Possible data limit?
Hello to all, I have notice a strange behavior which indicates some kind data limit (I don't know in which side). I'm querying the SecurityEvents of Log Analytics (which has a lot of events) and...
View ArticleHow to restrict search results to columns wanted
I have a search that returns a large amount of information in each row, resulting in many columns, most of which I don't want in this dashboard. How do I restrict it to the columns I want? For example,...
View ArticleLogging to Job Inspector from Custom Search Command
Hi folks. I have a custom search command and I am using `self.logger` to log messages from the command. Please see my `logging.conf` attached. [loggers] # root is mandatory. keys = root,...
View ArticleInput test data from "Registry of Open Data on AWS"
It looks like AWS hosts public S3 buckets for a variety of data. I am looking for a way to input this data into Spunk for testing. https://registry.opendata.aws/ I do have the Add-on for AWS installed....
View ArticleUnable to pass field as an argument to my macro
I'm fairly new to Splunk so I am having a hard time understanding how Splunk passes fields. My search: host=HMWVP* source="WMI:Service" Name=Audiosrv State!=Running |table host Name State |dedup host...
View ArticleIndex gzipped files without .gz extension
Hi, I am trying to index gzipped files that do not have the .gz extension on a window universal forwarder. First I got the following messages in splunkd.log: 11-18-2019 15:06:33.698 +0100 INFO...
View ArticleSplunk DBConnect and retention
Hi All, I am wondering how does the retention works when I am ingesting data which is older than the actual retention period. For example, I have an index with a rention period of 1yr. I now have a...
View ArticleMask a URL in Splunk Alert email body
I am providing a search string in Alert email body. I want to mask this search string instead of showing the contents of it. How can we do it?
View ArticleSplunk_TA_Windows Winregistry Sourcetype missing?
All, Just working with Splunk_TA_Windows today and noticed that there is no specified sourcetype in inputs.conf and I don't see how the sourcetype is found in props.conf. Any idea how this is getting...
View ArticleAlert if Value over threshold for a certain period of time
Hi, I have an event being received once every 2 minutes. I am trying to setup an alert if the Value for the event goes beyond certain threshold for 15 mins or more. I am using the below query. index= x...
View ArticleData input - Automation
Hi, I'm injecting data from a SDWAN platform into splunk enterprice 7.3.2 via Rest API. I'm using the Add-on builder to build our HTTP requests and It works great, however there are some taks that I...
View ArticleMultiple Timestamp in an event- transformation
I have an event which prints the actual time which splunk metadata has but instead i want to use the other timestamp. Splunk time shows 8/15/18 2:12:44.000 PM which it extracts from the Verbose line...
View ArticleHow to break a multi-line event with regex, provided that the date and time...
Hi, I have the following log format, How can I break this multiline event, with the condition if the date is changed only when the date containing time is at the beginning of the line. Thread...
View ArticleHow to display the data side by side within two colomns in a dashboard?
We have a dashboard, which is pulling the data for Current and last 7 days. In the screenshot below the data has split between the two colomns, but we are trying to display the colomns side by side and...
View ArticleDynamic Loop through a JSON array looking for trigger in any element
Data example: "storeID":"000", "activeStatus":"Active", "location":{ "addressLine1":"4300 Store Rd" "city":"Atlanta", "zip":"99999" "state":"GA", "mainNumber":"9999999999" }, "capabilities":[ {...
View ArticleData Disapearred
I have just set up a dashboard with some data from .csv files. It was working until I made the local host available via link and it seems like all my data got deleted. I can still see the csv files in...
View ArticleChanged License group from enterprise license to forwarder license, how do I...
Hi everyone, I'm a total Splunk noob. The title basically says it all. I recently changed the group from enterprise to forwarder. Now I cannot access the GUI. Is there a way I can change it back from...
View ArticleHow to get a direct count of results which are over a certain amount?
I've set up the following search with a count of events based on specific time frames over a week span: index=epackage flow_event=Package* containsAmendedReport="false" | eval Time2 =...
View ArticleSave PDF automatic report locally
I am needing to have the automatic generated report saved locally on the server. From there, I can create a cron job to move them to a different location. I am having trouble finding a way to get them...
View ArticleHow to wrap a regex multiline event to form a single event until you find the...
Hi, I have the following log format, How can I break this multiline event on condition that "2019-11-12T09: 51: 28.291" arrives. Note that the log needs to be indexed with Local Time. Application Name:...
View Article
