Data Input - No Scripts found under the selected path
Hello, Universal forwarder install on Mac OS X and unable to configure data input to use a script. The script is in place in the directory with the proper permissions but the data input wizard states...
How to trigger the DMC Alert - Near Critical Disk Usage alert on the...
Hello, I've been asked to set up an alert for disk space exceeding 80%. I enabled the DMC Alert - Near Critical Disk Usage alert on the monitoring console and simply changed it to trigger for 40% (my...
Join Earlier Joins with Later
I'm doing a join where I want to only get subsearch events that happened before the parent search event. Thus, I'm using: txnEnd | spath output=custID path=path | join custID [search txnStart | spath...
Several Thousand Skipped Searches Per Day - Splunk Deployment Monitor
Using Splunk 7.2.0. While looking at the Monitoring Console and performing this search (see below), I see almost 70,000 skipped searches a day coming from the "splunk_deployment_monitor" app... is this...
How can I split JSON into multiple events?
Hi, can anyone help me a bit? I am trying to split an event into more lines or more events. Every event has multiple lines starting with the below {"class": what I want is to parse every line as...
How do you use the value of the lookup filename as a field in the search result?
Here is the search and lookup, I need to capture the value, **last_logon_lookup_20180928.csv** We need the value in bold above as a value in a field in the results called sourcefile Search is shown...
How do you filter results after using the tostring "duration"?
I used the answer from this thread to create my query, but I can't figure out how to narrow them down. [https://answers.splunk.com/answers/108248/tostring-x-duration-working-wierd.html][1] I'm trying...
Though I have my script in place in the directory, why is the data input...
Hello, I have a universal forwarder installed on Mac OS X and am unable to configure data input to use a script. The script is in place in the directory with the proper permissions, but the data input...
Splunk scripted input to run a btool command without running shell or...
I would like to run a scheduled splunk btool command using scripted input to index configs every few hours. I cannot put this command in .sh or any script file and give it as input to scripted input in...
Token: how can I configure one token for a filter search?
Hi, I have this search in my dashboard and I want to create a token filter to search the result of the field "sucursal_id": host="iperf01app" NOT sourcetype=log-4 status="error" OR ("SUM" AND sentido="*")...
How to extract hostname from source path /usr/home/test
Hello all, I've configured Splunk to monitor a directory, i.e. /usr/home/test/*, for new CSV files (periodically generated by a cronjob): multiple files, multiple hostnames, etc.... CSV file format =...
Azure Event Hub connector gives Permission Error
I am running Splunk inside docker on a Linux host and I have installed an Azure event hub connector add-on. I am getting an error message like this " IOError: [Errno 13] Permission denied:...
Getting multiple fields from a single field in JSON
The text field in my event contains A LOT of data. Here's a small section (||| marks the start and end of the text, and fields are separated by |) Text: *** ||| Environment data [] : normalSliceUsage=5.00% |...
Splunk query JSON format data. (mvzip, mvindex, split)
Please help me! I have indexed JSON data, but I can not extract the data as I want. Below is the raw data. ##########RAW DATA########## { "username": "nsroot", "resourceName": "", "ns": [ {...
LineBreakingProcessor - Truncating line because limit of 10000 bytes has been...
Hi Team, I am using Splunk 7.1.1 and I have been getting this error constantly: **LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded**. As per various Splunk answers I...
How to change time range from scheduled report in dashboard panel?
I have 4 panels on a dashboard. These panels are populated via scheduled reports. They each have their own timerange that they cover. Is it possible to add a time input on the dashboard and let users...
Smartest way to configure inputs.conf file
We use a deployment server to push out our config files, but we have several servers which house non-standard apps in different folders, which are difficult to configure via the deployment server. Is there...
How to build a search excluding the result of another line
Let's say here is my log: id 123456789 appear here id 123456789 something bad want to exclude id 111111111 appear here How do I build a search so that it will only pick up IDs with "appear here" but not...
Updating lookup tables manually in a distributed SH environment
I have a Search Head cluster setup. Within the search app I have defined a number of lookups, which I would like to update regularly. The lookup tables come from a number of sources (e.g. information...