How to implement "not in" in splunk?
I want to find out the data that is not in the collection, as shown below [image]. But it always makes mistakes, as shown below [image]. [1]:...
How to create an alert when process appears in multiple IPs?
Say I have a table of processes and IP addresses. I want to make an alert when a certain process was monitored in multiple computers during the last 24 hours. How can I do it? Very specific question I...
How to implement "NOT IN" in Splunk
1. I have an index that is populated by an extensive, long-running query that creates a line like "Client1 Export1 Missed. Expected Time: 06:15:00". 2. I have another index that is populated with...
How to get top 20 results by aggregation method used in Trellis Layout?
Hi, below is a query which returns the latency over month by cust_id. Events contain fields as month=April, month=May etc ...| chart max(Avg) as Avg, max(Max) as Max, p95(P95) as P95 over month by...
With a full list of class C IPs, how can I get Splunk to show me how many...
We are searching new environments monthly; this means we are blind going in. I can get Splunk to stat out a total list of IPs, but I'm not sure how to get it to find all the VLANs. Here is an example...
When will Splunk App for Windows Infrastructure be compatible with splunk...
Lost a lot of functionality after upgrading to 5.0.0 and I need it back.
Forwarder install failing using MST through group policy
Hello all, I'm running into an issue with installing the universal forwarder on my clients through group policy. I've attempted multiple ways with no success. Now I decided to use Orca to create a MST...
Jenkins Splunk app is blank (but events are indexed)
I followed the Jenkins config steps recommended here: https://wiki.jenkins.io/display/JENKINS/Splunk+Plugin+for+Jenkins Events show up if I search index=jenkens* but the Jenkins app in Splunk shows "No...
Help me find where my sourcetype is getting broken?
All, my Windows Event Log items are coming in as sourcetype=WinEventLog and not sourcetype=WinEventLog:Security as is set in my inputs.conf # inputs.conf [WinEventLog://Security] source =...
How do I update a dropdown token (and all associated nested tokens) upon...
Hi, I am trying to perform a search in 3 different ways using a dropdown. Depending on which search criteria is selected, tokens from the relevant search inputs are all passed into the dropdown token...
Hashing an entire lookup file (detecting change to lookups)
I have several critical lookup files that I want to monitor to determine if they are altered in ANY capacity (lookup editor, outputlookup command, command line, etc.). One idea I had was to call...
How can I get common value
Now, I want to get common values from data. I use this command: `index="new_1" |stats list(oper_field) as gn by department`. Now, I want to get a column to show values which count >=2. For example:...
prebuilt panels
I have 4 to 5 prebuilt panels in a dashboard with the same search; only the filter conditions are different. How do I create a base search for prebuilt panels?
how to highlight cell within html dashboards on splunk 7?
Hi, I upgraded the Splunk version from 6.4 to 7. I use a lot of HTML dashboards and I have some "onclick" event listeners to highlight cells and rows. That works perfectly with Splunk 6.4 but not on...
Create alert in Splunk to send events in Service Now
Hi, I am creating an alert in Splunk and I want to send this as an event in ServiceNow, so I am using the ServiceNow add-on for Splunk. Under Trigger Actions I am using ServiceNow Event Integration, but here I...
pass a token to a time picker
Hi at all, I tried to pass a token in a drilldown to another dashboard to the default values of the Time Picker but I received the message "invalid earliest_time". In the Time Picker I have "Custom...
separate splunk logs
What's the best practice in case of having different groups where each group doesn't want to see another group's logs, but they have the same assets (all of them have Cisco switches, Linux servers, ...)? How can...
Unable to read logfile
I am trying to read log file from a server. I have made all the configuration in Splunk but data is not coming in Splunk search. When I checked Splunk internal log, getting permission denied error for...
I've heard that once data is indexed, it cannot be modified. Is that...
I know that once an event is indexed, it cannot be modified. But is that specifically stated somewhere in the Documentation? I need to provide proof of it for security documentation.
How to use subsearch without a field name?
We have got data for particular data which contains field in many places **Events** 2018-09-05 01:00:00 logged in by USER1 2018-09-05 01:00:01 logged in as USER2 by USER1 2018-09-05 01:00:02 logged in...