Splunk certificates required for 3rd Party Application?
I am making a 3rd party application using the Splunk API. I noticed that in server.conf, toggling enableSplunkdSSL to true or false secures or unsecures the splunkd port. However I am not at all...
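The setting the question refers to lives in the [sslConfig] stanza of server.conf and defaults to true; turning it off makes the splunkd management port (8089 by default) serve the REST API, session tokens and login credentials in cleartext. As an added example (not part of the original question and not Splunk's own code), the following Python check parses a server.conf fragment and flags that weak setting. Both configuration fragments are constructed for the example and the certificate paths under $SPLUNK_HOME are placeholders.

```python
import configparser
from typing import Dict, List

# Constructed sample (not from the post): a server.conf fragment with the weak setting.
WEAK_CONF = """
[general]
serverName = splunk-dev

[sslConfig]
enableSplunkdSSL = false
"""

# Constructed hardened counterpart: keep TLS on the management port and point splunkd at
# a CA-issued certificate so a third-party client can verify it. Paths are placeholders.
HARDENED_CONF = """
[general]
serverName = splunk-dev

[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/splunkd.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
"""

# Boolean spellings treated here as "enabled"; anything else is treated as disabled.
TRUE_VALUES = {"true", "1", "t", "yes"}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Splunk .conf file (INI-like, case-sensitive keys) into nested dicts."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk setting names are case-sensitive; keep them as written
    parser.read_string(text)
    return {section: dict(parser[section]) for section in parser.sections()}


def splunkd_ssl_enabled(conf_text: str) -> bool:
    """Return True when splunkd will serve its management port over TLS.

    A missing setting counts as enabled because Splunk's default is true.
    """
    conf = parse_conf(conf_text)
    value = conf.get("sslConfig", {}).get("enableSplunkdSSL", "true")
    return value.strip().lower() in TRUE_VALUES


def audit(conf_text: str) -> List[str]:
    """Return a list of findings for the given server.conf text (empty when clean)."""
    findings = []
    if not splunkd_ssl_enabled(conf_text):
        findings.append(
            "[sslConfig] enableSplunkdSSL is false: the REST API on the management port "
            "(default 8089), including session tokens and credentials, is sent in cleartext. "
            "Set enableSplunkdSSL = true and have clients connect over https."
        )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: ssl_enabled={splunkd_ssl_enabled(text)} findings={audit(text)}")
```

The point for a third-party client is the direction of the fix: the client should connect to splunkd over https and validate the server certificate (the CA file configured above, or the one you export from the server), rather than asking the administrator to disable SSL on the management port.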
Splunk user permissions
Hello All, I have restricted search for each index for each user. When I try to search with user1 index2 - I can see the events, and when I try to search with user2 index1 - I also can see it. It should...
Update blacklist.csv
I was wondering how I can update the blacklist.csv file. What was the initial feed and how can I update this periodically? This data changes almost every day, so it would be nice if this list is up...
Compare values in a couple of fields
Hello, I would like to find the difference between values in a couple of fields for two months. I figured out how to do that just for one field: |set diff [search index = test_im REPORT_PERIOD="2015-10-01...
Add two Regexes
Hi, I need to add two REGEXes to transforms.conf and props.conf. If I add one block of code, testing each REGEX independently works. If I duplicate the same block of code adding another REGEX, it fails. I...
Scheduled searches by users not accessible to others. "The view you requested...
Hi, When accessing recent runs of searches by a link of the form: http_//**splunkserver**/sv-SE/app/**appname**/@go?sid=scheduler_**username**_**identifier**-at-**time** example: user john doe created...
Converting MIBs to Python modules errors
Dears, I have followed the documentation to create a Python module from a MIB file and I have added all SNMP inputs as said in the documentation, but I didn't get any output and splunkd.log gives me the below error...
How and when to use $abc$ to tell Splunk that abc is a field name?
Somewhere I read about using $abc$ to tell Splunk that *abc* is a fieldname. I can't find explanations in the docs of when and how it can be used. Can someone provide a link regarding this topic? Cheers...
Wildcard pattern in search
Can simple regular expressions be used in searches? I'm trying to capture a fairly simple pattern for the host field. For example a host name might be T1234SWT0001 and I'd like to capture any device...
Perform secondary search on each result?
I have a search that shows network activity destined for specific IP addresses I'm interested in: host="logserver" 1.2.3.4 OR 4.5.6.7 OR | dedup src | table src,_time "src" is an extracted field...
Error 'Could not find all of the specified destination fields in the lookup...
Running Splunk 6.3.1 and Palo Alto app 5.0. Receiving the error below when doing a simple search: index=pan_logs. SplunkforPaloAltoNetworks v5.0 is deployed to the search head. Splunk_TA_paloalto v3.5 is...
How can I display my data in a bubble chart?
I am running the following search: "authentication failed" | stats count by user, sourceip | sort -count | head 10 Which produces a table with three columns, user, sourceip and count, like so (scrubbed...
Splunk App for Unix does not show CPU usage on Ubuntu
Hi, I have installed the Splunk App for Unix, enabled cpu.sh and installed the sysstat package. Also I have added the following stanza to inputs.conf (.../etc/system/local/): [script://./bin/cpu.sh] sourcetype = cpu...
How to define the search mode for CLI searches
Hi @ all, in the Splunk GUI you can choose between "Smart mode", "Fast mode" and "Verbose mode" for a search. Is there any way to define this mode for a search via the CLI? thanx in advance -ciir
Splunk master (Linux) integration with SharePoint
Hi, we are planning to integrate Microsoft SharePoint (agents: Windows OS) with the Splunk master and indexers (Linux OS). What are the considerations we have to take care of? Do we need to install any add-on...
Load URL via SPL at search line
Is it possible to load data from a URL using SPL at the search line? Three use cases, specifically: 1) Load https://server.domain.com:8000/en-US/search/inspector?sid=[sid]&namespace=search for job...
How do I authorize a user to use the REST API?
Hi everybody, I have a problem with a user. I've just created a new user and it seems ok when I use it with Splunk. However, I have no authorization when I try to use it with REST. Is there a...
Stats duplicated by time using bucket.
I have a dashboard to which, for managerial types, I have added drop-downs for "Source", "Time Span" and "Timechart By". These of course feed variables within the inline panels themselves. They are $source$...
Monitor Splunk Forwarders State
hello! I have a set of universal forwarders that keep shutting down on their own. We have a case open with support, but this brings up an important question. How do I monitor the health and availability...
Questions about Indexer Buckets and best practices
We have about a 3 TB/day ingest rate, spread across about 20 indexes, and we have a 2 to 5 year retention time depending on the index. 4 of these indexes account for 90% of the data, and we are...