Do I have to back up the $SPLUNK_HOME/var/run directory for a reliable backup?
When I make a backup of a Splunk server every few days, I usually just tarball the whole /opt/splunk dir. This works fine for recovery purposes when I need it. But each backup is several GBs. So, I...
How to set the threshold value for each value in the field
I have results in the table, as shown below: Name Time Settingname value OEK 09-16-2019 PWD.length 8 ELC 09-16-2019 timeout 400 CMG 09-16-2019 PWmaxAttemts 3 --> I need an eval function (for...
How to get the total count of events excluding a specific time range on certain days?
Can anyone please help? I want to display the total count of events that occurred in a week (but excluding a specific day/time, i.e. exclude 04-06 PM on Monday and 06-08 PM on Wednesday). I am running the below...
How to get the plain text of pass4SymmKey?
Hi, please help us get the plain text of pass4SymmKey. Is there a way to decrypt it?
How to divide each line, each data row?
ServiceTitle KPITitle kpis_key SmartCas ServiceHealthScore SHKPI-17c3399b-d559-4e91 CPU Utilization: % 793faace-3431-4d54-a54c-f07fbb520425 IOWait % 9e984025-b4ba-43c1-a165 Storage Operations: Latency...
Windows Perfmon data routing issues
I am trying to get Windows Perfmon data in. I have been successful for some servers but not others, despite using the same inputs.conf configuration. For instance, I am getting Memory stats from our...
How to compare search results for the first 15 min and the last 45 min?
Following is the result we got: Action_Name Time Count ABC 1:15 AM 100 ABC 1:30 AM 200 ABC 1:45 AM 300 ABC 2:00 50. Now I want to compare row 2 (1:30 AM) Count: 200 with row 4 (2:00 AM) Count: 50. I am...
How to set the threshold value for each value in the field?
I have results in the table, as shown below: Name Time Settingname value OEK 09-16-2019 PWD.length 8 ELC 09-16-2019 timeout 400 CMG 09-16-2019 PWmaxAttemts 3 --> I need an eval function (for...
Splunk PagerDuty integration
How can I troubleshoot why this is not working? I'm seeing the alert firing in Splunk and a log event showing that it works on the Splunk side. Example: INFO sendmodalert - Invoking modular alert...
Inputlookup/lookup compare to search results and return the results from only...
I am searching a user list that I have in an inputlookup/lookup CSV. I need to compare results from a search to the inputlookup/lookup list, which is over 80k users, and return only the new results that...
Config documentation sites not opening
When one searches for a config on Google, e.g. props.conf, the first result is almost always the page you'd want. However, all of a sudden today, the pages don't load and redirect me to...
Help with AD user search where user!="*$"
Hi, I'm doing searches for account login failures using EventCode="4625". The problem is that the search returns a lot of results of user "$" trying to log on to itself or other hosts. I believe these logon...
Transform field extraction works from default but not from local
I'm using the Splunk TA for Symantec Endpoint Protection 2.3.0, and for the latest version of SEP some of the log file formats have changed, so the field extractions aren't working. I've taken the...
Communication log: convert from object name to IP/port
Hi all, currently I am using a non-audit input to collect logs from Checkpoint SD into Splunk, but it provides object names rather than IPs and ports. To make searching easier, I would like to collect only IP addresses and...
Performant method for referring to original event field values *after*...
I am working with computer systems—for this question, the *type* of systems is not important—that forward events to Splunk (7.3). These events contain periodic snapshots of system performance...
Field aliases created were not working
We have created several field aliases based on different sources and sourcetypes in our Splunk query. Most of the field aliases created were working without any issues, but some of the aliases created were...
Monitor or MonitorNoHandle?
Hi, if one wants to import the DNS query log on a Windows server, which is appropriate to use: the Monitor or the MonitorNoHandle stanza?
TIMESTAMP_FIELDS for different sources and timestamps using the same sourcetype...
Hello guys, TIMESTAMP_FIELDS must be set up in props.conf on the indexer side, so how do I use TIMESTAMP_FIELDS for different sources and timestamps using the same sourcetype _json? Must we define...
rex in sed mode to replace special characters
Good morning, I need to replace special characters with a line return, but I am having difficulty getting rex mode=sed working correctly. Example: foo fields hr$D362$processing long$trip |...
Force python3 on custom commands
Hi all, I've a custom command but it requires python3 to launch properly. Errors in the job inspector: `09-17-2019 13:49:30.497 INFO ChunkedExternProcessor - Running process: /opt/splunk/bin/python...