Converted SimpleXML dashboard to HTML, trellis not working for single value
I have a dashboard that I have converted to HTML. The dashboard contains a single value element with trellis enabled: | ess index="sandbox_report*" scan=true $only_high_score$ | stats count by...
Splunk Indexes Bucket Management
I have a question about managing the buckets in my volumes configured for indexes. Below are my current configurations: [volume:hotwarm] path = /data/splunk/homedb maxVolumeDataSizeMB = 900000...
How to collect log within 1 hour from file log rotate
Dear all, I have the log file /var/log/secure, with log rotate set to daily. I need to collect 3 failed logins from 1 IP within 1 hour from the log file /var/log/secure. I use query: >...
Need to change the IP address of the host on which Splunk forwarders are...
In the deployment server, I can see the Windows host with the old IP address. I want to update the IP address of that host. Please guide me.
Would monitoring files with logrotate and delayed compression cause reindexing?
If I'm monitoring files that are being rotated with an added timestamp, and the rotated files are being compressed after a couple of days, could this cause reindexing of log events? I know that Splunk...
What are the capabilities required for a role/user to apply shcluster-bundle...
We need to create a role on the deployer server to create the users since admin access is blocked. What are the capabilities required for a role to apply shcluster-bundle from the deployer server using below...
KV Store field type cidr
Hello Splunkers I just noticed that there is a field type "cidr" for the KV Store. According to the API documentation this should handle any kind of IP ranges nicely in canonical form....
Histogram and bucket size
Hi, I have some proprietary log data that gives 3 different response times for each event. These are extracted into Timer1, Timer2, Timer3. What I want to achieve is to count the number of timer events...
If I have two timestamps in my log file, how can I choose one timestamp as...
I have two timestamps in my log as shown below: "#01#20180626-125301;969#19700101-000028;723#0046#01#GROUND#Y#4Y1651" My sourcetype is written in a way to pick up the second timestamp within 5000 days....
Can 6.5.2 indexers co-exist with 7.1.2 indexers?
I will be upgrading 4 indexers from 6.5.2 to 7.1.2. Will I need to stop all 4 indexers, upgrade them all, and then start them all again on the same version? Or can I stop indexer1, upgrade, start, and...
How to connect to shared group outlook mailbox using TA mailclient in Splunk?
We are trying to connect to a shared group Outlook mailbox using TA mailclient. We are not able to connect to it. When we try an individual mailbox it works fine, but we cannot connect to the shared mailbox. How...
How do you retroactively make an unmanaged app a managed app on the...
Hello everyone, I have a deployment server that manages most of our Splunk apps, but when everything was set up, some apps were installed unmanaged. In particular we have a Checkpoint app on one of our...
Why is eventtype not tagging 100% of events?
In an attempt to explain this right... We have set up multiple eventtypes for different occurrences. For example: eventtype=major eventtype=warning. major works just fine.. When running a simple search:...
How do I keep the Splunk CLI from disappearing in Windows so I can read the...
Hi, I have two Splunk deployments, one running Splunk 7.1.0 on Windows Server 2016 and one running Splunk 7.1.2 on Windows 10. When I run Splunk from the bin folder, or any Splunk command, I see the Splunk window...
Why can't my UF send data from /var/log/messages?
***Question: why is /var/log/messages not forwarded to index?*** My deployment: ---------- UF: version 7.1.2 RHEL 6.10 **/opt/splunkforwarder/etc/apps/_server_app_linux-server/local/inputs.conf**...
What's the output of the following eval and now() function query?
Hi All, Could you please help me here in confirming what would be the output of the below eval command? "eval age = (now() - _time )" Would the output be in minutes or seconds? Thanks in advance,
How do I measure the amount of data in cold buckets?
I am using the following search, and it seems to work with hot buckets but not when changed to cold. I need to have the output from cold buckets for billing purposes. Been working on this forever, it...
Running SecureAuth 9.2 and app is not working
All searches are not working - they return zero results, but data is flowing into Splunk.
Creating a List of Email Addresses and performing a search loop
Pretty new to Splunk and looking for advice. I’ve tried reviewing subsearches, map and foreach looping but I just can’t crack the syntax. I have two indexes, one that stores computer hostname, ip, and...
Field Extraction from Source Field in props.conf
Hello, I am going bananas trying to figure out the error in my props.conf. All of my logs are collected using Splunk Enterprise and forwarded to a centralized server that I do not have CLI access to. I...