How to search multiple counts based on fields condition using single stat
There are multiple fields like time, number, description, severity, status, restore_duration. I want to take the total count, the count when status has the value true, and the values of restore_duration when severity is 1. I...
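One way to get all three results from a single stats command, as an added example that is not from the original post. The field names status, severity and restore_duration are the ones named in the question; the index name and the literal "true" stored in status are assumptions:

```spl
index=restore_events
| stats count as total,
        count(eval(status="true")) as status_true_count,
        values(eval(if(severity=1, restore_duration, null()))) as sev1_restore_durations,
        avg(eval(if(severity=1, restore_duration, null()))) as sev1_avg_restore_duration
```

count(eval(...)) counts only the rows where the expression evaluates to something non-null, so each conditional aggregation runs over the same event set without a subsearch or an appendcols. Add `by host` (or whatever grouping you need) at the end to split the counts.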
Search events of subsearch in append displays both subsearch and parent...
Hi guys, I have been struggling with this issue for a few days, please provide me your inputs. I have a search query sourcetype=my_source | search my_search_filters | eval message=case(searchmatch("account...
How can I find out which users have launched Microsoft Office Applications
My CIO has requested a report that shows each user (or at least the number of users) who has launched an application, specifically any application in the Microsoft Office Suite. I'm not sure where to...
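One way to build that report from Windows process-creation events, as an added example that is not from the original post. It assumes process creation auditing (Security event 4688) is enabled on the endpoints and forwarded with the Splunk Add-on for Microsoft Windows, which extracts New_Process_Name and Account_Name; the index name is an assumption:

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
      (New_Process_Name="*\\WINWORD.EXE" OR New_Process_Name="*\\EXCEL.EXE"
       OR New_Process_Name="*\\POWERPNT.EXE" OR New_Process_Name="*\\OUTLOOK.EXE")
| eval office_app=mvindex(split(New_Process_Name, "\\"), -1)
| eval user=mvindex(Account_Name, 0)
| stats dc(user) as distinct_users, values(user) as users, count as launches by office_app
```

Account_Name is multivalued on 4688 when both the creator subject and the target subject are logged, so the first value (the account that started the process) is taken. Without 4688 auditing there is no process-launch record to report on; if Sysmon is deployed instead, the same query works against its EventCode=1 events with the Image and User fields.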
Alert setup for 10 sourcetypes in one alert if zero event count
Hello, I have a .csv file with a list of sourcetypes, and we need to monitor whether the event count for these sourcetypes goes to zero or they are not seen in the last 24 hours. This is what I'm using, but any suggestion will be much...
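One search that covers every sourcetype in the list at once, as an added example that is not from the original post. It assumes the CSV is uploaded as a lookup named monitored_sourcetypes.csv with a single column called sourcetype:

```spl
| tstats count where index=* earliest=-24h latest=now by sourcetype
| inputlookup append=true monitored_sourcetypes.csv
| fillnull value=0 count
| stats sum(count) as count by sourcetype
| where count=0
```

tstats reads the index metadata rather than the events, so it stays cheap over 24 hours. Appending the lookup adds one row per monitored sourcetype with a null count; after fillnull and the sum, any sourcetype that produced no events keeps a count of 0, while sourcetypes that did report are removed by the where clause. Schedule this as an alert that triggers when the number of results is greater than 0, and make sure the owner's role can search every index involved, because tstats only counts what the search user is allowed to see.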
Self Servicing on Splunk - deploying TAs?
All, I have been asked to make Splunk more self-service. The first ask from management is that our developers be able to code and release their own TAs for their own apps in our development data...
Splunk Enterprise Security Post-Install Configuration ERROR
I am trying to install Splunk ES v5.3.1 on Red Hat Enterprise Linux Server release 7.6 and Splunk Enterprise 7.2.5. We have one search head, one indexer, two HFs and some other UFs. All indexes are...
How to color a table cell based on another column's cell value?
I have two columns in a table, host and status. My status column has the values 200 and 404. Based on the status column, for every host I want to color the host cell. I don't want to color the status cell or...
Eval: calculate fields with null values
Hello, I am attempting to run the search below, which works when all values are present ("One, Two, Three, Four"), but when one of the values isn't present and is null, the search won't work, as the eval...
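In SPL any arithmetic that touches a null field evaluates to null, so the whole eval result disappears. The fix is to give the missing fields a default before the arithmetic, shown here as an added example that is not from the original post; the index, sourcetype and the four field names are assumptions modelled on the question:

```spl
index=app_metrics sourcetype=step_timings
| eval missing_fields=0
| foreach One Two Three Four
    [ eval missing_fields=if(isnull(<<FIELD>>), missing_fields+1, missing_fields) ]
| fillnull value=0 One Two Three Four
| eval Total=One+Two+Three+Four
| table _time One Two Three Four Total missing_fields
```

The foreach pass records how many inputs were absent before fillnull papers over them, so a row whose Total is built from defaulted zeros is still distinguishable from a complete one. If you only need the sum, `eval Total=coalesce(One,0)+coalesce(Two,0)+coalesce(Three,0)+coalesce(Four,0)` does the same without the fillnull.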
User Login Activity
With this add-on will I be able to see user login activity with source IP, etc.? I want to be able to monitor when and from where (especially by Country) user accounts are logging in. Splunk 7.3...
How to look for events within a specified time period?
Thanks to @richgalloway, who provided me the way forward on returning raw events in table format after a search with eventstats: index=foo | dedup src | iplocation src | eventstats count by _time City src...
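A search that serves both the login-activity question (when and from which country accounts log in) and this one (restricting the events to a time window) is shown below as an added example that is not from either original post. The index, sourcetype and the field names user, src and action are assumptions; iplocation is the built-in command that adds City and Country from Splunk's bundled GeoIP database:

```spl
index=auth sourcetype=my_auth_logs action=success earliest=-7d@d latest=@d
| iplocation src
| fillnull value="unknown" Country
| stats count as logins, dc(src) as distinct_ips,
        min(_time) as first_seen, max(_time) as last_seen
        by user Country
| eventstats dc(Country) as countries_seen by user
| convert ctime(first_seen) ctime(last_seen)
| sort user -logins
```

The time window is set with the earliest and latest modifiers inside the base search, which is what lets Splunk skip buckets outside the range; a `| where _time>=relative_time(now(),"-7d@d")` after the search would filter correctly but only after reading every event. The countries_seen column flags accounts that authenticated from more than one country in the window, which is usually the first thing to review. Private or RFC 1918 source addresses have no GeoIP match and show up as "unknown".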
How can I get a PowerShell script to run at startup and every day thereafter?
How can I set a PowerShell script to run on startup and every 24 hours thereafter on a UF? I have tried using `interval` and `schedule`. Most of my UFs are on 7.1.4, but there are some older 6.6 UFs...
DB Connect 3.1.4 and Oracle Wallets
Hello, I'm trying to configure a DB Connect connection that uses Oracle Wallets, but keep running into the following error: > PKI classes not found. To use 'connect /' functionality, oraclepki.jar...
Alternative to join subsearch to avoid 50k results limit
I can use the following search to get 1 day's worth of data, but anything longer causes the subsearch to hit its limit. Please help. index=x_default sourcetype="x.alarm.y.norm" device_type=term...
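The usual way around the join subsearch limit is to search both data sets in one base search and let stats do the correlation, since stats has no result cap. Shown here as an added example that is not from the original post: the alarm sourcetype is the one named in the question, while the second sourcetype x.device.y.inventory, the key field device_id and the fields site and device_type are assumptions standing in for whatever the truncated join pulled in:

```spl
index=x_default (sourcetype="x.alarm.y.norm" OR sourcetype="x.device.y.inventory")
| eval alarm_time=if(sourcetype="x.alarm.y.norm", _time, null())
| stats count(eval(sourcetype="x.alarm.y.norm")) as alarms,
        max(alarm_time) as last_alarm,
        latest(device_type) as device_type,
        latest(site) as site
        by device_id
| where alarms>0
| convert ctime(last_alarm)
```

Both sides of the former join are read in one pass and grouped on the shared key; the where clause keeps only keys that actually had alarms, which reproduces an inner join, and dropping it gives the equivalent of an outer join from the inventory side. The 50,000 figure is the default of join's `max` argument; it can be raised, but the search above scales with the data rather than with a limit.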
How to calculate the difference of two searches
Following is my Splunk query: index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h | eval DBCount=if(_time>relative_time(now(),"-15m"), "CurrentCount", "PreviousCount") |...
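The question's query already tags each event as current or previous; what remains is to turn the two tags into two numbers on one row and subtract them. That continuation is added here as an example and is not from the original post; it keeps the question's index, search terms and time split:

```spl
index=main "rest/bi/applicationStatus" Action_Response_Time>1 earliest=-1h
| eval window=if(_time>relative_time(now(),"-15m"), "current", "previous")
| stats count(eval(window="current")) as current_count,
        count(eval(window="previous")) as previous_count
| eval previous_per_15m=round(previous_count/3, 2)
| eval delta=current_count-previous_per_15m,
       pct_change=round(100*delta/previous_per_15m, 1)
| table current_count previous_count previous_per_15m delta pct_change
```

Because the search spans one hour, the "previous" window is 45 minutes against 15 minutes for "current"; dividing the previous count by 3 puts both on a per-15-minute basis before comparing. If previous_per_15m is 0, Splunk's division yields null rather than an error, so pct_change is simply empty for that row.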
Latest ServiceNow release, "New York", breaks the Splunk add-on for ServiceNow
ServiceNow has forced an upgrade on us to the release named New York, and the Splunk integrations are broken. They pointed us back to Splunk for an app update. Is there any ETA on support for this...
Comparing multiple fields from multiple inputs
So I've found many questions that are similar to what I'm trying to do here, but not quite the same, and I've not been able to get any of them to work right for me. Apologies if the answer is out there...
Eventgen installation in a clustered environment
Hey Splunkers, I'm trying to install and configure Eventgen in a distributed and clustered environment. So far I have: - installed the SA-Eventgen on the CM - pushed this app (via master-apps) to all...
Error while creating eval expression for calculated fields in data models
I have a data model and defined about 5 fields. But one of the fields doesn't always have a value. I want it to show as "null" when there is no value in the log. So for this particular field, I created...
Splunk Enterprise Security: Post-install configuration receiving error message
I am trying to install Splunk ES v5.3.1 on Red Hat Enterprise Linux Server release 7.6 and Splunk Enterprise 7.2.5. We have one search head, one indexer, two HFs and some other UFs. All indexes are...
Duplications from ServiceNow into Splunk?
It appears that when trying to pull the sys_transaction table into Splunk (still looking at other tables), I am getting duplicates. The 1st issue I see is that the "sys_created_on" field from the Splunk...