Scripted SSO auth errors on indexer cluster
We have a clustered setup with server types including an indexer cluster, a search head cluster, and a separate cluster master. We've implemented SSO with an auth script, but still receive messages...
How to configure EXPORT Excel (add on) if AdvanceXML is Deprecated?
As I can see in this documentation http://docs.splunk.com/Documentation/Splunk/7.1.0/AdvancedDev/Whatsinthismanual#Advanced_XML_Deprecation, Splunk Advanced XML is no longer available. Is there any way I...
Monitor a file in a folder
Hi Team, we have a requirement to monitor whether files are getting deleted, modified or added in a folder; then we need to get a Splunk alert stating who has modified the file or deleted the...
Help in estimating storage size
Hello Splunkers, below is our retention requirement while aiming to index approx 250GB of data per day in only 1 indexer: hot - 60 days - Tier 1 - SSD; cold - 4 months - Tier 2 - 10K RPM; frozen - (12...
Regex string end of the url and in between
10.1.151.100 [18/May/2018:09:09:57 +0200] "GET http://example.com/DCQ/templates/GetAggregated?channel=TV&contentId=4ek4k4&lang=eng HTTP/1.1" 200 2856 hit 0.000111 hit - 154.176.135.239...
Error with Microsoft Azure Active Directory Reporting Add-on for Splunk
Hi all, we installed the latest Microsoft Azure Active Directory Reporting Add-on for Splunk on our installation running 7.0. We configured inputs for Signing and Audit data. However, there is no data...
tstats errors with Splunk 7.1 + Enterprise Security 5.1?
Hi. We've just upgraded to Splunk 7.1 on our ES search head, as well as upgrading ES from 5.0 to 5.1 to meet the compatibility requirements. It's not behaving - all ES dashboard panels powered by data...
Why am I getting this error "External search command 'WinAD' returned error...
I'm trying the 'Custom search command starter example' on Splunk's site. So, I'm getting this error: "External search command 'WinAD' returned error code 1". But it ended normally when I tried to...
create dashboard to monitor windows event logs
How to create a dashboard for Windows event log monitoring of different Windows servers with categories like Application, Security, System, so that it can be filtered easily from the dashboard itself?
FireEye Error
During the Splunk server restart, the error reported below is displayed and written into the _internal index; it seems to be introduced by the default configuration with which the app is provided. Well, any...
How to append a value from lookup file to the event based on some condition
I have a lookup file in the format below: Product|R AAAA|/ffff/* I have some events like R="/fff/abc" and some like R="/ffff/xyz.jsp". Using this query I am able to fetch R counts: index=prod* |search...
passing host field in custom script in alert.
I am trying to run a custom shell script with the hostname returned in my results. How do I get the hostname field passed on to the custom script? I tried "1.sh $result.host$", which is not working.
Splunk Powershell
Question about PowerShell and a DEFAULT installation of a Universal Forwarder on a Windows Server. In this instance, does Splunk use PowerShell for any process, assuming no UF configuration other than...
Is there a way for Splunk to read from one directory and capture everything...
Hello Everyone, the issue is that we are collecting CyberArk logs using the CyberArk add-on 1.0.0. CyberArk is creating multiple sub-directories in the monitored location and we are only capturing what...
f5 app report error iso partition, F5 v13.1 apm client iso
Dear all, in F5 BIG-IP release 13 and above, a new ISO is mounted on the system. This ISO is not removable as it's the system's ISO. This causes a BAD result for the device's health in F5 Analytics in Splunk...
how to replace a lookup part in the splunk query with a saved search?
I have a query as below which gives some output: index="summary" search_name="ABC" | dedup hostname | join type=outer ip_address [| inputlookup device_list.csv | rename devip as my_ip ] Now, I had...
Getting ClassCastException with Service.connect for Splunk sdk Java
Hi, I am using the Splunk SDK for Java to access Splunk REST API endpoints. I am trying to call the API as per the code below. Code Snippet: ... Map connectArgs=new HashMap(); connectArgs.put("host", "splunk");...
How to exclude weekends from last 30 days search?
My query essentially goes through every event and picks a field with response_time, and then calculates its average value. I need to do this search for the last 30 days excluding...
Splunk Upgrade
Hi Team, we have a Splunk distributed environment running on version 6.3.0 and we plan to upgrade to 7.0.0. Could you please help me with the best way to upgrade Splunk? Do I need to upgrade to versions one...
Scheduled Base Search only showing several hours of events.
I have a base search ("BaseSearch-SyslogsBro") that is scheduled to run daily in the morning which is utilized within a dashboard. *index=bro source=/opt/bro/logs/current/syslog.log | fields severity,...