How can I extract specified fields from the log files uploaded in Splunk thru...
I have created a UI which loads the user-selected log file in Splunk. Now I have to extract some fields from that file, and that too in table format. How can I do it? For the UI I am using JSP and servlets.

Is it possible to clone Splunk config files / settings?
I would like to set up a 2 node Splunk implementation: 1 Indexer and 1 Search Head. The indexer will hold all roles except for Search. The search head will do search + house ITSI. Instead of having to...

Need help with props on multiline event
We're bringing in syslogs from DataPower units, and they have a rough log setup: Jul 22 09:00:20 10.214.8.104 [0x80c0003f][xxxxxxSSOSPDebug][info] xmlfirewall(SSOAuditLogFW):...

How can I parse and index fields from XML data?
I input an XML file and indexed it, but found there are fields that contain XML. How can I parse and index fields from XML data?

Has anyone used Splunk for WebSphere to monitor and search failed events?
Has anyone used Splunk for WebSphere to monitor failed events? The default failed event manager for WebSphere is too slow to load and search. Would like to index the failed events in Splunk. Thanks,

Is it possible to access directories such as $SPLUNK_HOME/etc/apps remotely...
Hi, I'm currently looking into developing a custom visualization and am trying to follow the steps provided in the Build a custom visualization tutorial:...

What causes Splunk to decide to make a new hot bucket?
What are the conditions that cause Splunk to create a new hot bucket? I have maxDataSize=auto (750MB) set on my index. I was expecting that data would get written to the same bucket until the...

How do you recreate new splunkweb certificates?
During the upgrade to 6.4.2 the certificates were renewed for splunkd, but not for splunkweb: "/usr/splunk/etc/auth/ca.pem": certificate renewed "/usr/splunk/etc/auth/cacert.pem": certificate renewed...

Compare 2 field values from different sources.
**Scenario** We process emails looking for order numbers (ON). We need to be able to compare the order numbers we see in the emails to our database. We're looking for matching and not matching order...

CSV File with inline field data extracting headers incorrectly
I have a csv file that we're getting from an ALU application that is proving incredibly difficult to work with. This csv file represents metrics collected from various pieces of the system and...

How to write a search to alert if our Tomcat server is down?
Hi, we need to create an alert to check if Tomcat is up and running. This we could identify using the PID. If Tomcat is up and running, then we would receive Tomcat events (logs) with the PID. If Tomcat is...

Why are the emailed results of my search not formatted the same as results in...
I have a real-time search that sends an email if there are any results. In Splunk, the search is formatted as I would expect. [image: web results] In the email version, however, the rows don't format...

Can you assign multiple serverclasses to one server?
We have a serverclass set up to ingest WinEventLog:Security logs for multiple servers (contains a blacklist for account names and IDs). The consumer is looking to add the WinEventLog:Directory Service...

What system logs are needed to deploy Splunk effectively and cover the SANS...
Hi I am deploying Splunk in an environment and would like to capture as many security aspects from the SANS top 20 as possible. I am not too technical, so I am hoping someone will be able to help me...

How to configure Splunk to break events after an empty line or before certain...
We have logs like the pattern below. We want to break the events after an empty line, or starting before `ERROR:`, or starting before `TypeError: `. Can you please tell us how to adjust this props.conf...
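One way to test such a line-breaking rule offline before it goes into props.conf, as an added example that is not part of the original post: the function below emulates how Splunk's LINE_BREAKER works (the text matched by the single capturing group is the event delimiter and is discarded, everything on either side becomes an event) and runs a candidate regex over a constructed log sample. The sample lines, the `my_app_log` sourcetype name and the regex itself are assumptions for illustration, not the poster's data or config; Python's `re` is used as a stand-in for Splunk's PCRE engine, which behaves the same for this pattern.

```python
import re

# Constructed sample (not from the original post): four events that must be
# separated by a blank line, by a line starting "ERROR:" and by a line
# starting "TypeError: ". Indented lines belong to the event above them.
SAMPLE = (
    "2016-07-22 09:00:01 request received\n"
    "  detail line one\n"
    "\n"
    "2016-07-22 09:00:02 request processed\n"
    "ERROR: upstream returned 502\n"
    "  at handler.js:10\n"
    "TypeError: Cannot read property 'id' of undefined\n"
    "  at render.js:42\n"
)

# Candidate props.conf stanza this regex would be used in (hypothetical
# sourcetype name). SHOULD_LINEMERGE must be false so Splunk does not
# re-merge the lines after LINE_BREAKER has split them:
#
#   [my_app_log]
#   SHOULD_LINEMERGE = false
#   LINE_BREAKER = (\r?\n(?:\r?\n)+|\r?\n(?=ERROR:|TypeError: ))
#
# Exactly one capturing group: either a run of blank lines, or a single
# newline that is immediately followed by "ERROR:" or "TypeError: ".
LINE_BREAKER = r"(\r?\n(?:\r?\n)+|\r?\n(?=ERROR:|TypeError: ))"


def split_events(raw, line_breaker=LINE_BREAKER):
    """Emulate Splunk LINE_BREAKER semantics on an in-memory chunk.

    Each match of the regex marks an event boundary; the text captured by
    group 1 is dropped, the text before it closes the current event and
    the text after it starts the next one.
    """
    pattern = re.compile(line_breaker)
    if pattern.groups != 1:
        raise ValueError("LINE_BREAKER must contain exactly one capturing group")
    events, pos = [], 0
    for m in pattern.finditer(raw):
        chunk = raw[pos:m.start(1)]
        if chunk:
            events.append(chunk)
        pos = m.end(1)
    tail = raw[pos:]
    if tail.strip():
        events.append(tail.rstrip("\r\n"))
    return events


if __name__ == "__main__":
    for i, event in enumerate(split_events(SAMPLE), 1):
        print(f"--- event {i} ---")
        print(event)
```

Run it and check that no event starts with an indented continuation line and that the `ERROR:` and `TypeError:` lines each open their own event; if the real logs also contain CRLF line endings, the `\r?` in the pattern keeps the same boundaries. Note that Splunk applies LINE_BREAKER to raw data on the parsing tier (indexer or heavy forwarder), so the stanza must be deployed there, not only on a universal forwarder.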

How do I get Splunk to Monitor my Windows WebSphere Application Server (7.x,...
I'm new to Splunk, so excuse my lack of knowledge :) We have Splunk Enterprise 6.4.1 and I have the Universal Forwarder installed on my Windows WebSphere (WAS) machine and it shows up fine in my Splunk...

Has anyone done hardware benchmarking with Splunk and these m2 interface disks?
All, Has anyone done any hardware benchmarking with splunk and these m2 interface disks? http://www.tomshardware.com/reviews/kingston-hyperx-predator-480gb-m2-pcie-ssd,4113.html#p4 Seems like they...

How to set up a maintenance window in Splunk IT Service Intelligence?
I am configuring Splunk IT Service Intelligence. I have defined Services, Entities, and KPIs. I find that during a certain time, some KPIs are breaching the thresholds for valid reasons - because of...

How to create a single value trend to show the difference based on the...
Hi, I need to create a single value visualization with the trend indicator. The trend indicator should be the difference based on the previous day's difference. Below is the search and the response from...

How to edit our forwarder inputs.conf for NetApp to forward data to our indexer?
We have moved some of our jobs over to a NetApp configuration on a brand new server, but I cannot get the data forwarded to my Splunk indexer. I installed the forwarder and verified that I can...