@altink - Surely you can do that. Go to classic Splunkbase. Click on Manage App (you won't see this option if you are not the editor or owner of the App). Click on any of the version numbers for which you would like to update the release notes. Here you should be able to update the release notes or any other details. I hope this is helpful!!! If this helps, kindly upvote and accept the answer!!
That's correct, because the label has to be unique; in this case it will not generate a unique label. I would suggest setting the label with the host field as well, because the host name already tells you whether it's QA, Prod or Dev. I hope this helps!!!
@Jasmine - Use like instead of the match function.
| eval label=case(like(host, "%tv00.test.net"), "Test",
    like(host, "%qv00.qa.net"), "QA",
    like(host, "%pv00.prod.net"), "Prod")
I hope this helps!!!
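The reason like() is the easier choice here is that every character in a LIKE pattern except the wildcards is literal, whereas in a regex an unescaped "." matches anything. The following Python example is added here and is not from the post; it emulates the assumed like()/case() semantics (% for any run of characters, _ for one character, first matching branch wins) over a constructed host list, and also shows the regex-dot pitfall that makes match() error-prone for host suffixes.

```python
import re

# Constructed sample hosts (not from the original post).
SAMPLE_HOSTS = [
    "web01tv00.test.net",
    "app07qv00.qa.net",
    "db03pv00.prod.net",
    "legacy-box.corp.example",
]

# Ordered (pattern, label) pairs mirroring the case(like(...)) in the post.
ENV_RULES = [
    ("%tv00.test.net", "Test"),
    ("%qv00.qa.net", "QA"),
    ("%pv00.prod.net", "Prod"),
]


def like_to_regex(pattern):
    """Translate a LIKE-style pattern into a regex (assumed semantics:
    '%' matches any run of characters, '_' exactly one, and every other
    character, '.' included, is literal)."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def like(value, pattern):
    """True when the whole value matches the LIKE pattern."""
    return like_to_regex(pattern).fullmatch(value) is not None


def label_host(host, rules=ENV_RULES):
    """First matching rule wins, as in SPL case(); None when no rule
    matches, which is what case() yields without a default branch."""
    for pattern, label in rules:
        if like(host, pattern):
            return label
    return None


def label_all(hosts=SAMPLE_HOSTS):
    """Label every host; unmatched hosts show up as None so they are easy
    to spot rather than silently sharing a label."""
    return {host: label_host(host) for host in hosts}


def regex_dot_pitfall():
    """Why match() is error-prone here: an unescaped '.' in a regex is a
    wildcard, so the pattern "tv00.test.net" also matches "tv00xtestxnet"."""
    return re.search("tv00.test.net", "host-tv00xtestxnet") is not None


if __name__ == "__main__":
    for host, label in label_all().items():
        print(f"{host:28} -> {label}")
    print("regex dot pitfall:", regex_dot_pitfall())
```

Running it labels the three environment hosts and leaves the legacy host as None, which is the value to watch for when a label must be unique per host.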
@PickleRick - You must be right, and I know it's so complicated for the HEC endpoint regarding what will execute or not, so I would avoid it altogether and filter it early, directly at the source, when using HEC.
@dc17 - You need to give the full path like:
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
checkpointInterval = 5
current_only = 0
disabled = 0
start_from = oldest
index = sysmon
sourcetype = WinEventLog:Sysmon
In my case, I can see a folder called Microsoft > Windows > Sysmon, in which I can see the Operational logs. You need to give the full path, instead of just MyCustomLog. Give the full path, which you can find in Event Viewer. I hope this helps!!!
@dc18 - If you are on Splunk Cloud, try Data Manager - https://docs.splunk.com/Documentation/DM/1.8.3/User/AWSAbout - and see if it can help. If not, the Splunk Add-on for AWS would be your best bet. I hope this helps!!
@rob_gibson - You need to filter at the source which is generating the data, and not send the data to Splunk HEC at all.
Alternatively, you can:
1. Install a Splunk HF locally on the service.
2. Create a Splunk HEC input locally on the Splunk HF.
3. Update your data source to send data to the local Splunk HF HEC instead of the Splunk Indexers. You must use the services/collector/raw endpoint of Splunk HEC for data filtering to work. https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/UsetheHTTPEventCollector
4. Use nullQueue with a regex to filter data from going to Splunk. https://community.splunk.com/t5/Getting-Data-In/Filtering-events-using-NullQueue/m-p/66392
5. Forward data from the Splunk HF to the Splunk Indexers.
I would recommend not sending the data to Splunk HEC directly from the data source at all; that would be the simpler solution. I hope this helps!!!
@Markfill - Please describe what you mean by index rolling (I assume you mean bucket rolling and not index rolling):
* Warm Bucket to Cold Bucket? OR
* Cold Bucket to Frozen Bucket or being deleted?
@cmezao - I feel Upgrade Readiness App warnings nowadays generate errors from the internal App as well. I personally feel it's safe to ignore.
@Prathyusha891 - FYI, splunklib doesn't come built into Splunk. In your App you need to include splunklib explicitly, mostly in the bin folder of your App:
pip install splunk-sdk --target ./bin
I hope this helps!!! Kindly upvote if it does!!!
@kidderjc - I'm no Java expert, but based on my past experience with log4j to Splunk HEC: if Splunk fails for some reason, your solution will encounter a memory issue and may crash. My recommendation: store logs in log files on the server and use a Splunk UF to forward the logs to the Splunk indexers. I hope this helps!!!
@jasonpeh - Wait and try again, or try a different browser. These are usually the solution to these temporary problems. If not, contact education@splunk.com and report the issue.
Americas: education_amer@splunk.com
Europe: education_emea@splunk.com
Asia/Japan/Australia: education_apac@splunk.com
I hope this helps!!!
@Sandivsu - Not sure if you can do that with props and transforms. But I'll provide a solution you can apply at the search query level.
index=<your-index> .....
| rex field=_raw "\s\w+\[\w+\]:\s(?<json_content>\{.*\})"
| spath input=json_content
I hope this helps!!! Kindly upvote if it does!!!
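The rex above pulls the JSON body out of a syslog-style line so spath can expand it. The Python example below is added here and is not from the post; it applies the same regex (Python spells the named group (?P<name>...) where SPL/PCRE accept (?<name>...)) to a few constructed events and shows the two cases a practitioner should expect to see in a real index: lines with no JSON body at all, and lines whose braces enclose something that is not valid JSON. Both come back as None rather than as partial fields.

```python
import json
import re

# Same pattern as the rex in the post, written with Python's (?P<name>...)
# named-group syntax (SPL/PCRE accept (?<name>...)).
JSON_RE = re.compile(r"\s\w+\[\w+\]:\s(?P<json_content>\{.*\})")

# Constructed sample events (not from the original post).
SAMPLE_EVENTS = [
    'Mar 10 12:00:01 host1 myapp[1234]: {"user": "alice", "action": "login", "ok": true}',
    'Mar 10 12:00:02 host1 myapp[1234]: {"user": "bob", "action": "login", "ok": false}',
    'Mar 10 12:00:03 host1 sshd[999]: Accepted publickey for alice from 10.0.0.5',
    'Mar 10 12:00:04 host1 myapp[1234]: {this is not json}',
]


def extract_json(raw):
    """Return the parsed JSON body of one event, or None when the line
    carries no JSON body or the body does not parse (the equivalent of
    spath producing no fields for that event)."""
    match = JSON_RE.search(raw)
    if match is None:
        return None
    try:
        return json.loads(match.group("json_content"))
    except json.JSONDecodeError:
        return None


def parse_all(events=SAMPLE_EVENTS):
    """Parse every event, keeping positions so the gaps stay visible."""
    return [extract_json(event) for event in events]


def failed_logins(events=SAMPLE_EVENTS):
    """Example downstream use: users whose login event reported ok=false."""
    users = []
    for body in parse_all(events):
        if body and body.get("action") == "login" and body.get("ok") is False:
            users.append(body["user"])
    return users


if __name__ == "__main__":
    for raw, body in zip(SAMPLE_EVENTS, parse_all()):
        print(f"{raw[:40]:40} -> {body}")
    print("failed logins:", failed_logins())
```

Note that the greedy \{.*\} runs to the last closing brace on the line, which is what you want for a single JSON object but would swallow everything between two objects on one line.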
@avikc100 - You can add custom CSS to your simple XML dashboard to achieve this.
Dashboard XML Source Code:
<form>
<label>Fixed Column Sticky</label>
<row depends="$tkn_never_show$">
<panel>
<html>
<style>
#myTable table td:nth-child(1) {
position: fixed !important;
}
#myTable table th:nth-child(1) {
position: fixed !important;
}
</style>
</html>
</panel>
</row>
<row>
<panel>
<table id="myTable">
<search>
....
If position: fixed doesn't work, you can try position: sticky; instead. I hope this helps!! If it does, kindly upvote!!!
@rickymckenzie10 - To simplify your understanding of warm and cold buckets and the different parameters (only applicable when you are not using volumes):
Warm Buckets -> buckets in the /db path
Cold Buckets -> buckets in the /colddb path
Frozen Buckets -> deleted/archived data
Warm to Cold Bucket Movement -> when the maxWarmDBCount bucket count is reached.
Cold to Frozen (deleting, max age) Bucket Movement -> when all events are older than frozenTimePeriodInSecs.
I hope this helps you understand the parameters better. Kindly upvote if it does!!!
@SplunkUser5 - Yes, @jotne is right about the transforms.conf issue. But if you want to exclude at the input level: this is a common issue I come across all the time, and I keep forgetting again and again that Windows paths sometimes require extra backslashes in the regex. Try:
C:\\\Users\\\.*\\\AppData\\\Local\\\Microsoft\\\Teams\\\current
(Try the 4-backslash version as well, as I'm not sure which one will work. I always have to do trial and error between 2, 3, and 4 backslashes.) I hope this helps!!! Kindly upvote if it does!!!
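One check worth doing before trial and error on the conf file is to confirm what the regex engine itself needs, which is one escaping backslash per literal backslash in the path. The Python example below is added here and is not from the post; it builds the pattern by hand and with re.escape over constructed sample paths and verifies that the Teams path matches while a sibling path does not. How many additional backslashes a config parser strips before the regex engine sees the pattern is a separate layer that this example does not model.

```python
import re

# Constructed sample paths (not from the original post).
TEAMS_PATH = r"C:\Users\jdoe\AppData\Local\Microsoft\Teams\current\Teams.exe"
OTHER_PATH = r"C:\Users\jdoe\AppData\Local\Microsoft\Edge\current\msedge.exe"
PATH_PREFIX = r"C:\Users\jdoe\AppData\Local\Microsoft\Teams\current"

# The pattern as a regex engine sees it: each literal backslash is written
# as the two-character escape '\\' (raw string, so Python adds nothing).
TEAMS_RE = re.compile(r"C:\\Users\\.*\\AppData\\Local\\Microsoft\\Teams\\current")


def is_teams_current(path):
    """True when the hand-written regex matches the path."""
    return TEAMS_RE.search(path) is not None


def escaped_prefix():
    """Let the library produce the escaping: re.escape doubles every
    backslash, so the result carries twice as many as the path."""
    return re.escape(PATH_PREFIX)


def escaped_prefix_matches(path):
    """True when the re.escape-generated pattern matches the path."""
    return re.search(escaped_prefix(), path) is not None


def backslash_counts():
    """(backslashes in the literal path, backslashes in the escaped regex)."""
    return PATH_PREFIX.count("\\"), escaped_prefix().count("\\")


if __name__ == "__main__":
    print("hand-written regex matches Teams path:", is_teams_current(TEAMS_PATH))
    print("hand-written regex matches Edge path: ", is_teams_current(OTHER_PATH))
    print("re.escape pattern:", escaped_prefix())
    print("backslashes (path, regex):", backslash_counts())
```

If the pattern matches here with one escaping backslash per separator, any further doubling that turns out to be needed in the conf file is down to the config layer, not the regex.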