splunk 6.4.1 cluster - move defaultdb/main to new location via indexes.conf
env: IDX multi-site cluster (1 master, 3 peers), 2x HF's, 2x SH's. I am wanting to move the defaultdb/main index to a bigger disk and I am hoping I can do this via an entry in indexes.conf and pushing via...

What's the best solution for orphaned searches?
2 problems: 1) There is no change ownership option in the GUI - seems like a huge oversight. 2) The search to show orphaned searches times out with no results. So I'm left with not being able to...

Missing search head splunkd.log during restart
We've set up our search head to forward its data to our indexing cluster using http://docs.splunk.com/Documentation/Splunk/6.4.3/DistSearch/Forwardsearchheaddata What we noticed is when restarting...

What type of system health alerts or dashboard panels would be useful to...
I have a general question for those that are admins or users of Enterprise Security. I am tasked with considering what searches or panels that I will be placing in a dashboard that may be useful to the...

Eventtype style color only displays while in current session
I created 3 eventtypes; at creation I chose a different color for each one. Everything worked fine, colors were displaying correctly as expected for each eventtype and for each tag I associated to the...

How do I push an app to the Search Head Deployer's shcluster/ directory?
I know I would run `splunk apply shcluster-bundle` on the Search Head Deployer to push apps to Search Head Cluster Members. The apps that get pushed are located under the `shcluster/` directory on the...

Backfill without app name
Hi, Is it possible to use a backfill script without the need of pointing to an app name? E.g. - ./splunk cmd python fill_summary_index.py -app APPNAME -name SEARCHNAME I want to backfill searches in...

UF first deployed
Hello, Is it possible to see when a universal forwarder was first deployed or phoned home? Thanks

Search and Indexing performance
Hi Splunkers, Any reference or benchmark on performance tuning? Gone through a lot of posts on performance tuning. I am looking for some approximate number of events returned per second and server...

Working on OKTA integration, failing validation due to UTC time formatting
I keep getting the following message when trying to log in via OKTA, "The conditions saml response failed validation Verify the time in the response from IDP is in UTC time format. " but cannot find any...

How to decompress a single field (compressed JSON file) given the data has...
We have a compressed (via python zlib) JSON file that is "chunked" prior to being indexed by Splunk. The multiple events in Splunk (once indexed) can be pieced together (via Splunk's transaction...

Splunk DB Connect 2: How to edit conf files to add more database connections?
I am SOOOOO slow, or this is way too hard. I am trying to add thirty new connections to my configuration of the Splunk DB Connect 2 app in Splunk (6.4.2). I get the LOCAL configuration directory...

How to write a regular expression to extract this 3 digit number from my...
I have these statements I am trying to extract the "200" from, but this number could be any three digit number though.
<117>Sep 01 16:19:12 ip-10-255-55-21 SLAVE[prodr35e-core_24322]: 10-255-55-21...

Is there any way to send data in CEF format from a Python script to Splunk?
Does anyone have a part of code? I can send a message, but I do not know how to send CEF. For example: CEF:0|Cisco|ASA|1.0|100|accept|1|src=10.140.10.213 dst=109.226.104.135 dport=80 proto=tcp.

How to capture the date from my sample inputlookup CSV file?
I have a CSV that has the setup as shown below.
Date |Score
1/1/2016 | 4.3
2/1/2016 | 5.7
I need to extract that date to be able to do trends on the scoring. I have no other way to ingest the CSV aside...

Can Splunk store a list of strings that can be referenced in a Splunk search?
I am trying to make sure all expected pm files run by a given time. For instance, if I have 5pm files, I would like to verify that those 5 specific files have completed by 5pm. My approach would be to...

Using webhook as an alert action, can webhook retry if http status is not ok?
I am considering using webhook as an alert action. One concern is that if the webhook URL is temporarily not available, we may miss the alert action. Is it likely to configure webhook to retry when the...

Why is using base searches causing major performance issues on my dashboard?
Working on making dashboards to help report on activity. To make the dashboards as performant as possible, I'm using base searches. However, it appears that using base searches throughout a dashboard...

Is it possible to retrieve the hashes of apps pushed by the deployment server...
According to the top answer in the question titled *"Deployment Server - when app is redeployed, what is overwritten"* (url listed below), the deployment server creates a hash of an app and compares it...

Is it possible to increase the number of values in the BY statement in tstats...
If I run a tstats command with more than 24 values in the BY part of the statement, I get no results found. If I use 24 or less, I find what I expect to see... Can this value be increased? Thx. C