still getting "did not return events in descending time order" with...
I have a custom command written with the Python SDK 1.5. It takes in events, and then emits multiple events for each incoming event (with the same _time value). I have overrides_timeorder = true...
View ArticleWhat does this mean "ERROR SHPRaftConsensus - 1250000 consecutive...
Getting this in splunkd.log, failure to all the nodes in the search head cluster. 10-30-2015 19:57:57.527 +0000 ERROR SHPRaftConsensus - 1250000 consecutive appendEntriesFailures to...
View ArticleHow much scripting knowledge is required to work as a Splunk Administrator...
Hi Everyone, This is my 1st question on Forum. I have made up my mind to go for Splunk training. I am not really good in scripting languages like Perl and Python. How much is scripting knowledge...
View ArticleCan you enable Event Actions for Real Time Searches?
Can you enable Event Actions for Real Time Searches? We see Event Actions for historical searches. We're looking to implement a "View Source" for real time searches.
View ArticleIs it possible to use regex in an inputs.conf monitor stanza?
Hi Is it possible to do something like this: [MONITOR:///some directory/WE\d{8}.log] for indexing the following filenames: WE93820493.log WE37245293.log I don't want to index the following filename:...
View ArticleTop command causing issues with stats commands
I am trying to audit bandwidth usage, The following search works as expected, except the URLS flood the URL field. I want the top 5:<code> Search here | stats list(url) as URL sum(sent) as...
View ArticleHow do I extract raw data only highlighted text in my search
Once I have highlighted key text at my search , I wish to extract only these text into raw data excel file or csv file. How do I do that please?
View ArticleHow to change name of attachments in email alert action?
Hi. In 6.2 in alerts with email action all CSV Attachments had name like "splunk_results.csv" by default. After installation of 6.3 default name was changed to $name$ token(name of alert). If I use...
View ArticleHow can i monitor the number of current artefacts (search jobs in dispatch)...
Hi, For trouble shooting and Alerting purposes, i would like to be able to monitor the number of current active artefacts objects in the dispatch directory of our search heads...
View ArticleDBQuery and timepicker
I have created a dashboard that has a few filters on it which are used to retrieve specific rows from the MSSQL database. I have managed to substitute the filters into the query, except a timepicker...
View Articlesplunk for AWS data inputs blank
When I go to the configure menu, all the data source inputs are blank for my splunk enterprise environment: ![alt text][1] [1]: /storage/temp/68179-screen-shot-2015-11-01-at-82525-am.png
View Articleestimate the event whether or not happened in the time range duration of...
HI , i want to correlation two sourcetype, The first sourcetype is VPN logged event, for examples, userA logged event as follows, ***2015-10-18 18:06:45 1.1.1.1 userA logged in , connected to...
View ArticleResponse Handlers
Hi Damien and Others, I'm using the REST API Modular Input to pull data from Twitter's streaming APIs, and other REST sources using a Heavy Forwarder, and then pushing that data into indexes that are...
View ArticleUnderstanding distributed search replication blacklisting behaviour
I'm trying to understand what happens to distsearch when you black list something. For example a csv file. I've been looking into what is the best methodology for stopping large csv files from being...
View ArticleSplunk Add-on for MySQL: How do I deal with truncated MySQL General logs that...
Using the following time format from props.conf included with Splunk MySQL TA; TIME_FORMAT = %y%m%d %H:%M:%S Used to split the following log format by timestamp; 150803 7:27:03 102983 Connect...
View ArticleCan I safely remove old cluster remote-bundle directories to free up disk space?
I am using up a lot of disk space under `${SPLUNK_HOME}/var/run/splunk/cluster/remote-bundle` on our Cluster Manager/Master and noticed that it seems like all of the Remote Bundles ever created are...
View ArticleAre there issues with deploying the Splunk App for Unix and Linux (5.0.3) &...
I have a distributed non-clustered Splunk Enterprise environment. I am planning to implement Search Head clustering and a multisite indexer cluster. I know that the current Nix and Windows Infra apps...
View ArticleHow to migrate applications from one Splunk environment to another?
Hello Can anyone list all the steps required for migration of applications from one Splunk environment to other environment? thanks..!!
View ArticleParsing the following sourcetype for a custom field extraction on a single...
When parsing the following sourcetype, the field Example1 results in "Nov" instead of the full date. The rest of the fields are extracted properly. I'm wondering, is there anything specific I need to...
View ArticleHow to join two searches that have two common fields and put a condition on...
I want to do a join of two searches that have a common field ID and time, but I want to have a condition on time when IDs match. Consider two tables user-info and some-hits user-info name ipaddress...
View Article