Dashboard Statistics Table Not Showing
I am building a dashboard and I've been having an issue with presenting Statistics Tables on the dashboard while logged in as another user. I wanted to set it up on the big screens in the SOC using...
Excel Export Not Working
Hi, I installed the app Excel Export without any issues. But when I try to export any search results, it returns the "page not found" error below. Any suggestions? Thanks, Wei > 404 Not Found Return...
A search that makes searches and executes them
So I have this search that I believe makes other searches from a list of regexs that I have stored in a csv. [| inputlookup regex_test.csv | eval search_this = "[search sourcetype=proxy | regex...
Weird Regex issue
All, I was using rex field extraction at search time and it did exactly what I expected: | rex field=_raw "\[(?_.+)\]\s" However, I placed the extraction in props.conf and I am not getting the same results....
extract one field from one index and pass to another search
Background: My windows AD users are in index "windersAD". All of their web traffic is logged in index "wsa". I would like to have a table with the timestamp, userID, source_IP, the URL, and the Web...
How do I use a large input in a query?
I am trying to write some query[ies] so that I can find users who have done action A in one type of event and action B in another type of event. The time span is simply too long to use the transaction command....
Why does my query blow-up in size with a join?
Why does my query blow up in size with a join? I have a query which, without a join (for further analysis), runs in 2MB with 200K events. I added a metadata inner join on hostname (or so I think...) to...
Universal Forwarder has not removed itself from the DMC
I had a host in AWS go down a few weeks ago that was not recoverable, and the universal forwarder is still showing as missing in the "distributed management console". Does anyone know how to force...
How to search for sources with a timestamp pattern
Hi, I want to search for a set of files that end in YYYYMMDD_HHMMSS_PID.log format and I want to search on files that match today's date. How would I do that?
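The file-name convention in the question above, worked through as an added example that is not part of the original post: a regex that recognises sources ending in `YYYYMMDD_HHMMSS_PID.log`, a filter that keeps only those stamped with a given day, and the wildcard form of the same filter for a Splunk `source=` term. The sample paths are constructed for this example, and the assumption that the asker will use the date stamp as a `source=` wildcard is mine, not the asker's.

```python
"""
Match Splunk source file names of the form YYYYMMDD_HHMMSS_PID.log and
keep only the ones for a given calendar day.

Added illustration; the sample paths below are constructed, not real data.
"""
import re
from datetime import date
from typing import Optional

# One regex for the whole file name. Month, day, hour, minute and second are
# range-checked so that a stray number that merely has 8+6 digits does not
# pass as a timestamp. The name may carry an arbitrary prefix ("app_..."),
# since the question only says the files *end* in this pattern.
SOURCE_NAME_RE = re.compile(
    r"""
    (?P<date>\d{4}(?:0[1-9]|1[0-2])(?:0[1-9]|[12]\d|3[01]))  # YYYYMMDD
    _(?P<time>(?:[01]\d|2[0-3])[0-5]\d[0-5]\d)               # HHMMSS
    _(?P<pid>\d+)                                            # PID
    \.log$
    """,
    re.VERBOSE,
)

# Constructed sample source paths, as an indexer might report them.
SAMPLE_SOURCES = [
    "/var/log/app/20240115_081530_4321.log",
    "/var/log/app/20240115_233000_4322.log",
    "/var/log/app/20240114_235959_4310.log",
    "/var/log/app/20240115_081530_4321.log.gz",  # rotated copy, wrong suffix
    "C:\\Logs\\app\\20240115_120000_777.log",     # Windows path
    "/var/log/app/20241315_000000_1.log",         # impossible month 13
]


def parse_source_name(source: str) -> Optional[dict]:
    """Return {'date', 'time', 'pid'} for a path whose basename matches, else None."""
    # Accept both path separators so the same filter works for Windows hosts.
    basename = source.replace("\\", "/").rsplit("/", 1)[-1]
    m = SOURCE_NAME_RE.search(basename)
    return m.groupdict() if m else None


def sources_for_day(sources, day_stamp: str) -> list:
    """Keep the sources whose date field equals day_stamp (a YYYYMMDD string)."""
    return [
        s for s in sources
        if (parsed := parse_source_name(s)) and parsed["date"] == day_stamp
    ]


def today_stamp() -> str:
    """Today's date in the YYYYMMDD form used by the file names."""
    return date.today().strftime("%Y%m%d")


def splunk_source_glob(day_stamp: str) -> str:
    """The equivalent filter as a Splunk `source=` wildcard term.

    Assumption (mine, not from the post): the glob is deliberately loose and
    does not validate HHMMSS; the regex above is what enforces the exact shape.
    """
    return f'source="*{day_stamp}_*_*.log"'


if __name__ == "__main__":
    for path in sources_for_day(SAMPLE_SOURCES, "20240115"):
        print(path, parse_source_name(path))
    print(splunk_source_glob(today_stamp()))
```

Only the `.log` files with a well-formed stamp for the requested day survive the filter; the rotated `.log.gz` copy and the name with month 13 are rejected by the regex rather than by the wildcard, which is why the regex is the check to rely on when the names are fed to a stricter pipeline.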
How do I subtotal processor utilization?
**Disclaimer**: I'm not saying this particular example is useful analysis - I'm just not sure how to think about solving a problem like this in Splunk properly. I have thousands of events of Zabbix...
Can I determine the size of a source without reading the entire source?
Hi, I'd like to determine the size of certain sources, but don't want the overhead of reading the entire file. Is there a way to do this?
How to configure Splunk Windows Event logs through command line?
Is it even possible to configure Windows Event Logs through command line? PS C:\Program Files\SplunkUniversalForwarder\bin> .\splunk.exe add monitor WinEventLog://Security In handler 'monitor':...
Remove port from email link hostname
I'm running a search head cluster behind a load balancer. I'm migrating some servers to using a non-root splunk user which has made this fairly obvious to me, but I believe it's happening anyway. When...
Quickest way to ensure data is coming in for a sourcetype across dozens of...
Hi, I have an app that creates lots of files (roll over at 50mb, about every 2-3 min during business hours), and has lots of servers (50+). I've had complaints that data and/or files are missing on...
Problem with Geospatial lookup and geom command
Hi All, Posting this question, as I am new to Geospatial lookup and trying to configure it as per Michael Porath's blog (http://blogs.splunk.com/2015/10/01/use-custom-polygons-in-your-choropleth-maps/)...
What will happen to running jobs when I initiate a rolling-restart on SHC
Hi, could anyone help me understand what will happen to my running search jobs when I initiate a rolling restart? Are the searches cancelled? Paused and resumed after the restart? Thanks in advance for...
Scripted Input and not working well with linux "Find" Command
Hi Guys, I am not sure if anyone has a solution for this, but I am not able to get any output when I run the Linux find command with the "-ls" flag through a script. find . -maxdepth 1 -type f -name...
Regex: How to extract multiple fields with the same name?
Here is an example of the log I am dealing with: <123 Main St><456 Center St.> I'd like to simply extract the names and addresses as seen below, but I'm not sure how to deal with the fields...
Why am I getting error "The "id" field found in app.conf does not match the...
I get the above mentioned error when I try to upload a new version of my app. I have also looked at...
How do I filter my time chart results to only display devices that have a...
I'm fairly new to Splunk and have a search that basically returns a count of the number of times a device logs in to our system and uploads data each week. The time chart looks similar to this. _time...