Problem with data retention policy
Hello, I have 2 IDX and one CM which is acting as a deployment server and license master as well, and 2 SH in a cluster. I set the data retention to a 180-day period. That means, whatever is older than...
Panels in dashboard disappear
Dear Experts, I created one dashboard with many searches. I spent almost 5 hours building it. I created it on 7/05/2019. Now, when I visit it today, most of the panels have disappeared and the remaining...
timewrap: compare last week with avg of last three months
Hi team! I want to compare last week with the average of the last three months. This is my code right now. I need some help, please. sourcetype="sophos*" * severity=high earliest=-90d@d | timechart span=1month count |...
Splunk Web server recv-q filling up, unable to connect
I have a heavy forwarder running on a dedicated RHEL 7.5 server, I'm trying to connect via the web interface running on port 8000. I have tested this port from the client machine and by all accounts...
Is it possible to create a chart like this in Splunk?
Hi All, I am trying to build a chart which consists of 4 different fields as well as the total for each month. I am wondering if it is possible to build a chart like this with Splunk? Thanks. ![alt...
Can anyone help resolve the issue with my search for events relating to USB...
![alt text][1] [1]: /storage/temp/273648-usb-event-search-results.png
Insufficient permission for Splunk ServiceNow add-on
For `eventtype="snow_ta_log_error"` I am getting the error below: ERROR pid=89870 tid=MainThread file=rest.py:splunkd_request:53 | Failed to send rest...
Error in clustering and replication
Hello, I am getting the following error in my deployment server or cluster master, even though outputs.conf is correct. outputs.conf : [tcpout] defaultGroup = indexers [tcpout:indexers] server =...
I am writing a subsearch to get user details as input for some other search...
index=* [search index=_internal [| rest /services/authentication/current-context splunk_server=local | fields username | rename username as user ] |top user limit=1 | fields user ]
Using intermediate forwarders with a load balancer
At the end of last year we migrated from Splunk 6.5.3 to 7.1.3. The universal forwarders on the different source systems delivering our inputs send data via a load balancer to 2 intermediate forwarders,...
Add-on Builder: migration tool error on Windows
Hi, I have the following error when I try to run project_migration_tool on Windows: C:\Program Files\Splunk\etc\apps\splunk_app_addon-builder\bin\aob\aob_tools>project_migration_tool.bat...
Display a time chart for the distinct count of values in a field
I am a beginner to Splunk; could you help me with the following scenario? Let's say I have a table with the field name "Computer". The field "Computer", when searched for different time periods...
How to integrate an incident management ticketing tool with Splunk Enterprise?
I have tried to find an app that can integrate an incident management ticketing tool with Splunk but couldn't. Is there any other option that can be used to do so?
Set given preset value in time range picker
Hi, I'm using Splunk Enterprise 7.2.3. I have a time range picker on my dashboard to set the date/time range to search between. I want to set its default value to "Previous week". In the XML code of...
Trigger correlation rule for past event occurrence
There was one event that occurred yesterday and we have one correlation rule against that. Unfortunately it was not triggered. I fixed it and updated the correlation rule. Is it possible to trigger it against...
Extraction issue with dynamic field names
Hello there, I am stuck with a dynamic field name extraction. The data is partly JSON and sometimes contains nested JSON in the JSON part: log-group=abc [2019-05-12 12:23:16,074] - INFO - {"time":...
What is the REST API POST command to append a role to an existing native user?
Hi all, is there any REST API command to add/append single or multiple roles to a specific user? For example, user "SplunkUser" is already present in Splunk with the role "role1" assigned to it. Which REST...
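The practical trap behind the question above is that a POST to `/services/authentication/users/<name>` with `roles=...` replaces the user's role list rather than adding to it, so "append" means GET the current roles, merge, and POST the union. The following is an added example, not code from the question or from Splunk; it assumes that replace semantics and uses a hypothetical injectable `transport` callable plus a constructed `FakeSplunkd` stand-in so it runs offline.

```python
"""Append roles to an existing Splunk native user without clobbering the ones it has.

Added illustration (not from the original post). Assumes:
  * GET  /services/authentication/users/<name>?output_mode=json returns the
    user's current roles under entry[0].content.roles
  * POST /services/authentication/users/<name> with repeated roles=... fields
    REPLACES the role list (so existing roles must be resent)
  * a hypothetical transport callable (method, path, body) -> (status, text)
"""
import json
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode

Transport = Callable[[str, str, Optional[str]], Tuple[int, str]]


def current_roles(entry_json: str) -> List[str]:
    """Pull the roles list out of a GET .../users/<name>?output_mode=json reply."""
    doc = json.loads(entry_json)
    return list(doc["entry"][0]["content"]["roles"])


def merged_roles(existing: List[str], new: List[str]) -> List[str]:
    """Order-preserving union: existing roles first, then any genuinely new ones."""
    out = list(existing)
    for role in new:
        if role not in out:
            out.append(role)
    return out


def roles_form_body(roles: List[str]) -> str:
    """Encode the repeated roles=<name> form fields splunkd expects on POST."""
    return urlencode([("roles", r) for r in roles])


def append_roles(transport: Transport, user: str, new: List[str]) -> List[str]:
    """Read-merge-write so role1 survives when role2 is appended. Returns final roles."""
    path = f"/services/authentication/users/{quote(user, safe='')}"
    status, text = transport("GET", path + "?output_mode=json", None)
    if status != 200:
        raise RuntimeError(f"GET {path} failed with HTTP {status}")
    existing = current_roles(text)
    roles = merged_roles(existing, new)
    if roles == existing:
        return existing  # nothing to add; skip the write entirely
    status, _ = transport("POST", path, roles_form_body(roles))
    if status != 200:
        raise RuntimeError(f"POST {path} failed with HTTP {status}")
    return roles


class FakeSplunkd:
    """Constructed stand-in for splunkd that models the replace-on-POST behaviour."""

    def __init__(self, roles: List[str]) -> None:
        self.roles = list(roles)
        self.posts: List[str] = []  # bodies we received, for inspection

    def __call__(self, method: str, path: str, body: Optional[str]) -> Tuple[int, str]:
        if method == "GET":
            return 200, json.dumps({"entry": [{"content": {"roles": self.roles}}]})
        if method == "POST" and body is not None:
            self.posts.append(body)
            self.roles = parse_qs(body).get("roles", [])  # whole list replaced
            return 200, ""
        return 400, "bad request"


if __name__ == "__main__":
    fake = FakeSplunkd(["role1"])
    print(append_roles(fake, "SplunkUser", ["role2", "role3"]))
    print("POST body sent:", fake.posts[-1])
```

Against a real instance the transport would wrap `urllib.request` (or `requests`) with an `Authorization: Bearer <token>` or `Splunk <session key>` header and TLS verification turned on; the merge logic stays the same. Whoever runs this needs `edit_user` capability, which is itself a privilege worth restricting.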
DB Input with two rising columns
I have a SQL query pull that relies on two rising columns (see below). In DB input, is it possible to set two rising columns? I am using DB Connect 3.1.4. SELECT * FROM table_1 WHERE (timestamp > ? AND...
XX events missing due to corrupt or expired remote artifacts from search head
Hello guys, I can see some errors from a clustered search head: "events missing due to corrupt or expired remote artifacts". What does it mean? Thanks.
How can I split a single event into multiple events?
I have configured a REST API input and it is giving data in JSON format as a single event. I want to split it into multiple events, i.e., for example, the data is in this format now { [-] queryResponse: { [-]...