How to check "WMI:WinEventLog:Security" if there are any Active Directory...
Good Afternoon, Can someone provide a way to check "WMI:WinEventLog:Security" to see if there are any users that have passwords that are set to never expire? There appears to be a field in those logs...
How to eliminate and prevent duplicate logs in my environment?
I have an application that has 2 environments. Specifically, there are 2 databases that replicate to each other so that each environment has the same data. However, I only replicate one time per day....
Splunk DB Connect 2 RPC Service down
All of a sudden the RPC Service went down. This is what I see in the rpc.log: 2016-04-20 13:00:57 ERROR ServiceSocket:134 - org.apache.avro.AvroRemoteException at...
Any plans on adding ability to dynamically update the subject/body based on...
I really like the sendresults command as it can send multiple rows together in a single email that all have the same email address (and not show the email address in the results table!). It takes the...
Can I add a condition around a drilldown link that is NOT using chart...
I have a panel that is providing a link to another page, passing a few tokens. The link will never change, but I only want it active under certain conditions. Informatica [|inputlookup splunked_nodes.csv...
How to set the default value of a multiselect input box to the results of a...
I want all results from a search to be the default for a multiselect input box. I don't think it can be done with SimpleXML but I suspect it can happen with JavaScript using the val method. How would I...
How to configure props.conf for a Unix timestamp in a JSON log file?
All, I have a JSON log file we're bringing in. Its time is logged as: "start":"1461191869.576" Any idea on where I would start with props.conf for timestamping?
Overlaying images on a location map
Hello, I have a location map/image of a large factory, and would like to show on the factory the areas where specific sensors are generating data, and overlay that error message or metric on that...
Dynamically set global search bin span based on time range?
I have a dashboard that contains multiple timecharts. (Splunk Enterprise 6.4.) All of the timecharts present performance metrics from the same events, in the same time range. For example: average CPU...
Indexer cluster master rolling restart heuristics
Can someone describe the conditions the cluster master will wait for when scheduling restarts of cluster peers when I have run "splunk apply cluster bundle"? We have 8 peers in total. 3 in site1, 2 in...
Searching results based on time from lookup file (csv)
I have a .csv file as a lookup file that gets updated daily with new records. It has a number of fields, one being date_added (example field format: 2016-04-17T04:23:40). I am after an easy way to...
Enable IAM Role to use CloudTrail app
I don't want to add secret keys; instead I want to use IAM Roles. I have installed the CloudTrail app and the AWS Add-on. Please guide me on how to enable an IAM Role.
How to store search output to a database
I wrote a Splunk query which manipulates data and displays a result. Now I want to store that result into a database. Is it possible? e.g. search result ->> id val1 val2 val3 1 3 6 9 Now I want to store...
More help with regex
I am again in need of help with regex. In a scrubbed example (there are thousands more lines) of the following dns log I have the following: 4/13/2016 5:22:38 AM 062C PACKET 000000FE74EC0260 UDP Rcv...
What are the possible gains from an index-time extraction of a large JSON log?
All, I have a JSON log coming in from Akamai. 99% of searches against this data are using the field **cliIP**":"1.2.3.4" . Mind you, it's a dump from a cloud service, so there is no **host** field...
How to create a timechart on license usage to show the max usage and the...
I have been trying to create a timechart on license usage. I did try this search below.. index=_internal source=*license_usage.log* type=Usage NOT idx=sos| timechart span=1d...
Universal forwarder on Windows: installation directory must be on a local...
I've installed the universal forwarder on two of my domain controllers without issue. For some reason, on the remaining two, I'm getting the following error on the screen where you specify install...
Unable to remove member from search head cluster
We need to migrate members in and out of a search head cluster. It is documented here ( http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/Removeaclustermember ) that the command is "splunk...
Splunk Add-on for Box not timezone offsetting correctly
It seems there may be a timestamping issue in the Splunk Add-on for Box. The timestamp from Box is 26 characters long if you include the timezone. However the app is set to a `MAX_TIMESTAMP_LOOKAHEAD =...
How to extract a value of a field when the field contains quotes (") inside?
I have an index with multiple fields; however, one of my fields could contain multiple quotes. Id="0001", Message="The data "test" is not present", Result="This is a result" When I check the fields, I...