How to monitor changes made to the inputs.conf file?
Hello, we update the inputs.conf file periodically. I want to keep track of changes made in the inputs.conf file. Any suggestion on how we can upload the file to Splunk whenever changes are made in...
How to edit my search for process flow analysis to sort and group values as...
Hi, I followed instructions here: https://answers.splunk.com/answers/132016/process-flow-tracing-point-to-point-latency-calculation-visualisation-swim-lanes-is-it-possible.html to analyse users stuck...
How to configure and use the Splunk Add-on for McAfee with Splunk DB Connect?...
Hello. I am attempting to use Splunk DB Connect with the Splunk TA. I have successfully created identity and connection in the DB Connect gui. I have tested and am able to run queries etc... Now I copy...
How to search the duration between the time a user logged in to a host and...
I'm having a hard time wrapping my head around this, and after a few false-starts, I'm hoping the community can point me in the right direction. My goal is to search some logs by User ID and show the...
How to run different timerange in subsearch versus the original search?
Hi, I'm trying to execute this query: index=index_cbo [search index=index_cbo 12018955000155 "An error ocurred during \"Conexão com servidores\" initialization step."| dedup CNPJ| table CNPJ]...
How to detect TCP Connection time_taken, TCP Connection Refused, and TCP...
I have several questions regarding Splunk Stream for TCP protocol: 1. How to measure time_taken for TCP Connection establishment between TCP SYN and SYN-ACK using Splunk Stream? 2. How to detect TCP...
Usage Report - Previous 30 Days shows only 3 days of information.
Hi, When I access the "Usage Report - Previous 30 Days" I am being shown only 3 days of information. Is there something that needs to be set to rectify this?
Sorting String with Number in Splunk Table
Hi, as far as I know Splunk does not have inbuilt functionality to convert/format a number such as 10000 as 10K or 1000000 as 1M. So I wrote a few eval statements which do the task and I am able to get the...
Unable to merge multiple lines for a non-JSON log file into a single event.
I have a log whose sample format is similar to below. There are some cases where not every line starts with a time stamp. I want to break every time this occurs as a separate event. I tried below...
Calculate weekdays assuming Saturday as 1/2 day
Hi. I want to calculate the weekdays in a month, using this: | gentimes start=11/01/16 end=11/31/16 | search starthuman!="Sun*" starthuman!="Sat*" | stats count My problem is that I need to count the...
Splunk add-on for opsec (4.0): Handling fields containing escaped pipes (\|)
Hi, I'm trying to find a good way to handle a situation with logs from CheckPoint URL filter and Application Control. They contain the relevant URLs in the `resource` field. The field separator is by...
What scripts are available to run against Splunk log files to identify error...
There are such a variety of log files and I am uncertain which logs contain things that a Splunk admin needs to address immediately. Are there scripts that have been developed to look against the...
Does Splunk have something like Elastic's Sense plugin?
Hi, Does Splunk have anything like Elastic's Sense plugin, which is a gui for the REST API, with auto-fill-in, and such?
Why am I getting error "Error initializing SSL context - check splunkd.log...
My Splunk default CA certificate expired after 3 years. I generated new ones using this procedure: http://docs.splunk.com/Documentation/Splunk/6.4.3/Security/Howtoself-signcertificates. They worked on...
streamstats: reset_after function didn't work, [streamstats]: reset_after...
Hi, I tried to use the function reset_after="("<'eval-expression'>")" of the command streamchart but it didn't work. I want to use this function when the field "description" contains "session is...
For a time input on a form, how do I match the "latest" field in the...
I have a form with this input: Time Range-60d@d@d@d What I want to do is that, whenever someone picks a time range where `time_tok.latest` is "now", I will force it back to **@d** (because our index...
Rename the field values
Hi, I have two fields, salesorg and dist. Whenever I have salesorg=2220 and dist=10 I want to change salesorg to xyz. Can you please tell me which command suits this?
Why am I unable to send audit logs from Linux to Splunk via rsyslog?
Hi all, I need to send audit logs from RedHat 5.8 to my Splunk Indexer - both machines on the same network. On RHEL 5.8, I installed rsyslog and configured the following: rsyslog.conf file $UDPServerRun...
How to edit my rex statement to extract these two fields from my sample SNMP trap data?
I have an SNMP trap that I'm trying to extract two fields from one string with a comma in the middle, but I'm getting no output from the segment of a field extraction for the comma separated pair of...
Splunk App for EMC Isilon file system auditing: Why are some Isilon logs in a...
Hello, I have two issues with the Splunk app for EMC Isilon file system auditing: 1. I believe the app is meant to automatically look up the fail_code and SID in the respective lookup tables and create...