I want number of days between two events in splunk search?
## My query index=main source=secure.log sourcetype=* | stats earliest(_time) as start, latest(_time) as stop | eval start=strftime(start, "%m/%d/%y") | eval stop=strftime(stop, "%m/%d/%y") | eval days...
Splunk Fundamentals 1 Uploading Module 4 Lab files
I'm unable to view Module Lab 4 files after uploading them via Splunk Enterprise.
What permissions are required to use the Lookup File Editor App?
Hello, I installed the Lookup File Editor app, https://splunkbase.splunk.com/app/1724/. It seems to work fine for admin role users, slight delay in populating when I use ... |inputlookup but it works....
drill-down doesn't work with base query for calendar custom visualization
We are using calendar visualization for showing events in dashboard. I have tried to add drill-down behavior by using click.value. This works perfectly if I don't use base search. Once I switch to base...
How can I highlight table cells that can either be multi-value or single value?
Hi, I am trying to highlight values in my table but I am having trouble implementing it because the table cells can either be single-value cells or multi-value cells. If I only needed to highlight...
Sunburst Viz: How to increase number of levels displayed initially when...
Hello, I am using Sunburst Viz for one of my charts. When I choose "Zoom in" as an action, I can only see 2 layers initially. When I click on anything it zooms into more layers. Can I increase the...
How to add a value from a lookup table to results, by using a field value...
I want to include a value from a lookup table in search results, by using a field value from the main search.
How to set the default host name in the url link to a report?
The certificate has `hostname.domain.local` and the scheduled reports are coming out with `hostname:port/PathToReport` minus the `domain.local`. I have checked the `etc/system/local/server.conf` and it...
How to ensure no data is lost (add back the databases) if a server is rebuilt...
We have an Ansible script that rebuilds/reindexes etc a Splunk indexer, if for some reason it implodes on itself. We also have incremental backups of the Splunk databases (for this question lets say...
Get events of first day of each month
Hi, We have a report generating data on first day of each month and also on first day of each week. We need to get the data of first day of each month. We have the query as below |eval...
Writing a Splunk Query - Unique Count of Initial Access Key Usage from...
I have a use case to write a splunk query to display in a line or area chart the unique and initial AWS access key usage by IAM users in our org trending for the past year. Management want to be able...
TailReader - Insufficient permissions - Reindexing
TailReader - Insufficient permissions - errors in my logs - will splunk attempt to re-read those at some interval? thus far I only see it doing it once a few hours back and not since :( I also see...
How to add a conditional statement in searchmatch?
Hello, I'm new to Splunk, so please pardon me if this is too easy of a question. I'm trying to list attempted operation vs. passed operation and categorize it by apps. Below is the search that I have:...
How to delete directory in /bin of my app during upgrade
Is there a way to delete a directory in the /bin directory of my app during the upgrade process? I have an app that contains the /splunklib in the /bin directory, to be compliant with app inspect I...
How to automate default values to populate in a panel when the dashboard is...
I have a link list with three tabs (A, B, and C). When A is clicked three panels open (X, Y, and Z) and one drill-down (that doesn't show values unless one of the panels (X, Y, or Z) is clicked on)....
How to apply a regular expression that pulls multiple values from application...
Hi all, I've been struggling to extract certain values from application logs and assign them to the given field name. As I don't know how to use or write regular expression in splunk, I need help to...
How to resolve TailReader errors and data loss using universal forwarder (bug...
I've been dealing with this TailReader error for a while and was not able to fix it despite reading all answers and similar questions. I'm still experiencing data loss every day. As you can see in...
How to abort a search if lookup file is causing errors and incomplete results?
Hello all, I'm using a search that baselines user activity (looks back in time). But I've noticed that sometimes the results are incomplete, and this messes with the next search in the pipeline. Does...
Triggered alert on scheduled search didn't send email.
Greetings! I have a scheduled rule that runs every closed minute and it matched an event at 1:30:03PM which was supposed to send an email but it hasn't. What could be the cause of this? ![example][1]...
How to build a lookup table based on a condition?
Hello all, I can't figure out how to build a lookup with a condition. I have the following table which is my base search: SubnetName ip_address Subnet_ABCD 10.177.99.53 Subnet_1234 10.8.183.3...