Channel: Questions in topic: "splunk-enterprise"
Browsing all 47296 articles

crcSalt entries getting deleted on Forwarders inputs.conf, when changing...

Hello and good afternoon. I did run into the following issue and was wondering if anybody experienced the same and/or probably even has a solution: The Splunk Indexer and Forwarder we have are on these...

Automate report using script

Hi, The report is scheduled to be run every 10 days from search head, the report itself is too big to be sent out through email. Is it possible to add a script that on completion of the report will...

I want to combine two chart query output as 1

Part A: index=web splunk_server_group=hotel sourcetype=hotellog eventname=hotel-book earliest=-3d| eval dateyearweek = strftime(_time, "%Y-%U")| stats count(eval(like(success,"false"))) as F,...

How can I connect multiple databases in Splunk DBConnect?

I have installed and configured Splunk DB_Connect in my Splunk instance, connected one database with it and it's working successfully. But I want to connect multiple database servers without creating...

How to Flatten nested XML attribute data

We have data coming in XML in the following format: Sample Event 1: Sample Event 2: Please note that the data is coming exclusively in XML attributes, and not in elements. We need to flatten out the...

How can I join two searches on a common field?

I'm trying to append two tables on a common key. I am using `|appendcols` but the two tables are not internally joined, just placed side by side. Am I correct to use `|appendcols`?

Splunk 7 upgrade - "ERROR DispatchThread - Failed to read runtime settings:...

Hi All, We just upgraded to Splunk 7 and a subsearch started auto-finalizing after 9000s timeout. Running this search by itself takes ~220s. Search.log shows a long list of (900s worth) entries of:...

How do I filter results based on approximately 115 partial values of a field?

I have a large list of products. I need to search the list but filtering out some results based on the partial values of the **ProdDesc** field. Examples of ProdDesc would be something like :...

Splunk DB Connect: Why am I getting "The value is not set for the parameter...

As I go through the manual process of trying to migrate queries from dbConnect v1.x to dbConnect 3.1.3, I'm having issues with the Edit Input panel. I follow the steps. 1. Choose a valid connection -...

How to set up Slack alerts with Linux Hostname Environment Variable...

I'm setting up Slack alerts and would like to deploy uniformly to our heavy forwarders. To do so, I'd have to add a placeholder to their alert_actions.conf [slack] disabled = 0 param.from_user =...

split _raw data into multiple table fields

I have the following data in _raw and I need to split the data at the semicolon into multiple fields in a table LOG INPUT (_raw) 2018-08-22 10:45:19,834 ;Application 1;Status...

Forwarding specific data to third-party system

I am working on a POC third-party system for some of our data and need to get data from Splunk forwarded over to it. I was looking through this link...

Why is Splunk Cutting off data received with collect command?

Splunk is cutting some data that is received through `collect` made on a server. I have already reviewed the props.conf and inputs.conf files. Has anyone seen anything about this? Thankful.

When writing a report, what are the important parameters?

Please let me know the important parameters and how they should be set without a mistake.

How can I combine two chart query outputs as 1?

Part A: index=web splunk_server_group=hotel sourcetype=hotellog eventname=hotel-book earliest=-3d| eval dateyearweek = strftime(_time, "%Y-%U")| stats count(eval(like(success,"false"))) as F,...

How can I connect multiple databases in Splunk DBConnect?

I have installed and configured Splunk DB_Connect in my Splunk instance, and connected one database with it and it's working successfully. But I want to connect multiple database servers without...

Can I use join by using multiple fields from the main search to match a...

I have a search with the following table as output: time customer circuit_id parent_circuit device_card 8:10 zzzzzzzz aaaaaaa bbbbbbbbbbb ccccccccccc Is it possible to use the values of the fields...

Summing two numeric fields results in a concatenation of the two fields.

Hello Splunk Ninjas, First time I've seen this: I have two fields, clearly recognised as numeric fields by Splunk. They are named: "Put Count" "Put1 Count" I want to sum these fields, so I do this:...

Regex extract just ID inside of Brackets

So I have this data: Aug 22 09:13:46 someservername <118>1 2018-08-22T09:13:46.743+00:00 ip.address LOGSTASH - - -...

Add LatestEvent Column to Sparkline Chart

I have a search that is currently working to give me a spark line for different event types. The search looks like this: eventtype=PS-* | chart sparkline count by eventtype Now I can take the fields...
