REST API Modular Input: Where do I need to make configuration changes to set...
All, I installed the REST API Modular Input add-on ( app 1546) and configured it to get twitter feeds from http discoveredintelligence . ca / stream-twitter-splunk-10-simple-steps .... sorry I do not...
Splunk Add-on for Microsoft Azure: Is there a reason Splunk keeps retrieving...
I currently have the Splunk Add-on for Microsoft Azure for Splunk installed, but have noticed that each time it polls, it only retrieves the same set of events repeatedly and has not retrieved any new...
How to troubleshoot why a Universal Forwarder is not sending data to the...
I installed a Splunk Universal Forwarder on a Windows Server 2012R2 using following command: msiexec.exe /i splunkforwarder-6.3.2-aaff59bb082c-x64-release.msi LOGON_USERNAME="domain\account"...
How to get the last value from a previous event filtered by host?
My problem stems from how the last value functions, where it pulls the last value from the previous event. While I want it to do that, I also want to have the events filtered by another value (ex:...
How do I multiply a search result with dynamic value entered through a form?
I have a value called total produced by this search: index="_internal" source=*license_usage.log type=Usage st($st$) | bin _time span=1d | eval KB=round(b/1024) | eval MB=round(KB/1024,2) | eval...
What happens if I restart the universal forwarder while it is processing a file?
Here's my setup: 1 search head, 4 indexers, 1 universal forwarder. The UF is trying to index a large file (2G), I'm seeing the "Current data throughput (256kb/s) has reached maxKBps. As a result data...
How to duplicate data to another index without resending back to tcpout?
I have a situation where I'd like to duplicate some or all events going to one index into another. The only point at which I can touch the data is as it hits the indexers. I can't use another heavy...
How to configure the Splunk Add-on for Microsoft SQL Server to use event_time...
It appears that the Splunk Add-on for Microsoft SQL Server is using current _indextime instead of the value of event_time available in all audit events for SQL. Seems to me that audit related...
What Splunk stats should I look at to determine if my indexers should use...
Hi, What Splunk stats should we look at to determine if our indexers are candidates for multiple pipelines? SoS cpu usage?
Can I convert a back-referenced value to lowercase in a regex replacement?
I think the answer is "no" (as of Splunk Enterprise 6.4), but I thought it was worth checking, because this might affect what fields and values I send to Splunk (typically, in JSON; via TCP, or...
Is anyone else getting "Splunk could not get the description..." after a...
Not so much a question, but an observation looking for confirmation. If true, looking to spread the word. Recently our Windows Security event alerts for group changes have been blank. The event log...
How do I get the zeromq add-on to send data to the indexers?
The subscribestart.py is running and I see data print out in the window, but the data is not being sent over to my indexers.... I have data from that search head that makes it to the indexers just fine.
Adding 2 search heads in our environment to create a search head cluster,...
Hi, We are changing the current Splunk setup a bit and adding more Search heads (for clustering) into the Mix. Currently we have 1 SH and roughly 5-6 Indexers. 2 Additional Search Heads have been added...
Is it possible to modify "chart" command results?
Hello, Our index has the following data: method name (amf_name), execution time (call_dur), application_version (app_version). I am trying to build a statistics table of average values for every method...
How to search a range of numbers?
In Splunk, how can I search for a range of numbers (e.g. from "Test213" to "Test220")? I tried "test2[13-20]" or "test2(13-20)" but it does not work. Any idea?
How to set up a central syslog server and Splunk forwarders without...
All our many Unix servers are already set up to send syslog data to a central syslog server for archival. I have a Splunk forwarder installed on the central syslog server sending /var/log to Splunk....
Efficient way to search splunk_server in pre-6.x Splunk?
I'm looking for a way to find out which splunk_server contains data for my index for older versions of Splunk. tstats doesn't work and metadata is lacking for splunk_server. Any suggestions?
Why am I unable to run this search in the background, and how do I get around...
Why can't I parse my search in the background? I have a fairly large search that I am trying to run and it will take a few hours to complete. It will be great to run this search in the background, but...
How to edit my search to display all events of the current day with a sum...
I have a bank transaction XML log with date, card number, and amount. I need to print all transactions of the current day in an amount exceeding the average of the last month. Here is my log: 21052016...
Why does Enterprise Security Asset/Identity Imports not work with KVStore...
I'm running Splunk 6.4 and Splunk Enterprise Security 4.1. I have a method of populating KVStore collections remotely, validated I can see the data from the lookup definitions via inputlookup. However,...