Since linkSearch/linkFields/linkSearch are deprecated, how can I control the...
Hi ! According to the documentation, following options in single forms are now deprecated and shall not be used anymore: (while this still works, support may be removed in the future, and this is a...
Why does the appendcols command generate an incorrect stats count when...
The following search produces the expected result when querying the "Last 4 hours" timed period. However, the stats count for Important_Events actually decreases when querying the "Last 24 hours" time...
Why is my overlay line chart dipping to zero at points where there is overlap...
I'm doing a chart overlay with the base as a column timechart and the overlay as a line timechart by using append in the search. The base chart only has values at sparse points in time, while the...
How can I change the time frame for real-time alerts?
Hi I have a stream of events coming continuously, but with lag from the source which varies from 5 to 15 mins. I want to run real-time searches based on these events, so I use `rt-15m`. But after...
Is there a way to migrate indexed data from a legacy standalone indexer to a...
I've read through quite a few pages and there are mixed partial solutions. **Is there a way to migrate indexed data from a standalone deployment into a new indexer cluster deployment**? Currently...
How to change the source value in my search when I change the date time range?
Hi, I want to change the source on my request when the time changes. I'll explain: I have a lot of directories named by date and I use this as the source. Example: index=my_index source="20160513" When I...
Users are constantly being prompted to "take the tour" when logging into...
After I upgraded my Splunk environment to 6.4.1, my users are reporting that they are repeatedly prompted as a new user would to take the tour for the app. I notice for users that are not getting it,...
Do I need to make outputs.conf for all apps?
Hey, just a quick question to find out if I need to make an outputs.conf file for apps. I am creating a bunch of apps right now to service my cluster's need for a multi-tenant environment. So I am just...
How to index data from Azure Blob Storage in Splunk?
Hello, It seems like a basic question, but I would like to pull data that resides in files in Azure Blob Storage and index it in Splunk. This would be an automated process, once files arrive in Azure,...
How to reference a field value in a drop-down from a specific row within a table?
**Problem** I am measuring stored procedure hits by system codes. I am trying to implement 5 panels in one row that show graphs and single values for each top 5 system code in the data based on the...
I have the Docker Splunk driver running, but why are no events being collected?
I finally have the Splunk driver running successfully. At least I think so as it is not producing any errors. Only... I go to my Splunk server and I see that it is not collecting any events. Since I am...
Can I run Splunk DB Connect versions 1 and 2 side by side?
Due to Splunk DB Connect 1 support running out, I need to upgrade from DB Connect 1 to DB Connect 2. The upgrade instructions seem to indicate that I should install DB Connect version 2 while version 1...
How to edit my transaction search to calculate duration?
Hi Folks, How to calculate the time below scenario(same accno). Using transaction. 20160719T181321.405 GMT MESSAGE="RES" SNAME="DEMO" ACCNO="20161234" 20160719T181320.400 GMT MESSAGE="REQ" SNAME="DEMO"...
How to troubleshoot why Splunk is reindexing log file data with some fields...
Hi, I have Splunk Universal Forwarder running on my BRO-IDS sensor machine and monitoring a log directory where Bro rotates the files every hour and the rotated files are kept elsewhere in another dir...
How to allow the users to edit their own dashboards via "edit source XML"
The users are currently unable to edit their own dashboards via Simple XML edit in Splunk via "edit source XML". The users are still able to edit the panel. Please show me how to solve this issue! Thank
Why is Splunk not updating changes we have made to an alert condition?
Hi All, We have been facing a couple of issues with our Splunk recently. - **We created an alert initially with some condition and that worked. However, we tried changing the alert condition we...
How to use encrypted credentials (storage/passwords) in the REST API Modular...
I'm using the "REST API Modular Input" add-on (rest_TA) and it works fine with authentication BASIC. However, this uses the clear password in the inputs.conf and I would like to use the encrypted...
How to overlap two bars in a Splunk chart?
I have this search that counts the times a product has been purchased and the times the same product has been purchased with some other product, in this case product m. I want to overlap the...
How to create a Splunk alert to trigger when Tomcat is down?
Hi, We have a scenario to create an alert for Tomcat to trigger an alert when Tomcat is down. Based on our Tomcat logs, it gives PID for every 30 secs whenever it is up. If it is down it won't trigger any...
What is the proper way to move buckets from cold to thawed?
Hello, What is the proper way to move buckets from cold to thawed? From time to time, we have a reason to keep a particular day's worth of data for extended periods of time. Is it ok to simply copy the...