How to combine the result of 2 search queries?
Hi All, I have a scenario to combine the search results from 2 queries. For Type= 101 I don't have fields "Amount" and "Currency", so I'm extracting them through Regex in separate query. I can't...
How to get data/logs from a Web or application server and do search and...
I wanted to index logs from a Web/application server and do all the search, report, alert from my machine. How can this be done? Either I need to install a Splunk instance where the server is placed or...
How can I monitor the local group members using Universal Forwarder on remote...
I have used WMI.conf file to monitor Local groups using below stanza [WMI:LocalAdmins] interval = 3600 index = myindex wql = SELECT * FROM Win32_GroupUser disabled = 0 However, on local Splunk server...
CSV file could not be read.
I created a csv file and placed in splunk/var/run/splunk/csv/ folder and using the command |inputcsv filename.csv I am unable to get the results. It says file could not be read. I have not applied any...
Need Guidance on Configuring Splunk InfluxDB Connect App.
I have installed the app. Now while configuring I am providing below information: **InstanceName**- *unq_instance_name1* **Hostname**- *IP of the search head. I have also installed influxdb there. In...
Reschedule saved search by API
I need to change the schedule time using the POST REST API. To do it I used the command from the example in the documentation. It looks like this: curl -k -u admin:pass...
Dnslookup to output multiple event list in one query
Hello Team, Can someone please help me to build a query using dnslookup to output multiple events from the event list in a single query. index=pan_logs source="udp:51401" |lookup dnslookup clientip AS...
Splunk DB Connect 2.3.0 input does not index data
I have a Splunk Enterprise License version 6.4.3 I have installed DB Connect 2.3.0 I have created an INPUT (I can see the table, the columns, ....) DB connect are the app of the index and the...
Get or create Jira ticket - depending on result
Hey everyone, I have some questions about Splunk and the JIRA alerts add-on. **What I'm doing right now:** I'm uploading a log file and every entry with the log level WARN creates a new Jira ticket...
search join: won't sort, and any alternative to join?
Hi, Looking at Linux syslog data, I am trying to summarize the core dumps we see into a table like: binary,total,count_per_server /bin/ary1,5,server1(3) server2(2) /bin/ary2,3,server1(2) server5(1) I...
Why are warm buckets rolling with BucketMover "because maximum number of warm...
The majority of my indexes are using the default maxWarmDBCount setting of 300. I have a handful of indexes that I have maxDataSize set to auto_high_volume. All other bucket rolling settings aside,...
How to edit my subsearch syntax to combine the results of my two searches?
Thanks in advance for any assistance. I am trying to create an alert that creates a table that shows sourceIP, country, LogMessageID, VPNuser and VPNgroup for attempted VPN connections. I get the...
How can I add jquery.min.js to use on a dashboard?
Hi, I have some source code using jquery.min.js, but when I try to add it, Splunk rejects it and I get an error. So how can I use it in a Splunk dashboard? Thanks
Why am I getting "ERROR BTreeCP - failed: failed to rename... Access is denied"
Has anybody ever had this error? If so, can you explain the meaning of it? Thanks 08-28-2016 22:03:18.924 -0400 ERROR BTreeCP - failed: failed to rename C:\Program...
Why did my "| where not" saved search start to error?
I have a saved search that started to fail like so.... ERROR SavedSplunker - savedsearch_id="nobody;search;Powered On VMs Without UF", message="Error in 'where' command: The 'not' function is...
Splunk Add-on for Cisco UCS: Why is the timezone offset for certain sources...
I have two sources in Splunk that for some reason started to offset and I don't know why. sources - source="cisco:ucs:etherTxStats" OR source="cisco:ucs:etherRxStats" props.conf...
How to count events with a specified id if there are three events successively
Hello, I would like to make a search for an SLA that does the following: (id 700 is ok, 702 is nok) - Count the number of events if there are three nok events (702) successively. Example: 700, 700, 702, 702,...
Indexer clustering through application
Hello, I'm trying to create a work in progress environment for our Splunk setup so we can test developed apps on that before it goes to the live environment. We're using AWS and I'm running Chef to...
Data extraction/export in terabyte size
Hi all Splunk experts, I have some technical concerns about data export/extraction and hope I can get some technical advice here. Can the search head extract raw events available according to certain time...
How to set cron job to run last Thursday of every month at 2:00 AM