Need Index vmware performance data certain time
Since the Splunk Add-on for VMware pulls a lot of performance data from vCenter, I need to index performance data for 1 minute at minutes 0, 15, 30 and 45. However, there is no time data in _raw to filter out the...
timechart showing OTHER for some values
process_inst_id=258600,process_def_id=30,process_name=MIWrite,start_dt=08-OCT-2019-07:39:49,end_dt=,completed=N,running=Running,exe_period=1,avg_exe_period=1,status=GREEN host =...
Is there a limit on the number of HEC tokens on a Splunk server?
We are planning on on-boarding several apps into Splunk using HEC. Does anyone know if there are any limits on the number of tokens Splunk supports per server? I know there will be...
My splunk enterprise webserver is stuck as below and starting.
My splunk enterprise is stuck below and starting. Splunk> 4TW Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking appserver port [127.0.0.1:8065]: open...
How to convert UTC to CST
We are receiving events on our syslog collector in the UTC timezone. Below is the sample event. I have configured the below props on our search head. My assumption was it will pick the search head timezone...
My splunk enterprise webserver is stuck as below and not starting.
My splunk enterprise is stuck below and not starting. Splunk> 4TW Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking appserver port [127.0.0.1:8065]:...
My splunk enterprise webserver is stuck as below and not starting.
My splunk enterprise webserver is stuck as below and starting. Splunk> 4TW Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking appserver port...
Search head looks at cluster and separate index
In the middle of creating a new environment with an index cluster. On our current setup we have just one indexer. Is it possible to configure the new search head to search both the old indexer and new...
CloudWatch RDS Logs to Splunk
I am using Splunk App for AWS couple of Questions : In the guide https://docs.splunk.com/Documentation/AddOns/released/AWS/CloudWatchLogs it says Splunk strongly recommends against using the CloudWatch...
Index some of a certain event code
Follow-up (ish) to https://answers.splunk.com/answers/757315/why-isnt-my-transforms-working.html as I let it sit idle for a while. I want to index Event Code 4688:...
[SmartStore] Do warm buckets on S3 get rolled to frozen automatically?
Just recently set up SmartStore in a test environment using a single index, and I'm trying to figure out some details on the bucket lifecycle. So far I know that hot buckets are stored locally and when...
Set up log-to-metrics from Universal Forwarder to Splunk Enterprise
I've followed the docs for setting up log-to-metrics but I haven't been able to get it to work as intended. I have a CSV file being monitored by a universal forwarder that then gets sent to Splunk...
How to piechart true false values, How to create Pie Chart with only true...
I am working with this search query: `index=lab-testresults type=browser NOT(browser="UK*" OR browser="Firefox") suiteID="*" | stats latest(success) as success by browser noxID | stats...
How does dedup treat multivalue fields?
As the question asks, which events are removed when multivalue comes into play?
splunk SPL
my search | stats count(eval(Code="3011648")) as "Incorrect login code" I am counting incorrect login code from this I want to divide count by week Monday Tuesday Wednesday Thursday Friday Saturday and...
Metadata command returns only one sourcetype
We've got over 50 sourcetypes, however, when I run the command below, I only see syslog under the sourcetype column. | metadata type=sourcetypes | sort - totalCount Does anyone have an explanation?
DBConnect Parsing
Hello- **The old process:** Executing a SQL query in SSMS and importing a csv into Splunk. Once importing via manual upload to the search head, Splunk automatically assigned searchable fields to the...
Typing and Index queue shows 100%
I have noticed that Splunk is running relatively slowly as of recently and found that the typing queue and indexing queue are both at 100%. What is the cause of this and how do you remediate it?
stats count by source type missing some sourcetypes otherwise present
index=app_xxxxxxxxx_products cluster_name=dxx-exx-awslab sourcetype=xxxxxxx:deployment-info | stats count by sourcetype returns a count for the sourcetype, but when run as: index=app_xxxxxxxxx_products...
Color code result set based on uniqueness
I am running a query and it provides me the following result (as an example) **ENV VALUE** env1 1234 env2 2345 env3 1234 env4 2345 Is there a way I can color code the lines that are same, meaning, i...