How do I put over 100 results into one line?
Good morning Splunkers! I need help please! I am working on a dashboard that shows a list of MAC Addresses and sometimes the list is over 100 different addresses depending on the area. So basically, I...
View ArticleIs there a way to use radio buttons to select a range of results/values?
Good morning Splunkers! I need help sorting through a list of MAC Addresses. I have a dashboard that lists them in a drilldown table. I have some list of 900 MAC Addresses and using the command below...
View ArticleHow do you make a query to see logs not sent by a forwarder?
Guys, I need to see which forwarders do not send events in a period of 3 hours. For example: if a forwarder does not send logs, or does not connect with an indexer, in the last 3 hours, I need to...
View ArticleHow do you use the rex command to parse out the IP between fix characters?
Hi all, I was wondering how can i write a Splunk rex to parse out the IP between two words. for example 8.8.8.8, 2.2.2.21.1.1.1, 2.2.2.2, x.x.x.x I am able to write a search but in results it parses...
View ArticleHow do you verify that multiple indexes are time synced?
We have upwards of 50 different security technologies reporting into Splunk. I'm being tasked with verifying that all the technologies reporting are properly time synced. Without going into each...
View ArticleHow do I check my KV store size?
I have a search head cluster and one of my searches is consuming full memory, which is running only in KV store, not going to even an indexer. I'm just looking for a command to check the KV store size,...
View ArticleHow do you exclude all lines with INFO or WARN from being indexed?
I have been reading through a lot of the previous answers to exclusion, but none match what I need. I need to exclude all INFO and WARN lines from one of my indexes, so that they are never processed....
View ArticleCan you help me to Install the Splunk Add-on for Unix and Linux?
Hello, This is what is listed in the documentation for the **Splunk Add-on for Unix and Linux**. [https://docs.splunk.com/Documentation/UnixApp/5.2.5/User/InstalltheSplunkAppforUnixandLinux][1] Create...
View ArticleSplunk SAML SSO unable to logout
Splunk is configured to use SAML auth with ADFS v4. Login works fine, but logout throws an error: "Failed to validate SAML logout response received from IDP" _internal shows: "No extra status code...
View ArticleJoin using ldapsearch
I am trying to create a search against our LDAP strategy, to show the capabilities, indexes, and users assigned to each role. Capabilities and indexes are easy enough to get, however, I'm stuck on the...
View ArticleWhy am I getting an error message when installing the Splunk App for VMware?
I am trying to install the Splunk App for VMware app. When I am trying to set up the page and save it, i get an error message: Encountered the following error while trying to update: Error while...
View ArticleHow do you use the join command in an LDAP search?
I am trying to create a search against our LDAP strategy to show the capabilities, indexes, and users assigned to each role. Capabilities and indexes are easy enough to get, however, I'm stuck on the...
View ArticleUnix TA assumes that only Unix/Linux make files named *.log?
The Splunk Add-on for Unix and Linux (v6.0.1, the current version) contains a couple of curiously broad eventtype definitions in default/eventtypes.conf: ` [nix-all-logs] search = source="*.log" OR...
View ArticleCan you help me with an Issue building a Splunk cluster?
I manage a couple of small Splunk clusters, and for the 1st time, I need to build one form scratch. I am testing in our sandbox environment, but when I bring the cluster up, I end up with index issues...
View ArticleHow do I find the top 3 fields per dimension (for all dimensions) grouped by...
Let's say I have dimensions like country, content, subscriptionType, and I'd like to get the 3 most common fields grouped by platform say web, app, etc. How would I go about doing this? An ideal output...
View ArticleHow do you CIDR Match a subnet in a list of subnets?
So IP to a subnet CIDR match has always worked in Splunk. No issues there. BUT a request came where we need to do a subnet to subnet CIDR match, and other than hacking my way out of it, I don’t think...
View ArticlePalo Alto App : sanctioned_saas.csv update
Palo Alto App : Is there any best practice to update sanctioned_saas.csv with sanctioned SaaS app list?
View ArticleExclude item from lookup table and additional condition
I have a lookup table that I'm using to exclude some devices from search results. `index = my_index | lookup my_table local=true device_id OUTPUT device_id as ignore | where isnull(ignore)` This works...
View ArticleAppend static data to a field for charting
Hello, I am trying to append static data to a chart that splunk generates and i'm not sure how to do this with a lookup or anything. The end goal is to have additional x-axis entries (`ProjectNames`)...
View ArticleImpacts of Cluster Master being down for some period
Hi Team, We would like to know what would be the impact on the Indexer Clustering tier if our Cluster Master (AWS EC2) will be down for some period of time. The reason is that there will be some AWS...
View Article