Report Schedule via SH
Hello there, I have some scheduled reports that write to summary indexes; I scheduled them via a sh script with curl. This is what the script does for every scheduled report: 1. Enable report 2. Schedule...
Where do I find the non-scheduled searches under the backend?
I am able to see the saved search under the UI but not in savedsearches.conf.
Help on comparison between 2 lookups
Hi, I use the search below in order to retrieve the fields host, SITE and STATUS from a lookup and to compare them with the field host in another lookup: | inputlookup host.csv | lookup...
SolarWinds NPM ver12 to Splunk
Hello All, So I'm currently following the links below in integrating SolarWinds NPM to Splunk. [https://answers.splunk.com/answers/380984/solarwinds-orion-and-splunk.html][1]...
Calculating hours since event
I am attempting to calculate hours since an event occurred; however, the calculated time shows decimals including .6 to .9 between hour values. index=abc | eval time_difference=(now() - _time) | eval...
How to extract Docker Daemon json data into proper fields
Hi All, below is one event in Splunk. How do I extract the MSG, PromotionId, requestId, status and command fields? { [-] log: 2019-10-15 11:56:47.047 INFO paXXX-command-service:ppe...
How to monitor localhost through REST API Modular Input for Splunk?
Hi All, I am trying to monitor the output of localhost through the REST API Modular Input for Splunk. http://localhost:8888/services/health The purpose is to have the health check results shown in JSON format....
Pivot Limit
I use a datamodel and I access it with pivot command. Everything is fine until there is data with long text. Let's say there is field A, B, C, and field B has long text. The text in field B is...
Need to display the latest event as a result
Search query 1: index="main" earliest=06/01/2019:00:00:00 latest=now | stats first(status) by src destination port Search query 2: index="main" earliest=06/01/2019:00:00:00 latest=now | stats...
Excessive Jobs / Optimized Search
I have optimised my search as I can see but I have now run into a problem wherein my search is spawning 39 jobs on each refresh. This is obviously killing resources and causes my dashboard panels to...
How can I carry over field values into future time buckets?
I have three fields: order_number, status, and a timestamp for when that status became effective. There are three statuses - ready, in_progress, and complete. I need to create a dashboard that provides...
Getting Field Values to appear in Pie Chart
I'm trying to get the number of the field to appear in the pie chart. Currently with the following search and XML change I can get the label and the percentage of the field but would like all three to...
Lookup table issues devices
We have been using a lookup table for many customers who are separated via separate indexes. The table is simple but drives our device dashboard data using a customer_id_tok for dropdowns. Each...
How do I create a chart using web access logs as the source? I want a list of all...
How do I create a chart using web access logs as the source? I want a list of all URIs which shows counts of error codes 40* and 50*. I am using the below Splunk query for getting a list of URIs with error codes...
Query related to website/service downtime duration calculation
Hi All, I have the below dataset for a website:
Time, title, response code
01/10/2019 08:22 ABC_PORTAL 200
01/10/2019 08:24 ABC_PORTAL
01/10/2019 08:26 ABC_PORTAL
01/10/2019 08:28 ABC_PORTAL
01/10/2019 08:30...
What are the differences between heavy forwarder (HF) and HEC?
What are the differences between heavy forwarder (HF) and HEC? Under which scenario is which option preferred on AWS environment and why? Thanks.
What is the DR approach of Splunk ES on AWS?
Hi everyone, Assume the best practices of Splunk AWS is deployed on production AWS region (e.g. London). How to design the DR of Splunk? 1. create another best practice design in another region (e.g....
ldapquery for getting users in the OU groups
We are using SA-ldapsearch to pull the data from AD. As part of one of the security use cases, I need to pull all the users which are part of multiple groups from the same OU. Say I have an OU named Admin...
I don't have admin but need dashboard tabs - any way to do that?
I don't have admin but need dashboard tabs - any way to do that? Tried reading the manual, nothing there.
Alert query using mstats
I know that events and metrics use different index types. Does that mean I can't create an alert (outside of metrics workspace) using an SPL query with mstats? E.g., I am pumping collectd uptime info...