Custom Role - Unable to search any indexes
I have set up Splunk Enterprise 7.2.1. Custom roles are created under $SPLUNK_HOME/etc/system/local/**authorize.conf**:

[role_splunk-user]
cumulativeSrchJobsQuota = 50
get_metadata = enabled
...
One field and multiple custom values and get percentages
Hi, I need help creating a table which shows multiple custom values / field count / %. Example of how it needs to look: ![alt text][1]

[1]: /storage/temp/274512-capture.jpg
Index vs Sourcetype - What's faster
I am curious, does including an index help the search any when writing a search? This comes about as a friend and I are arguing over whether or not one is more necessary than the other. For example,...
Splunk 7.2 Update sendemail for custom csv attachment names
I would like to be able to customize the name of the csv attachments sent using the sendemail function. Is there any other way to do this besides editing the sendemail.py script?
Need help generating a report when a new process is created
Hello, I have Windows Security logs with EventCode=4688. I want to create a report that will show all new process creation in 24 hours except for the hosts that are reporting to the deployment server. Any help...
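The report asked for above, written out as detection logic over sample events. This is an added example, not code from the poster or from Splunk: it assumes the 4688 events have already been flattened to one key=value line each (a constructed sample, not real logs), and that the set of hosts checking in with the deployment server is supplied as a hypothetical constant (in practice that list comes from the deployment server itself, not from the events).

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real logs): each line is one Windows Security
# event flattened to key=value pairs, after New_Process_Name and Account_Name
# have been extracted. Includes a non-4688 event, an event older than 24 hours
# and an event from a deployment-server client, so every filter is exercised.
SAMPLE_EVENTS = """\
2019-01-15T09:12:01Z host=WS01 EventCode=4688 New_Process_Name=C:\\Windows\\System32\\cmd.exe Account_Name=alice
2019-01-15T09:15:44Z host=WS02 EventCode=4688 New_Process_Name=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Account_Name=bob
2019-01-15T10:01:09Z host=DSCLIENT01 EventCode=4688 New_Process_Name=C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe Account_Name=SYSTEM
2019-01-14T08:00:00Z host=WS01 EventCode=4688 New_Process_Name=C:\\Windows\\System32\\cmd.exe Account_Name=alice
2019-01-15T11:30:00Z host=WS01 EventCode=4624 Account_Name=alice
2019-01-15T12:00:00Z host=WS03 EventCode=4688 New_Process_Name=C:\\Users\\carol\\AppData\\Local\\Temp\\update.exe Account_Name=carol
"""

# Hypothetical: hosts that phone home to the deployment server. Assumed to be
# provided from the deployment server's client list, not derived from events.
DEPLOYMENT_CLIENTS = {"DSCLIENT01"}

# Fixed "now" for the sample so the 24-hour window is reproducible.
SAMPLE_NOW = datetime(2019, 1, 15, 13, 0, 0)

# New_Process_Name may contain spaces, so it is matched lazily up to the
# Account_Name field; the group is optional because not every event has it.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventCode=(?P<code>\d+)"
    r"(?: New_Process_Name=(?P<proc>.+?))? Account_Name=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse the flattened events; lines that do not match the shape are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "host": m.group("host"),
            "EventCode": int(m.group("code")),
            "New_Process_Name": m.group("proc"),
            "Account_Name": m.group("user"),
        })
    return events


def new_process_report(text, now, excluded_hosts, window=timedelta(hours=24)):
    """Count process-creation (4688) events per (host, process, user) that fall
    inside the last `window` before `now`, dropping hosts in `excluded_hosts`."""
    counts = Counter()
    for e in parse_events(text):
        if e["EventCode"] != 4688:
            continue
        if e["host"] in excluded_hosts:
            continue
        if not (now - window <= e["time"] <= now):
            continue
        counts[(e["host"], e["New_Process_Name"], e["Account_Name"])] += 1
    return counts


def report_for_sample():
    """The report over the constructed sample with the fixed SAMPLE_NOW."""
    return new_process_report(SAMPLE_EVENTS, SAMPLE_NOW, DEPLOYMENT_CLIENTS)


if __name__ == "__main__":
    for (host, proc, user), n in sorted(report_for_sample().items()):
        print(f"{host:<12} {user:<8} {n:>3}  {proc}")
```

Over the sample this yields three rows (WS01/cmd.exe, WS02/powershell.exe, WS03/update.exe): the 4624 logon is ignored, the day-old cmd.exe event falls outside the window, and the forwarder's own splunkd.exe on the deployment client is excluded. The host exclusion is the part that cannot be hard-coded for real; feed it from the deployment server's client list.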
Remove trailing end of a field when field and trailing end are different and...
Trying not to sound confusing, so here are some examples of PORTs extracted from our logs:

LoPPG-1-23-45-6
PORT-1-2-3-45
CONCATGRP-1-23-4-5
EthernetService-1-23-4-5

Convert these by removing the...
Chart with KG and MB in Y-axis
Hi, I'm facing an issue with a chart which displays KG and MB, where the MB values are bigger as numbers, and it shows a wrong chart: the green line needs to be above. Event examples: Heap: 13.2G, Heap: 6208.6M. How to make,...
Workday data volume
Hi, Does anyone have a ballpark figure for data volume from the Workday add-on into Splunk?
The logs are forwarding from our server to Splunk server but the logs are not...
![alt text][1] The logs are forwarding from our server to the Splunk server, but the logs are not in a readable format (attached screenshot) (-splunk-cooked-mode-v3). [1]:...
How to exclude sending logs to heavy forwarder which ends with a specific...
The following are my transforms.conf and props.conf on my cluster master.

transforms.conf
[send_to_heavyforwarder]
SOURCE_KEY = _meta
REGEX = (logtype::SAT.*id::(ABC-1|ABC-2))
DEST_KEY = _TCP_ROUTING
...
Why are logs forwarding from server to Splunk server but not in a readable...
![alt text][1] The logs are forwarding from our server to the Splunk server, but the logs are not in a readable format (attached screenshot) (-splunk-cooked-mode-v3). [1]:...
How to figure out if forwarders are utilizing props or transforms?
We have Universal Forwarder on our Windows servers, varying in version from 6.2.3 to 7.1.3. Our Splunk Enterprise version is 7.0.1 (upgrading soon). I was always under the impression that formatting...
Splunk App for Web Analytics: Empty reports and lots of error in 'map'
Error message: `Did not find value for required attribute 'site'` errors. Pageviews, page sessions, bounce rate, basically everything on the Audience page is blank, "no data", or Error in 'map': Did not...
Free Splunk download
I am doing the free training Splunk 7.x Fundamentals Part 1 (eLearning). I am trying to download the Free Splunk Enterprise app, but when I click on "Download Free 60-Day Trial" the download screen...
Converting Time from an InputLookup
Hi, I need help converting the time provided by a lookup. I am getting the information like this:

| inputlookup AD_User_LDAP_list | search cn=jon1 | fields cn, pwdLastSet

cn pwdLastSet
jon1 06:25.09...
Find certain field values and changing the value into another field.
If the vulnerability column has a certain value, then a new column called ‘Software_Affected’ has a corresponding value like below:
1. If “*DES*” is in the vulnerability column, then the new ‘Software...
How to convert time from an inputlookup
Hi, I need help converting the time provided by a lookup.

| inputlookup AD_User_LDAP_list | search cn=jon1 | fields cn, pwdLastSet

I am getting the information like this: **cn pwdLastSet jon1...
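The conversion behind both copies of this question (here and the earlier "Converting Time from an InputLookup" post), as an added example that is not the poster's code or Splunk's. It assumes the lookup carries pwdLastSet in the form LDAP returns it: a Windows FILETIME, i.e. an integer count of 100-nanosecond intervals since 1601-01-01 UTC, where 0 means the password must be changed at next logon. The lookup rows are constructed (hypothetical accounts); the column names pwdLastSet_iso and pwd_age_days are ones chosen here.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_GAP_SECONDS = 11644473600          # seconds from 1601-01-01 to 1970-01-01
NEVER = 0x7FFFFFFFFFFFFFFF               # AD's "never" sentinel (e.g. accountExpires)


def filetime_to_epoch(value):
    """Convert a FILETIME integer (or digit string) to Unix epoch seconds.
    Returns None for 0 (password must be changed at next logon) and for the
    "never" sentinel, so callers cannot mistake either for a real timestamp."""
    v = int(value)
    if v == 0 or v == NEVER:
        return None
    return v // 10_000_000 - EPOCH_GAP_SECONDS


def filetime_to_iso(value):
    """Same conversion rendered as an ISO-8601 UTC timestamp, or None."""
    v = int(value)
    if v == 0 or v == NEVER:
        return None
    # timedelta keeps microsecond precision; one FILETIME tick is 0.1 us.
    return (FILETIME_EPOCH + timedelta(microseconds=v // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")


def password_age_days(value, now):
    """Whole days since the password was set, or None for 0 / never."""
    epoch = filetime_to_epoch(value)
    if epoch is None:
        return None
    return int((now.timestamp() - epoch) // 86400)


# Constructed lookup rows (hypothetical accounts) in the shape of the
# AD_User_LDAP_list lookup: cn plus the raw pwdLastSet value.
SAMPLE_LOOKUP = """\
cn,pwdLastSet
jon1,131920416000000000
svc_backup,0
"""

# Fixed reference time so the computed ages are reproducible.
SAMPLE_NOW = datetime(2019, 3, 1, 0, 0, tzinfo=timezone.utc)


def convert_lookup(csv_text, now):
    """Read the lookup CSV and add pwdLastSet_iso and pwd_age_days columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["pwdLastSet_iso"] = filetime_to_iso(row["pwdLastSet"]) or "must change at next logon"
        row["pwd_age_days"] = password_age_days(row["pwdLastSet"], now)
        rows.append(row)
    return rows


def convert_sample():
    """The conversion applied to the constructed lookup at SAMPLE_NOW."""
    return convert_lookup(SAMPLE_LOOKUP, SAMPLE_NOW)


if __name__ == "__main__":
    for r in convert_sample():
        print(f"{r['cn']:<12} {r['pwdLastSet_iso']:<28} {r['pwd_age_days']}")
```

In SPL the same arithmetic is an eval: divide pwdLastSet by 10000000, subtract 11644473600, then format with strftime; keep the special-casing of 0, or every "must change at next logon" account will show up as a password last set in 1601.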
How to find certain field values and change the value into another field
If the vulnerability column has a certain value, then a new column called ‘Software_Affected’ has a corresponding value like below:
1. If “*DES*” is in the vulnerability column, then the new ‘Software...
How to remove trailing end of a field when field and trailing end are...
Trying not to sound confusing, so here are some examples of PORTs extracted from our logs:

LoPPG-1-23-45-6
PORT-1-2-3-45
CONCATGRP-1-23-4-5
EthernetService-1-23-4-5

Convert these by removing the trailing...
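An added example for this question and its earlier copy ("Remove trailing end of a field when field and trailing end are different and..."); it is not the poster's code. The question is cut off before it says exactly what to keep, so the assumption here is that the goal is to drop the whole variable-length "-n-n-..." tail regardless of how many numeric groups it has. The extra sample values beyond the four in the question are constructed to cover a name that itself contains digits and a value with no suffix.

```python
import re

# Sample values: the four shapes from the question plus constructed extras
# (hypothetical): a name with digits in it and a value with no suffix at all.
SAMPLE_PORTS = [
    "LoPPG-1-23-45-6",
    "PORT-1-2-3-45",
    "CONCATGRP-1-23-4-5",
    "EthernetService-1-23-4-5",
    "Ge10-1-2",
    "Loopback0",
]

# One or more "-<digits>" groups anchored to the end of the string, so the
# number of groups does not matter and digits inside the name are left alone.
TRAILING_SLOTS = re.compile(r"(?:-\d+)+$")


def strip_trailing_slots(port):
    """Return the port name with its trailing -n-n-... groups removed."""
    return TRAILING_SLOTS.sub("", port)


def split_port(port):
    """Return (name, [slot numbers]); the list is empty when there is no suffix.
    Useful when the numeric groups should become their own fields rather than
    simply be discarded."""
    m = TRAILING_SLOTS.search(port)
    if not m:
        return port, []
    return port[: m.start()], [int(x) for x in m.group(0).split("-")[1:]]


if __name__ == "__main__":
    for p in SAMPLE_PORTS:
        print(f"{p:<28} -> {strip_trailing_slots(p)!r:<20} {split_port(p)[1]}")
```

The end anchor is what makes this safe for names like Ge10: without it, a pattern such as -\d+ applied globally would also eat internal groups or leave partial tails behind. The same anchored pattern can be used in a rex or in eval's replace() in SPL.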
How to whitelist multiple ip addresses from datamodel search? (no need to use...
Hi guys, can you please tell me how to exclude/whitelist multiple IP addresses from the **datamodel** search? Here is the example: **All_Traffic.dest_ip!=10.10.10.10 All_Traffic.dest_ip!=10.10.10.10...