Pcap from Palo Alto add-on
Hi, as requested from splunk partner support I bring up the question in this forum. We have a question from a customer that want to analyse pcap files from the threat function on palo alto panorama. We...
View ArticleAutomatic lookup, matching range field?
Hi, I would like to enriche netflow data (i.e. dst ip, dst port) with "service name", using automatic lookup. My lookup looks like the following example: IP PORT_RANGE SERVICENAME x.x.x.x/32 1024,1048...
View Articlei want to create a alert on avg disk read/write latency
Below is the example for an event. below are the values available.i want to calculate avg value with span 30 secs and and if value crosses continuously 0.30 for more than 5 mins. the alert should...
View Articlehow to know the search history by user, but only the searches you type
Sorry for the inconvenience, but I'm looking for a query that only shows the searches typed by users, because when I check in the audit it shows me the querys programmed. your attention is appreciated....
View ArticleDiscrepancy between datamodel, summaries, & raw search
We are running SE 6.5.4, ES 4.7.1, Splunk_SA_CIM - 4.8.0 I'm getting a discrepancy between 3 searches over the exact same 15 minute period (any given 15 minute period) for the following 3 searches: |...
View ArticleWhy are users from an LDAP Authenticated group not showing up?
We have created a group through our Active Directory team that contains ~6000 users. We have mapped this group through LDAP authentication on a single Splunk instance as we would normally do with any...
View ArticleIs there an alternative to using > in a search string?
**My basic question is as follows**: Is there a text alternative for specifying greater or less than, rather than using the symbol? This is why I ask: I have a search that queries failed login attempts...
View ArticleView full source of the log file
I have a need to view/export the source a log file. Requirement is to export all lines of the log file within a date/time range. Can you help?
View ArticleUsing chained eval or separate eval statements, any performance gains?
Is there any performance benefit in : using one eval with several chained statements v/s using separate eval statements ( which may be split to improve SPL readability for extremely large SPL's) | eval...
View Articlesearch heads failing because of huge knowledge bundles
currently half of my searchheads are shutdown (auto shutdown due to issues within Splunk) and the remaining are not able to query the indexers The problem is caused by a large knowledge bundle. when i...
View ArticleExport indexed data from splunk index to Kafka in real time
Hi, I have an use case where i need to export data indexed in splunk to kafka in real time. So far based on the documentation i can see that it is possible to forward the raw events to a port. 1....
View ArticleHow can I define customize sourcetype that I write logs in _internal?
My custom script writes log in /opt/splunk/var/log/splunk/script.log. I want the log to be indexed in _internal but have to define a customized sourcetype for the log to write in a proper linebreak....
View ArticleUniversal forwarder - multiple inputs.conf stanzas on the same folder
Hi I'm attempting to configure my universal forwarder to read log files from a single directory with multiple subdirectories. We use log rotate so the files will be renamed with (1) up to (4) before...
View ArticleHEC Curl Command Not Working?
Hello all! I have a weird problem occurring that I would like to get some feedback on. I currently am running a Splunk Enterprise instance on my local machine. Using the curl command and sending data...
View ArticleInputs not working
Hi, I have the following input setup and it won't work. I cannot figure out what is wrong with it. Any ideas? Thanks, JG [monitor:///C:\Program Files...
View ArticleError sending logs - ERROR TcpOutputFd - Read error. An existing connection...
Hello everyone, Currently the following error occurs with a group of universal forward that should send their logs to a Splunk Indexer by TCP/9997 port. **Stage** Splunk Universal Fowrard Version (...
View ArticleTrying to execute Showcase Examples in Splunk MLTK - coming up with error.
Whenever I try to run fit against my data, I receive the following: Error in 'fit' command: Error while initializing algorithm "LogisticRegression": Failed to load algorithm "algos.LogisticRegression"...
View ArticleAlert on low average when comparison with other events
Hi, Please help. Step1 : Calculate combined average of an event (event name : mytest here) from source file a,b,c. Step 2 : calculate average of mytest event from each soucve file a,b,c individually....
View ArticleTroubleshoot page loading slowness
Hi, Is there a way to trouble-shoot page loading slowness? I've been debugging SSO/Siteminder/LDAP issues, but I don't see any specific issues. However, the local account responsiveness is...
View ArticleAdding evaluated token breaks searchWhenChanged="false"?
I have a dashboard where the input fields are set to `searchWhenChanged="false"`. This was working as expected until I added an evaluated token from the value of one of these fields. Now, when I change...
View Article