Add multiple fields count values
Hello, I have 6 fields that I would like to count and then add all the count values together. For example, I have Survey_Question1; I run stats count by that field, which produces: (NULL) 5630 1 2 3 4 4 24 5...
Is Google Analytics Reporting for Splunk compatible with Splunk 7.3.x?
Splunk Web just mentions that it is compatible with Splunk 7.2 and older versions of Splunk.
Error on maclookup command -- netaddr not found.
Trying to use the maclookup command offline and getting the error: command="maclookup",: failed to use the netaddr module! Using version 2.5.2 of TA-maclookup on Splunk 7.2.5.1. Have installed the...
Stats aggregation with potentially an eval-where clause is ideal
I am trying to work a set of data that looks like this: ![alt text][1] I want to display it like so: ![alt text][2] My problem is getting the mv list of failed sessionIds. I wish we had something like...
REST API: How do I limit saved searches to a specific app?
I'm trying to list the names and IDs of all the saved searches in a given app by specifying the app in my HTTP request, like so: curl -Lsk -H "Authorization: Bearer ${LONG_TOKEN}" -d "output_mode=json" -X GET...
Query For Earliest Logon and Latest Log Offs
Hello! I need to build a Splunk query that displays the earliest log on and latest log off times for a user in the same table / chart over the span of 60 days - and let's use Event ID 4624 for log...
Need help in extracting results from two indexes?
In the below query, I'm using indexes "abc" and "def" and extracting the results only for the accounts which are present in index "abc" and not in "def" for each hour. The query works fine but I've an...
Search killing _audit
Our _audit file keeps growing and growing. We have identified what is filling it up but cannot figure out what is causing it. The user is stripa. If I search index=_audit stripa, I find 100's of...
Drilldown in Dashboard??
Hello,... I have created dashboards in Splunk Enterprise with statistics tables and bar, line and pie charts. I need a drill-down option that will take me inside to the selected field or value. For example: I have...
After indexing data, can we change the timestamp year in Splunk??? in same...
Hello,... I have loaded my data into Splunk; that's 2017 data. I need to change the year of the data in the index, because I have already created some reports and dashboards with the variables. Is that...
Why does Splunk custom REST endpoint time out automatically after 500 seconds
Hi, We have distributed Splunk deployment running version 7.3.0. We have a custom REST endpoint which runs some searches and returns the search results in JSON format. When we run searches for long...
How to sum 2 rows in a table?
Hi, in the logs I am analyzing, one of the fields' values has changed (the change is from '-' to '_'). For example, if it was A-1 before, now it's A_1. The rest of the entries are as is. So my table looks...
Any insights on getting the following error "Save changes failed. Settings...
In Phantom, when adding an External Splunk under Administration Settings -> Search Settings, getting an error that test connection failed and when saving getting error "Save changes failed. Settings...
Proofpoint Syslog missing logs
I have a distributed environment. We send proofpoint logs via syslog. We have contacted proofpoint support and they say that the logs are being sent to the syslog server. I am using TCP 6514 to send...
Receiving the error in Phantom when adding external Splunk under...
In Phantom, when adding an External Splunk under Administration Settings -> Search Settings, getting an error that test connection failed and when saving getting this error: "Save changes failed....
What causes a forwarder to become inactive and stop forwarding logs?
We have set up "Splunk Forwarder Management" and apps are being successfully deployed to the clients that are polling the Splunk server on port 8089. We have ensured the check-mark "Restart Splunkd" is...
Any reason why the TCP_REFRESH_MODIFIED and TCP_MEM_HIT response codes aren't...
I have a squid access log that has entries containing status codes of TCP_REFRESH_MODIFIED and TCP_MEM_HIT - all with an HTTP status code of 200. These events don't have an 'action' field as the...
Arrange non-null values in a field
Hi, I have the below events 100, ABC, , , 110, DEF, , , , , , , , ,120 ,GHI, 130, JKL, , , , , , , , ,140 ,MNO , , , , , , , 150,PQR , I need to assign this to a field and move all null values to one...
Mix Path and Cluster Maps
Is it possible with this app to have some of the markers rendered as paths and others rendered as just markers? My data contains static features, cell phone towers, and moving features, cars....
Queues are getting blocked
I have one heavy forwarder and one indexer+search head. I am monitoring (a high amount of) zip files in the heavy forwarder and parsing them using indexqueue and nullqueue to reduce the number of logs to reduce...