File/Directory Information Input add-on: How do I set this up to monitor a...
Does anyone know how can I get the following set up? I am trying to set up the ability to monitor when a file changes. I do not need to know what changes were made, only that the files changed. I...
After installing Splunk_TA_aws, the whitelist option is not applied when collecting S3 data.
I ran a test to split indexes by path for a single bucket using a whitelist. For the configuration I followed the document below and am trying to selectively ingest data with a whitelist. http://docs.splunk.com/Documentation/AddOns/released/AWS/S3 In inputs.conf...
Some Splunk events are indexing without any date in them, which makes me manually...
Some Splunk events are indexing without any date in them, which makes me manually insert the date in the search query to search. Now how can I make them index with a certain date format? Splunk version: 6.1.8...
Splunk query to list the events without a date?
Also it would be great if anyone can give a search query to list out the top 10 hosts with those events? Thanks in advance
Is there a way to get metadata about a search result with loadjob
Hi, I am trying to get the metadata info of the search artefact that is returned by loadjob. e.g. the earliest time and latest time of the search job that generated the result set that is loaded by...
Splunk Deployment
Hi, we are deploying Splunk in our environment and have gotten stuck at a point. We have deployed an indexer cluster in one network; it consists of the following: 2 search heads, 4 indexers, Master...
Scheduled saved search or queries within saved search issue with app
We have a few scheduled saved searches defined in our Splunk app "CCMS-TA-onprem-reporting". One of the scheduled saved searches, "device_summary_index", when it triggers, is continuously showing status...
REX for multiline event + extract the line where the match is found
My Splunk system is reading in logs as multi-line events, which is by design. So 1 event could have 300 lines or so. Here is an extract from that long log file of 3 HDDs, 1 of which is faulty. 15.5 :...
stats count issue, mismatch with search query results
Hello, I'm using a query to find all traffic hitting a single firewall rule. It's something like this: host=fw_host_name rule_uid={uid} action=accept I wanted to create a list of all sources,...
Fetch between 2000 and 3000 events in a query
Hi, in a Splunk query the 'head' command is used to get the first 'particular' number of events. I want to get the events between the specified numbers. My query should be something like index=myindex...
Monitoring a directory, why is Splunk not indexing a new file that has the...
Splunk is monitoring a directory with the below configuration in inputs.conf: [monitor:///*/*/*] sourcetype=exampleA_sourcetype index=exampleA_index blacklist = \.(gz|zip)$ ignoreOlderThan = 1d...
How to configure Splunk to prevent line breaking events on ASCII character...
I have syslog messages arriving at the indexer with embedded ASCII form feed characters (#012). Splunk is breaking on these characters, and I want to avoid this. How can I tell Splunk not to break on...
How to set up a drilldown using the Status Indicator - Custom Visualization app?
Hi, I am not able to drill down while using the Status Indicator app. PFA ... all form_1?Capability=$Capability$ the code I am using to drill down. Thanks, Payal
Is it possible to set retention policies on indexed data based on sourcetype?
We are in a slight dilemma where we are trying to reduce the number of indexes we have, understanding that this impacts retention and security. Security is not really an issue; it is retention we...
How to figure out what fields our Splunk users are searching for in their...
Hi, I need to figure out what fields our Splunk users are searching for, either in their reports or dashboards. Is it doable? If so, how? Please help.
How to edit my search to chart the count of how many sources were indexed in...
I want to create a scheduled report that would count how many log files we've received in the last hour. This is what I've written: tstats dc(source) as "source" where index="myindex" It's working well, but...
Can I insert multiple regexes into a .form file for kvform?
I'm trying to extract some keys and values from a field that can assume multiple formats - both keys and length change according to the meaning of the content. I'm wondering if using the kvform...
Reporting on numerous key-value pairs in buckets
I have the following log data coming in from our spam filter. ndrscore=0 suspectscore=3 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 adjustscore=0 adultscore=0 I have the fields extracted and...
Token is not working in dashboard but it works when the search is opened in a new tab
Hi, I have this form that contains an input for the month number, and it sets the value of earliest and latest depending on whether the month is the actual month, and if the day is the first day of the...
Is there any documentation on Splunk Enterprise Security that we can use?
This is nuts, I downloaded the ES 4.1.1 Overview and it's two pages basically telling me how to login. No kidding. HP has too much with ArcSight (which is better than nothing) and this is the overview...