Combined logs, props.conf transforms.conf and inputs.conf
I have a centralized syslog server which I forward all other server logs to. All of those logs are combined per log type such as /var/log/messages, /var/log/secure, etc. I've setup my transforms.conf...
Is it possible to run a curl command on a dbxquery?
I am working with Splunk's rest api. I have to make a post request to splunk and get some data from a dbxquery. I tried using the following curl command but got an error stating dbxquery is an unknown...
Wake-On-LAN Configuration Guide
I am having issues configuring Wake-on-LAN in my environment, are there instructions for setting this up?
Does HEC provide guaranteed delivery, and if not, what are my options?
I want to ensure that the messages sent to HEC make it to Splunk. What are my options?
Your Splunk license expired or you have exceeded your license limit too many...
I'm trying to use Splunk Enterprise at my company and I get this error about my splunk license. Our company is licensed, so I'm wondering if Splunk is somehow looking at my work PC/personal license...
Why isn't Splunk ingesting new rows from CSV file?
I have a 4-server Splunk scenario: 1. index server 2. deployment server 3. search head server 4. deployment client server (w/ a Splunk Universal Forwarder known to be configured correctly and working,...
What are the possible causes for the marked sign?
I am logged in to an indexer and getting a red marked sign along with the Administrator tab at the web panel (port: 8000). What are the possible causes for this? Thanks in advance!
Receiving error in search to compare two fields
Where is the error? (index=paloalto sourcetype="pan:threat" action=allowed severity=critical src_interface="ethernet1/2.110") OR (index=trend sourcetype="deepsecurity-intrusion_prevention") | eval...
Length of every column in a table?
I have a table with ~50 columns. I am doing an addcoltotals on the table, but this only adds up the numeric fields. Can someone please suggest an elegant way to take the length of every field in the...
Unable to filter out lookup table values
I'm trying to filter out false-positive domains in a search of DNS events by using NOT on the ut_domain field of the lookup table. The search runs but provides no results, despite there being events...
Versions above 7.1 for UFMA?
The Splunkbase page says, "Splunk Versions: 7.1, 7.0, 6.6, 6.5" are supported. Perhaps this is futile, then (if so, sorry), but we're running 7.2.6 on average. Will UFMA support above v7.1?
SSL Medium Strength Cipher Suites Supported (SWEET32) and SSL RC4 Cipher...
We have received notice that our Splunk heavy forwarder is vulnerable to CVE-2016-2183, CVE-2013-2566, CVE-2015-2808. Can anyone please suggest how to remediate this vulnerability or if any workaround...
Splunk App for Jenkins missing certain console lines for a Jenkins Job...
We're using the [Splunk App for Jenkins](https://splunkbase.splunk.com/app/3332/) and [Splunk Plugin for Jenkins](https://wiki.jenkins.io/display/JENKINS/Splunk+Plugin+for+Jenkins) in order to ingest...
Splunk REST API to retrieve proper JSON using Python
Team, I am able to make a POST call to the export endpoint and get the search results. I am using the Python requests library. The result is not proper JSON. It returns multiple JSON with preview...
Passing a query string as token
How to extract the query stored in the form of a key-value pair in a lookup and execute the query in a single go in the search app? For ex- |makeresults|eval field1= "index=*|stats count "| --> how can we...
Help on if condition for results = 0
Hello. In a panel table, I need to display every key_path even if the key_path result = 0. I have done an if condition but it doesn't work. Could you help me please?? index="toto" sourcetype="WinRegistry"...
How do AUTO_KV_JSON, KV_MODE and INDEXED_EXTRACTION work in detail?
Hi, this is a long running issue with splunk creating multi-value mv fields when JSON extraction runs at index time **and** at search time. Especially in a distributed environment it can be...
Using span option with timechart causes incorrect column names.
Splunk Ver: I tested in 7.3.0 and 6.6.12. Timezone: I don't know if it's relevant to this problem, but it is JST. If I run the following search, the column name will be "99". | makeresults count=10 | eval...
Search is waiting for Input on dashboard stuck for quite long
In one of our servers, we are getting the "search is waiting" warning for quite a long time. It takes around 10 seconds, after which it will be loaded.
Search optimization question
Hi all, I had some trouble with a search but got it to work. But the search itself isn't that "clean" I suppose. Someone mentioned `Timechart` but I couldn't get it to work. This is the search:...