IOSTAT Error
Complete Splunk cluster is in Windows and was testing the rollover from Hot to Cold bucket and the bucket partition is shared among all Indexer Cluster, so while looking what I found the error "RU -...
How retention works
Need to understand how retention works (_time and indexed time). If I have set FrozenTimePeriodInDays = 30 Event: Suppose I don't have date in my events like below Event: Identity "32020" , Sys "123" ,...
Filter Events before Indexing
I get events from a universal forwarder. If "alertd[123456]: ABC:" is in the event, I would like to index it. All other events can be ignored. Do you have a solution? 2019-01-23T14:22:45+01:00 host...
How to extract month and year from _time
_time is in the below format 2019-01-30 07:10:51.191 2019-01-30 07:10:51.190 2019-01-30 07:10:51.189 I need output in the below format January 2019 Any help would be highly appreciated...
Capabilities For a role to trigger an email via Splunk alert
I have a role in SH where the user is not able to send an email to a specific user or groups. What capabilities does a role require that can send an alert that can trigger an email to users and to...
Checkpoint firewall and db connect
I have Checkpoint firewall logs on my Splunk instance. But now I want to create alerts for it. I want it to alert when someone tries to connect to network components such as routers, switches, etc....
Indexing salt on ID value
Hello, I'm looking for a way to not index an event if the ID is already in the index. The log will have this format: Unique ID;data;data2;etc.. Unique ID2;data3;data4;etc.. but two different log files...
SQL Windows Databases:
I have received logs from SQL Windows database, database level only: SPLUNK received failed login logs as the following: Login failed for user 'DZIT\\trendmicrosrv'. Reason: Failed to open the...
Input settings for Microsoft Office 365 Reporting Add-on for Splunk
Hi, we are looking to define our Continuously Monitor inputs and were wondering what settings people have done for their Production deployments. I understand it can depend on the volume of message...
remove path from source to only show file name for file monitor input
Is there a way at input time to omit the path of the file monitor to leave only the file names? Path monitored: `/opt/csv/*` in the location - the files .. filenameA.csv filenameB.csv filenameC.csv...
uncheck checkbox is not working if ON by default in 7.1.x
Hello, In checkbox input type when it's checked by default, I am unable to deselect the value. I have seen this behavior after upgrade to 7.1.x. In earlier version (7.0.3) I was able to select/unselect...
Run searches on app first install but not on upgrade
I would like to create an app which when installed will do the following - Run a number of searches against an already existing index during first install to output data to a summary index or a csv/lookup...
calculate % based upon the selection made in filter
We have a dashboard panel which shows overall AV compliance % for Windows servers. Code is as below....
Reloading Index every time
Hello Experts, We are having an issue where we have a DB Connect to connect to an Oracle database and getting the data from a table. The schedule which we had configured is 5 mins and we have configured...
Add custom eval function or macro to custom app search
Hi, I am currently struggling with a problem. I am implementing custom views within a custom app that has one input field as text. That field can contain a url. When submitting the form I trigger 3...
Null value issue
Hi Guys, Our search query is like this **LogName=Application SourceName=Script | rex "Days Remaining: (?.*)days" | rex ": Origin=(?.+?)\," | rex (?.+?)\; | table CertificateName, DaysRemaining** Output...
unable to get events from bamboo add-on getting many errors
ERROR:bamboo:Failed on request: Traceback (most recent call last): File "/users/splunk/az/splunk/etc/apps/ta-bamboo/bin/bamboo.py", line 180, in get_bamboo_plans resp = requests.get(translated_url,...
Connecting Oracle database and run the query
Hi, I would like to connect to an Oracle database and run certain queries every morning and output the result in a Dashboard; is that possible in Splunk? Thanks, Sweta
Basic search doesn't return consistent data
I'm doing a simple query into Splunk to retrieve some data: index=my_index |table source,host I've also put a specific timestamp using the "date & time range" tab, the query returns around 19K...
Regroup Splunk events with almost similar _time
Hello all, Every 10 seconds, I send a bunch of events to Splunk. I need to count how many events I receive every 10 sec but I can't get the real number because of the fact that Splunk doesn't regroup...