Will buckets created in a single cluster be replicated across multi-sites?
Will buckets created in a single cluster be replicated across multi-sites when it is migrated to a multi-site cluster? I briefly tested it, and they appear not to be replicated. Can anyone confirm if it's the...
I am using the Microsoft Log Analytics Add-on, but data stops coming into Splunk...
Are there any specific ports or permissions this add-on requires/uses, so that I can inform the team and the data flow is not interrupted if any modifications are made? I have configured Microsoft...
Best practice to index Oracle database audit logs (.xml)
We are trying to index Oracle database audit logs, which are in .xml format, in Splunk. The docs section suggests it can be done through the Splunk universal forwarder and DB Connect, but we're unable to see...
Is there a way to make every alert global by default?
Hi guys, we use alerts all the time, and I always want my entire team to be able to see every alert, which is why I get annoyed at changing every permission one by one. Any way to make it global by...
Help to combine multiple queries into one
Hello, I have multiple queries with small differences; is it possible to combine them? Here is an example: index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1) | eval...
Difference between two date values with subtraction of the weekend days
Hi All, I need to find the difference between these two dates with the weekends removed. I have 2 date value fields: ASSIGNED_DT = 2018-08-30 15:33:51, ANSWER_DT = 2018-09-03 16:59:48 |...
'if like' help
Hi, I'm struggling to get this to work. I'm trying to create a new field called 'severity' with specific values returned should a particular file extension be detected. Two example values would be as...
REGEX in search to extract each line in a log event into separate events
Hi Splunk Gurus, I am new to Splunk and need your help on the below. Below is how the events are getting into Splunk; every event has multiple lines. I need a REX or REGEX to split every line as...
Splunk eval row with last field
Hello Splunkers, I need to eval the last field with the current row. Example: field1 ... field2 ... field3 ... result...
How to investigate DL and Windows group membership
Team, if we have Windows events and AD is synced with Splunk, how can I search/investigate who modified a DL, or who was added to an AD group and who added them? Is there any query, or how can I investigate...
Office 365 logs are being logged intermittently. Could you please help us out?
The Splunk version that we use is 7.0.5 and the add-on installed is 1.0.1. This has worked in the past.
How to search a lookup table and return the unmatched term?
I am trying to search for the allowed URLs (passthrough) that are not in my uploaded CSV list called url. The CSV is made of only 1 column with a header called hostname. `fgt_webfilter` profile=*...
How to change the colors in the Timeline custom visualization
index="_internal" | timechart span=15m count(name) as name | eval Status=if(name>1500, "RED", if(name>100,"AMBER","GREEN")) | eval user="NA" | table _time, user, Status This is a sample query I...
How to rebuild the Timeline custom visualization app in Windows?
I need to change the date format for the timeline graph and found a solution. Accordingly, I updated the 2 js files for the app and restarted Splunk, but it was not reflected in the app. I got to know the app...
How do I return values that don't match a column in a lookup table?
I am trying to search for URLs that are not in my allowed-list lookup CSV. My CSV file is named url and has 1 column with a header called hostname. Below is the search, which gives a wrong output....
Indexer fails on startup
When I try to restart one of my indexers after an OS upgrade, I am seeing the following messages. My 2 other indexers are up and running. How do I fix this? I found one article where they talk about...
Modifying the data values before indexing
Hi All, I want to remove runs of more than 2 white spaces from event values at the heavy forwarder before ingesting to the indexer. Can anyone guide me with this change, so that I can fix the issue? **Current...
savedsearch not working. Getting error.
The index query runs from a base query, and I want to append a saved search to the base query. The saved search is just a filtration query. Since I have many panels from the same index, I tried to use it. Please give...
How to update certain time fields of a lookup table without overwriting old...
So I put together a search not too long ago, with help from the community on here, that would run hourly to update a lookup table I have running. What this table holds is a list of suspicious IPs that...
SPL to see all indexes and retention
Technically, this is two questions in one with the goal of solving a single problem: I need an SPL query that returns *ALL* the indexes I can search and the associated retention time for each. Here is...