indexes in distribute environment
Hi All, I have configured indexer clustering in Splunk but I don't know how to create indexes that are replicated in this cluster
How to create an event every second
Hello, I have a set of data occurring randomly and I would like to have an event every second. I am able to get that when I work with one single file and the following command: **timechart cont=true...
Why the logs are not coming in?
I have pointed the CEF logs from Trend Micro Deep Security to Splunk server. What could be the reasons that logs are not coming in although the port 514 for other apps as well.
Why does Splunk create multivalue fields when I upload zipped txt files?
Hi, I want to upload a bunch of txt files, therefore I've created a structured sourcetype. When I add one single file, the preview looks fine and the imported data is correct. But when I upload a .zip...
How to find difference between column headers
Hello, I am trying to find a difference between column headers (month to another month). Meaning if in the new month there are some new column headers which do not exist in the previous month 1) |set...
Why are Data Inputs not working? (no indexed data, no sign of change in...
Hello fellow Splunk users! I am encountering a problem with indexing .csv files. A bit of background story: I am trying to index Windows Server 2003 data. Installing a universal forwarder does not...
Field Extractor Utility Help
Hi, I have the following event in Splunk: Message=WriteLoadTimeToLog at offset 259 in file:line:column <filename unknown>:0:0 message: Page...
Parse pseudo-XML data during input
Hi Splunkers, I have a question regarding the input extraction of XML fields (with inputs and transforms). I have tried to follow the advice in this post:...
ES App criteria behind correlation rules.
Hi, I was looking at the logic behind the correlation rules that are inbuilt in the ES App. But it was not so clear, like for example for the bruteforcing rule. I would like to know the criteria for triggering this...
Timechart and Earliest/Latest Date
Hi, I wonder if someone could help me please with a query I have, and I apologise in advance for the newbie question. If you create a timechart with a span, and then you set an 'Earliest' and 'Latest'...
How to create a report about each index and the sourcetypes it contains?
I need to create a report that shows each index on my system and the relevant data about sourcetypes within the index. I know I can use `|metadata type=sourcetypes index=myindex`...
Scheduled Query - change query content
**Background** I have created a query that will allow me to view all tickets created within one month. As some of the 'resolved' events occur after the month has ended I cannot use | stats count by...
Chart limit results
I'm trying to chart the top hits to a search while the rest are rolled up into an 'OTHER' column. Ideally I'd like the split to be based on a threshold value, otherwise setting the number of columns is...
Active Directory and Splunk
I have been assigned with the task of implementing Splunk on my company network. I have Syslog communication with my server with no problems. But I would like to have my Windows devices communicating...
Where should I put my syslog forwarder/deployment server when regarding...
Hi folks, I'm planning on installing some new machines running Splunk instances. Two of the machines are going to run an indexer cluster, one a cluster master and one a search head. The last machine is...
How do I get the timestamps of the first and last events in a transaction?
Dear All, I am setting up a report of Username, Logged in time, Logged out time, Internal and External IP Addresses from a VPN node log. I have already determined how I can get the identifying marks...
Precision of arithmetic operations
When I execute the following search index="does not matter" | stats count AS value | eval value=123456.0 | eval x=value/(1024*1024*1024) | eval y=(value*1.0)/(1024*1024*1024) I get results which do not...
How to calculate daily values from sum values
Hi, I have values that are a total sum of all data processed. I need to calculate the daily values from the daily sums. Running the following search source=... | timechart span=1d...
How to retrieve logs from Azure AD?
Hi! I want to connect with Azure AD and get its logs into Splunk. What is the procedure of doing this? Can a Splunk forwarder be installed in Azure (and how should it be done)? Or should Azure AD send...
Errors during search - missing data (after upgrade to 6.3)
We have Splunk Enterprise and our cluster consists of 3 search heads and 9 search peers. After upgrading to version 6.3 the following started to happen - Although the cluster in total has enough space...