How to embed a Splunk dashboard in an iframe?
Hi Experts, I want to embed my Splunk dashboard in a webpage as an iframe. I am aware we can embed individual saved searches. Is there any way to embed a completed dashboard?
How do I search by multiple lines in a log?
Right now, my search looks like this: `index=4_ip_cnv source="*ATL*Pack*" FirstWord=SDA | rex "\s(?<Msg>201,.*)$" | eval Msg=split(Msg,",") | eval ActualDest=mvindex(Msg,5) | eval ContainerID=mvindex(Msg,13)`...
How to compare data in 2 time buckets and alert based on results?
bucket 1 -> Last 30 mins (say 10.30 AM to 11 AM)
bucket 2 -> Get avg count of events for the same time period for the last 7 days (10.30 AM to 11 AM)
compare bucket 1 and bucket 2. If bucket 1...
How to count the number of events by unique value by sourcetype?
I'm new to Splunk and am not quite sure how to approach this. I have several different automated jobs such as generating checksums, tar and ffmpeg transcodes and they all write job information to log...
Why does running ps.sh and ps from the host show more data than running a...
Running the search `hostname=hostname index=os source=ps` doesn't show all the information that running ps.sh from the host shows. For example, I don't see my Java command. Can someone help w/ this?
How to add Sparklines to a status dashboard?
I currently show data for one server at a time on a dashboard, with panels for RAM usage, CPU Load (1min, 5min & 15min averages), CPU Utilization, Memory Usage by Command, and some data from the PS...
Alert when count is less than a certain threshold
Hi... here is my search: `sourcetype="isc:dhcp" earliest=-10m@s latest=now | stats count as dhcp_count by _time | where dhcp_count<5000` I'll usually get returned stats: 4800 10,000 11,000 I have this...
How to troubleshoot why index size on disk suddenly jumped by 2.5TB overnight?
On May 4th, the disk space used by our default index jumped from about 400G to about 3TB. This doesn't seem to be related to actual indexing-- we don't index anywhere near 2.5TB a day, and we didn't...
How to combine lists of source and destination IPs into one unique list to...
I have a list of source and destination IPs that I'm trying to concatenate into one unique list and check against a CSV file. I'm trying to make a list of all the unique source IPs (I don't need the...
Is there a way to configure an alert to be sent to multiple recipients using...
I'm digesting some Windows event logs and have an alert set up with the criteria that I want to look for. The alert works beautifully, but I'm adding another layer of difficulty with how the alert goes...
App Exporter: Local directory files got merged to the default directory, but...
It seems the local directory files got merged to the default directory, but the default.meta file did not get updated to have the local.meta information. Why?
How to troubleshoot why previously working scheduled reports and new...
Previously working scheduled reports are not working AND newly created reports are not working. Creating a new test search works: `index=test1 | timechart count by status` The timechart is created, but...
Splunk addon for Bro IDS not automatically extracting fields
Hi, I have a Linux box running Bro 2.4 and the Splunk Universal Forwarder (6.4.0) configured to monitor my Bro logs and forward to an indexer running Splunk 6.4.0 with the Bro Addon installed....
Microsoft SQL App vs add-on
Hi, I'm a little confused which app/add-on I should install. I have a customer who would like to monitor their production SQL Server instances. However, I saw the MS SQL app is in abandoned status on its page....
Notification On Change
All, so I just installed the alert_manager, but I don't think this question is per se Alert_manager specific. How would I get an email notification of moves/adds/changes in the alerts for this app context?...
Where do I install the Cisco eStreamer for Splunk App in an indexer...
Hey folks! I'm attempting to get Sourcefire/FireSIGHT data with the Cisco eStreamer for Splunk app and I'm having trouble deciding where to put the app. It seems if I put it on both indexers in a...
Why does my search not return some of the events older than 30 days?
Hi, I have a very easy search to see how many events with field A have happened in each month. `index=X sourcetype=Y | dedup A date_month | stats count(A) by date_month` When I use this search and set...
Splunk Add-on for Microsoft Azure: Why am I getting Start Date/Time error...
Getting an error when trying to read generic Azure Storage table logs. Even tried with the Start Date/Time blank and still get the error below. Any Ideas? 05-10-2016 18:49:42.195 +0000 ERROR...
Best approach to move data to a different index?
Using Splunk 6.3.1, 1 search head, 4 indexers, 1 UF. I have a lot of data that got put into the wrong index. We have to segregate our data into different indexes based on the value of a specific field....
How to merge 6 fields into one field, but still return unique values?
Hi, I have 6 fields A B C D E F. Each has multiple unique numerical values. I need to merge these unique numerical values into one new field, basically to make it seem as if the 6 fields don't...