the rest on Splunk Enterprise Security. 04-24-2019 06:19 AM
- Posted Re: Keep specific events and discard the rest on Splunk Enterprise Security. 04-24-2019 04:40 AM
- Posted Re: Keep specific events and discard the rest on Splunk Enterprise Security. 04-24-2019 02:22 AM
- Posted Keep specific events and discard the rest on Splunk Enterprise Security. 04-23-2019 08:55 AM
- Tagged Keep specific events and discard the rest on Splunk Enterprise Security. 04-23-2019 08:55 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
1 Karma
Hello, Now it is working. This made the trick: [replicationDenylist] ms_graph = ...TA-microsoft-graph-security-add-on-for-splunk[/\\]bin[/\\]... Thanks
... View more
2 weeks ago
Hello, by same error i mean that after changing the stanza config in distsearch.conf and restarting the service on the sh., there was the Invalid key message on btool but with different value
... View more
2 weeks ago
Hello. I have tried different combination of replicationDenyList stanza definition, in all cases it did not work. with quotes, "apps\TA-microsoft-graph-security-add-on-for-splunk\bin\...", without quotes apps\TA-microsoft-graph-security-add-on-for-splunk\bin\... , with * "apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*", with full path D:\Splunk Search Head\etc\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*, and combinations of them. But nothing, I always got the error: Invalid key in stanza [replicationDenyList] in D:\Splunk Search Head\etc\system\local\distsearch.conf, line 29: MSbin (value: apps\TA-microsoft-graph-security-add-on-for-splunk\bin\*). Do you have a working example of this stanza? Thanks for your help.
... View more
3 weeks ago
Hello, thanks for your help. Until now were using a single deployment of splunk (indexer, search head and data inputs) on the same box. Now we have just started to split the roles by deploying a new search head. By the search is not working I meant that the service is up and running, we can log on it but the searches are not running. We got this message: Unable to distribute to peer named [indexer_splunk_instancename] at uri https://[indexer_ip]:8089 because replication was unsuccessful. ReplicationStatus: Failed - Failure info: failed_because_BUNDLE_DATA_TRANSMIT_FAILURE. Verify connectivity to the search peer, that the search peer is up, and that an adequate level of system resources are available. On the indexer, on splunkd.log we got these messages: File length is greater than 260, File creation may fail. After reading the doc, I saw the app is supported on the indexers but it is not required. If we move this application to one heavy forwarder. It will not be included on the replication bundle between SH and Indexer?
... View more
3 weeks ago
Hello. We are deploying a new search head in our splunk environment. We are using windows 2019 servers as platform. The nearch head is not working. We can see these errors on the indexer: WARN BundleDataProcessor [12404 TcpChannelThread] - Failed to create file E:\Splunk\var\run\searchpeers\[search_head_hostname]-1713866571.e035b54cfcafb33b.tmp\apps\TA-microsoft-graph-security-add-on-for-splunk\bin\ta_microsoft_graph_security_add_on_for_splunk\aob_py2\cloudconnectlib\splunktacollectorlib\data_collection\ta_checkpoint_mng.py while untarring E:\Splunk\var\run\searchpeers\[search_head_hostname]-1713866571.bundle: The system cannot find the path specified. The file name (including the path) exceeds the limit of 260 characters on windows OS. How can we use this addon?
... View more
Labels
- Labels:
-
other
12-15-2023
05:34 AM
1 Karma
Hello.
We have made it work. This is the stanza we have configured in transforms.conf on the heavy forwarder:
[setindexHIGH]
SOURCE_KEY = field:topic
REGEX = audits
DEST_KEY = _MetaData:Index
FORMAT = imp_high
Thanks for your help.
... View more
12-05-2023
08:26 AM
Hello.
Thanks for your help.
I have tried with the regex you suggested and with this configuration.
[setindexHIGH]
SOURCE_KEY = _raw
REGEX = audits
DEST_KEY = _MetaData:Index
FORMAT = imp_high
The same result. It is not working. We are receiving the events on the index imp_low
If we run a search for the events, we can see the field named topic is being indexed. But if we set the view to raw text of the event. I can not see the words topic or audits on the events raw text. It looks like that info is being removed from the event. Could it be because the props settings?
