| rest /services/cluster/master/peers
I have an SH cluster and an Index cluster all running 7.1.7. I'm trying to access the **cluster/master/peers** endpoint by executing this search: | rest /services/cluster/master/peers When I run this on...
Splunk User Role: How do I choose a particular app as default when I log in
I logged in to the Splunk web URL and I see many apps. How can I make one app the default so that when I log in I don't need to select my app from the list?
Enabling HTTP Event Collector using a deployment app is buggy
Environment: Splunk version: 7.2.5 Distributed deployment with multiple Heavy Forwarders managed by Deployment Server. I wrote an app for the Heavy Forwarders to handle the inputs:...
How to use Machine Learning Toolkit to find a Malicious New Service
Currently, we run software applications on top of the normal services that are running in the Windows OS. I would like to use the Machine Learning Toolkit app to find an outlier service that is new and...
How to create a linechart with Percentages via Timechart
I'm looking to create a timechart that will show the percentage of success versus failure of 6 different fields over the past 6 months (broken up by each month, so I believe it's span=1mon). The goal...
Tonight I got a new host appearing by mistake...
Here is the host, but when I try to search for it, nothing......
Trouble with extracting data from JSON event
Hi, I am storing the events containing subscribers per subscription topics. The events look like this:...
Need help with bundle replication failure
Hello, I am always getting the below message on my Search Heads even though I wrote: distsearch.conf: [replicationBlacklist] staylocal = *.csv limits.conf: [lookup] max_memtable_bytes = 1000000000 The...
How can I run a Python script whenever the alert is generated taking the...
I am looking to create a Python script which should run whenever we get alerted. Also, my alert would be showing a hostname and I would like to use that hostname information inside my...
Collectd throwing SSL errors from one server, but not others
I have installed and configured collectd on 3 servers so far, and on 2 of them it works fine. These servers show up in the Splunk App for Infrastructure correctly; I can view all metrics as expected....
When to use KV Store vs Index?
I'm working on a TA that pulls new domains from an API once per day and stores them in a KV store. I use this KV store in searches to monitor network logs for any events with domains that match domains...
REGEX Help
Trying to pull the value from the 2nd set of brackets [ ] from this log. Some of the data values are blank, some start with a "/" and some are just text/numbers. Struggling to set regex to get the...
How to display the events for the count
Hi all, I am trying to display the events of the "count" (which is of multiple fields); how do I do that? I am using the append/appendcol command to combine 2 queries and display its count. When I click...
foreach with more than one FIELD?
Hello, in the code below, the first foreach sums the values in field A, and returns 21 (5+3+2+6+1+4=21). The second foreach counts the number of B fields that have a value of 1, and it returns 4 (for...
How to assign data to an index?
I have data from different sources already forwarded to forwarders. Indexes are already created on a combined deployment-master server; next, how can I assign the data per source to a desired index? Thanks,
Splunk forwarding all logs ignoring props.conf
Greetings! Sorry, I am a newbie and this might be a simple question, but I couldn't find any answer that works for me. I'm trying to forward a set of logs to a 3rd party SIEM server using these settings:...
How to upload ESRI files into Splunk?
Hi, I have some ESRI files. I would like to use them within Splunk (geofencing). I found this document: https://www.splunk.com/blog/2015/10/01/use-custom-polygons-in-your-choropleth-maps.html But it is...
chronyd support?
Does anyone know if there is a plan to support chronyd in addition to the legacy ntpd? Chronyd is the default in RHEL7/CentOS7. Or has anyone updated time.sh to support chronyd? Regards, Mikael Lindstrom
How to efficiently query all indexes for a list of IPs
**BACKGROUND:** My Disaster Recovery team is compiling a list of all IP endpoints, and has requested that I query all of my Splunk Events (*in all Indexes*) for anything resembling an IP. I created...
How do I get max for all events to use in timechart 1h span?
(this may be a duplicate, as I wrote a version of this question before registering and can't find it) I have a situation where I have a column of values and want to use the maximum of all events...