How to prevent Splunk from mixing event timestamps from multiple concurrent...
I have 6 scripted inputs that use the same script, but with different arguments and I'm noticing that it's mixing the events. This seems to happen when the previous script instance finishes after the...
Anonymize only some Email Addresses
Hi, I need help writing a regex which must anonymize email addresses which don't belong to the company domain. I already did some tests but with no success. Please find below the regex I tried: ^(.*)(?:(?
What will happen to already indexed data if we add props.conf?
Hello, I would like to know the effects of adding props.conf, in order to get relevant fields automatically? How will this affect the view of already indexed data? Will we then see the new relevant...
How to set up Table Cell Highlighting with Different Conditions for each...
Hi, I am referring to Table Cell Highlighting example in Splunk 6.x dashboard and below is my requirement. I want to color cells of Column2,...
Help with regex..?
Need help with regex...should start with " end with space or ? Need entire string in a field starting with " and end until j.prod or c.cat etc... "GET /brit-pocket09fress/cprod121000019___/j.prod...
How to override Splunk universal forwarder license acknowledgement?
How to override Splunk universal forwarder license acknowledgement on enterprise installation script?
What are possible causes of intermittent line break failures?
I am trying to solve a problem where a particular JSON data feed/source has intermittent line break failures. In a 24 hour period, there are about 100K events parsed correctly (i.e., the line breaks...
How to search for errors that contain asterisks (*)?
I have what I hope is a simple question. We have response logs from different payers. If they are having system issues, they will respond with a “AAA” code. In this case `AAA*Y**42*`. How can I filter...
How to display my source data format in Splunk?
I have data that is feeding to Splunk from x source. That x source data is formatted like discussion points whereas if we pull the same data out in Splunk, it's showing like a whole paragraph. I guess...
Is there a recommended method for removing deployment clients and apps on the...
Hi, What is the recommended practice (via the gui) to remove clients from a serverclass on the deployment server? Same question for removing an app from the deployment server? If I try deleting a host...
Analytics for Nagios: Help sending alerts from Splunk 6.4 to Nagios XI. Where...
We have 3 clustered search heads with 5 clustered indexers. We deployed the app to each search head to /opt/splunk/etc/shcluster/apps/SplunkForNagio For the directions below, we placed the send_nsca...
How to remove zeros from appearing on my stacked column chart?
I am trying to get a stacked column chart with items sold by agent at each location. I have the below search: stats count by "Locations","Emp_Name" |chart sum(count) over "Locations" by Emp_Name where...
Is it now possible to use plain text MIBs for the SNMP Modular Input?
Is it now possible to use plain text MIBs for the SNMP Modular Input? Saw a Post from 2013 saying this was going to be done.
How to configure props and transforms.conf to rename a dynamic set of field...
Hello! I'm struggling to understand how I can use the transforms.conf stanzas to rename a dynamic set of field names, ideally using the output of a separate extraction (or just a regex which may be...
Pie Chart: How to set token row. in contextual drilldown?
Regards, I have a dashboard with a pie chart. This chart has a contextual drilldown that displays a table with data of the clicked field. The problem is that I'm displaying the count field with the...
Wildcard in Lookup: Why am I getting error "The lookup table 'ssIdlookup'...
All, I've seen this: https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html and it doesn't work for the case I'm trying. The lookup files live in the...
Why am I getting error "Argument "cron_schedule" is not supported by this...
Hi, I'm creating a saved search as follows. SavedSearch savedSearch = service.getSavedSearches().create(name, query); savedSearch = service.getSavedSearches().get(name);...
Can I match multiple patterns with regex in the same search to extract fields...
I have a requirement where I need to search all logs to match a set of patterns and extract some values. Is there something in Splunk to help with same? For eg: below are various search patterns I...
SETUP.XML URL encoding lists values and updates correctly only if slash (/)...
I'm using setup.xml for some `script://` and `monitor://` endpoints. I use `%252F` for `/`, `%2A` for `*`, `%24` for `$`, and `%20` for space. All information is displayed correctly from the conf files...
Error when changing a data input file
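I changed the path and file name of a file that was ingested through the Files & Directories data input, but since then, attempts to ingest the data end in an error and nothing is ingested. Is some special configuration required? I tried specifying crcSalt = in inputs.conf, but it did not help. (I only changed the configuration, so if a restart or some other step is needed for it to take effect, please let me know)...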