help with regex
How to capture everything until the second period. I have the below sample data. I want to capture the one in bold YYMPv2-SOI::curators."9.9.42.1.3.2.1.8.**2059119261.2164944.1.1**" = "0x0aa0a04b"...
ignoreOlderThan Invalid for batch input
Is the `ignoreOlderThan` stanza in inputs.conf invalid for batch input? I am getting the error "Invalid key in stanza". [batch:\\D:\...\*.zip] move_policy = sinkhole index=abc ignoreOlderThan = 72h
Configuring a role for Health Checks?
All, I am creating a weekly task for a jr NOC staffer to run the management console's "health check" weekly and note the results. Can you tell me what permission I'd have to set on this role to ensure...
Can I use a deployment server to scale my Splunk Enterprise deployment?
Where can I find more information about using a deployment server and configuration files to manage my Splunk Enterprise deployment?
Alert if Index is getting more than 10GB of incoming data
I am using the below query to find the size of an index. How can I modify it to alert me if the index is getting more than 10 GB of incoming data? index=_internal [`set_local_host`] source=*license_usage.log*...
Search for a value in a set of results, then indicate in a new field if the...
I have a somewhat complicated search whose results I present in a dashboard, and it looks a bit like this: [ search ( _raw IN () ) AND event_name=process.start | fields video_id ] (event_name=processor.*)...
Field extraction
gauge="ProcessorResponse.Country[US]Processor[ApgProcessor]PaymentType[VISA] DECLINE" is one of the fields. I am trying to get the Country, Processor, PaymentType and reason fields. my search | rex...
Capacity planning best practices for Splunk Enterprise?
I'm looking for resources to help plan my deployment. Does anyone have capacity planning best practices for Splunk Enterprise?
Forcing data to freeze
We, up to now, have never frozen data. However, we have a requirement now to freeze some data for years. I need to show in a development environment how this works. I have created a new index. Defined...
Splunk Kubernetes Create index by Namespace
Hi, a little background: I have an EKS cluster and an on-premise Splunk cluster. We have 5-10 application microservices running on EKS. I want to ingest logs into Splunk from EKS K8. The Splunk Connector has been...
subnet information
I have a subnet lookup in CIDR notation, so I am trying to print subnet details with dest IP but not getting a result. query: index=xyz | stats count by dest | lookup subnet.csv subnet as dest output...
Is it possible to update the Splunk Universal Forwarder but not change...
I have some old versions of Splunk lying around and want to just do an update, not change the directory being monitored or anything else. How can I do that? The Sudplunk required items in the pillar...
Anyone have a good search to compare today's hosts against yesterday's?
All, I'd just like a report sent to me daily of hosts appearing in Splunk in the last 24 hours. Guessing I have to search metadata twice and then diff them, but thought someone might have an app or a...
Where did Splunk 7.3.1 go?
I need the installation RPM of Splunk 7.3.1 specifically, in order to be version-compatible with another 7.3.1 instance that I already have. However, the official download page only gives me 7.3.0 now....
Append the columns of a search onto the results of another search many times
Search A returns many events for each ID. Search B returns a single event for each ID. My end result is a table with each event from search A, with the values from a few fields in search B appended as...
facing issue in field extraction for regex
Hi All, I wish to create a regex that should work with multiple log formats using 2 types of log format. 1) log format: 5 auth_mechanism: SSO_ISE auth group [syslog_pass1] regex...
Lookup table for lot of fields
My event log has comma-separated field values of 100+ fields. Each field can have about 2-15 different values. For example, if field10=3, I need to map to earth; if field10=4, map to mars; and so on. If field11=4,...
please help on how to achieve the below kind of lookup/rename for 100+ fields...
mylookup.csv: field1,1=mercury,2=venus,3=earth field2,1=brown,2=blue,3=red,4=yellow,5=green My basic search gives 3,2,a,b,c.. How to get output like earth,blue,x,y,z.... or 3_earth,2_blue,p_x,q_y,r_z....
Splunk Forward Issue
Hi Everyone, I am currently facing an issue which I am not getting my head around. I have installed the universal forwarder on Win Srv 2012r2 to send every log to the Splunk server. However, in the Splunk web...
I want to exclude events before a certain date (not timestamp).
Let's say I have a column called birthdate in my events and I do not want to see the events or birth records which are before 01.01/2015. Can somebody help me to do this?