Splunk 6.4.2: What are the proper procedures to update the RHEL7 OS, as to...
Running on Splunk 6.4.2. Can someone tell me the proper procedures to update the RHEL7 OS, so as to limit Splunk downtime? We have a clustered environment: a master/deployment server, 4 indexers, 1 ES search...
Splunk Add-on for Microsoft Azure: Why am I not receiving data and getting...
I am having an issue with the Splunk Add-on for Microsoft Azure. I installed and configured the Add-on (storage account name and access key) based on the documentation. The app is not pulling data....
When trying to forward IIS logs from one indexer to another indexer, why is...
From indexerA I am trying to forward Windows Event Logs and IIS Logs to indexerB. The Windows Event Logs are being forwarded properly, but the IIS Logs (sourcetype=iis) are not. (Splunk Enterprise...
How to adjust my alert to provide results with each record on a separate line?
I am trying to adjust my alert to provide results with each record on a separate line. I have the following search string that counts the total records and does a subtotal. If it goes over a certain...
Why is my notable event not showing up in Incident Review?
Hi, when I try to create a new notable event to display in Incident Review, it's not showing up in Incident Review. I did it as per the documentation. Select Configure > Incident Management > New...
How to create contextual drilldown from table to timechart with different...
I'm trying to make a dashboard. So far I have a table which is derived from a multisearch, because the set of fields is different: | multisearch [search index=x host=y | eval name="A"] [search index=x host=y |...
How to configure srchFilter for a role to limit the results by indexer?
I have a Splunk Enterprise setup, with a handful of main indexers and their own search head clusters, and a bunch of little departmental indexers paired with individual search heads. One of the...
Splunk Enterprise Security: Why is the Incident Review dashboard not...
Hello All, I am working with the Splunk Enterprise Security App, and in the Incident Review, under Urgency, we have 5 labels: Critical, High, Low, Medium, Info. The problem is when we click on one of the...
Splunk DB Connect 2.3: Why is the rising column value not used in search after...
I am using an input in Splunk 6.4.3 and Splunk DB Connect 2.3, that makes use of Rising Column in Advanced mode for MySQL. Indexing occurs correctly, and all goes well until it has finished parsing...
Cisco CDR Reporting and Analytics: Why am I getting a read access error after...
Hello, I want to set up Cisco CDR Reporting and Analytics app on Splunk 6.4.2 // Win7, and I can mount and access through a shared folder to my CDR repository (for Splunk and R&A app could see the...
How do I extract information populated in one panel to another panel in the...
I would like this to occur in the same dashboard. Sort of similar to a pipe command between panels.
How do I extract top values by a specific field and have them display along...
index=* sourcetype=* host=* | search Event=176 | top limit=20 User| table Location, Event, User, Address, Time It displays the table but my columns with the fields **Location, User, Address and Time**...
Is it possible to run two Splunk instances simultaneously without creating...
Hi, I am planning to migrate my current Splunk Enterprise instance to a new server, but my organization requires that I complete the migration for all test environments before placing anything in...
Why is my Python custom search command running very slow while using external...
Hi, I have written a custom search command in Python for Splunk which utilizes the bcrypt library to match a password hash. When I try to run the Python code in PyCharm it runs fine, but when run in...
Why does my indexer stop responding to search heads but indexing continues?
Hi, we are noticing performance issues on an Indexer. The server in question is being used to index network data, so the index rate is high. Type: Physical, CPU: 32, Mem: 32 GB, Splunk Version: 6.4.1, Splunk...
How to index a SOAP response using REST API Modular Input?
Hello Splunkers. I have a WebService that I need to get data from. I have to do the following steps: 1) Send a SOAP request to login to the WebService and get a SID (Session ID); 2) Use this SID to do...
Why can't you use a wildcard when searching for tags (tag=*)?
I've always known that you can't search **tag=*** but I never knew why. Maybe the old-time splunkers can enlighten me?
How do I modify my search to create a visualization from transaction id events?
Hi, I am searching the logs to trace the events in the log files for a given transaction id. I see the results from two servers, the flow is like this: Transaction id 'T10001' produced 6 events....
How can I improve my active directory data search so that it does not take a...
Hi, I have a search that is taking waaaaaaaaayyyyyyyyy too long and am looking for ideas on how to improve it, be it tstats/datamodels/fields.... Here's my search (active directory data): index=AD |...
How can non-admin users share content across apps globally?
I want my users to be able to share content (e.g. Dashboards and field extractions) from the Search app to all other apps. These users have a limited set of capabilities, but have write permissions on...