How to get a transaction command to work with a combination of indexTime and...
Good Afternoon Splunk, I have a question about some data that I am trying to evaluate for the transaction command. Below I have a snapshot of the data I am trying to get the transaction statement to...
Talk to Splunk with Amazon Alexa: Why am I getting error "Can't connect to...
I'm most of the way through the setup of the "Talk to Splunk with Amazon Alexa" App https://splunkbase.splunk.com/app/3298/ but I still have an error. The messages I keep seeing are: 09-20-2016...
How to edit my search to categorize User Agent by Mobile OS?
Hello Splunk Masters, I'm working on a radial gauge that will show successful IIS requests. I need to be able to build out a search to separate results by either Android or iOS. Here's how an example...
How to edit this search to remove the time for maintenance windows using a...
We've got a search that displays our web monitor logs, and would like to add a function that allows us to remove time for maintenance windows via a CSV file. I ran across this question/answer that...
DB Connect and SQLite database locking
I have about 30 searches that run once per day and pull data from a SQLite database and write them to Splunk lookup tables. Most of the searches only take a few seconds to run. Each search is scheduled...
How to modify my search so it shows total MB per user for the day?
bucket _time span=1d| eval _time = strftime(_time,"%b %d, %Y")| stats sum(eval(Bytes_Written/(1024*1024))) as MBytes_Moved, values(User_Name), values(MBytes_Moved) by _time Above is my current search,...
sourcetype duplication / send to syslog while indexing concurrently
Hi Forum, I am currently searching for a way to duplicate data coming in from the universal forwarder to an intermediate heavy forwarder into a 3rd party syslog. Meaning I want to index data into splunk and...
What is the best way to handle json data with nested arrays?
I am having some trouble working with JSON events. I use Splunk Enterprise 6.4.1. I'm using KV_MODE=json in my props.conf file. For regular fields and top level arrays, it's working great. However I...
Data not forwarding to cluster/master
The logging isn't making it to my cluster. I'm trying to capture port traffic in one of my UF (universal forwarders) and sending it to my cluster. I have a few [monitor:/xxxx] setup in the same...
How does the "top" script in the *Nix TA work for Dual CPUs and Multiple Cores?
Hello, I'm running the Splunk App for *nix, the TA and SA and the question I have is when you use the index=os sourcetype=top|stats avg(pctCPU)... I have an IBM HS23 - dual CPU with 6 Core each. Does...
How to make splunk join with multiple to 1 record where one source is in json...
How to make splunk join with multiple to 1 record where one source is in json format and other one is string?
Is it possible to prevent indexing part of a line in a log file?
I know it is possible to skip lines in an input, however, I have the case where I want to skip part of a line. For example, I have an inputs.conf stanza like the following:...
Does Splunk App for PCI Compliance require an SA on License Master?
The title says it: Does the Splunk App for PCI Compliance require an SA on License Master similar to Splunk IT Service Intelligence?
Slack Notification Alert: Why is an alert failing with a "HTTP Error 500"...
Slack Notification Alert App is failing for one particular alert with HTTP Error 500. I've tried deleting the alert and recreating it. I've also tried regenerating a new API key from Slack. Still...
Splunk DB Connect 2: Is there a way to pull more than the max limit in the...
From the "DB Input", there is a parameter, "Max Rows to Retrieve", from step 2. It limits 1 to 10000000 records. My initial pulls have more than 10000000 records. Is there another alternate solution to...
Why does checking the status of a forwarder make the forwarder stop running?
Hello, I have multiple Splunk forwarders in my setup. I am writing a script in which I need to check if Splunk forwarders are up and running. I am executing this script from a remote machine but I am...
Why am I unable to index contents of a text file being monitored by universal...
Hi, We are trying to get DNS logs into Splunk. Logs are generated in a .txt file and the goal is to use Splunk Forwarder to parse and Index these. After creating the `[monitor: .. ]` stanza under...
Can eventtypes for specific users be disabled via the REST API?
I'd like to disable eventtypes via the REST API. These eventtypes could be owned by a variety of users, but I want to make my API calls with a single user. According to the Splunk API docs, the correct...
How do I monitor Forwarded Events logs on Windows?
I'm trying to monitor Forwarded Events logs on Windows (not application, system, etc.). My inputs.conf stanza looks like this: [WinEventLog://Forwarded Events] Doesn't seem to work. Anyone had success...
How do I get the settings menu back in Splunk Web?
The settings dropdown menu only shows the DMC. I don't know how it got this way. I was trying to restore some views on reports and ran the refresh options for nav and view. ...