How to set up multiple instances of the Cisco eStreamer for Splunk app?
Sorry if this is a basic question: I am attempting to set up multiple instances of the eStreamer App, so that I can connect to more than one Defense Center. However every time I either copy the...

Search for events in sequence over time
I am attempting to create a search to alert on when a previously disabled employee is re-enabled. Currently, my search is as follows: index=* EventCode=4738 sourcetype="WinEventLog:Security"...

Is there any guidance on what performance hit can be expected when enabling...
Is there any guidance or detail about what sort of performance hit can be expected (on the forwarder side) when enabling forwarder to indexer communication? CPU or memory increase? I'm sure there are...

REST and Twitter: How to pull in a Twitter feed for a specific hashtag?
Hi everyone, I'm having difficulty pulling in a Twitter feed for a specific user/hashtag. I followed a couple of posts on blogs.splunk.com and to no avail. My inputs is as follows: [rest://twiter]...

How to get average event size...
Is there a quick way (metadata? tstats?) to get the average event size for my events? Querying every event would take forever...

Using Splunk to make an ansible playbook portal
Has anyone used ansible to manage and maintain an ansible deployment? Any dashboard examples or best practices anyone can share?

Machine Learning Toolkit and Showcase: Error in 'fit' command: External...
I have the Splunk 6.4 free version with Python for Scientific Computing Add-on installed and trying to run examples from Machine Learning Toolkit and Showcase. Outliers detection works fine, but I...

How do I make sure that every event starts parsing at the beginning of the line?
I'm running into a problem where some events are parsed in the middle versus from the beginning of the string. For the below data, I received the following 1. logMsgType: *dTrace* 2. logMsgType:...

Why am I unable to migrate custom settings in the default Search app from a...
I'm trying to migrate the custom settings in the default search app in a standalone SH to the cluster members in a Search Head Cluster and I'm following this documentation....

How do I get the average response times for all services without specifying...
I am trying to get average response times of all services (services1.. service n). I am able to get average response time by using the following search. index = app1 "service1"|timechart...

How to edit my regex to capture the Nth match in an XML file?
Hello all, I am struggling while trying to write a regex to capture the second and third occurrence of a pattern. Here is my example: The Following XML file for instance:...

How to configure Splunk to parse a custom date timestamp in a column of a CSV...
I have a CSV file I need Splunk to consume every day that has a date time stamp in a column. I cannot figure out how to get Splunk to read the date time stamp properly since its Month is in all caps....

Splunk DB Connect 2: Why am I getting error "No column name was specified for...
Hey, everyone! I am having some issues with running SQL queries in DB Connect. I am using the MS-SQL Generic Driver. Any query I run, even if it's just something incredibly simple, returns the error:...

What is the best strategy to discard all temporary data while testing on some...
We have a clustered environment that includes heavy forwarders, universal forwarders, and forwarders under Windows. The development team sometimes do performance tests and these generate a lot of data...

Is there a Splunk Universal Forwarder 6.1.10 for AIX 5.3?
I see you have Splunk 6.1.10 for AIX 5.3; does SplunkForwarder 6.1.10 exist? Trying to close the DROWN security vulnerability.

Two DMCs on Two different Splunk Deployers monitoring same set of indexers...
We have 2 Search Head Clusters: a production and a stage cluster. Both share the same set of indexers but obviously the search heads are only associated with one SHC. There are separate deployers for...

Can you define a navigation menu based on the dashboard being used instead of...
I want to create a single app where the navigation menu changes depending on what dashboard you are using. Is this possible to do?

How to edit my type=host metadata search to exclude a certain index?
I have this search: | metadata type=hosts index=*a OR index=os index!=aruba I want to get all the hosts in all the indexes except the aruba index. The NOT command doesn't work either. How can I use...

How to set up a multiple selection drilldown in a statistics table?
Hi All, I have developed a report to be shown to a set of users and everything is working well. Primarily, there is a statistics table which queries from the database and shows the results. When a user...

srchFilter Role Inheritance: If a user is a member of two roles, how to have...
For example, I have a user (test_user) that is a member of these two roles:
[role_role_a]
importRoles = user
srchIndexesAllowed = _audit;_internal
srchIndexesDefault = _audit;_internal
srchMaxTime = 0...