How to write a RegEx to extract the IP address in reverse order?
Currently I am extracting the URL and reverse IP address (D.C.B.A) from a DNS-related event. I would like to capture the IP address in the opposite order (A.B.C.D). I heard this may be possible with...
Has anyone attempted to run Splunk with indexes stored on AWS Elastic File...
Has anybody attempted to run Splunk with the indexes stored on [AWS Elastic File System (EFS)][1]? Reading up on EFS, it seems ideally designed for a tool such as Splunk and, since it is elastic,...
When searching a large number of events, why do I get inconsistent search...
Hi, I am trying to collect the previous 7 days' data for baselines. For selecting the result set I have tried the searches below and got a different result in each case. There are 1,155,072 events indexed in the...
Is there a limit to the number of open KV Stores?
Hi, I am using an external command I wrote; the command saves and retrieves data into/from a KV Store named after a value which is passed to it. Everything went fine for some time, but at some point I...
How to convert 18 character epoch time to format so Splunk understands...
I have a dashboard that shows the status of certain logs reporting to Splunk. Within this dashboard, it also shows the last time an event was sent. Most of my log sources report in 12 character Epoch...
How to make custom collection apps use CIM to use pivots?
Hi all, We're collecting data from a source which contains performance data for a given host on a single line, both for Windows and Linux. I've set up a few servers and a few tags, but I'm unable to...
How to configure Splunk Universal Forwarder 6.2.4 to send data to NMON...
Hi, We have Splunk Indexer 6.2.4 and Universal Forwarders 6.2.4 on client machines. Recently we have installed NMON Performance Monitor for Unix and Linux Systems (TA-nmon) app on Splunk indexer, but...
Is data scrubbing only available for specified roles?
Hi all, I know Splunk can replace identifying data at search time; however, I don't know if this can be done for specified roles only. Many employees in our company may not have the necessary...
Why is Regular Expression (Regex) grabbing digits in multiple cases?
I am trying to grab this response time ****...
Why did upgrading kill the Cisco Security Suite 3.1.2 app and the app had not...
404 Not Found Return to Splunk home page Page not found! View more information about your request (request ID = 57d6cc94d91f8f8670b8) in Search This page was linked to from...
Why are email alerts not sent until Splunk restart?
We have had a problem over the weekend when one of our alerts did not trigger. I had to restart the services to get it all working again. Does anyone have any idea why this might have happened? It's...
How can I generate a search to find hosts which are missing a certain...
I have a sourcetype which is a log created by the AV application on the host. I would like to find hosts which are missing this particular sourcetype (over 4 hours). It seems like an easy search, but I...
Who should be the owner of my Saved Search and Reports in Splunk?
Hi, I have created reports and dashboards in my Splunk test environment. Now we have to move our code to the Production environment. I have some questions, listed below: 1. Who should be the owner of...
Why am I getting error "404 Not Found" trying to configure Cisco eStreamer...
When I try to configure Cisco eStreamer for Splunk, I get the following screen: 404 Not Found Return to Splunk home page Page not found! View more information about your request (request ID =...
How to encrypt archived data?
We have a requirement from our security team that "Backup copies of sensitive information are encrypted". Can someone please provide information on how the archived data can be encrypted? Thanks
Dashboard Assistant: After adding help entries to a dashboard in the Search...
I'm attempting to add help entries to a dashboard inside the search app. The dashboard is called Symantec Antivirus, so the entry is thus: App: Search View: symantec_antivirus Panel: symantec_attacks...
Can I disable Splunk from indexing data for a specific time frame?
I'm one overage away from violating my licenses due to an AV scan on my QA environments and would like to temporarily stop indexing during those AV scans. How can I block Splunk from indexing during a...
Can I search a search head from another search head?
I think I already know the answer to this, but here goes: I have a search head that can access my indexer as a search peer. I have another search head in a separate security group that cannot access my...
Splunk Support for Active Directory: How to pass results from one LDAP search...
I am attempting to take the tabled result from the search below: | ldapsearch search="(mail=[EMAIL ADDRESS])" attrs="cn" | rename cn as group | table group And then I want to take that result and...
Why am I unable to populate custom entries in the Newsletter app?
Greetings, I installed this app and I love the functionality that it provides. Everything works great with the sections that are prepopulated with the data gathered from the scripts, however when I try...