How do I merge the following searches together?
Hi Experts, I have a confusing situation in terms of handling two searches. The situation is like this: 1) We get a Windows event log(TYPE=1) when a server goes down, and we have one saved search which...
View ArticleComparison and condition function help. Multiple If, case or like statements...
index=foo | eval Compliant=case(like(AppVersion,"14.12%"), "OK", like(AppVersion,"14.11%"),"OK" , like(AppVersion,"14.10%"),"OK" , like(AppVersion,"14.9%"),"OK" , like(AppVersion,"14.8%"),"OK"...) |...
View ArticleWhy are events not sorting in Chronological Order with a basic search?
Today, I noticed that, when performing a basic search, the events are not sorted chronologically. Additionally, not all events 'match up' correctly to the timeline. I have not found any other posts...
View Articlecombining fields from two log entries which have a common id that is named...
Base, How can I combine two log entries that share a common ID when the field name of the ID is different between both entries? Currently I'm using re-name to change my field names into strings that...
View ArticleMultiple Emails From Real Time Alerts
I configured an alert to send an email every time a user is added to the Domain Admins group. I have this alert triggering on eventcode 4728, 4755, etc. The problem is that adding a single account will...
View ArticleHow to use datamodel field values in tstats to filter resultant data
I'm trying to search my Intrusion Detection datamodel when the src_ip is a specific CIDR to limit the results but can't seem to get the search right. Is this possible? | tstats count from...
View ArticleSplunk App for AWS: using one index per client (multi-tenancy)
Dear splunk community members, I want to configure the Splunk App for AWS for multi-tenancy. For a new customer AWS account I - created a dedicated index for this customer - configured cloudtrail and...
View ArticleHow to change table height when no results are found
How to change a Simple XML table height when no data is present? The table should be much smaller when no alerts are triggered. `Table need not be hidden to show any other custom message/panel`. The...
View ArticleCreating static column in table
I would like to create one column with labels that should not be changed. For example: column title: my_own first row value: A second row value: B third row value:C Is it possible to do it?
View ArticleSending AWS data from heavy forwarder to indexer
Our splunk environment consists of a Universal Forwarder, Heavy forwarder and Indexer. We are importing our AWS cloudtrail data from an S3 bucket using SQS via the AWS Add on. I have configured this on...
View Articlefortiweb app
we have fortiweb, but splunk doesn't have any app for fortiweb. can some one help me to make report from logs of my fortiweb? thank you
View Articleshow one instance of an error (out of many errors coming repeatedly) from a...
I am getting many errors while just writing keyword error when searched from a single log file like Retrying connecting ES, AutoReconnect, AttributeError, etc I want to take out the distinct errors,...
View ArticleCustom search command displays only 1000 events
The following custom search command displays only 1000 events in Splunk; while should return 100,000; the rest of the events seems to be accounted for, but are not displayed; Splunk 6.x and 7.x: import...
View Articlecompare field values Device_ID
I have a log: **date time USER User_IP Device_ID** *02.09.2018 18:01:34 user1 ip1 2C5DFVG78930R7JOAHP19S8USO* 02.09.2018 18:02:34 user2 ip2 androidc78697991 02.09.2018 18:03:33 user3 ip3...
View Articleprops/transforms not taking effect
Hello, i have a single Splunk Enterprise instance with a 9997 listener. I have a single Windows Server with a UF forwarding data to the Splunk Enterprise. This is all good, data is being forwarded as...
View ArticleSplunk and external javascript
Hi guys, I want to display in browser console the number of page selected from my dashboard panel pagination. I included that script to my dashboard ``: require(['splunkjs/mvc/simplexml/ready!'],...
View ArticleAdd-on Builder Blank Screen and Argument validation for scheme=validation_mi
Hello, I'm having issue validating any Add-On's within the Splunk Add-on builder app. While looking in the splunkd.log I discovered the following errors and was hoping that someone had a fix :...
View Articleupgrade version splunk
Hi ALL! Every minute I receive the error : msg="A script exited abnormally" input="./bin/instrumentation.py" stanza="default" status="exited with code 114" I get this error after upgrading to splunk...
View ArticleWhy my searches are hitting only one indexer in a cluster ??
Hello everyone, I have a two indexers IDX 01, IDX 02 in a cluster connected to a search head cluster what I observed is IDX01 is having high CPU usage like 100 %, many time's in a day but IDX02 does...
View Article