Azure Data into Splunk
Dear All, What is the best way to push Azure data (Active Directory, blob data) into Splunk? Please let me know what the best possible way to achieve this is. If there is any documentation, please share the link....
Eliminate some values in fields in stats count
index=* | spath msg.uri | rename msg.uri as url | rex field=url "shop(?<ex_url>[a-zA-Z\/\-0-9\.]+)" | rex field=ex_url "buy-(?<family>[^\/]+)\/(?<product>[^\/]+)" | eval url_N="/shop/"+"buy-"+family +"/" + product +"/" | eval...
Role-level search restriction
Hello, Assuming I have a role created "myapp_admin_role" and there is a setting for the User-level concurrent search jobs limit of 3. This role has inherited another role under Inheritance called...
How to display a modification on the Active Directory?
Hello, I want to display a table with the different modifications made on AD (group add, user creation/removal, etc.) with the details of the operation, but I cannot find the details in the logs. I...
Datamodels getting rebuilt after attaching to a new Search Head
Hello, We are trying to move from a single node installation to a multinode/Distributed Search installation (1 SH and 2 Indexers), not clustered. For this we have copied the full Production installation and...
Nested case -> match within mvjoin
Hello, I'm trying to create a multi-value field 'category' which takes its value from a 'case(match(' that queries a user's AD group membership and returns the category value based on the memberOf...
Using timewrap for a specific time window
Hello Everyone, I am trying to count the events for the window 8PM (Day 1) to 6AM (Day 2) for the last 3 days so that I can compare the count of the events for the last 2 time windows. Assuming I am running the...
High quality chart export
Hi community, Do you know if there is a reliable or supported way to export charts from a dashboard in a high quality format? I've tried to test some JS using html2canvas but with no results, and it...
Concurrent calls per minute
I'm trying to calculate the amount of concurrent calls per minute or another time span (e.g. 5 minutes, ...). I'm using the concurrency function to achieve that. There's one problem though: The...
At index time, merge multiple lines with the same timestamp
Hi there - our customer has a custom app we cannot modify - for each unique event, the app sends a log with 2 or 3 lines - each line has the same timestamp - and nothing else is common (no "event id")...
Custom JavaScript being overwritten by default Splunk view (common.js)
I'm creating a new dashboard with custom layout/style in Splunk enterprise security app. I'm experiencing an issue while adding my custom.js script to dashboard. I have placed the custom.js file in...
Not getting proper output of query
Hello everyone, In my query, if my field value (Current_Day, Current_Day_Actual, Current_Day_Average, DifferenceFromAverage) is zero then I am not getting the proper output. For example: This is the result from...
Splunk Citrix monitoring
Hello All, What are the add-ons available for Citrix monitoring for version 7.x? I have seen some Add-ons/Apps available in Splunkbase as listed in the image; do we have any other add-ons available?...
How to compare 2 lists from 2 different searches?
I have 2 different searches to create 2 hosts list, and I want below from splunk search: 1. Find all hosts from 1st search from a csv. 2. Find few hosts from different 2nd search with a criteria. 3....
Getting results in verbose mode but not in smart or fast mode
I have an indexed file using `INDEXED_EXTRACTIONS=csv` in props.conf. When I search `index=abc field_name=123` I get results in all three modes, i.e. fast/smart/verbose mode, and all fields are getting...
Frozen Buckets not going to Frozen Path
Hello, I'm trying to configure my indexes to store frozen buckets on an NFS share mounted to the Splunk Server. I have mounted the share, created a path with sub folders for each index. I've set this...
How to configure Splunk to read a csv file from a universal forwarder?
Hi, I have one csv file at location /apps/data_splunk/.csv And this CSV file has data like below JAN-18 | 31-JAN-2018 | -1 | 1 | 31-JAN-18 | 01-FEB-18 | 727 JAN-18 | 01-FEB-2018 | 1 | 1 | 01-FEB-18 |...
Splunk "Show Source" does not match IIS log file
Hi, At my company we have noticed that for some records (1-2%), the data we see in Splunk does not match the data coming from the IIS logs. This is a rather interesting problem, when we conducted...
REST API Input -- Checkpoint datetime parameter encoding in API URL
Hello! I am trying to define a REST data input that uses an encoded URL param to fetch data. That param is a datetime value, called 'last_seen', see the following image:...
How to stop datamodels from rebuilding on a new Distributed search
Hi, We broke up a single install [SH + Indexer]. We have created a new SH and added the original Indexer (full of data, Indexer and Data models). When logging into the new SH the data models are rebuilding. How...