Channel: Questions in topic: "splunk-enterprise"
Browsing all 47296 articles

Palo Alto Networks App for Splunk: Why are all dashboards blank except for...

I set up the Palo Alto Networks App for Splunk, but all of the dashboards are blank except for the overview. The firewall is configured to send the log data via syslog (not using 514 as it is already...

Why am I getting error "CONFIGURATION ID MISMATCH" trying to add another...

I'm trying to add another search head to my search head cluster. I'm receiving the following error when I try and bootstrap it. [labsplunk-sh:/opt/sh2a/bin]$ ./splunk bootstrap shcluster-captain...

Splunk Add-on for Microsoft Azure: Where are connection log files stored?

I have a Splunk instance up and running and I have installed an Azure Connector to retrieve Azure audit logs against Azure Government Cloud. I have modified AzureAudit.py on the Splunk server, but still...

How to edit my search to display Min, Max, Total, and Sum at the end of a...

Hi This is my current Splunk search: index=pqaestore source="/log/jboss_jmx_stats.log" | dedup host | rex field=_raw "(?memory=(?\d+))" | rex field=_raw "(?httpthreads=(?\d+))" | rex field=_raw...

How to convert JSON Keys and values as columns in splunk

Hi, I want to flatten json data to columns for my report purpose. I might not be explaining my requirement properly, here is what my data and result has to be. Input: { "name" : "srini", "value" { "1":...

ESXi Events Splitting line by line

Splunk is splitting each line into an event instead of grouping the whole block as one event. I've tried a few fixes for this host in C:\Program Files\Splunk\etc\system\local\props.conf. (I removed the...

Average and maximum time between events by location

Given public transit log data of the form: 2016-08-01 13:34:03 GMT vehicle_id="1234" stop_id="5678" I would like to calculate (and plot) the following: * The average and maximum times between any...

Configuring events for AS400 logs

Hi... I have an AS400 syslog file, for which I want to configure Splunk to pick up the events at every 2 lines. Please advise which is the best way to do it. Sample log 5761SS1 V6R1M0 080215 History...

Replacing NULL string for null()

Hi, I'm trying to reuse an old app for a new environment and, of course, data and fields similar but different, so adapting this part is where the big efforts come. It's 90% done already but, however,...

How do I use this Adaptive Response framework? What are its capabilities?

I just came across [this app][1]. And I want to try that out. How do I use it? I have installed this framework, and have also installed AR-Log app. I went through "Getting started" pages and all, but...

Description of _internal index fields -...

Is there some documentation including the definition and description of fields in the _internal index. For example: - /opt/splunk/var/log/splunk/license_usage.log field; - h - i - idx - s - st Kind...

How to edit my regular expression to extract a field from my sample data?

Hey Fellow Splunkers I'm looking to possibly create a regular expression that can be used to extract a field. The data associated with the field that I'm attempting to extract is a complex string with...

How to report on how long a field equaled a specific value, and show the...

Here is the sample set of data, simplified: Aug 8 11:00:00 host=host1 status_code=UP Aug 8 12:20:00 host=host1 status_code=UP Aug 8 14:15:00 host=host1 status_code=UP Aug 8 15:00:02 host=host1...

How to hide "Create new dashboard button" in an app?

I am creating an App on Splunk and need to hide "Create new dashboard button" from the app users. I tried editing the dashboard.css, but it doesn't work. D:\Splunk...

Where do I enable HTTP Event Collector (HEC) and create a new token in an...

Hello, We have a Splunk Enterprise environment that has separate tiers that are clustered; Search Heads and Indexers. Where/which tier do I enable HEC on and create tokens? Search Heads or Indexers?...

Is appendcols or join better for search performance?

Hi there, I am trying to decide which Splunk command I should use to give better long-term performance on the search and the search head and am looking for advice. The functions are `join type=left` OR...

I installed the Fire Brigade app on a search peer, but why am I not seeing...

I have installed Fire Brigade app on a search peer, but I'm not able to see host or retention data. 1. Do I need to install the Technology Add-on for Fire Brigade? If yes, where should this be...

Is it possible for the Splunk SDK to connect to the instances by tunneling...

Hi, Is it possible for the Splunk SDK to connect to the instances by tunneling through a bastion host? We have a pretty locked down environment where we only allow access to instances via a bastion...

How to add or sum values in a timechart?

Hi Splunkers, How to add or SUM values in timechart as shown below: Search I used: base search|transaction....|timechart sum(duration) as duration by stage Below is my current output: _time stage1...

What is meant by a silent installation of Splunk on Linux, and how do you do it?

Hello Splunkers, can anyone help me understand what a silent installation of Splunk on Linux is? Is there any specific way to achieve it? Thanks in advance.
