Charting the results of joined queries
I have two types of log events: FIELD INITIAL VALUE Message: { "FieldName":"Field_A", "OrganizationID":1234, "FooDocumentId":01, "WasAutoPopulated":true, "FooAutopopulateInitialValueId":567, } FIELD...

Configure Proxy for Forensic Investigator
Is there a way to get Forensic Investigator to use a proxy for the web calls, like VirusTotal? When configuring other apps like the REST client for Splunk, when configuring a data input you can specify...

How to show a token value in an HTML dashboard?
Hi, I have a basic HTML dashboard with 1 panel. My search (search1) returns 1 value. I want to represent this search with a filler gauge + a single value and an image. ![alt text][1] [1]:...

How do I parse this XML output into Splunk?
How do I parse this XML output into Splunk? Currently Splunk treats the whole chunk as a block. Here is my props.conf: [ciscofaults] DATETIME_CONFIG = CURRENT KV_MODE = xml LINE_BREAKER =...

Is there an easy way to disable indexing for a source instead of filtering to...
There are some situations in which we know that a certain source is going to be creating a lot of garbage data since we're running a test. So it would be ideal if we could disable indexing on this...

How to search the difference of first and last value of an extracted field...
I'm trying to build a search to show the difference of the field **total** across a 120 day interval. The search I have below works, but it's taking the min and max number across the whole 120 day...

How to search in a JSON array of hashes?
I have a JSON entry as follows: { [-] name: change_user_access parameters: [ [-] { [+] } { [-] name: target_user value: me@corp.com } { [+] } { [+] } { [-] name: owner value: peter@corp.com } { [+] } {...
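For the structure pasted above (a `parameters` array whose elements are `{name, value}` objects), the following is an added SPL example, not part of the original question or any answer to it. It assumes a constructed `index=audit sourcetype=app_json` and that the event is auto-extracted as JSON; the output field names `param`, `param_name` and `param_value` are arbitrary choices.

```spl
index=audit sourcetype=app_json
| spath path=parameters{} output=param
| mvexpand param
| spath input=param path=name  output=param_name
| spath input=param path=value output=param_value
| search param_name="target_user" param_value="me@corp.com"
| table _time name param_name param_value
```

The auto-extracted fields `parameters{}.name` and `parameters{}.value` are flat multivalue fields, so a search such as `parameters{}.name=target_user parameters{}.value="me@corp.com"` would also match an event where `target_user` is one element and `me@corp.com` is the value of a different element (for example `owner`). Expanding each array element with `mvexpand` before extracting keeps each name paired with its own value; `output=` names are used so the nested `name` does not collide with the top-level `name` field (`change_user_access`).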

Search Alias
Hi, I'm new to Splunk. Is it possible to give an alias to a search? I'm trying to do something like this: index=Obs1 AS A or index= sourcetype =OBS2 AS B | eval mynormalizesidField=(If(index=="A",ID,ID))...

XML parsing with multiple paths or depths?
Hi, We are evaluating the Checkmarx tool, which exports data in XML. It has multiple paths or depths, and essential information is presented only on the "parent" path. I can parse via props.conf only on path at a...

Splunk DB Connect 2.2.0 - "Method not supported" exception while connecting...
I'm running Splunk 6.2 and trying to connect Hive through DB Connect. I am able to add the DB type in (db_connection_types.conf) but I am not able to create any connection successfully. It looks like...

Splunk DB Connect 2: Getting error "Cannot create JDBC driver of class " for...
This is the Problem I've been facing while I connect my Splunk to the Oracle 11g using Splunk DB Connect 2. Could you please help me to get through this? When I click on validate after filling all the...

Splunk DB Connect 1: How to parse a dbquery search string to convert Unix...
I have a string like this: | dbquery MYDATABASE "Select trunc(ph.x_rqst_date) bp_date,count(ph.objid) bpcount,ph.x_ics_rcode _code, X_AUTH_RESPONSE paymen_code,ph.x_payment_type type from...

How to edit my eval statements to find the difference between Start and...
I'm looking to show the duration of logons through VDI logs. I convert _time into something better for the Start and Finish Times, but I'm unable to evaluate the difference. I have tried to convert the...

How to programmatically add an application to a server class in deployment...
I have to create and configure a few dozen serverclasses. Trying to script it. I can create the serverclasses just fine with the deployment/server/serverclasses/{name} REST endpoint, and can use the...

Why are empty emails being sent using map & sendemail commands in my search...
Hi. I tried to send an email for each event when triggered. I used `map` and `sendemail` commands, but an empty email is always sent out, regardless of whether any event is found. How can I stop...

How to blacklist a single host for a single event?
I'm currently collecting PowerShell event 4104 across all devices on the network and one sysadmin host has been found to be exceptionally chatty. I would like to blacklist event 4104 on that box while...

Why am I getting duplicate logs on all indexers?
I am seeing the exact same log on each of my production indexers. I can even see _internal logs from each indexer duplicated on all three indexers. I checked using btool and there is nothing in...

How to view Splunk data retention without access to indexes.conf?
Hello, I am auditing a company and am trying to determine the retention time for Splunk logs. I have been reading that you need access to the indexes.conf file, but I am unable to access it. Is there a...
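Two searches an auditor can run from the search bar, added here as an example and not part of the original question or any answer to it. The first reads the configured retention from the REST API; the second measures what is actually on disk. They assume the auditor's role is permitted to call the `data/indexes` endpoint and to search the indexes in question; the `retention_days` and `oldest_event` names are arbitrary.

```spl
| rest /services/data/indexes
| eval retention_days = round(frozenTimePeriodInSecs / 86400, 1)
| table title retention_days frozenTimePeriodInSecs maxTotalDataSizeMB coldToFrozenDir

| dbinspect index=*
| stats min(startEpoch) as oldest_event max(endEpoch) as newest_event by index
| eval oldest_event = strftime(oldest_event, "%Y-%m-%d"),
       newest_event = strftime(newest_event, "%Y-%m-%d")
```

`frozenTimePeriodInSecs` is only the age-based limit (the default is 188697600 seconds, about six years); buckets are also frozen when an index reaches `maxTotalDataSizeMB`, so the effective retention can be shorter than the configured age. Comparing the `dbinspect` result against the configured value shows whether that is happening, and whether `coldToFrozenDir` is set, which tells you if frozen data is archived rather than deleted.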

/apps/splunk/var/lib/splunk/kvstore/mongo - Why is this used?
Hi, I have come across this path `/apps/splunk/var/lib/splunk/kvstore/mongo`. I tried to understand why this is used, but I couldn't find a solution to it. Can anyone help me? Also, (excuse me if I am...

How to get a CIDR Lookup to work with Splunk DB Connect 2?
Hi. I'm trying to make a database lookup with CIDR match. I created the database lookup, and it works, but when I put the attribute match_type with value CIDR(), this lookup stops working. For example:...