Multi-Field Subsearch or Pivot or Join on sources... I'm Lost.
Short story, alert results to populate proxy query of dependent time ranges. Longer story- So essentially let's say I have a string that shows in my repository of SEP:IDS logs. I have a query that shows...

Usage Analytics of Splunk App
All, My boss is asking that we start getting more detailed tracking of our Splunk instance as a way of better justifying our various expenses. Effectively adoption and cost monitoring. Any apps worth...

Dashboard panels not loading upon page refresh
I'm using a SQL query to populate panels in a dashboard. When I paste my query into the "edit search string" box, everything works. The data and plot display as expected. When I click "done editing",...

Summary Question
So if I add a single search head and add my existing indexers/search peers to it. BUT DO NOT set data forwarding on it. Any summary searches I create will store the results LOCALLY on my search head,...

Retention Limits on a index question
All, I am on a roll for questions today. Just learning Firebrigade here, cool app. But I don't understand how it's possible that I can have data in an index older than the max age of the index? I have...

Join 2 tables for matching field values
Hi, I would like to join 2 tables with multiple fields based on common field Column 1 where Table:1 will have fields like **Table:1** **Column1 Column2 Column3** xyz_sss_12 ghcgvcvb dsdffgcg...

Add Threat Intelligence to Enterprise Security search head cluster
We have looked at adding some threat intelligence apps to our Enterprise Security instance and have decided that we can consume the information that we are looking for via TAXII feed. The instructions...

Help with Stats based on Conditional Multiple Values - foreach (potentially)
Here is my raw data: advisories=[Advisory@51046c2f[advisory=6,rule=LOGIN_3,passive=true], Advisory@2f9ea478[advisory=32,rule=LOGIN_30,passive=false],...

How to embed HTML in XML for color single value visualization ?
How to embed HTML in XML. Requirement: I need to change the color of the single value visualization in 6.2 version without CSS or JavaScript. I know it can be done by CSS or JavaScript or in 6.4...

Extract fields/subfields into table pipe and ":" delimited and name columns...
My search string "[.Id.IdCreateService] - Promotion Created, Promotion Settings For PromoCode=121509PromoId=3550966 : ***17429150|Gillette|111082|9999999|Save $5.00 on Gillette|Save $5.00 on ONE...

Regex for complex search string
Search String - Promotion Created, Coupon Settings For PromoCode=121509PromoId=3550966 **: 17429150|Gillette|111082|9999999|Save $5.00 on Gillette|Save $5.00 on ONE Gillette Fusion...

Extracting fields and SubFields in following complex search piped
Search String - Promotion Created, Coupon Settings For PromoCode=121509PromoId=3550966 **: 17429150|Gillette|111082|9999999|Save $5.00 on Gillette|Save $5.00 on ONE Gillette Fusion...

Is the Splunk TA_Windows automatically installed with the ufw?
Hi, Am I imagining things, or does the Splunk TA_Windows automatically get installed with the UFW? Is there any way to stop that? It appears to automatically turn on some events, which I don't want...

fieldformat individually is a pain
Related to my previous question on arbitrary lists of variables... sum(CPU*) seems to pull off an interesting trick of 1.) enumerating all possible variables starting with CPU. Is there any way to...

Speed up LDAP / Active Directory searches, specifically Asset or Identity...
My AD query for Asset or Identity list generation takes a long time to run, is there any way to speed it up? For instance, suppose my version of the search Splunk supplies as a starting point looks...

Why is there a necessity to have a different app - Splunk DB-Connect?
Hi All, I'm very new to the DB Connect for Splunk app. Please help me understand the below. Appreciate your help on this. When we run a query from Splunk does that mean the Splunk query gets converted to...

User Workflow in Splunk
I'm hoping someone can help me out here? Apologies if I break any community rules - first post here! Trying to create a workflow (not workflow actions) that provides the user a table of results (from a...

How can I Rex to match until a string
Hi folks, I'm new to regex and am struggling to extract a number from a field. I basically need the amount extracted from the following; *Date Name Amount Curr Type Status* *-------------------...

Troubleshooting Data Model Network_Traffic
I am trying to set up ES and having some issues with Network_Traffic data model. I am getting logs from the firewalls with tags network and communicate, and I also created field alias for some of the...

Search Head Clustering SHC - Push config, restart myself?
All, Is there a way to push a config from a deployer to the search head cluster, then restart the members on my own time? Background: We currently have a 24 node search head cluster and are largely...