Filtering the data to different indexes
Hello Guys, I have Splunk instance which is receiving data from different instances like DEV, QA, UAT and PROD. For then we have separate index like DEV_app, QA_app, UAT_app and PROD_app and they are...
View ArticleIssues with Joining: Maybe there is a better way?
We have the following search that stopped working: | tstats summariesonly=true sum(everything.rawlen) as rawBytes from datamodel=storage_billing by splunk_server,index,everything.bucketId,host | rename...
View ArticleSplunk Stream
I am streaming DNS traffic successfully from some Microsoft DNS servers, however I am unable to populate any 'Estimate' statistics in the Splunk Stream application. Data is coming in, but Splunk isn't...
View ArticleHow to average all columns in a chart for a group of results?
Here's what I'm trying to do: Imagine a search result from Splunk comes back with results: User | Field 1 | Field 2 | Field 3 | Field 4...
View ArticleSolaris 10 Universal Forwarder Install Errors
We are having problems with upgrading Splunk Forwarders on Solaris Sparc 10 hosts for vulnerability remediation. We were using 6.3.x and needed to update to a 6.5.x or later Splunk version. The errors...
View ArticleChange the color of a line representing one series based on another series
Hi, I am sorry if this has been asked previously. In effect, I look for a number of current day wires, and compare that to wires a week ago. I need to display current day wires (Total_Today) as a line...
View ArticleFilter out events Windows before Indexing
Hi Guys! How to create a filter to discard Windows logon events (EventID = 4624), but only when the LogonProcessName field is equal to 'NtLmSsp'? The logs are in XML format. I've tried several REGEX,...
View Articletcpin_cooked_pqueue blocking
I've recently made a career change, so I have a new Splunk environment where they leverage intermediary forwarders. Two of the intermediary forwarders are having their tcpin_cooked_pqueue fill which...
View ArticleSet up deploymentclient.conf during Forwarder Install
Hello, Is it possible to setup deploymentclient.conf parameters via command line? I have used DEPLOYMENT_SERVER parameter during forwarder installation via command line. It adds the target-broker but I...
View ArticleIssue with Column chart when scale is set to log
Hello, In Splunk 7.1.6, Column chart restrict the Y axis scale to 1 when using log scale. (for linear working fine) I am not setting up max value = 1 for Y axis but still it restrict to 1 even though...
View Articlecustomizing inputs for Splunk App for Web Analytics
Due to extensive lack of foresight, I am working in an environment with Splunk instance that is ingesting Tomcat logs (supporting a Liferay instance) that are not in the standard index/sourcetype...
View ArticleXyseries to display dates in descending order? (important)
sample query: index=foo "string of data"="age needed"age earliest=-5d | stats dedup_splitvals=t , values(_time) AS _time by dept, "age_needed" | sort department | fields - _span | eval...
View ArticleDispatch is less than 1GB but I keep getting warning messages of 5GB
Hello, I keep getting warning messages that my dispatch directory is full (5GB) even though the dispatch dir size is less than 1 GB. And also, my queries stop running hence I have to clean up the...
View ArticleHow to fetch events after we have got stats on the events , and we no more...
Hi, I'm trying to filter on the logs of spring boot application. I want to calculate the time that a POST request takes. The search query im trying is **index="xyz" correlationid="1234"| stats...
View ArticleSplunk Stream: Splunk suddenly stops indexing netflow data every 2 hours
Hi community, I've configured Splunk Stream to ingest NetFlow data (stream collector and splunk indexer running on the same box), and it's actually working. But exactly every 2 hours, there is a 10...
View ArticleHow can I use token in dashboard to show result with specifict time
Hello everyone, I have 3 different dashboards, one of them shows me all the events in 24 hours, the other one shows me the same events of this dat but with one hour earliest I mean from -1h to now and...
View ArticleWhy do I keep getting warning messages of 5GB even though dispatch is less...
Hello, I keep getting warning messages that my dispatch directory is full (5GB) even though the dispatch dir size is less than 1 GB. And also, my queries stop running, hence I have to clean up the...
View ArticleWhen using the Splunk Stream app, why does Splunk suddenly stop indexing...
Hi community, I've configured Splunk Stream to ingest NetFlow data (stream collector and Splunk indexer running on the same box), and it's actually working. But exactly every 2 hours, there is a 10...
View Articlehow to add the search results to existing lookup?
i have a table that has 30 columns and some rows, table 1 column1 column2 ---------- column30 ww xx -------------------------- aa expecting table will like this column1 column2 ---------- column30 ww...
View ArticleHow do we fetch events after getting stats on the events , and we have no...
Hi, I'm trying to filter on the logs of spring boot application. I want to calculate the time that a POST request takes. The search query im trying is **index="xyz" correlationid="1234"| stats...
View Article