Sum of most used application in bytes when I have multiple applications
Hi everyone, I'm pretty new to Splunk (just started a little more than 2 weeks ago). Currently I'm making a panel that would display columns with the following: User - Most Data Consumed Application -...
Changing management port in forwarder?
Hi, can we change the Splunk management port (8089) for one of my forwarders in web.conf? We are using the default port number for all forwarders, but the users of a specific forwarder have requested to change the...
How to see if two different hosts have failure event records?
I need to return a "yes" if (host=A has events > 0 and host=B has events > 0) else "no"
How do you replicate reports, dashboards, lookup fields etc...?
Sorry if this question is elementary, but I just stood up a new search head and then added the existing standalone environment to it. So now I have 1 SH and then 1 indx that has all other services ran...
Understanding search time vs index time
Despite having recently finished the Splunk Admin course, I'm still fuzzy on the terms "index-time" and "search-time", especially when it comes to actually configuring the indexer and search head in a...
"log event alert action" only logs one event
Hello, I'm trying to set up the "log event alert action" within Splunk 6.4.2. I have it working except when the search (alert) returns more than one search, only one event gets logged. E.g. Search -1h...
Splunk Add-on for F5 BIG-IP: How to clear this repeating error about...
We've recently installed Splunk Add-on for F5 BIG-IP and are successfully getting remote logs from one of our LTM servers. We've noticed that var/log/splunk/Splunk_TA_f5_bigip_main.log reports the...
How to create a textbox to enter comments on a dashboard panel?
Hello team, I added a textbox to enter comments in it on a dashboard panel. The comments entered need to be visible to everyone who views the dashboard. How do I retain the comments entered? Please...
How can I find whether an environment is clustered or distributed? If it is...
I have 4 servers in which 2 are clustered and are used as search heads, a 3rd one is Splunk Enterprise Security, and the 4th server is search head pooling. These are connected to indexers. I want to...
How to troubleshoot why my forwarders have stopped forwarding most data at a...
Splunk 6.4.1. We ran into an issue on Tuesday where data for over 99 clients has just stopped presenting in the search. It looks like some of the data is reporting; however, there were 55...
How to set up an alert to display the results with verbose mode data, not...
I have set up a Cisco BGP syslog alert from Splunk. The BGP down event triggers correctly with all indexed data. See screenshot below. But the Up message shows up with no indexed data...
When setting up forwarder it stays in loading
Hi everyone, I'm starting to use the DMC in Splunk (recently upgraded to 6.4) and I wanted to see data about my universal forwarders, but when I click on Settings -> Forwarder monitoring setup it...
Bar Chart Line, based stats sum
Regards, I have a bar chart that is a summation of project cost. In this chart I need to have two vertical lines where: the top line is the upper limit and the lower one is the minimum limit cost of a project. The...
Data log on dashboard
I currently have a table on my dashboard that filters specific fields from my data log and when you click on a specific field of table it opens the log on a new web page. Is there a way I can open the...
External database query error
I have set up an Oracle database login and the connection is a valid connection. However, when I try to do a simple query, I get the error "External search command 'dbxquery' returned error code 1....
How do I convert this search into a tstats search leveraging the web datamodel?
Here's the search: index=proxysg sourcetype=proxysg | replace *pandora* with www.pandora.com in url | replace *facebook* with www.facebook.com in url | stats sum(bytes_in) as MB by url | eval...
How to use max() aggregate function while calling other columns?
I don't understand how to use max() in SQL while calling other columns. I understand that you need "group by" to use max(), but I want to create a table that shows other columns and a max(). So far...
Whitelist match issues
Hi everyone, I am having an issue where a logical AND NOT isn't working properly. Simply put I have an alert for mail servers that should be whitelisting a single IP's communication with either one of...
Splunk Enterprise Security: How to troubleshoot why 67% of searches being...
Hi, We are using Enterprise 6.4.0 with Splunk Enterprise Security 4.1.1. We have installed the Splunk App for ES Health Check. Yesterday, we noticed ES (via the health app) 'Searches' were reporting...
eStreamer Logs Not Appearing in $SPLUNK_HOME/etc/apps/eStreamer/log/
eStreamer logs are not populating. It was working, then one day it stopped. Any ideas?