Index count on a single Indexer
Hi, We are running apps in docker world and looking at docker log growth - app / engineering team wants to adapt app + environment level indexing. Meaning each app per environment will have a separate...
Search for anomalous file names based on entropy?
Can anyone recommend a way to search for file names based on entropy? I'd like to run a search that looks for funky/anomalous .php file names if possible. Thx
Dynamic Index creation using Rest API
I am doing this to create Index of maxsize but it keeps throwing error - curl -k -u admin:pass https://localhost:8089/services/data/indexes -d name=mymetricsindex -d datatype =events -d...
Why does isnotnull command return true for blank Country field added by...
I am using the **iplocation** command on an IP based field to add new fields to each event, most importantly the **Country** field. I want to then filter the output to only entries where the...
Migration of 6.6.3 to 7.2.5
We have Splunk 6.6.3 on a Windows 2008 server and need to migrate to a Windows 2016 server. At the same time we are upgrading Splunk to version 7.2.5. What would be the best approach to this migration?
Splunk query OR condition
Trying to parse the following line: newCount 20 OldCount 10 The following is my splunk query: index="server" | rex "newCount"\s+"(?\w+)" | rex "OldCount"\s+"(?\w+)" | search newcount>0 | search...
Disk space issue on Indexer
Hi All, We have Replication factor as 2 and search factor as 2 in 2 different sites in clustered environment. For an index with 11 GB of license consumption per day, it consumed 40 Gb of disk space. I...
2(+) Apps 1 Site
We have one site that has several 5+ apps on it. We are needing to send the logs from each app to a different index. Does anyone have a good suggestion on how to do this? We had thought maybe something...
PagerDuty app
Hello, We installed the PagerDuty app and when we try to launch it, it is showing a blank page. We installed the latest version 1.5 and we are running Splunk version 7.0.2. Please let us know if anyone has...
Two time period search with summary index or kvstore
We have a rare query from a team and the situation is - The team needs to immediately get an alert (within 5 minutes) - The team doesn't want to miss an alert (even if there is a network delay or indexing...
Splunk data are cut off randomly
I am having a problem with UF data ingestion. There are 36 servers (18 servers are prod and 18 are test-prod). I have a deployment server that deploys configuration files to the 36 servers. But the logs I get...
Comparison between error counts for 25 stores in a week
basesearch AND storeNumber=* | search (body.status=200 OR body.status=404) | chart count by storeNumber | head 25 | sort -count I need to get output as a time chart graph and also another output as...
Splunk Web SSL Certificate Error from 3rd party
Hi, I am in a situation, we have 3 search heads clustered using 3rd party SSL certs placed in web.conf, after which the Splunk web UI is not accessible. I received 2 certs from a 3rd party company, one is...
Monthly Occupancy Report with Daily Events
Hello All, I am trying to generate a Monthly Occupancy Report of users with Daily events. The issue is the Daily events consists of Multiple entries of a user, so I have to use "dedup user" command to...
HTML output in Splunk dashboard
In my Splunk dashboard, I want to call a webpage and display the output of the webpage in my dashboard. When I go to the link, it displays a long text and I want to see the text in the dashboard. How...
How to reset sorting when using column header to sort table in dashboard
How to reset sorting when using a column header to sort a table in a dashboard? I have a dashboard with a submit button. When I sort the table on my first search and run another search, the new search acquires...
Help on subsearch in order to match a common field between 2 lookup files
Hi, in a first lookup (host.csv), I have a field "host". In a second lookup (toto.csv), I also have a field "host". Is it enough to do `| inputlookup host.csv | appendcols [| inputlookup toto.csv]` for...
How to get the Health Report to alert to Slack
Hi, I am trying to get the Splunk Health report to alert to Slack. I have created health.conf in etc/system/local: [health_reporter] alert.disabled = 0 alert.actions = slack [alert_action:slack]...
Unclear things in index location when I use batch data input (input csv file...
Hello, let me explain what issues are going on. My Splunk environment is the same as below. **UF -> HF -> Indexer** and I'd like to do some **'csv file input test' UF to Indexer**. I'd like to use...
How to extract only numeric values from a field into a table? It is fetching the...
For example: dport=86 pattern: 0 tcp && dst port 86 && dst 345 Here dport is a field and pattern is a non-field value. In the report command I'm getting "86 pattern: 0 tcp"; I just need the...