Performantly overriding sourcetype per event with new replacement string, not...
I know how to use Splunk 7.3.0 to override source type per event using a backreference. For example, given this snippet of incoming JSON Lines: "code":"red" I can do this in `transforms.conf`: REGEX =...
Print latest and values of status in an order.
I have something like this: `|stats value(status) by time, id`. I want to print the latest time and values(status) in the order they got indexed or happened, by id. Can someone help? Thanks!
Group by id.
I have a query like this: `index=MyIndex | stats values(status) as status by id, time | dedup id,status`. It gives me something like this: Status id time apply 123 2019-10-28 10:04:02.707 EST verify 123...
SmartStore: SmartStore throws S3Client 404 error on receipt.json files
As part of internal testing, migrating data from the Classic index to SmartStore. The indexes.conf was configured with S3 configurations pointing to the on-prem S3 remote object store, we do see the...
Splunk overall performance with auto refresh dashboards
How will an auto-refresh dashboard impact the performance of the Splunk app in general? The dashboard I'm planning to enable auto refresh on consists of 4-5 panels (searches) and will refresh every 40-60...
Right top align "last updated time" token, within Time picker fieldset panel...
I am trying to top-right align my "last updated time" token (as a separate div) in the Timepicker panel, but I am getting issues. How do I resolve this issue? I want to show the time in the top-right...
If multiple events at different time, only return most recent events based on...
Hi, I've got a search that returns me the following results: ![alt text][1] [1]: /storage/temp/276050-capture.png Basically, I would like to only keep the most recent events for an IPAddress IF the...
Formatting outputs of latest events in multiple sourcetypes possible?
Hello, I am trying to take a search like this `index=public sourcetype=public1* OR sourcetype=public2* newyork* earliest=60m@m | convert ctime(_time) as time | stats latest(time) by device, sourcetype`...
DHCP log monitoring in cluster environment
Hi, I have a DHCP cluster environment: cluster IP xx.xx.xx.xx; active node yy.yy.yy.yy (D:\DHCP\logs); passive node zz.zz.zz.zz (F:\DHCP BKP\DB and Logs\logs). How to monitor the DHCP logs in a...
Minimum free space 32 bit
I keep getting a message stating that I do not have enough space. I went to general settings to adjust the limitation. When I go to save it, it is requesting that I enter a kv port which I know my 32...
Using Transaction Command more than once in the query
My query: index=abcd sourcetype=applog OR (sourcetype=nginx AND uri=/v1/abcd) | transaction startswith="status=201" endswith="className=SYSTEM resourceName=/event/v1/util" | rename duration as...
How to convert old dashboard XML to new dashboard beta JSON?
I'm using Splunk Enterprise 7.3.2 on-prem. How to convert existing XML dashboards to a new JSON format?
How to use CIM?
Hello, I read about CIM, saw Splunk Fundamentals 2 and read the documentation, but I don’t understand how to use CIM and how CIM works. Help me understand, please. Thanks.
CentOS 7 - Splunk 7.4.2 - Enable/Disable boot start - issues as non-root user
We have set up "enable boot-start" as the non-root user "splunk" and it's not systemd managed: `/opt/splunk/bin/splunk enable boot-start -user splunk -systemd-managed 0 --no-prompt --accept-license`...
How to use a portion of the hostname in your inputs.conf monitor path?
Got a bunch of logs to pickup from different machines. Evidently each machine has a share to the other machines, so I need to only pickup the log in the directory matching with the actual host name....
IPv6 convert to IPv4
Some of the data stored in Splunk is in IPv6 format. I want to know how to convert the IPv6 format to the IPv4 format. In addition, I would like to know how to convert IPv6 format to IPv4 format when...
Correlating multiple logs to get combined data for Active Directory Events
All, I need help with combining logs from Load Balancer/SNAT and AD Domain Controller to get the combined results in a single query. I could come up with separate queries and am looking for help combining...
Accessing Saved Report output in JSON from Splunk REST API
I have some reports saved under the search app. I want to access these report outputs via the Splunk REST API in a Java program. I am trying the REST API below to access the output in a Java program. API:...
Asset uploads in Splunk Web's local location
When I upload a file, say CSS, JS etc., using Splunk Web (i.e. through 'App Name' -> Edit properties -> Upload File), where does it get saved in my Splunk instance? NB: Please forgive me if it is too...
How entity discovery works in Splunk App for Infrastructure?
How does entity discovery work in Splunk App for Infrastructure? Is it something like a traditional discovery tool that scans the network? Or are only the added entities visible?