How do I use results from a search in my custom command?
I'm trying to use data from a search in a custom command. source | scrapy url=uri This gives me the following error: Error in 'scrapy' command: This command must be the first command of a search. It...
View ArticleField Extraction Problem
Hey, Splunkers I'm having issues attempting a field extraction. The field extraction with appending data is a complete string based. Example: Signature ( Apple) Signature (Orange) The variable in the...
View ArticleWhy am I getting error "'newline' is an invalid keyword argument" using the...
I'm accessing my python script in $SPLUNK_HOME/bin via command line (in a VM) to see if the code runs correctly. Whenever I run the file outside of commandline, the code works perfectly, but when I run...
View ArticleDoes Splunk have a collaborative notebook capability?
We're looking for a capability similar to IPython or Apache Zeppelin, where queries can live together with documentation and users can collaboratively work on them. Is there anything like that out...
View ArticleHow to edit additional fields of an app using the Splunk Python SDK?
Here is the documentation I am using: http://docs.splunk.com/DocumentationStatic/PythonSDK/1.1/client.html I am able to successfully create a new app using: applications.create('appName') It will show...
View Articlefill_summary_index.py not working
I'm running the command below: sudo -u splunk /opt/splunk/bin/splunk cmd python /opt/splunk/bin/fill_summary_index.py -app search -name eligible -et -y -lt now -j 2 -owner admin -auth admin:password I...
View ArticleShould I use a heavy forwarder or indexer for this scenario?
Greetings, I'm trying to figure out if there is an advantage to having a heavy forwarder over just an indexer in the following scenario: - All of the infrastructure is virtual and is on the same...
View ArticleHow to configure the JMS Messaging Modular Input to use MQ binding mode?
We have the JMS Messaging Modular Input configured for WebSphere MQ topic. We are not allowed to use client mode to connect to the queue manager for security reasons. Could you please help me with a...
View ArticleHow do I get Unique users per day and per month in one query and then divide...
Hi, I have a field called "UserID" and a DateActive field. I'm looking to make a bar chart where each bar has a value equal to the average # of unique users per day in a month divided by the total # of...
View ArticleHow to display multiple fields on the x-axis of a chart?
Displaying the multiple fields on X-axis of chart. Below is my current search: index=home | eval Value=substr(Name,-1) |stats count(eval(Value=="A")) AS AValue,count(eval(Status=="B")) AS...
View ArticleLookup iplocation on ingest
I would like to have iplocation fields added to all events when they're ingested and have verified the lookup works in the search app. I've done something similar with dnsLookups in props.conf, but...
View ArticleHow to search and trigger an alert if the same value repeats more than once...
For example: :Report=99,10,99 In this case value `99` occurred twice in this field, so I need to pick this event and then create an alert. Please help in solving this issue
View ArticleIs it possible to run attribution modeling in SPLUNK?
"An attribution model is the rule, or set of rules, that determines how credit for sales and conversions is assigned to touchpoints in conversion paths. For example, the Last Interaction model in...
View ArticleLooking at the job inspector, why is startup.handoff taking majority of the...
Pastebin of search.log: http://pastebin.com/aAzw697G Job inspect statistics: 0.00 command.fields 15 197 197 0.08 command.search 15 - 197 0.04 command.search.index 24 - - 0.01 command.search.filter 2 -...
View ArticleUsing "stats count by" after "case eval", why am I not getting any results?
Hello, I'm trying to change a value of a field using `eval case` then do a `stats count` based on that field. I'm getting no results. In the code below I'm searching for an event with 2 specific field...
View ArticleHow to prevent Splunk DB Connect 2 from disabling a database connection if...
Hello, all. Does anyone know if there is a way to keep the app from disabling a given database connection if there is a network disruption or if the database is offline briefly? I've had to restart...
View ArticleSplunk DB Connect: How to get McAfee ePO audit logs into Splunk?
Has anyone been successful in getting McAfee ePO audit log information into Splunk? We are using DB Connect and are getting client events, but the audit logs (i.e., Deploying EE to 164 computers, Moved...
View ArticleWhy do I get this error when configuring the universal forwarder: SSL...
Hi, I am installing the universal forwarder (6.2) on redhat. I am running into several issues with the SSL setup. I am using my own selfsigned certs. This is working fine in an old 4.2 universal...
View ArticleHow to get rangemap to change the color of bars based on evaluated heap...
how do I change the colors of my bar chart to red, yellow, and green? Here is my query: index=xyxy env=PROD profile=blah heap_used=* total_heap_size=* | stats last(heap_used) AS heap_used,...
View ArticleIs it possible to add the ability to process CSV file attachments with the...
Is it possible to add the ability to process a CSV file attachment with this TA? It appears that it is not supported. The other IMAP app doesn't support CSV attachment importing either. Regards Robert
View Article