Splunk service won't start after upgrading Palo Alto Networks App for Splunk...
I ran the upgrade to 5.0 of the Palo app and now Splunk won't start. When I try to start the service I get the below error. Checking prerequisites... Checking http port [8000]: open Checking mgmt port...
Help with regex to extract a field from my sample data
Need assistance with Regex to parse the user from the event below. I'm looking to get the value of a string between `=/com` and `src_host`. user=JOHN TEST SMITH. Would this be possible? Apr 11 11:03:55...
How to preserve externally updated lookup files in a search head clustering...
On our Search Head Cluster, we have many home-grown apps with dozens of lookup files each. In some cases, the lookup files are generated with the outputlookup command. In other cases, these files are...
How to append zeros to the beginning of existing numeric values for a field...
Hi, I was wondering if anyone may be able to help. We have an existing field with numbers from 2 up to 6 digits. 09 03 465 498 3895 6409 85939 37624 847809 783906 I would like to be able to append...
Why is Splunk line breaking a single IDS Alert event into two events?
Splunk is breaking a single IDS event into two events, such as: 4/11/16 2:42:46.152 PM 04/11-14:42:46.152985 00:05:00:00:00:00 -> 00:00:00:05:00:01 type:0x800 len:0x222 10.20.30.40:59406 ->...
Is there a way to schedule a Python Script from Splunk?
I currently have a Python script calling an API and returning the results to Splunk. I can use the `|script` command in Splunk and the Python script works as expected. I have a dashboard built on the...
What will break if I set coldPath to /dev/null?
I've been asked to size a Splunk installation with only 30 days of hot/warm data - no cold data. I've never heard of this before. I could probably set `coldPath=/dev/null` so warm data is deleted...
Indexing and Searching Performance issues
Hi, I'm writing here out of desperation. We're having significant performance issues with our Splunk environment. I'll share as much info as I can and welcome any input or suggestions greatly: 2...
Is it possible to add HttpEventCollectorTraceListener in .NET config file?
I am going off the question here: https://answers.splunk.com/answers/312914/httpeventcollectortracelistener-doesnt-flush.html The user is adding his listener programmatically in code, e.g.: var listener...
Certificate for answers.splunk.com is expired today. Please renew!!
Hey Splunk Team, I just found out today that the SSL cert for answers.splunk.com has expired. Maybe this needs to be monitored using Splunk :) :) Thanks Hemendra
Where to get icons for architecture and deployment diagrams?
I need Splunk icons for drawing deployment diagrams in my project. I could not find any downloads available for the various components. Does anyone have Splunk icon set or a downloadable link ? I need...
How do I extract the end of a string
Hi, I wonder whether someone may be able to help me please. From a field called 'detail.input' there are two potential outputs as shown below: **Request to /for/submissions/1234567890** and **Request...
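The two extraction questions above (the user between `=/com` and `src_host`, and the trailing segment of `detail.input`) both reduce to a regex with a named capture group, which is what `rex` does in Splunk. The following is an added example, not code from either poster; the sample event and the second `detail.input` value are constructed because both posts truncate their data, so the exact layout around the markers is an assumption. The `rex` equivalents are given in comments; note that Splunk's PCRE uses `(?<name>...)` while Python's `re` needs `(?P<name>...)`.

```python
import re
from typing import Optional

# Constructed sample data (the original posts cut off before the real events).
SAMPLE_USER_EVENT = (
    "Apr 11 11:03:55 gw01 auth: action=allow user=/com JOHN TEST SMITH "
    "src_host=10.1.2.3 dst_host=10.9.8.7"
)
SAMPLE_DETAIL_INPUTS = [
    "Request to /for/submissions/1234567890",
    "Request to /for/submissions/9876543210/status",  # assumed second form
]

# Splunk rex equivalent (assumed field is _raw):
#   | rex field=_raw "=/com\s*(?<user>.*?)\s*src_host"
# The lazy .*? stops at the FIRST src_host; \s* on both sides trims the
# surrounding whitespace so the user value has no leading/trailing spaces.
USER_BETWEEN_MARKERS = re.compile(r"=/com\s*(?P<user>.*?)\s*src_host")

# Splunk rex equivalent:
#   | rex field=detail.input "/(?<submission>[^/]+)$"
# [^/]+ anchored to $ grabs only what follows the final slash.
LAST_PATH_SEGMENT = re.compile(r"/(?P<submission>[^/]+)$")


def extract_user(raw_event: str) -> Optional[str]:
    """Return the text between '=/com' and 'src_host', or None if absent."""
    m = USER_BETWEEN_MARKERS.search(raw_event)
    return m.group("user") if m else None


def extract_last_segment(detail_input: str) -> Optional[str]:
    """Return whatever follows the last '/' in the field, ignoring a trailing slash."""
    m = LAST_PATH_SEGMENT.search(detail_input.rstrip("/"))
    return m.group("submission") if m else None


if __name__ == "__main__":
    print(extract_user(SAMPLE_USER_EVENT))
    for value in SAMPLE_DETAIL_INPUTS:
        print(value, "->", extract_last_segment(value))
```

If the real event contains a literal backslash after `/com` (for example a `DOMAIN\user` form), escape it in the `rex` string or the `\s*` will not match it; test the pattern against a handful of raw events before turning it into a field extraction in props.conf.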
How to configure inputs.conf to monitor a directory with multiple folders,...
Hi. Now I'm working with many sub directories. I want to monitor some directories and don't want to monitor others. This is an example folder that I want to monitor while ignoring some folders....
Why is UDP port 514 not showing its state?
![alt text][1] [1]: /storage/temp/121228-capture.png UDP port 514 is not showing state.
Palo Alto Networks Add-on for Splunk does not parse out user and src from...
I was working on building a dashboard showing users who failed logons to the Palo Alto. That's when I noticed the authentication events do NOT parse out user information from the log. event-id="auth-fail"...
Splunk App for Windows Infrastructure: Why am I missing green check marks for...
Running Splunk Version 6.3.3 installed on CentOS. New implementation and trying to configure the Splunk App for Windows Infrastructure. Running guided setup, I get Warnings for "WinPrintMon" and "WMI"....
Using Exchange logs, how to alert when someone emails more than 50 recipients...
I'm trying to make an alert for when someone emails more than 50 people within a one hour time span. The issue is that I have multiple values in the recipients field per event. I am dealing with...
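The detection the post describes (one sender, more than 50 distinct recipients inside any one-hour span, with a multivalued recipients field) is easy to get wrong by summing recipient counts per event, which double-counts people who appear in several messages. The following is an added example, not the poster's search or data: it runs a per-sender sliding one-hour window over constructed events and counts distinct recipients. The field names `sender` and `recipients`, the timestamp format, and all the events are assumptions. A fixed-bucket `SPL` form is given in a comment for comparison.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events, not from the poster's Exchange logs. "recipients"
# is multivalued, as in the question; "sender" and the time format are assumed.
def _rcpts(prefix: str, start: int, count: int) -> List[str]:
    return [f"{prefix}{i}@example.com" for i in range(start, start + count)]

SAMPLE_EVENTS = [
    # alice: three messages within 40 minutes, 60 distinct recipients in total
    {"_time": "2016-04-11 09:00:00", "sender": "alice@example.com", "recipients": _rcpts("a", 0, 20)},
    {"_time": "2016-04-11 09:20:00", "sender": "alice@example.com", "recipients": _rcpts("a", 20, 20)},
    {"_time": "2016-04-11 09:40:00", "sender": "alice@example.com", "recipients": _rcpts("a", 40, 20)},
    # bob: three messages to the SAME 30 people; summing mvcount() would say 90
    {"_time": "2016-04-11 10:00:00", "sender": "bob@example.com", "recipients": _rcpts("b", 0, 30)},
    {"_time": "2016-04-11 10:10:00", "sender": "bob@example.com", "recipients": _rcpts("b", 0, 30)},
    {"_time": "2016-04-11 10:20:00", "sender": "bob@example.com", "recipients": _rcpts("b", 0, 30)},
    # carol: 60 recipients, but the two messages are 90 minutes apart
    {"_time": "2016-04-11 11:00:00", "sender": "carol@example.com", "recipients": _rcpts("c", 0, 30)},
    {"_time": "2016-04-11 12:30:00", "sender": "carol@example.com", "recipients": _rcpts("c", 30, 30)},
]

# Fixed-bucket SPL approximation (assumed field names):
#   ... | mvexpand recipients | bin _time span=1h
#       | stats dc(recipients) AS rcpt_count BY _time sender | where rcpt_count > 50
# bin uses clock-aligned hours, so a burst straddling HH:00 can split across two
# buckets and stay under the threshold; the sliding window below does not.


def find_mass_mailers(events, threshold: int = 50,
                      window: timedelta = timedelta(hours=1)) -> Dict[str, int]:
    """Return {sender: peak distinct recipients seen in any window} for senders
    whose peak exceeds threshold."""
    parsed = sorted(
        (datetime.strptime(e["_time"], "%Y-%m-%d %H:%M:%S"), e["sender"], set(e["recipients"]))
        for e in events
    )
    windows = defaultdict(deque)   # sender -> deque of (time, recipient set)
    peak: Dict[str, int] = defaultdict(int)
    for ts, sender, rcpts in parsed:
        q = windows[sender]
        q.append((ts, rcpts))
        # drop events that fell out of the trailing window
        while q and ts - q[0][0] >= window:
            q.popleft()
        distinct = set().union(*(r for _, r in q))   # dedupe across messages
        peak[sender] = max(peak[sender], len(distinct))
    return {s: n for s, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for sender, n in find_mass_mailers(SAMPLE_EVENTS).items():
        print(f"ALERT {sender}: {n} distinct recipients within one hour")
```

Only alice trips the default threshold; bob's repeated recipient list and carol's spread-out messages show why the count must be distinct and windowed. If you implement this in SPL with `bin`, consider overlapping buckets (or `streamstats` with `time_window=1h`) so boundary-straddling bursts are not missed.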
How do I figure out why custom conf files are not being imported?
I am in the process of moving my indexer to a new server, and in the process, I thought it would be a good idea to combine the multiple configuration files that were scattered through $SPLUNK_HOME. The...
Trying to apply the Splunk Add-on for Microsoft Hyper-V to an indexer cluster...
Hi, We are trying to apply the Splunk Add-on for Microsoft Hyper-V to an indexer cluster bundle. When running the command, we receive the following error: In handler 'clustermastercontrol': The Master...
How to write a search to return unique field values for a certain time range...
Hello, I am trying to make a search that will return the messages from logs from one set, but not from the other. Unfortunately, I only want the unique results of one set, not the unique results of...