Splunk 6.4x and SSD (Solid State) indexers
I feel the answer and test blog below are quite old (4 years). - https://answers.splunk.com/answers/10417/splunk-on-solid-state-disk.html -...
Grouping search results by hostname
We need to group hosts by naming convention in search results, so for example hostnames: x80* = env1, y20* = prod, L* = test, etc. Also, can this be done with the | tstats command?
Forwarder Phone Home last day
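One way to do the grouping asked about above, as an added SPL example that is not part of the original post. It assumes the data lives in an index called main (an assumption; the post does not name one), that host is the indexed host field, and that the three prefixes x80, y20 and L are literal, case-sensitive prefixes. The first search classifies raw events; the second does the same classification on top of tstats, which is only possible because host is an indexed field and the prefix test can be applied after the count-by-host has been computed.

```spl
index=main
| eval env=case(
    match(host, "^x80"), "env1",
    match(host, "^y20"), "prod",
    match(host, "^L"),   "test",
    true(),              "unknown")
| stats count by env, host

| tstats count where index=main by host
| eval env=case(
    match(host, "^x80"), "env1",
    match(host, "^y20"), "prod",
    match(host, "^L"),   "test",
    true(),              "unknown")
| stats sum(count) as count by env
```

match() uses a regular expression and is case-sensitive, so a host named l01 would not match "^L"; use "(?i)^L" if the convention is not strictly upper-case. The final true() branch keeps hosts that fit none of the patterns visible instead of silently dropping them, which is worth having when the naming convention is the basis for an alert scope.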
Hi there, how would I set up a table to find out which forwarders have not phoned home in the last day? I am currently using this REST search for other related activity: -index=_internal...
Unable to use the app: error setting up ITM TEMS instance
09-05-2016 18:18:13.584 +0200 ERROR AdminManagerExternal - Stack trace from python handler:
Traceback (most recent call last):
 File "/OPT/siem/splunk/lib/python2.7/site-packages/splunk/admin.py",...
How to monitor admin users logged on/authenticated but no session activities...
I am trying to create an alert to track admin users who have logged on to Windows servers but are not performing any activities even 30 minutes after logging in/authentication. index=main (eventtype=logon_activity...
CSRF issue REST API behind F5 BigIP
My company deploys Splunk behind F5 BigIP. I am trying to use the REST API PHP SDK; getting a session key is no problem. Unfortunately, executing a search/jobs query always fails with the error: HTTP 401...
Best Practice to upgrade app in distributed env? Also seeing "no inputs...
I have tried an upgrade in our test env (standalone SH & standalone HF - internet facing) by doing the following: -Backed up the existing website_monitoring dir (1.5.0) -On HF - Extracted 1.6.1 tar...
What could be the reason for some Splunk sessions observed to be in the...
The default date in the Splunk session is observed to be in DDMMYYYY format (ideally it is in MMDDYYYY format). Due to this, the Splunk session shows "No results" for these logs. Some Splunk sessions do not...
Scheduling in SPLE
We're facing some challenges with job schedules in Splunk. Many of them are input>output type jobs; however, Splunk has only a simple scheduler, where no dependencies are feasible (or I am not...
Encrypting the password for JMS modular input
Hi, is there an option to save the password for the input in a non-clear-text way?
Using lookup file to update field value
Hi everyone, my requirement is: using client IPs, I need to display the country on a geomap. My concern is that my IPs are private IPs and don't have a country value, such as USA, India, China. I got some...
Historical search for security events
We have a search in our distributed environment which we are using to collect data into a summary. The problem is it takes an age to run and is often skipped. Any tips on how to increase the performance...
How to send the output of one sourcetype into another
Hi, I am trying to run a search query where the output of one query acts as input for the following query. Please help me with the syntax. Also, please let me know how I can view the second query...
One of the Search heads showing down in F5 load balancer, but both the search...
Hi all, currently I am facing the above issue; ours is a **distributed system with search head pooling configuration setup**. In front of the search heads an F5 load balancer is configured to balance the user...
How to get the result of a scheduled saved search with the REST API?
Hello, I am using a curl command to get the result of a scheduled search with a specific user. This user (MyUser) has the following capabilities: rest_properties_get rest_properties_set search...
mongod process consuming more CPU on Linux NUMA machine - remediation
The mongod process is taking more CPU. I am getting the message below in var/log/splunk/mongod.log. Where should I run this command? Is there an alternate solution? WARNING: You are running on a NUMA machine. We...
How can we change the Splunk web URL?
Hello guys, I want to change the web URL of the Splunk server so the server name is invisible to end users. By default, the web URL is set to http://:8080 and I want to change it to, say, http://splunkserver:8080...
How to restart the OPSEC connector?
Splunk Check Point OPSEC logs stopped on Thursday. How do I restart the OPSEC connector? This problem is occurring frequently.
Splunk Add-on for Check Point OPSEC LEA: How to run the lea-loggrabber.sh...
Hi all, for the past couple of days we have not been receiving firewall-related data in Splunk. When searching **index=net_fw sourcetype=opsec** we get no data found, and we could not find any errors...
Finding throughput rate from warm idx to cold idx
As part of the project requirement, we have been asked to provide evidence of the traffic (events per sec) moved from the warm idx (on server) to the cold idx (NAS storage). Req 1: Isilon storage platform must...