When setting up a heavy forwarder, do I need to create an index locally as I...
When setting up a Heavy forwarder, do I need to have the index created locally as I do in my indexer cluster? So I am setting up Splunk DB Connect and McAfee and have configured the Splunk server to be...
I have a forwarder and indexer set up, but why am I unable to search logs...
I have a forwarder and an indexer. I see the app is deployed in the forwarder at location etc/apps/. Forwarders are up and running. And log files have data as well. But still the logs are not coming up...
Why is my timechart command truncating the results in a line graph?
Hi Splunkers, I have a panel with a timechart command and the visualization is a line graph. If I select the time range picker for one day it is showing fine. When I select 7 days or 30 days (or larger...
Why does the C# SDK 2.0 only work when a query produces results?
Perhaps similar to: https://answers.splunk.com/answers/206372/enumerating-empty-searchresultstream-causes-invali-1.html When I do: var job = await Service.Jobs.CreateAsync(searchString); using (var...
Extract fields using regex
I have the data like: 2016-09-09 06:21:31,858 ... blah ... blah... ... ORA-00001: unique constraint (AN_FIELD.CODE) violated... ... ORA-06512: at "AN_FIELD.DATA_TRANSFER", line 5523... I would like to...
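A rex extraction that pulls every ORA error code and its message out of a line of this shape, as an added example that is not part of the post above. The sample event is constructed here from the fragments shown in the post (the "blah" text is replaced with an invented log prefix), and the field names ora_code, ora_msg and ora_pair are assumptions; in a real search replace the first two lines with your index/sourcetype filter and keep the rex.

```spl
| makeresults
| eval _raw="2016-09-09 06:21:31,858 ERROR [DataTransfer] job failed: ORA-00001: unique constraint (AN_FIELD.CODE) violated ORA-06512: at \"AN_FIELD.DATA_TRANSFER\", line 5523"
| rex max_match=0 "(?<ora_code>ORA-\d{5}):\s(?<ora_msg>.+?)(?=\sORA-\d{5}:|$)"
| eval ora_pair=mvzip(ora_code, ora_msg, " => ")
| table _raw ora_code ora_msg ora_pair
```

max_match=0 turns ora_code and ora_msg into multivalue fields (one value per ORA code in the event, here ORA-00001 and ORA-06512) instead of stopping at the first match; the lazy `.+?` with the lookahead ends each message at the next ORA code or at end of line. The same regex can be made permanent as an EXTRACT in props.conf, but an inline extraction only captures the first match, so keep max_match=0 in the search when an event can carry several codes.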
Query for scenario with status change
Hi All, I have a scenario where an entity, when enrolled, has many statuses, i.e.
EntityName Date Status
Entity1 01-03-2016 In Progress
Entity1 21-03-2016 Active
Entity1 04-04-2016 Blocked
Entity1...
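A search that walks each entity's status history in date order and reports every transition, the time spent in the previous status, and the entity's current status, as an added example that is not part of the post above. The rows are the ones listed in the post plus a constructed Entity2 so the per-entity grouping is visible; the field names prev_status, days_in_prev_status and current_status are assumptions. In a real search replace the makeresults/makemv/mvexpand/rex lines with your index filter and keep everything from strptime onward.

```spl
| makeresults
| eval data="Entity1|01-03-2016|In Progress;Entity1|21-03-2016|Active;Entity1|04-04-2016|Blocked;Entity2|15-03-2016|In Progress;Entity2|02-04-2016|Active"
| makemv delim=";" data
| mvexpand data
| rex field=data "(?<EntityName>[^|]+)\|(?<Date>[^|]+)\|(?<Status>.+)"
| eval _time=strptime(Date, "%d-%m-%Y")
| sort 0 EntityName _time
| streamstats current=f last(Status) as prev_status last(_time) as prev_time by EntityName
| eval days_in_prev_status=if(isnull(prev_time), null(), round((_time - prev_time) / 86400))
| eval transition=if(isnull(prev_status), "enrolled -> ".Status, prev_status." -> ".Status)
| eventstats last(Status) as current_status by EntityName
| table EntityName Date Status prev_status days_in_prev_status transition current_status
```

streamstats with current=f gives each row the values of the row before it (within the same EntityName, because of the sort and the by clause), which is what makes "previous status" expressible without a join; eventstats last(Status) after an ascending sort tags every row with the entity's latest status, so a final `| where Status=current_status` keeps only the newest row per entity, and `| where transition="Active -> Blocked"` isolates one kind of change.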
Configuring Azure Table Storage App in Splunk
I am trying to set up Azure Table storage logs. There is a field I do not know how to populate: Date/Time Column * A date/time column to use for checkpointing and querying for new data. Does anyone have...
How to specify the color of a donut chart? Could anyone please share the XML?
Need help to color my donut chart with a specific color. I'm getting the default color (blue); is there any option like the one we use to specify it in a bar chart?
Alerts page: add enabled status column
How can I add a column to the alerts page in Splunk? Specifically I want to see the enabled status in the alerts listing without clicking on "i" for each alert.
Why doesn't Splunk resolve stats count on a post-process search?
When I try to run a stats count using post-process, Splunk doesn't resolve the query search and I don't know why. This is my dashboard: Post Process Search. Each panel post-processes the base search...
How to create a number of dummy events?
I was trying to find an answer for this in other threads, but unfortunately to no avail. I'm trying to create dummy events imitating log entries. Say I had two real log entries, one from 9/1/2016 of...
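A generator for a batch of synthetic log entries, as an added example that is not part of the post above. It produces 48 sshd-style authentication lines spaced 30 minutes apart starting at the date mentioned in the post, with a rotating set of users and source addresses and a mix of failed and accepted logins, which is the kind of data you want when testing a brute-force detection rule without touching production hosts. The host name host1, the user list, the 10.0.0.0/24 addresses and the index name sandbox are all invented for the example.

```spl
| makeresults count=48
| streamstats count as n
| eval _time=strptime("09/01/2016 00:00:00", "%m/%d/%Y %H:%M:%S") + (n - 1) * 1800
| eval src_ip="10.0.0.".((n % 20) + 1)
| eval user=mvindex(split("alice,bob,svc_backup,root", ","), n % 4)
| eval outcome=if(n % 5 == 0, "Accepted", "Failed")
| eval _raw=strftime(_time, "%b %d %H:%M:%S")." host1 sshd[".(2000 + n)."]: ".outcome." password for ".user." from ".src_ip." port ".(40000 + n)." ssh2"
| table _time _raw
```

Run it as is to preview the events; to persist them, append `| collect index=sandbox sourcetype=dummy:sshd` (the index must already exist and your role needs write access to it). The arithmetic on n is what keeps the output deterministic, so a detection that should fire on, say, five failures from one source in an hour can be tested against a known count rather than random data.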
How to configure data input from a TCP port to Splunk? I have performed...
Here are the steps that I have performed:
1. Installed the Splunk forwarder on my local machine (say machine 1) with receiver index port 9997 (default).
2. On Splunk, configured forwarding and receiving...
Will I get faster/slower queries if my lookup table settings are changed to...
Question on this setting:
[lookup]
max_memtable_bytes =
* Maximum size of static lookup file to use an in-memory index for.
* Defaults to 10000000 in bytes (10MB)
* Lookup files with size above...
Splunk Add-On for Cisco ESA: How to create props.conf and transforms.conf for...
Has anyone created props.conf and transforms.conf for the Splunk Add-On for Cisco ESA/IronPort AMP logs? Each step creates a log entry and the ESA App only does the MID. Each of the other events need...
Unable to start Splunk on Windows after upgrading - "Splunkd: Unable to start...
We recently updated from Windows Server 2008 SP2 to 2008 R2 SP1 so we could upgrade from Splunk version 6.0 to 6.4. Now we are unable to start Splunk and we notice that the application isn't in the...
Nessus Data Importer: Is there a way to import only the most recent scan?
I have a scheduled scan which has run every month for the past 5 years. When I run `nessus2splunk.sh` it starts importing all the scans (including the historical ones); is there any way it can not...
DUO Log Add-on for Splunk: Where to change number of days of historical data...
We configured the DUO Log Add-on for Splunk to pull logs for the last 30 days and everything is working. We would now like to change it to pull logs from the last 90 days. Where can we make this change?
Why is the data not being filtered to another index?
I have the following configuration for filtering the data coming from the UDP port X data input to an index that has already been created:
props.conf
[source::udp:X]
TRANSFORMS-new_index = route_index...
action.email.reportFileName not working as expected?
I'm looking for an option to remove the automatic timestamp from the csv output filename attached to emails. According to both the doco...
How to resolve missing calculated field when search is performed via REST API?
I have a query to calculate the average recipient count for Exchange: index=msexchange sourcetype=MSExchange:2010:MessageTracking sender="sunj@advisory.com" ((source_id=STOREDRIVER event_id=RECEIVE) OR...