Unable to bootstrap search head cluster captain
**Environment:**
- Windows Server 2012
- Splunk Ent 6.3
- 3 Search Heads (all brand new instances)
- 1 Instance which is both DMC and Deployer (documentation said this should be ok)
- All on the same...
How to send different logs to different indexers from the same Universal...
I have one universal forwarder (UF) that is sending production data to the production intermediate Forwarder (IF) and then on to the production indexers. I would like to start collecting test data from...
How to configure file monitoring to make the full content of a file as one...
I have Login files in a folder that are overwritten each time a person logs in. I would like to read in the entire file with file change date as event date each time the file changes and have the...
Why are the timestamps different when indexing CSV files locally versus being...
I'm having an issue with timestamps on CSV files. Here is what a sample of raw data looks like:...
Splunk universal forwarder v6.2.6.274160, how can I verify which version of...
We continue to get the FREAK vulnerability security item show up on our scans and the SSL version of Splunk was identified as an issue. Does the new install package remove the old SSL version or do I...
How to extract fields from a specific field instead of raw data using the...
How to extract fields from a specific field instead of raw data using the conf files? Can it be done with `EXTRACT-<class> = [<regex>|<regex> in <src_field>]` in props.conf?
How do I get timewrap to ignore standard/daylight savings?
I have a Splunk query that retrieves one hour's worth of data for one day of the week over four weeks. This week's time change from daylight saving to standard time has caused expected results from the...
Python SDK saved_search.py action options are unclear
I'm trying to get familiar with Splunk's Python SDK via the provided examples. However, I'm struggling to understand the format expected for actions when creating saved searches. `$ ./saved_search.py...`
Why are Threat, Traffic, and Content dashboards in the Splunk for Palo Alto...
Hi, I just recently installed the Splunk for Palo Alto Networks app. After digging around and changing the index to match what we built in-house, I was able to see the main dashboard populating data. The...
Is it possible to migrate data collected on a Linux Splunk installation to...
Just curious if it is possible to take data collected on a Linux install and migrate it to a new Windows install.
Why is batch processing not removing files after indexing them in Splunk 6.2.1?
I have an app that is not removing/deleting the files after consuming them. They are indexed appropriately, but just not deleted afterwards. inputs.conf...
Built-in alias/asset table in Splunk Enterprise
This is a feature request. With Enterprise Security and ITSI both providing their own means of assigning aliases to hosts, I'm wondering if a built-in asset database in Splunk Enterprise is being...
If I have a single data input, how can I edit my inputs and outputs.conf to...
I have a single data input (myLog.log) and I need to send this same data to 2 different hosts, indexes and sourcetypes. I am using deployment server, so I have custom built two separate apps. **App1:...
Base64: Parsing an XML file using kv_mode=xml, how to get the Base64 script...
I'm parsing an XML file using the `kv_mode=xml` in my props.conf and that's all good and well. However, these XMLs that are coming back as a payload from another app are formatted like this:...
Manually including the output of a subsearch in a search returns events, but...
As part of our index, we log events for every request we make to our downstream systems. Each system which receives a request appends a TraceContext (GUID) to the incoming TraceContext. The idea is to have...
How to use regex on a field's value in a search?
`index=system* sourcetype=inventory order=829` I am trying to extract the 3 digit field number in this search with rex to search all entries with only the three digit code. I tried: `index=system*...`
How do I configure Splunk to run quick searches with certain indexed JSON...
I am in the process of creating a dedicated index for our JSON data, but I want to get it right. My goal is to allow some very quick searches on just a few of the fields in the JSON messages; the rest...
How to troubleshoot why the Splunk for Symantec app does not display any data?
I have been fighting this for a few days now without any luck. I started with the syslog forwarding from my SEPM. The data is getting to my Splunk server, so part one is functioning, however, the...
How to get logs into Splunk from Private Cloud Containers?
We are planning a Private Cloud implementation of Java applications using a Cloud Vendor. We use Splunk Forwarders on our existing static servers. I have started to research different ways to stream...
How do I specify a drilldown to show only the results of the value I clicked...
Hi, I am a complete noob at all this Splunk stuff. I have built a search that displays results in a table. What I would like to do is have a left-click option to open a new search with only the results...