How to use sourcetype to route data from a heavy forwarder to different...
Hi there. We're trying to have a Splunk forwarder send data to an intermediate Splunk heavy forwarder that clones data to different indexer cluster groups based on the sourcetype. sourcetype1 send...
How to use the metadata command to search for hosts that have recently...
I'm trying to use the `metadata` command to find hosts that have recently started sending logs. Basically when firstTime is more recent than 7 days. This is the search I have... | metadata type=hosts...
Can't delete a saved search - Do I have to try it with REST or is there...
I have some searches that don't have a delete link in `Settings -> Searches, reports and alerts`. I've tried googling and other searches to find a way to delete these searches without...
How to edit my search to detect a significant change in events frequency over...
Based on an event log we would like to find event type which frequency changed by 50% or more over a 5 min window. Using my limited Splunk knowledge and heavy Googling, I came up with something like...
How do I install a universal forwarder on Mac OS and configure data inputs?
It is getting installed, but I don't know how to import the data to my Splunk Enterprise. I can't find any proper GUI of the forwarder to import or deal with the log files.
How to edit my search to filter out events where the string values between...
Hello, I am trying to filter out events when the source username and destination username are the same, but it is not working when I use the `where` and `NOT field1= field2` function. Is it because I...
How to extract fields from an extracted JSON ingested string
I have a DNS log format as follows: <14>May 25 23:59:19 COL02 Windows: {"Level":"4","Channel":"DNS...
Summary index missing random events
I'm trying to set up some summary indexes, but the summary index is missing random events. The scheduled search job is running, but the data is just not in the index. For example: ![missing...
First instance of timestamp
Trying to get the first occurrence of the timestamp to be used for _time. LogFile: 2016/05/27 06:30; 2016/05/27 06:29:18 Test1 :Service1 2016/05/27 05:30; 2016/05/27 05:24:16 Test2 :Service2 Have used...
Can I pass a command through Splunk to a remote application server
I want to pass a command to a remote application server through a Splunk application. The application I am trying to pass the command to uses REST API commands, like start/stop commands, etc. Thanks
How to extract XML fields combining event?
- -2013-02-09 20:40:102016-03-23 18:20:06MediumBuesiness007-123More store -Reference1Reference2ReferenceReferenceSummary of Customerpurchase anaysis 3 similar as above. I modified props.config as...
Unable to see all the events in visualisation
Hi, we are running this search [**host=uswebserver12 | timechart span=5m avg(PercentProcessorTime) as CPU_Usage**] and getting the required events. But once we go to visualization we are not getting the...
How to resolve "did not return events in descending time order"
When I run an external script that reads results from a preceding command like the one below, inserts the results of my own function as a new column, and passes them on to the next command, I get the error below. Sometimes there is no error. Changing timeorder_overide in commands.conf to True does not fix it....
Installation challenge: Unable to initialize modular input "jmx" defined...
3 search heads in a search head cluster, 1 deployment server, and 2 indexers. All now running Splunk 6.4.1. I'm attempting to install the SPLUNK4JMX app on the deployment server (it is also used as the...
Splunk Errors
Hi everybody, in advance sorry for my English. I have installed two instances of Splunk, one on my RADIUS server and one on a W7 machine on the domain. I try to search and index logs on my W7 computers. Well...
How to filter part of data in an event during index time
Hi, I have a type of following event data which is coming from a forwarder: Column1=XYZ+Column2=ABC+ColumnC=GGG.... I want to remove the Column2=ABC value from the event before indexing. Can someone help with how to...
How to delete data from an index
I try to delete data but it does not work and shows me this message: Error in 'delete' command: You have insufficient privileges to delete events. So I create a user who has the "delete_by_keyword"...
Remove deleted index cluster data
I removed an index from our clustered environment by changing the indexes.conf on the cluster master and pushing the package. However, the data itself is still on disk. Can I safely delete this...
Removing thawed data
What is the process of removing thawed data from Splunk? The documentation doesn't mention it: http://docs.splunk.com/Documentation/Splunk/latest/Indexer/Restorearchiveddata However, other threads in...
eventstats function issue
Hi, I am trying to pull data from IIS logs. For retrieving data from IIS logs, I have used various eval statements, eventstats and stats functions. The problem I am seeing is, when I am using...