... View more
12-04-2023
02:57 AM
Hello. I am trying to route some events to a different index based on a field on the events. The events are JSON formatted. This is an example: {
"topic": "audits",
"events": [
{
"admin_name": "john doe john.doe@juniper.net",
"device_id": "00000000-0000-0000-1000-5c5b35xxxxxx",
"id": "8e00dd48-b918-4d9b-xxxx-xxxxxxxxxxxx",
"message": "Update Device \"Reception\"",
"org_id": "2818e386-8dec-2562-xxxx-xxxxxxxxxxx",
"site_id": "4ac1dcf4-9d8b-7211-xxxx-xxxxxxxxxxxx",
"src_ip": "xx.xx.xx.xx",
"timestamp": 1549047906.201053
}
]
} We are receiving the events into a heavy forwarder. And we forward them the event to an indexer. We want to send the events with the topic audits to a different index than the default one (imp_low). I have tried with these settings in the heavy forwarder: -Props.conf --------------------------------------------- [_json-Mist_Juniper] DATETIME_CONFIG = INDEXED_EXTRACTIONS = json KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Structured pulldown_type = 1 TRANSFORMS-force_index = setindexHIGH -Transforms .conf: ------------------------- [setindexHIGH] SOURCE_KEY = topic REGEX = (audits) DEST_KEY = _MetaData:Index FORMAT = imp_high But it is not working, all the events are going to the "imp_low" index. Thanks
... View more
Labels
- Labels:
-
using Splunk Enterprise
04-24-2019
06:59 AM
Ok, now it is working. I have added the props.conf and tranforms.conf to the forwarder (/opt/splunk/etc/system/local/) and it is working.
For future similar issues: How can I check if the input data is being already parsed by the forwarder before reaching the indexer? As I have read if the indexer receives the data already parsed by the forwarders it will not transform and filter it and will be directly indexed
Thanks for your help.
... View more
04-24-2019
06:19 AM
Hello.
If i use the btool command (splunk.exe cmd btool props list fgt_utm --debug) I can see that the setnull stanza that is being chosen is this one, with REGEX = .
Thanks.
... View more
04-24-2019
04:40 AM
Hello
I want to send all the logs from the different vd to the same index but I want to filter witch alert level messages are going to be indexed from each vd. So in one index I could index only the alert and emergency level but in other vd the critical, alert nad emergency levels.
I have not written this in the initial post but there are two different splunk machine in this set up an indexer and a universal forwarder. I am editing the props.conf and transforms.conf files only on the indexer, not on the forwarder. How can I confirm that the forwarder is not parsing any event?
Thanks.
... View more
04-24-2019
02:22 AM
Hello
I have tried to use the sourcetype in the props.conf file. But it is still not working.
-If I use the btool *cmd btool props list * it shows:
TRANSFORMS =
TRANSFORMS-set = setnull,setindexone,setindextwo,setindexthree,setindexfour
-And If I use the btool command with both the app and the sourcetype it shows:
TRANSFORMS-set = setnull,setindexone,setindextwo,setindexthree,setindexfour
Any ideas why it is not filtering the events
Regards.
... View more
04-23-2019
08:55 AM
Hello
I want to index the events in the firewalls log based in the alert level and the virtual domain in witch they have been generated. I have followed the guide in https://docs.splunk.com/Documentation/Splunk/7.0.2/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding
but the indexer is indexing all the events not only the events that match the regular expression. I think that the setnull stanza may not be working. But I am not sure how to fix it
-This is the contain in props.conf
[source::/opt/LOGs/firewalls]
TRANSFORMS-set= setnull,setindexone,setindextwo,setindexthree,setindexfour
-And this is the contains in transforms.conf
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[setindexone]
REGEX = level="(error|critical|alert|emergency)".*(vd="one")
DEST_KEY = queue
FORMAT = indexQueue
[setindextwo]
REGEX = level="(critical|alert|emergency)".*(vd="two")
DEST_KEY = queue
FORMAT = indexQueue
[setindexthree]
REGEX = level="(critical|alert|emergency)".*(vd="three")
DEST_KEY = queue
FORMAT = indexQueue
[setindexfour]
REGEX = level="(alert|emergency)".*(vd="four")
DEST_KEY = queue
FORMAT = indexQueue
-Also, I have checked with the command "btool --app=Splunk_TA_fortinet_fortigate transforms list and props list" that the .conf files configuration is being loaded.
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
