Timechart question:- combining two values for plotting timechart
My query is something like below index = "A" | table x | stats dc(x) as total | appendcols [search index = "B" earliest="d" latest="@now" | table y | stats dc (y) as active ] | eval ratio =...
BOTSv2 capture the flag app does not work properly
Hi, I'm trying to get the BOTSv2 dataset and scoreboard working with these documents: https://github.com/splunk/botsv2 https://github.com/splunk/SA-ctf_scoreboard Some of the apps are not available...
Deployment server with load balancer sitting in front of two HFs
Hi - I'd like to know if there is any issues when I add a new F5 load balancer in front of two HFs receiving apps update from a Deployment server? UFs -->F5 load balancer --> HF1 & HF2...
Use mobile device to open browser with splunk dashboard, add input function...
When we use a mobile device to open a browser with a splunk dashboard, add input functions like time/multi select cannot work normally in Splunk 7.x. But using a PC browser to open the same splunk...
How to detect the 1 liner entries in splunk?
For some reason, 1 liner entries are sent to my splunk after incapsula logs shifted to LEEF format. Initially, we were using CEF format. sourcetype:incapsula 1 liner log entries look like this:...
After configuring LDAP authentication with AD groups, few users are unable to...
We have newly setup the Splunk Environment in AWS platform where we have used LDAP authentication method and created AD groups to determine permission to users and login to Splunk Web. The issue we are...
Mixed Content Tile Requests
Hey there, we've got users complaining about Maps+ panels not rendering tiles. We suspect that some network and / or browser configurations drop the responses from mixed content requests. Chrome...
Rsyslog failover and load balancing while forwarding logs to a FQDN (dns)...
2 heavy forwarders are configured to receive syslog inputs on port UDP / TCP 1600. Linux servers are configured to send the logs to a single dns entry instead of an IP address. The dns entry has been...
Is passAuth still supported for scripted inputs?
Anyone know if `passAuth = user` scripted input option is still supported in more recent version of Splunk? This is still listed in the official...
How to run stats for just user and return values for other fields?
I have the following search looking for > three login attempts with > 0 successes and two or > failures by user, src, Country, Region, and City which limits me to searching for all five...
Retrieve a CloudWatch metric without dimension
Hello there, has someone already succeeded in retrieving data from a CloudWatch metric that has no dimension? We have configured a custom metric generated from a metric filter: [link text][1] The thing...
Monitoring windows services
how do you monitor a windows server service that is set to start at boot time and flag it if it stops or did not start? For instance monitoring the MSExchangeFrontEndTransport service every 20 minutes...
Has anyone been able to configure TTP_Impersonation or TTP_Attachment?
Hi guys, For the Mimecast TA, we have configured all eight of the inputs the exact same way. Six are ingesting. TTP_Impersonation and TTP_Attachment are not. Does anyone have any insights on how I can...
Splunk Add On for Encore - pkcs12 issue
Installed and configured Cisco Estreamer Encore add on for Splunk (3.5.8) both on the Firepower FMC and on my Splunk heavy forwarder (Splunk v 7.2.7). I can get estreamer-status and estreamer-logs to...
How to filter only latest log file for each time period
I have a very simple process to monitor monthly ETL processes, so I only get one file each month. That is until something goes wrong and I get more than one (reruns, bug fixes, etc). For my dashboard I...
Word Count in a Url
Newbie here! How can I get a word count in a url? I am trying to count the number of occurrences of the word "organizations" in a url.
Splunk validate_all.py errors
When I run validate_all.py splunk_archiver_dashboard.xml --- shows following errors /Applications/Splunk/etc/apps/splunk_archiver/default/data/ui/views/splunk_archiver_dashboard.xml INVALID...
How to split multiple values in single cell to new line in join search
There are a few columns in the table that have multiple values in a single line. I need them to be on separate/new lines. Current result preview: 4 12 22 87 2 Expected result view: 4 12 22 87 2 How do I...
How can I enrich data for Infosec app for splunk?
Hello Splunkers, Not sure if "enriching" is the right term to use but I'm hoping someone can point me in the direction of some documentation that will help me get more information into, and out of, a...
Alert condition to count total events instead of count by
I have the below sample splunk query that returns me count by Errors - index="abc" earliest=-1h "/payment_items" "Exception" | rex field=_raw "Exception:\s"(?.*)"" | fields request_id, Error | dedup...