How to search how long it takes for data to go from a universal forwarder to...
Anyone have a quick search on how to measure how long it's taking for data to go from Universal forwarder to be searchable?
How to prevent my timechart search results from being truncated to display...
I am attempting to generate an area chart for the **past 15 days** using the following search: index=test sourcetype=abcd source=1234 field1=* | timechart span=1h count by field1 useother=f limit=0...
Is there documentation on best practice for which inputs to enable for Splunk...
This is for an ES use case.
How to link fields with different names across sources?
I have two types of transactions, one coming from a mobile app when a push notification is sent, looks approx like this: TIMESTAMP="2016-03-29 23:39:01" DDSDKAppEventPushNotificationDelivered Msg=536...
I need to fill missing values in a search as NULL
I need to fill missing values from search items as NULL (not the string, but actual NULL values). I see options to check if the value is NULL (isnull) or even fill NULL values with a string (fillnull)....
How should the term "severity" be used when logging out errors from my app?
All, Can someone talk to me about how Splunk wants the term "severity" used? Should I be logging out my errors using Splunk's CIM value severity from my app for the best compatibility with Splunk...
Splunk Universal Forwarder and TCP Data: What exactly is Splunk looking for...
According to the doc here: http://docs.splunk.com/Documentation/Splunk/6.3.3/Forwarding/Setuploadbalancingd > Important: Universal forwarders are not able to switch indexers when monitoring TCP...
How to remove part of a field value?
I have a search that gives me a bunch of fields that look like: REBOOT=4/5/2016 9:17:19 AM REBOOT=4/5/2016 9:12:02 AM REBOOT=4/5/2016 8:58:28 AM How can I remove the REBOOT= and keep the date/time with...
How to set up 2 search heads behind 1 Apache reverse proxy with load balancing?
Howdy! I have wandered around the topic within Splunk community for a while, but did not find a definite answer. So this time I hope there's at least 1 decent setup around. Well, that is - after this...
Any tips to quickly learn an existing Splunk setup?
I am new to Splunk and so far I find that the real difficulty is not learning Splunk itself but understanding my organisation's data and the way they set up Splunk. I wish Splunk would make this...
Is it possible to create a search head cluster where search heads have...
We are upgrading from Splunk 6.1 to 6.3, but the problem we are facing is that we are now supporting a search head pool with 2 physical servers and 1 virtual with lower hardware. Since each server...
Can I override two keys in one transforms stanza?
My current situation is that a bunch of files are all being dumped into one directory for the forwarder to monitor and send to the indexers. Based on a field in the data, I route the events to...
Splunk Add-on for Qualys: How to reindex data using Qualys API?
Hi, I was getting data from Qualys through the API and I did some adjustments to props.conf for new field extraction. I am trying to reindex the data to apply the new field extraction, so I deleted the...
Where are all the additional visualizations for Splunk 6.4?
Only seeing these 5 in Splunkbase,
Why is my search with transaction and concurrency commands skipping over...
I'm not sure if I can get any help here, but I am going to try cause I've been wrestling with this search/data for a week now. The setup: I have log files that have fields and I need to determine the...
How to set up a Splunk architecture of 01 heavy forwarder, 01 search head...
Hi guys! How to set up a Splunk architecture of 01 heavy forwarder, 01 search head and 01 indexer? I need to collect Windows events, firewalls and Cisco routers in an environment with heavy forwarder...
Is there a unique ID assigned to each forwarder to help me determine from...
Hi, I have set up multiple forwarders sending events to a remote indexer. I am going to use the indexed data for further processing. I wanted to know if there is a unique id assigned to each forwarder...
How to create a timechart in Splunk that shows how many accounts are in...
Hello Splunkers Hope you are doing good, appreciate beforehand all the time you take helping us out here. So I'm in the dilemma of simulating a "PipeLine" in Splunk. This is to know at certain time...
How to get the JSON style display in Table view?
If you display in 'List' mode, you get the nice collapsible object tree for data that was loaded in from structured source like JSON. However, in this view, you do not get the nice columns/tabular...
Where do I add local accounts on Splunk 6.4 SHC?
Hi, If I need to add a local account on a Splunk 6.4 SHC, where is it done, and does it replicate?