Is it possible to schedule the rebuild of an accelerated data model?
Hello everyone, It recently came to my attention that data coming from a lookup within my accelerated data model was not populating correctly. The symptom was that I was finding blank fields where the...
Sending logs using Splunk HEC
Hello, We have a requirement to send the logs from one of our IoT devices into Splunk. As it doesn't have syslog functionality or the ability to install a Splunk agent, we are planning to use HEC. I have gone through...
Cumulative Distinct over time from the start of the selected time range
Hi, I need to find the distinct number of users over time, per hour. I have managed to reach the below query: | timechart span=1h dc(user_id) What the above query does is that it finds distinct users...
How can I run "AMQP Messaging Modular Input" addon periodically
I am using "AMQP Messaging Modular Input" to consume messages from RabbitMQ queues. If the RabbitMQ server stops somehow, Splunk always tries to connect with RabbitMQ and consumes a lot of CPU. How...
Is the Cisco ACI Add on app a pull or push?
Hi Guys, Just a quick question. Is the Cisco ACI Add on app a pull or push?
How to use self join
Hi All, I have a table in which I have columns such as name, id, type, business group etc. The type field has 2 values, 'user' or 'approver'; there are some names which are both user as well as approver for...
Search help
Why is the search result for Metric Appdynamics displayed like this? "Sample events Note: Sample events match the current event type search. Caught kill, exiting... Caught kill, exiting... Caught kill,...
Latest eStreamer not CIM compliant?
I've installed the latest [TA-eStreamer][1] and I'm trying to see if I can get the data into InfoSec App for Splunk for IDS/IDP events. I followed the [setup instructions][2] and I can see data coming...
How to delete the unwanted special characters in an alphanumeric string?
I have a string as below, I need to delete the below special character and make the below a single value 123asdsd-123j;123gasds-1234iujh, and with this create a new field value as...
PowerShell script outputs empty values from second scheduled run
Hi All, I have a strange behavior with a scheduled PowerShell script. The .ps1 script simply executes, in a Try Catch statement: Get-ADUser -Properties * -Filter * | Select-Object AccountExpirationDate,...
DBConnect 3.1.4 doesn't recognize OpenJDK 1.8 on Ubuntu server
I have DBConnect 3.1.4. It lists out OpenJDK 1.8 specifically. I'm running Ubuntu server 18.04.3 LTS. I loaded openjdk-8-jre-headless/bionic-updates,bionic-security,now 8u222-b10-1ubuntu1~18.04.1 amd64...
Does Splunk ingest files that existed before the remote folder monitor was...
I have a client server with a universal forwarder configured to forward data to an index server. On the client server, I have a folder "X" full of csv files. If I create a remote folder monitor for the...
Timezone setting based on forwarder naming convention?
I'm sure Splunk'rs have run across this already, so here's my issue. We have server naming conventions with "D" for DEV, "T" for TEST and "P" for PROD (in the same position of the server name). They...
Running rex within an eval/if
Hello, I Googled **and** searched the Answers forum, but with no luck. Below, in pseudo code, is what I want to accomplish. *eval newfield if oldfield starts with a double quote, newfield equals...
Field Extraction: Regex global flag/modifier
Hi Splunkers, I know that it is possible to match multiple times using `rex` (using max_match=0). Can I apply the same logic to a field extraction? I tried `.../g`,`/.../g`, `(?g)...`, none of these work.
Data Comparison between fields
I am trying to make a search that will compare the field's value with the old field's value to determine if there is any change in the value over time or if there is a new field added. For example, say I...
Passing values from previous search into Map search
Hello All, My query is below. index=tcxelevate_webpos registerType=kioskBridge registerNbr=* countryCode=US tagName=CLIENT_INITIALIZATION enterpriseId=prod storeId=* storeId!=4184 AND storeId!=0001 |...
Intermediate Forwarder Not Sending Data
I have a UF sending to a UF sending to Splunk. The intermediate UF is sending data but just from that host. The first UF's data is not getting to Splunk. Intermediate UF IP 10.0.1.18 Splunk IP...
How to remove multiple logs into a single event
[tomcat] EXTRACT = \/u01\/logs\-(?\w+)\/.* in source ### Adding the below to BREAK EVENTS only at timestamp and TRUNCATING issue BREAK_ONLY_BEFORE = (\d+[- :,-w]+) MAX_TIMESTAMP_LOOKAHEAD = 30 TRUNCATE...
How can I get Splunk_TA_nix to stop running lsof.sh?
**I can't figure out why lsof.sh is running every minute. Here's the** "btool inputs list --debug" **output for lsof:** /opt/splunkforwarder/etc/apps/DS2-ns2-Splunk_TA_nix-cre/local/inputs.conf...