Blacklist files greater than a certain size from inputs.conf
Hi All, I have to monitor a folder where there are very huge files with file name automatically generated. Is there some way (instead of write a custom UNIX script that moves only small files to...
View Articlewhat is the difference between crcSalt and CHECK_METHOD=modtime?
I know both of the two settings can help me to index the whole file, What the difference between the two? Is there some thing one can do but the other cannot?
View Article"Parameter name: Path is not readable" - Splunk Add Monitor Command Error
Hello Team Splunk, I am trying to add a monitor to a log file. When I do this as either the 'splunk' user or the 'root' user I receive the following error: "**Parameter name: Path is not readable.**" I...
View ArticleTranslating string in search string
In my search strings I often rename columns using "AS". Is there a way I can expose those as parameters or something so that when I generate a message.pot file they are included? Thanks
View ArticleCombining three (x,y) coord series into one graph
Hi, I have 3 simple graphs generated by these three queries respectively index=“app_event” | eval starttime = strftime ($$payload.beginVal$$, “%F %T.%9Q”) | chart count(starttime) as BeginVal by...
View Articlecannot see all splunk servers using rest
Trying to get a list of all servers - i have a 3 tiered solution SH, IDX, HF | rest splunk_server=* /services/server/status/resource-usage/hostwide Only shows the SH and IDX If i run the cmd locally on...
View ArticleDrop field name from lookup table similar to return function
Hi All, To give some context, the return function in Splunk when used with a subsearch allows you to drop the field name when used with the "$" symbol. So for example in the subsearch: [search index=A...
View ArticleMultivalue field extraction
Hello, I cannot configure multivalue field extraction. I have a following event. the last 4 lines Time Stamp and Message shall be extracted as separate values togather with value following the FROM:...
View Article"ttl" in alert_actions.conf is ignored.
I configured like below in `etc/system/local/alert_actions.conf`. [email] ttl = 1209600 I thought job of scheduled alert that action is sending email, would be expired after 14 days. But my scheduled...
View ArticleSplunk Add On for Google Cloud Platform - message="Not enough time to send...
Hi, Splunk Version - Splunk 7.0.2 (build 03bbabbd5c0f) - Role: Heavy Forwarder Splunk_TA_google-cloudplatform version = 1.2.0 I have configured pub/sub inputs to collect logs from a Google Cloud...
View ArticleAWS logs via Kinese splunk destination Http Event Collector getting indexed...
I have AWS cloudtrail, vpc flow logs and cloudwatch logs being indexed and are searchable in splunk via kinesis firehose->splunk destination-> HTTP Event collector->index but the splunk app...
View ArticleHi All, I would like to know how to hook the callback to Splunk light weight...
While pumping the logs from the device to splunk through light weight splunk forwarder( LWF ), due some issues if device lost the connectivity to splunk machine, the LWF has to notify via calling the...
View ArticleDashboard panel is empty ,on running search shows result
My panel in a dashboard is showing nothing,completely blank,no error nothing.However when I enable search in the panel and runs it in the search app,the query is showing proper result. Any idea what is...
View ArticlePrevent tstats from truncating large fields
I have an accelerated data model with a field with large strings in it. When I use the spl | data model dm_name ds_name search | table * I can see the whole fields. When I use tstats: | tstats latest...
View ArticleIs there any way to resolve similar multiple alerts assigned in alert manager?
Hi, We got 100 alerts for similar issue. need to resolved those at one go. when alerts triggers,we assigned it to our name, but when applied filter to title description , we find 100 alerts for those...
View ArticleIs the timestamp from which the setting value of ttl starts as the report...
I made the following settings in `alert_actions.conf`. [email] #14days ttl=1209600 And I thought that the expiration date of the report executed at `6/11 AM 8 o'clock` was `6/25 AM 8 o'clock`. However,...
View ArticleEnchance search results with subsearch on different sourcetypes? (DNS src ip...
Hello Splunkers! For some time I'm trying to figure out how to feed results of a DNS blacklist check versus DHCP logs with respect to the time of event in DNS log and it's counterpart DHCP log. Let's...
View ArticleHow to create the below alert?
I have below two events for a host which shows eventcode=6005 meaning PC ON and evencode=6006 meaning PC OFF. I want to create an alert for sending an alert if the host or computer is Off for more than...
View ArticleJoining four tables into one?
Hi, I have a dashboard which in which one of the panels features a table, currently made out of 4 separate searches (technically 4 tables just next to each other), like so: ![alt text][1] The searches...
View ArticleHow to modify timewrap legend ?
Hi ! I am trying to modify the legend generated by the timewrap command. I saw that we could slightly change it with the parameter "series" but it's not really giving me what I want. Let's say I want...
View Article