How to write a search using eval to create a new field with values calculated...
Hi, we integrated Splunk with ServiceNow and are looking to find late closure incidents. For this we have 2 fields, **Stopdate** and **closeddate**... we need to evaluate a new field **Late Closure** using...
How to search the total usage for each search from all the different apps in...
Ladies and Gentlemen, I have been tasked to write up a search that would give a total usage for each search from all the different apps. I have been digging through the master/deployment head and I...
How do you compare a Single Value visualization to a sum of the prior day
Greetings, My search is essentially a couple of time charts counting tweets and mentions. For final presentation I remove the tweet and mention fields and am left with the **addtotals col=t** as seen...
How to merge two field values into one?
I'm trying to compare two date values, Valid_Till(ex: Oct 7 12:58:21 2016) and the current_date(ex: 08/01/16). In order to create a consistent format, I want to convert Valid_Till to numeric values so...
Timeline - Custom Visualization: Can full date time DD/MM/YY HH:MM tooltip...
We have timelines that span 30 days with events we want to see begin/end down to the minute or second on Tool Tips. Please add options for Tooltips time format: DD/MM/YY HH:MM:SS DD/MM/YY HH:MM Cool...
Splunk App for AWS: Why am I getting SSL error "Certificate Verify Failed"...
When I'm attempting to add an account onto the Splunk App for AWS, I receive an SSL Certificate Verify Failed error when saving the credentials. I'm not sure how to proceed with configuration when...
Is there a formal process for copying Splunk IT Service Intelligence to...
I have set up Splunk IT Service Intelligence on my standalone Splunk server, but now have a need to expand. I have recently added a search head to this indexer, so now the responsibilities are split up...
How to extract JSON from my sample event data?
Hello, we are trying to extract the substring (JSON) object from one of the properties of the log: { [-] Message: EventName="MessageEvent"...
With the Splunk Add-on for Kafka, where can I see the consumer lag?
With the Splunk Add-on for Kafka, where can I see the consumer lag? It appears that the consumer offset is not stored in Kafka or Zookeeper. Where is it stored? How can I tell how far behind (if at...
Why am I missing fields in search results running the Sentiment Analysis app...
Greetings, I am running Splunk 6.3.3 and trying to get Sentiment Analysis to work with any app. I have a distributed search environment so I put the app on each of my Search Heads and Indexers. I have...
How to optimize a search for a non-prefixed wildcard (field=*suffix)?
I have data which contains a field with a lot of values and has duplicates on almost every one - a barcode, scanned in more than one place. In addition to being a part of a long field (a kind of a...
Is anyone interested in closing the security holes that Splunk leaves open...
Splunk 6.4.2 (and back to 6.2.1) has the following issues: 1. "[sslConfig]" stanza with parameter setting "enableSplunkdSSL = true" is ignored by mongod and sets Mongod parameter "sslMode" to...
How to timechart events that occurred once in the last 5 minutes and more...
Hello Splunkers, The question here is straightforwarder :p How can I count on a timechart of events that occurred once in the last 5 minutes and more than once in the past 24 hours? The result would be...
How do you get ServiceNow CI data indexed in Splunk?
The plugin pushes Splunk data into ServiceNow, but what I'm looking to do is push CI data from ServiceNow into Splunk. ServiceNow has asset data that we want to push to Splunk to combine with the...
How to change syslog host to a specific sourcetype?
I'm getting syslog from a specific host in Splunk. How do I create a sourcetype for that host?
Preparing for a Risk Management Framework (RMF) authorization, what RMF...
We are preparing for an RMF authorization in a few months. What controls does Splunk support? Thanks.
Why is my serverclass not in my serverclass.conf?
Hi, we are testing some auto-provisioning with the REST API, and I noticed that the serverclass that is in the GUI is not in the $SPLUNK_HOME/etc/system/local/serverclass.conf file. Shouldn't it be...
If I have more than 1 lookup file with the same name, which file does Splunk...
Assuming I have a lookup file, for instance, users.csv, with different contents and is located in different apps and shared globally. If I am running `| inputlookup users.csv` from "Search &...
Blacklist question
Hi, I am blacklisting some excessive messages in the transforms.conf. Here is an example of my config: [md_client_blacklist] REGEX = (\(DEBUG,)|(Ignoring gap) As a result I do not see any "Ignoring...
If we are no longer using Splunk, but another department wants to use it,...
We have had Splunk implemented at my company for quite a few years. A new VP has taken over and he no longer wants to use it, and another department now wants to utilize Splunk. The old data is...