How to exclude duplicate events based on a field value in another event?
Hi, I have an "asset discovery" type of query that uses a CSV and 4+ indexes, and produces tens of thousands of results that look similar to this: id device serial origin 111 routerAlpha 12345 sales...
Why does Splunk selectively ignore duplicate events (not ingest events) from...
I'm trying to learn how Splunk works by presenting it small sets of data and observing the results. The results of my most recent test really surprise me. I'm not sure what to make of it. I have a...
Software uninstalled
Dear all, how can I know if someone uninstalls an anti-virus solution on a Windows server or client? Can we get those logs with the Windows TA?
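An added example, not part of the original post, of one search that surfaces software removals from the Windows Application log as collected by the Splunk Add-on for Microsoft Windows. Windows Installer (source `MsiInstaller`) writes EventCode 1034 ("Windows Installer removed the product") and 11724 ("Removal completed successfully") for MSI-based uninstalls; the index name `wineventlog`, the classic (non-XML) sourcetype, and the product-name pattern in the `match()` call are assumptions to adapt to the environment.

```spl
index=wineventlog sourcetype="WinEventLog:Application" SourceName=MsiInstaller (EventCode=1034 OR EventCode=11724)
| rex field=Message "Product Name:\s+(?<product>.+?)\.\s+Product Version"
| rex field=Message "Product:\s+(?<product>.+?)\s+--\s+Removal completed"
| where match(product, "(?i)antivirus|endpoint protection")
| table _time host EventCode product
```

The two `rex` calls cover the two message layouts (1034 carries `Product Name: ... Product Version:`, 11724 carries `Product: ... -- Removal completed successfully`); only one matches per event. This only catches products removed through Windows Installer. Products with their own uninstaller leave no MsiInstaller event, so pair this with Service Control Manager EventCode 7036 in the System log (the AV service entering the stopped state) or with an alert on the AV agent's own log source going silent. With `renderXml=true` inputs the sourcetype becomes `XmlWinEventLog:Application` and the field names differ.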
How to get kvstore values with the command rest?
Hi all, I'm currently retrieving lookups from another SH in this way: | rest splunk_server=server_name splunk_server_group=* /services/search/jobs/export search=" | inputlookup my_lookup.csv"...
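An added example (not the poster's search) showing the KV store data endpoint that `| rest` can read directly, so the collection's records come back as search results without going through `search/jobs/export`. The app `search`, the collection `my_collection`, its fields `ip` and `status`, and the server name are assumptions; the collection must be defined in that app's collections.conf on the target search head.

```spl
| rest /servicesNS/nobody/search/storage/collections/data/my_collection
       splunk_server=server_name count=0 query="{\"status\":\"active\"}"
| table splunk_server _key ip status
```

`count=0` removes the result cap of the `rest` command, and `query=` is passed through as a GET argument so the KV store filters server-side (the JSON must be escaped inside the SPL string). As with the export approach, `splunk_server=` only reaches hosts that are configured as search peers of the search head running the query, and the call runs with the searching user's permissions on that peer; use `splunk_server=local` for the local KV store.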
How to configure the universal forwarder to a heavy forwarder and then to an indexer?
Hi, can someone help with the steps I need to take if I have the flow below: Universal Forwarder ------- Heavy Forwarder ------- Indexer. I also need help with how to parse the traffic when the log is at the heavy...
How to create a search to do a count on the latest event only?
Hi, I want to count the last event of a subsearch. I am doing "stats count last" but it doesn't work. What do I have to do, please? Something with _time? `test` [| inputlookup host.csv | table host |...
How to get stdev and avg from a multi-column timechart for event-flow trends
Hello! I want to compare my event flow rate from the benchmark (last 21 to last 7 days, 14 days in total) to the last 7 days, to determine if there are any abnormal activities or to determine how my flow...
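An added example, not from the original post, that turns a per-sourcetype daily timechart into a baseline comparison: the 14 days from 21 to 7 days ago supply the average and standard deviation, and each of the last 7 days is scored against them. The index name `firewall` and the z-score threshold of 2 are assumptions.

```spl
index=firewall earliest=-21d@d latest=@d
| timechart span=1d limit=0 count BY sourcetype
| untable _time sourcetype events
| eval period=if(_time >= relative_time(now(), "-7d@d"), "recent", "baseline")
| eventstats avg(eval(if(period="baseline", events, null()))) AS base_avg
             stdev(eval(if(period="baseline", events, null()))) AS base_stdev BY sourcetype
| where period="recent"
| eval zscore=if(base_stdev > 0, round((events - base_avg) / base_stdev, 2), null())
| where abs(zscore) > 2
| table _time sourcetype events base_avg base_stdev zscore
```

`untable` converts the multi-column timechart back into one row per day and sourcetype, which is what `eventstats` needs to compute `avg` and `stdev` per column. Using `timechart` rather than `stats count by _time sourcetype` matters for the baseline: a day on which a sourcetype sent nothing is kept as 0 instead of disappearing, so an outage lowers the average rather than being hidden. The guard on `base_stdev` avoids a division by zero for sourcetypes with a perfectly flat baseline; those rows are dropped rather than flagged, so list them separately if a flat source suddenly changing is itself interesting.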
Where is the "What to Search" panel?
On the Search and Reporting main page there is no "What to Search" panel, which was mentioned in the Splunk Fundamentals 1 training. Does anyone know why it might not be there and how I would be able to access it?
(Unfortunately) My Splunk server is on Windows... but I need to monitor Linux...
I have a single Windows server running Splunk Enterprise, and I have a Linux server with the universal forwarder installed and sending logs... that is working. Now I need to add the nix add-on so I can...
Chaining custom alert actions
Hi, I am looking to chain a couple of custom alert actions. The use case is monitoring a node that is down. When it is down, alert action #1 is triggered and pings the node as verification. If the node is indeed...
Creating an average completion time chart based on stages in a process
I am attempting to set up some sort of dashboard using Blue Prism data. I am new to Splunk, and my research into attempting what I am doing has failed. I am trying to set up a chart that shows the...
How to create a drilldown that will go from a value on a stats table to a...
I want to create a drilldown that will go from a value on a stats table to a time chart for the clicked pool name in a new tab. I've been at this for a few hours now and I can't seem to get it to work....
Compare and find missing values from two indexes with the same field heading/name
Trying to create a report using two indexes on the same field, "Pcname". They are different data types: one is from **Active Directory** and the other is from **SCCM**. The same computers are present in both indexes, see...
Modify Splunk_TA_infoblox to separate events into indexes
Splunk_TA_infoblox resets the "sourcetype" of input events, in my case from "infoblox:file", to 3 different values: infoblox:dns / :dhcp / :threatprotect. I am trying to modify the TA to put those events...
SQLAUDIT log files from a folder
Hello, we have several DB servers that are sending logs to a single folder. How can I collect those logs into Splunk? Do I need to create a new sourcetype, or can they be indexed into an app? Thank you...
A single forwarder has multiple GUIDs (Splunk v7)
In forwarder management I was missing a client (which is indexing data and showing up in search as well). That same client/forwarder appears under the monitoring console forwarders. I followed the...
TA-IOC Lookup: No stanza, no key
I've tried to set up this app with the external API credentials, but I keep getting the following error: command="securitylookup", No totalhash stanza in api_keys.conf, add stanza and th_key and...
Compare the IP_address field in 2 indexes and ignore the data with the same...
I want to run a report comparing 2 indexes on the "IP_Addresses" field. Ignore any matching "IP addresses" (if an IP is present in both indexes then ignore it, else display it in the query/report), or list any...
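An added example, not from either post, covering both the Active Directory vs. SCCM "Pcname" question above and this IP_Addresses one, since they are the same problem: find values of a shared field that appear in only one of two indexes. It is written for the Pcname case; the index names `ad` and `sccm` and the lower-casing are assumptions, and the IP case is the same search with `IP_Addresses` in place of `Pcname` and the normalisation dropped.

```spl
(index=ad OR index=sccm) Pcname=*
| eval Pcname=lower(trim(Pcname))
| stats dc(index) AS index_count values(index) AS seen_in BY Pcname
| where index_count < 2
| table Pcname seen_in
```

`dc(index)` counts how many of the two indexes each value was seen in, so `index_count < 2` leaves exactly the values missing from one side, and `seen_in` tells you which side has it. Normalising case and whitespace first matters for hostnames, since AD and SCCM rarely agree on casing and a mismatch would otherwise show as two "missing" entries. This `stats`-based pattern is preferable to `join`, whose subsearch is capped (50,000 results by default) and would silently drop computers on a large estate; to get the inverse report (values present in both), change the condition to `index_count = 2`.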