Turn off Master Node/License Master/Deployer Machine
Hello everyone, I'm actually dealing with an infrastructure composed of three search heads, two indexers and a single instance with master node, license master and deployer together. Now, for...
Where does Docker's splunk-logging-plugin read splunk-capath from?
I have docker running with docker-machine on my Mac. In my docker VM I have loaded my company's internal root certificate in `/etc/ssl/cacert.pem`. Install the plugin with `docker plugin enable...
Split One Radio Button Into Columns
Hi everyone, I have a dashboard input with ~40 options. I could set this to a Dropdown which would work fine, but ideally want to keep it as a radio button and split the many rows across a couple...
SmartStore does not work well
I think SmartStore does not work well. Standalone environment, and the version is 7.3.1.1. I edited indexes.conf like this: /opt/splunk/etc/system/local/indexes.conf [default] remotePath =...
Help for displaying fields in a table panel even if the result field = 0
Hello. In a table panel, I need to display every sourcetype's results even if the sourcetype result = 0. I have done an if condition but it doesn't work. Could you help me please? `windows` sourcetype="Win"...
Create a dummy row if no data
If there is no data for a table, I want to create a row whilst waiting for the event to appear, and add the word "Running" to the table until an event appears in the query below: index=cronhost_billing...
Subsearch doesn't exclude results from main search, what is wrong?
I have the following search: index=my_index asset_type="Workstation" asset_atp="false" asset_status="ACTIVE" earliest=-1d@d latest=-0d@d | search NOT [search index=my_index asset_type="Workstation"...
Need help with field extraction
In the log below, I need to extract the genres. In a single log there are multiple genres; for example, in the log below we have 3 genres (Comedy, Drama and Romance). My requirement is to...
Not able to install any app.
Hi all, while installing any app, I am getting an SSL error. Can someone help me fix this? Below is the error message. Please let me know in case anything is needed from me. Unexpected error...
Basic HTTP status query (404 error, 200 success)
I would like to show HTTP traffic from my F5 (load balancer) to web servers for statuses 200 and 404 (200 green, 404 red). As a basic example, something like this: index = iis | stats...
Truncation of some sourcetypes
I am getting some strange behaviors for some of the sourcetype transforms. 70% of the events are still showing sourcetype=pfsense. The only 2 that get transformed correctly are pfsense:filterlog,...
Is there a way to display current time with marker in event timeline viz in...
Is there a way to display the current time with a time marker in this dashboard in Splunk? (screenshot: /storage/temp/275875-aaaaaaaa.png)
Query optimization without join
I have multiple indexes and sources. Initially we wrote the query using join and got the desired output, but now our planners want the query to be optimized and not use join and append. Below is my...
MSA - Insufficient privileges to collect resource usage metrics
Hello, we decided to run Splunk (Windows) with an MSA (Managed Service Account) with the minimum permission requirements from this documentation:...
Sum by Name Regex
I've spent a while messing around with this and can't get anything working. I need to sum a list like this by Storage1 and Storage2 to get a total of each Storage*. This is a much larger list in reality...
Why is the Splunk App for Unix on Windows server not displaying data?
The Splunk App for Unix default dashboard on a Windows server is not displaying any data. I can run a search from within the app and get data, but not from the standard/default dashboard. Any idea how to...
Windows event IDs not parsing all events correctly
When looking at Windows event logs I notice that there are a lot of events that still have the and not this hinders my ability to table out different event IDs. I have tried to create a...