How can I watch a CSV file?
All, I have a CSV being laid to a file system by a database. A basic monitor stanza brought the file in perfectly with sourcetype=csv. However, when a new file is loaded with the same name, Splunk does not...
Enabling Duo in Splunk breaks local admin login. Is there a way around that?
I'm on the 6.5.2 release and have Duo turned on in the Splunk configs. It has been working great, but I just found out that I cannot log in as user **admin** in Splunk Web. I get this message: `Access...
How do you make multiple cumulative time series?
I can make multiple summed time series: source="splunk-source" | timechart sum(figure) as figure by category. I can make a single cumulative summed time series: source="splunk-source" | timechart...
Why am I getting a "File in use" error when trying to upgrade our forwarder...
I'm trying to upgrade our forwarder version to splunkforwarder-6.6.6-ff5e72edc7c4-x64-release.msi, but it is failing with a "File in use" error. This is the command I used: msiexec.exe /i...
Can I use an average in maps+ instead of count?
While using maps+, the clusters it makes show the count of events in them. How can I use the average of the values for a particular KPI? Like when it shows the cluster count, can I display the average of a KPI like I am...
How do you bucket two events starting using a timespan that starts with the...
My question is a mix of using the transaction command with the bin command. What I would like to achieve is capturing when 2 consecutive POST requests are made in proxy logs within two seconds of each...
Memory Tracker not working as expected.
Hi Splunkers, We have set search_process_memory_usage_threshold to 3GB, but noticed that searches are terminated when the usage reaches much higher values, example below. Is this expected behaviour, or...
Which index volume should be larger?
I have upgraded my indexer to 2TB from 450GB to increase my data retention. Below is my current indexer volume configuration: hot volume: 70GB, cold volume: 35GB. Should I increase my hot volume or cold...
Display the last 8 hours from now()?
Hi Splunkers, I want to display the last 8 hours of data with a 1-hour difference, without any index or KV table, like `makeresults` or `gentimes`. Eg:- **suppose the time now is "2018-09-14 13:31:42"** ` |makeresults...
Help on table count
Hello I use the table count below : index="wineventlog" sourcetype="wineventlog:*" SourceName="*" Type="Critique" | dedup host | table _time SourceName host | stats count by host | sort - count...
Splunk TA for Linux
After I installed the Linux TA and app, received logs are in the form of raw events and they are not indexed with this TA. Linux servers send logs to the universal forwarder by syslog, and when I search in the...
How to display multiple column headers.
Hello everyone, I'd like to display multiple column headers on the table like the image below. I can create the table, but the problem is the column header. It doesn't matter what color it is. I'd like to make...
How to execute a search where there are two patterns, first pattern host (is a...
I was executing my search on a log file. This is the pattern I want to search: ** END ABCD234** **hour>00**, where this shouldn't be searched on several **host**s (servers). The host needs to be ignored. Can...
Is it possible to make the Monitoring Console app display on the Apps list on the...
Is it possible to make Monitoring Console app display on the Apps list on the left side on the Home page? Thanks.
Webhook when a search background job completes
Hi, I am trying to automate Splunk search and export the result to our database. Is it possible to do a search as a background job and webhook to my API when it completes?
Finding and removing strings in logs from the Forwarder
Hello, I'm trying to send some antivirus logs from the forwarder into Splunk. The logs I'm sending have a tendency to spam, for example: 13/09/2018 16:06:53 No usable rule found Blocked...
Changing the UI in the Enterprise version
Hi guys, I may sound stupid, but since I am new here I wanted to know whether the Enterprise license of Splunk allows us to change the UI (look and feel)? Thanks
Microsoft Azure Active Directory Reporting Add-on for Splunk - Traceback...
Hi everybody, I installed the Microsoft Azure Active Directory Reporting Add-on for Splunk. When I enter the Client ID and the Client Secret, I am getting the following error when clicking on "save":...