Basic lookup command
Hi all, I am curious about the best way to write the following lookup query. I have a 1-column lookup of firewall rule names. I would like to search our firewall index and use the lookup to determine which...

How to get aggregate total of 3 months of response times in chart
I've created a search to chart the average response times of each application over the past 3 months. How would I get the aggregate total of each month per application? Search: COMPANY="FOO" PORT="*" |...

I have one source type and 2 field values, username and IP. How do I show IP...
I have one source type and 2 field values, username and IP. How do I show an IP that is associated with multiple usernames?

Sort groups by group total
Hi, I want to display the count of occurrences of logline* for each user per date, but sort the groups by total count. My data is something like user1 10/10/2019 logline1 user1 10/10/2019 logline2 user1...

How to convert _time to mm/dd/yyyy Day H:M:S AM/PM
My _time format reads 2019-10-13 04:19:21. I am trying to convert this _time value to the format mm/dd/yyyy day h:m:s AM or PM. Can anyone help me with this? Thanks,

Security log entries in wineventlog index and main index
I currently see wineventlog:security as a source under my wineventlog index for the Splunk_TA_Windows app and also under my main index. Is it possible I am indexing this data twice? Will Splunk...

Splunk DB Connect and JDK
Hi guys, I installed DB Connect successfully using the JRE some time ago. The trick is that you have to have Java installed, and JAVA_HOME set, _before_ you install DB Connect for the first...

Access search results for search upon login
Hi, sorry, a very n00b question, and I apologise if this is in the doco, but I couldn't find anything in the search doco about it. Can you kick off a search, log out of Splunk and log back in later and...

Best Way to Count Multiple Users logging into 1 Computer/Address with Cisco...
Trying to find the best way to log anytime a number logs into more than 1 computer. Not sure the best approach for this. My current query is: index=cisco_ise sourcetype="cisco:ise:syslog"...

Splunk could send email after the upgrade from 6.5 to 7.1 (ERROR...
Hi there, I have performed a version upgrade from 6.5 to 7.1 and found that the Splunk instance becomes unable to send emails (scheduled reports and triggered alerts). The error messages are as follows:...

How to hide a panel when I select only the Unoccupied option from a dropdown
I have a dropdown with many values. I want to hide a panel and instead display another panel when I select the Unoccupied option from the dropdown.

Map command shows results only when the second query has a value
Hi Splunkers, I have a first query which produces 50 results; I am using the map command to run a different query for each of the 50 results of the first query and getting values, but when the map command search query doesn't...

Fail on start Splunk after the upgrade of Splunk Enterprise Security from...
After upgrading to Splunk Enterprise Security v 5.3.1, it fails on startup with the following error: [root@splunk02 bin]# ./splunk start Splunk> Another one. Checking prerequisites... Checking http port...

Pass alert count as argument to Python script
Hi, I have a requirement to get the alert count from "Searches, Reports, and Alerts" under the Alerts column for a specific saved search. This alert count needs to be passed as an argument to a Python script...

List of users who have logged into Splunk in the last 30 days and what...
Hi, looking to get some help with a query for the following: a list of users who have logged into Splunk in the last 30 days and what Apps/Indexes they accessed. Thanks.

Wildcard search from lookup
Hi, is there any way to get all the values in a column from the lookup table to build the default choice option in the dropdown? I want to remove the hard-coded list of hosts in the default and...

UF is not sending a few logs
Hi all, I have a UF installed on my Windows machine and it has IIS logs and App logs. In the last few days, my forwarder has not been sending App logs to the indexers. I have another machine which has the same log...

Help with regex in getting the value out of a certain word
Hi everyone. I'm not very good at regex. I would like to ask for your help here. The situation is to get a certain value based on a given word. The value does not have a format and is very messy....

Splunk corrupts incoming JSON Lines by introducing bogus \x-prefix escape...
I was curious to see how Splunk (7.3.1) handles escape sequences in JSON strings, so I created a test file of JSON Lines: {"code":"variant-characters","time":"2019-10-15T10:00:00+08:00","test":"|...

Is it possible to ingest-time eval _indextime field?
Hello! I have a distributed deployment of Splunk Enterprise. All my UFs send raw events to two HFs, which send cooked data to a three-node IDX cluster. My search interface is a three-node SH cluster. I...