DB Connect and sourcetypes
Good evening, I was using DB Connect and it was forwarding events to my indexers, searches were working and everything was great. However, the DBA then cleaned the source DB the events were coming from...
Log event skipped on read
Hi, I'm generating a stats (csv) file that is updated every second. The log has no errors/skips, but I've found that if I don't specify an interval within inputs.conf it will miss randomly and/or part...
Splunk UF Deployment - Possible Issues
Hello. We are planning on deploying UFs across our enterprise ~ 3000 systems. Currently, we have deployed UFs to 50 systems and have seen no issues. Before doing a large deployment to cover our entire...
Azure File Share and Splunk
Hello everyone. I have an Azure File Sharing folder with log files. Is there a way to read all these files from Azure File Sharing folder and show the logs into Splunk web? Thanks.
Replacing backslash not working in SEDCMD after re-directing through...
Hi, I am trying to escape the backslash character from JSON data. It works when I apply SEDCMD definitions in props.conf sourcetype - mysrc. But when I re-direct the definitions to transforms.conf...
Splunk Addon for AWS
Hello. The addon configured for AWS runs from 3 HFs to get the data from the SQS queue; however, on the SQS, the "Messages Available" grows to 999K+ and is not getting cleared. "Messages in Flight" appears to...
No events indexed REST API for twitter
I am very new to Splunk, and I have just connected the twitter API to my splunk data source. And this is how my configuration looks ![alt text][1] ![alt text][2] [1]: /storage/temp/275155-1.png [2]:...
Does `maxTotalDataSizeMB` apply to all indexes in one indexer?
I am a beginner in Splunk and I had a doubt related to the `maxTotalDataSizeMB` property. Assume I have only one indexer. Now I have created many indexes like `web_app`, `iot` etc. Now, a separate index Db...
Change Cluster Map Color to solid color with error
Hello, I am trying to make it so that my cluster map pie chart turns all one color when there is an event containing an error. So instead of being mostly green with a little bit of red, I would like...
Appinspect in CI Pipeline - Memory use?
I'm using AppInspect (2.0) in my Bitbucket Pipelines step as a check on merge. In the past I don't remember this happening, but now it's taking even longer than usual to run (5m ... to now indefinite)...
Why doesn't a > WHERE clause work when an = does?
I cannot seem to get my search to return results when comparing a property with a greater than comparison even though using an equals comparison does work. The 'elements' property in my message is a 0...
How to split Cluster Master/Deployment server into two separate servers?
Hi - I am migrating Splunk to new hardware and looking for a way to split the combo cluster master/deployment server into two separate servers as recommended. Can anyone advise me which files need to...
How to extract a field with a NULL/blank value
I am working with winevent logs for failed logons (Event 4625) and I have a log that has null/blank values for Account and Domain. When I try to extract the field I can see in the IFX that it is being...
Contingency table using dictated column fields
I am currently looking to make a table that shows how variables from 5 fields (the first five rows that splunk says have the biggest count) end up being spread into 5 new fields. As of now, I have...
When setting no_priority_stripping = true, the host changes
Hi, when I set no_priority_stripping = true, the host changes from IP address to host name when performing a search in Splunk. Example: Host="10.10.10.170" to Host="ABC-DEVICE". Before setting...
Why am I losing events when neither the cold path usage nor maxage is being met?
I have an index I'm using to backfill a bunch of data, and as I'm tracking the event count by sources, I'm seeing splunk throw away events literally by the millions randomly (I'll keep track of the...
How to define which heavy forwarder instances to deploy apps to?
Hello - I have 3 HFs and about 150 UFs and 1 deployment server and other instances. In a new configuration, how can I use the DS to deploy apps to only these 3 HFs and UFs, not to other instances?...
How to read different time slots from lookup table
Hi splunkers, I have a situation where I need to read different operational hours of the same bin size for the last 3 days. Scenario: 9-10 10-11 11-12 12-13 13-14 14-15 15-16 .............23-24 Today 1 2 3 4 5 1 day...
Overwrite _time with field only shows all entries in timechart ignoring the...
Hi, I need to perform a timechart count for a particular field. The dates in the field aren't related to the timestamp the log was received and can go back to dates a few years ago, and so I overwrite...
Where does Splunk store the output of shell scripts?
Hi, on Splunk forwarders, we have a few shell scripts in "SPLUNK_HOME/etc/apps/my_app/bin/" that are being run. Just wondering, where are the outputs of these shell scripts stored? Shell scripts don't have...