Could anyone provide me with the download link for Splunk enterprise 6.5.,...
Hi, I want to install Splunk Enterprise 6.5.0 software that is compatible with Windows Server 2012. I was just referring to the release notes, but I didn't find any relevant information. Could anyone...
Stats sum command experiencing strange behavior after 7.2.0 upgrade
Hi Folks; So getting a very bizarre issue here after our upgrade to 7.2 index="app_rocket_dxs" sourcetype="fluentd_json" source="vbs-dxs-int*" | where message like "%Summary%" | eval...
What does KV Store do?
I recently realized that we've been getting the error message "Failed to start KV Store process. See mongod.log and splunkd.log for details." for several months and have never fixed it. I've found...
[replicationBlacklist] Not working
We have a list of large lookup files that are not supposed to be included in the search bundles, as configured below and found they are still in the bundle. [replicationBlacklist]...
How can I get a range of one month since days vary from 30 to 31 days?
You can make ranges by months to show them in a drilldown, since the number of days in a month varies.
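One way to build month-aligned ranges in SPL that copes with 28-, 29-, 30- and 31-day months. This is an added example, not code from the original thread; it assumes only that the `_internal` index is searchable (any index and sourcetype will do in its place):

```spl
index=_internal sourcetype=splunkd earliest=-6mon@mon latest=@mon
| eval month_start=relative_time(_time, "@mon")
| eval month_end=relative_time(_time, "+1mon@mon")
| stats count AS events BY month_start month_end
| eval month=strftime(month_start, "%Y-%m")
| eval days_in_month=round((month_end - month_start) / 86400)
| table month days_in_month events month_start month_end
```

The `@mon` snap in both the time range and `relative_time` is what makes the boundaries land on the first of each month regardless of its length, and `-6mon@mon` / `latest=@mon` excludes the partial current month. `month_start` and `month_end` are kept as epoch seconds so a drilldown can pass them straight through as `earliest=$row.month_start$ latest=$row.month_end$` and the child search covers exactly the same bucket; `round` absorbs the one-hour shift a DST change introduces into the day count.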
Search a field with multiple values from an input box
Hi, I currently have a working report as: `Master_Search` |eval Upper_Element = upper(Element)| rex field=Upper_Element mode=sed "s/ //g" | search(Upper_Element = "*K21A*" OR Upper_Element = "*DG23*"...
Some events missing from data model - only if accelerated
Sometimes specific events are missing from an accelerated data model. These events can be found with a regular SPL search. When searching the data model, the events are only returned when the data...
Unable to parse log
Hi All, We are using Splunk version 6.6.6. Whenever we run a query where the log size of each event is more than 10 KB, we are unable to parse it. We analysed our search.log and found the...
REST API Twitter returns message 420: Enhance your calm
Hi all, We have had the REST API for a long time in our Splunk environment, but since last May we are experiencing some troubles. Currently we have 12 different REST connections to Twitter, with...
A Different Kind of mvexpand Limit (Total Output Limit?)
I like and need `mvexpand` to work with some of my data. Sometimes our input events contain information about multiple, underlying events (esp. rich JSON data sources). I understand that `mvexpand`...
Sorting chart headers (dates) by descending
I am trying to sort the column headers of a chart (dates) so they appear with the most recent date on the far left. I was able to use eval strptime/strftime to get it to treat the values as a date...
Unable to set the "action.threat_activity" to "1" from the advanced edit...
Hi Splunkers, I just created a saved search and my agenda is to write the event to the threat_activity index. To do this I need to set the "action.threat_activity" param to 1. But when I change the...
Trying to plot a line over a timechart using an average taken of 6 out of 7...
Basically I want to plot a baseline (average count per host over 1 week) over an existing graph I have of my "top 10 talkers". Dropping this problem down to two hosts for simplicity, let's say I have a...
How do you access the custom endpoint from dashboard JavaScript?
I have configured my REST API custom endpoint within a new app and tested it successfully through the service web UI (:8089), but I got a 404 from JavaScript. Splunk version: 7.2.0. User account has admin...
How come [replicationBlacklist] is not working?
We have a list of large lookup files that are not supposed to be included in the search bundles. Their configurations are below. However, we have found that they are still in the bundle....
Extract a non-strptime timestamp across multiple pipe delimiters
Hi everyone, Given an event like the following, is there a way to get this to successfully parse as _time at index time? I've tried including the pipe in my STRPTIME format but it does not work....
Splunk App for Infrastructure for non-Internet Facing Systems
I've been reviewing the Splunk App for Infrastructure and it appears that the script created by the App to setup the Universal Forwarder for metrics data ingestion attempts to go to the internet to...
Thawing frozen buckets not what expected
Running Splunk v7.0.2 in a distributed environment with 3 clustered indexers. Trying to restore frozen data to my stand-alone test environment. As a test, I recovered two different db_ buckets from...
How do you change the token value before a search?
Hello, In my dashboard I am using the custom drilldown where I want to pass a filename to a search. For Windows, it seems I have to replace the single backslash with a double backslash in order for the...
How to reset timepicker?
I have a dashboard with a panel with a table that depends on $time_tok.earliest$ from the time picker. I have an option in a dropdown, token=deployment, to reset the time tokens and thus hide the...