Dynatrace audit logs indexing problem
Hello, we are trying to correctly index SecAudit-BackendServer.1.log from Dynatrace; however, the non-encrypted log files have special characters just before the timestamp:...
Regex help, regex query works, failing on Splunk query
Need assistance with a regex to reformat a field; the field is Message. The output is "*Reason: Details: Attributes: folderPathname folder ManagerDisplayName david foster OwnerEmail user@useremail*" when...
eventgen events stopped being indexed
The event generation was working flawlessly for weeks but went fully quiet until a sole burst yesterday at 4pm. The configuration file was not touched (generation frequency still the same), so what...
How to extract fields if the event is in JSON format?
Hi, I have the below event in JSON format. I want the fields to be created as "key1", "key2", etc. I am trying the following code but it is not working: index="BBB" sourcetype=AAA | spath output=AA...
Why is the KVStore not loading on the search head?
On my search head I can't load the KVStore; mongod.log says 2018-08-14T14:46:34.831Z W CONTROL No SSL certificate validation can be performed since no CA file has been provided; please specify an...
Filter transactions that do not contain a certain Event?
I am using transaction to calculate a duration of a job. The search for the completed events is: `index="events" | transaction reference endswith="WAITING"`. Each event contains a `state` value of...
How to extract fields using regex in transforms.conf?
Hello everybody, I am new to the regex topic. I have events with the following information: SPIEE-WIRELESS-MIB::**bsnStationMacAddress**.0 = STRING: **a9:12:fa:13:19:8F**...
How to find the difference between an inputlookup and a search result?
I have a lookup file which has a mount list with the respective servers. Now I have a script which logs the mounts available every 15 min. I want to create an alert if any mount is missing from what...
How to suppress search results when a certain condition is met?
I need help with a very basic search concept. I need a way to suppress search results if a certain condition is met. I have a CSV file (file.csv) Maint YES I need the exact search that would follow...
_time and index time are different
How can I know what is wrong when there is a big difference between _time and index time? 173,518 events (2/20/13 5:27:50.000 PM to 1/1/18 12:00:00.000 AM) No Event Sampling Job Fast Mode Events Statistics...
transaction maxevents=2 returns 1 event, maxevents=3 returns 3
Hello, all, I'm trying to find the elapsed time between two events: one containing the string "/makeCreditCardPaymentSD" and the one that follows it. The transaction is grouped over a field called...
Splunk alert if continuous count is 0 for consecutive five minutes in 10 minutes
I want to run a query every 10 minutes. But it should alert only when the count is continuously 0 for five consecutive minutes.
Difference between field extraction and writing regex in search to extract...
Can anybody tell me what the major difference is between extracting a field from the event and extracting a field using regex in search? And which is more efficient?
How to use a lookup table to identify new open ports based on source IP
I have NMAP data in Splunk that reports on open ports associated with a list of IP addresses. I'd like to create a lookup that I can then use to query against and alert/report on in a new query that...
Archiver - Reporting messages regarding ops.json
The splunkd.log is reporting messages regarding the ops.json file. I cannot find any references to what this file is used for. Should I be concerned with the size of the file and the archiver performing...
On what user does Splunk start after restarting it from the deployment server?
Hi, when we restart the Splunk forwarder from the deployment server, does it start 1) based on the user defined in the boot script, or 2) based on the user ID under which it is installed? Suppose Splunk is installed under...
Error when loading LDAP module
Hi. When I try to use this add-on I see this error in myldap.py.log (in debug mode): myldap:63 - ERROR: LDAP modul load failed with error libsasl2.so.2: cannot open shared object file: No such file or...
What is the difference between extracting a field from an event and extracting...
Can anybody tell me what the major difference is between extracting a field from the event and extracting a field using regex in search? And which is more efficient?
Lower memory usage
I have a query that is being blocked from retrieving all relevant data due to a policy to keep queries under 500 MB. Is there any way I could optimize this query? index=Nitro_server=xs_json earliest=-48h |...
LDAP connection invalid
Hi. When I try to use this add-on, in a specific case, it shows me this error in splunklib.log: 2018-08-14 16:54:01,748, Level=ERROR, Pid=64693, Logger=splunklib, File=search_command.py, Line=971,...