For Splunk Enterprise, pre 6.3, default root certificates expire on July 21,...
Does the default root certificate expiration on July 21, 2016 affect the "universal forwarders"? What is the expiration date of the new root certificate that we are asked to replace the July 21...
update.sh not returning redhat (satellite) repo updates via inputs.conf but...
I am encountering an error I haven't seen before. In our environment we have Splunk_TA_nix and have enabled update.sh (sourcetype Unix:Update) it works going into the Splunk but the output is...
update.sh not outputting all update information on Redhat with Satellite
I am encountering an error I haven't seen before. In our environment we have Splunk_TA_nix and have enabled update.sh (sourcetype Unix:Update) it works going into the Splunk but the output is...
Can't run more than 6 scheduled real time searches
In the splunk app for cef I can't seem to get more than 6* searches to run even though I have more scheduled. If I check the job window I can see the 6 running. If I disable some in the gui others that...
Is this the correct way to use appOrder in user-prefs.conf on a search head...
I want to sort everyone's apps in the Launcher, so on my deployer I created an app called MY_user-prefs. It contains a single file `MY_user-prefs\local\user-prefs.conf` that looks like this:...
How to troubleshoot why my heavy forwarder is unable to keep up with...
I have a heavy forwarder running on a RHEL 6 server that has 16 processors and 16GB. This heavy forwarder has usually kept up with all of the logs that were sent to it, but a few months ago, I am...
How to create a time chart that is not based on numerical values?
I am trying to create a graph for status history of some machine. Values I have are the name of machine & its server health (down/alive) over a time period. This has become tedious because...
How to change Status Indicator size
Hello Splunkers. I have 2 questions about **Status Indicator Viz** and believe you guys can help me. 1) Is it possible to limit the size of the icon? I know that with Single Value I can resize it using...
Cisco Networks App for Splunk Enterprise: Why am I not getting Cisco devices...
Hi, I have configured the Cisco Networks App for Splunk Enterprise for monitoring Cisco syslog trigger. As I expected, the app is building charts with respect to syslog data. However, I am not...
How to edit my search to return a list within a list?
Hey guys, So what I am trying to do is put a list inside of a list to get an output such as the one below Company | Count1 | Group | Count2 | Environment | Count3...
How to edit my search to calculate percentage of a multivalued field for...
I'm trying to craft a search that will show the percentage of quarantined messages by country, but I'm struggling a little on how to complete it. I have the following: index="email" `MACRO` [search...
Why is my custom navigation menu disappearing when I drill down to new views...
I am using Splunk 6.3.3 I have several custom dashboards, and whenever I am using a drilldown to move to a completely new view, the custom navigation menu disappears from the top. However, when I use...
How to determine if a process has been executed?
Hello, I have a requirement to: 1) detect if a process is executed 2) was the process closed, and 3) how long the process was running? The purpose is to know if a user opened any browser from the...
Upgrading my Splunk Enterprise 6.2.x to 6.3.x did not upgrade the expiration...
I upgraded my instances as per https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html#answer-403312 , however, my default SSL certs ca.pem and cacert.pem are...
How do I suppress alerts until the next day at 12 am and not 24 hours?
I have a couple of alerts for License usage set to check every hour when they exceed 75%. At the moment, I receive an email every hour after it reaches the threshold. I only want to be notified one...
Search Head Clustering: Artifact proxying fails for real time alerts
Hello, We have 5 search heads in cluster and have a few (5) alerts in real-time. I know it is better to have scheduled searches, but please understand these alerts must be in real-time. So, according...
How to build dynamic columns using a Splunk search for data from an indexed...
Our application has CSV log files and the CSV is indexed in Splunk, but our CSV does not have any column headers. How do I build a search to read the below data and create field names myself with a...
How to edit my regex to remove all text before an optional character?
I'm attempting to use rex or a similar function that will be able to help me remove the domain identifier from a username from a list of events where that may not always be present. The usernames in a...
How can I compare two multivalue fields from two different sets of events?
I have events (call them "approvedset" events) generated on a regular interval, each containing a field called **listofIDs** which is a string made up of a comma separated list of IDs of approved...
Looking for solution of one alert calling script to execute second saved search
We want to do a search every minute on some logs. We want to identify those hosts whose events have http_code=5xx more than one percent of the time. And we want to see the actual events. What I...