Splunk loadjob fails in scheduled report
Hi, I have a scheduled report that is using loadjob and saved search stanza. It runs perfectly fine when run in search but when I schedule that using a scheduled report, it fails. Why and how to fix...
Does DB_Connect work with Snowflake?
My Splunk instance is v. 7.2.1 and the installed version of DB_Connect is 3.14. I'm having trouble verifying the compatibility of DB_Connect and Snowflake. Anyone have this successfully working in...
Event breaking regex not working
I have a multi line file that I'm trying to get splunk to understand... note that I'm not using the conf files but relying on the add new data UI within splunk to help... geo { id: 0 internal_name:...
Set Cisco App/Addon to specific index
I am looking at how to set a specific index for this app as we have multiple groups responsible for cisco devices and we do not want them to see each other's logs. Any idea how to do this?
How do you set Cisco Add-on to a specific index?
I am looking at how to set a specific index for this add-on as we have multiple groups responsible for Cisco devices, and we do not want them to see each other's logs. Any idea how to do this?
Performance of a query
Hi, I am pretty new to Splunk and wanted to know how to determine the performance of a query? Is it through the "Inspect Job" option? And also, can anyone help me with optimizing the following query...
How to exclude and format unique specific fields from multivalued field to be...
Hello all, I'm having some trouble formatting and dealing with multivalued fields. My use case is as follows: - I have sourcetype-A that returns known malicious domains(through multi-valued fields) - I...
Is "Inspect Job" option the way to determine the performance of a search query?
Hi, I am pretty new to Splunk and wanted to know how to determine the performance of a query? Is it through the "Inspect Job" option? And also, can anyone help me with optimizing the following query or...
How do you exclude and format unique specific fields from multivalued fields...
Hello all, I'm having some trouble formatting and dealing with multivalued fields. My use case is as follows: - I have sourcetype-A that returns known malicious indicators (through multi-valued fields)...
Does Splunk log deleted buckets?
We have just discovered that we have lost a large amount of data. Does Splunk log when it deletes buckets? I found [this...
Why is the Splunk loadjob failing when using a scheduled report?
Hi, I have a scheduled report that is using loadjob and saved search stanza. It runs perfectly fine when running in a search, but when I schedule that using a scheduled report, it fails. Why and how do...
Can you help me fix my regex to event break a multiline file?
I have a multiline file that I'm trying to get Splunk to understand... note that I'm not using the .conf files, but relying on the add new data UI within Splunk to help... geo { id: 0 internal_name:...
Login to Splunk Web using API Session Key?
I was wondering if it's possible to use the session key obtained from using the 8089 port to log in to Splunk Web in a browser via the 8000 port. The goal is to create a webpage where a user could login...
How to remove header from JSON
Hi all, I'm ingesting some JSON via REST API but the events are all squashed into one large event. I'm pretty sure it's because there is a header at the top of the file that needs to be removed for the...
Correlating transaction results
I have a dataset with timestamp, model, and ID. I am trying to correlate the events so that I can see all of the IDs that belong to a particular model. Typical logs look something like this: {"time" :...
Alert time scheduling in Splunk
I have set up an alert to check if some particular services are stopped in the server. However, there are some planned downtimes every day between 12-1 pm and 6-10 pm. Currently the alert is creating lot...
How do you calculate _time difference between subsearch and main search?
I'm trying to calculate the `_time` difference between the subsearch and main search; but if I try and pass the time through to the main search, it seems to want to include it in the actual search and...
How do you remove a header from JSON?
Hi all, I'm ingesting some JSON via REST API, but the events are all squashed into one large event. I'm pretty sure it's because there is a header at the top of the file that needs to be removed for the...
Find the details about the result of set diff.
I am using two searches Search1 search 2 1 1 2 2 3 3 5 4 Using set diff gives me the result. Don't want to use join. set diff [search index=ABC sourcetype=PQRS| stats count by x_orderno | fields -...
How could I chart ratio of counts of field values?
Hi, suppose my events contain this field with two possible values: Ok=True or Ok=False Every hour I'll have a certain number ('TTT') of True values and a certain number ('FFF') of False values. I want...