Custom timestamp detection for a sourcetype with some events without a timestamp
Hello there, For a particular sourcetype there are events with a timestamp and events without one. As Splunk cannot detect a timestamp in the events without one, it generates plenty of...

Index main
Hello Splunkers! I have a question. I have installed a universal forwarder on an AIX server, but all the logs arrive in the index "main"; they should arrive in one specific index that I created....

HttpInputDataHandler - Parsing error : No data
Hello there, I get the following error a lot: "ERROR HttpInputDataHandler - Parsing error : No data". I guess it is related to HEC, but I don't understand it, nor can I find info about it. Would anyone know...

PKI and Splunk
Hey there fellow Splunkers, can Splunk be used to help manage PKI? If so, in what ways?

Splunk DB Connect: join tables
I have 2 tables that I need to join in Splunk DB Connect (SQL Explorer): 1- table1 (sysindexes) 2- table2 (systables) 3- common column (tableid). I try to write a join query on the (tableid) column but...

Logs are being cut off
Some of the logs ingested into our Splunk environment have missing lines. I was told that this could be the result of a delay in the completion of logs. Is there a way around this?

Forward data to another Splunk
Hi all, I have some Heavy Forwarders that receive data from some Universal Forwarders and take syslog from some appliances. The HFs take these logs and forward all of them to an Indexer (Indexer_A) and...

How do I search from a lookup to find if a URL contains a malicious domain?
Dear Splunk Experts, I have very little experience with Splunk and need your help with my search. I have a lookup with a list of malicious domains and URLs. I need to get alerted if an accessed URL contains any...
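An added example (not from the original post) of one way to approach this: extract the host part of the URL first, then match that host against a CSV lookup of malicious domains. The index, sourcetype, the field names url and src_ip, and the lookup name malicious_domains with columns domain and category are all assumptions. The lookup definition is assumed to set match_type = WILDCARD(domain) in transforms.conf so that a row like *.evil.example also matches its subdomains.

```spl
index=proxy sourcetype=web:proxy url=*
| eval url_domain=lower(replace(url, "^(?:[a-zA-Z]+://)?([^/:?#]+).*$", "\1"))
| lookup malicious_domains domain AS url_domain OUTPUT domain AS matched_domain, category
| where isnotnull(matched_domain)
| stats count, values(url) AS urls, earliest(_time) AS first_seen
        BY src_ip, matched_domain, category
```

Matching the extracted host rather than the whole URL string avoids false positives from a benign site whose path or query string happens to contain a listed domain. Lowercase both sides (as above) or set case_sensitive_match = false on the lookup definition, since lookup matching is case sensitive by default. Saving this as an alert that triggers when the result count is greater than 0 gives the notification asked for.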

Where to download Splunk Enterprise Version 7.3.3?
Hello, where can I download previous versions of Splunk Enterprise? For example, I need Splunk version 7.3.3, but I can't find it on the download site.

Archiving an index: moved to cold, remaining folders and files in db
I'm working on moving a retired index to frozen (indexer cluster). I've set maxWarmDBCount = 0 for the index and all buckets have been moved to colddb on all indexers. There are some remaining files...

Query Azure AD sign-in logs
I have indexed my Azure AD audit and sign-in logs: { [-] Level: 4 callerIpAddress: xxx.xxx.xxx.xxx category: SignInLogs correlationId: xxxxxxxxxxxxxxxxxx durationMs: 0 identity: My User location: IN...

How to fill null values of multi-value fields with another value in search output
Hello Community, I need to fill null values of multi-value fields with some value, i.e. 0 or "Not found". Here's the sample data in a table: Sample Table Customer_Id Counter_ID Customer_Name Desk_ID...

Rolling restart of Splunk service on multiple Linux servers
Hi, I am looking for a script to perform a rolling restart of the Splunk service on multiple servers from a centralised server that has SSH access to the slave servers. Does anybody have such a script?...

How to use eval to find percentage for field values?
I have a field named action with the values block, passed, and alerted. How would I go about creating a search that looks for the percentage of blocked to passed/alerted events? I have the basic search of...

Is there a way to trigger an email/alert for when a cron expression time frame...
I currently have a search that takes two time/date intervals from the same event and subtracts them to get a value. If that value is longer than one hour an alert will be triggered. In the cron...

How does monitor:// handle Windows shortcuts to directories containing logs?
In an effort to get our inventory of inputs under control, I'm trying to get all servers to have one place for logs. Eg, `C:\LOGS`. When they want to add new files to monitor, they add a directory...

How to install Eventgen and configure Splunk Buttercup Games online data
Hello Everyone, Please help me to install Eventgen and configure the Splunk Buttercup Games data.

How to return 0 or null if there are no results with tstats over time?
First of all, I apologize if I missed the answer somewhere and for my bad English. I am trying to monitor my hosts, indexes and sourcetypes over time with percentages. I am also trying to make it dynamic so...

How to get the ratio of different values of the same field?
How do I get the ratio of two values of the same field? When I run the following command: host=web_app action=* file=* status=200 | stats dc(JSESSIONID) BY action I get the following output: ![alt...
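An added example (not from either original post) that covers both the percentage question above (blocked vs. passed/alerted) and this ratio question, using the search from this post as the base. Counting each value with count(eval(...)) in a single stats row puts the numerator and denominator side by side, so the percentage or ratio is one eval away; the same trick with dc(eval(...)) gives the ratio of distinct sessions. The host, field names (action, JSESSIONID) and the action values block, passed and alerted are taken from the two posts; everything else is assumed.

```spl
host=web_app action=* file=* status=200
| stats count(eval(action="block")) AS blocked,
        count(eval(action="passed" OR action="alerted")) AS passed_or_alerted,
        count AS total,
        dc(eval(if(action="block", JSESSIONID, null()))) AS blocked_sessions,
        dc(JSESSIONID) AS total_sessions
| eval pct_blocked=round(100*blocked/total, 2),
       blocked_per_passed_or_alerted=if(passed_or_alerted>0, round(blocked/passed_or_alerted, 3), null()),
       pct_blocked_sessions=round(100*blocked_sessions/total_sessions, 2)
```

The if() guard on the ratio keeps the result null rather than meaningless when there are no passed or alerted events in the time range. If the per-value breakdown of the BY action output is still wanted, the alternative is to keep stats ... BY action, follow it with eventstats sum(...) AS total, and compute round(100*value/total, 2) per row.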

Splunk for Windows Add-on Configuration
I am stepping through the splunkbase guide for adding the Splunk for Windows Add-on to my Splunk server and had a question. As I am configuring these index files and props files on the server to...