change colon to dash in Search
First, let me start by saying I am not a programmer, a Splunk expert, highly experienced with Regex or SED. I say this so you understand if you offer an answer please do not leave any steps out...
Field extraction stanza help in props.conf?
I have the username field extraction as follows in the props.conf which extracts the username: [sourcetype_X] EXTRACT-XYZ = username="(?[^+\"]*)" which extracts the field as follows...
How to save the CSV file to external location
I would like to save the CSV file to an external location. I am using the |outputcsv command which is saving the file to a Linux but I need the file to be picked up from there and moved to external...
blocked=true messages
I noticed on my splunk instance that I am getting messages like these: 02-07-2020 15:20:36.038 -0500 INFO Metrics - group=queue, name=typingqueue, blocked=true, max_size_kb=500, current_size_kb=499,...
ERROR DeployedApplication - Failed to install...
I am receiving the above error when trying to deploy updated and new apps from the Cluster Master to the Indexer Cluster. The apps do exist in /web/splunk/etc/managed-apps directory structure on the...
How to set up a triggered alert on an index based on usage?
Hello, I would like to set up an ongoing alert to be triggered anytime an index ingests 20 GB of logs. This is to prevent a license violation due to developers turning on debug mode and leaving it one...
Feature Request: Epoch Time Correction
| makeresults | eval time=-62167252739 | eval _time=time | eval time_text=strftime(_time,"%c %::z") `-62167252739` is "0000/01/01 00:00:00 +0000" but, my result is _time time time_text 0000/01/01...
How to get the correct URL to the Splunk collector
1. While creating a Splunk collector it is showing "Please enter a valid URL beginning with https://" even though my URL format starts with https://
Can Splunk find love?
Since Valentine's Day is near, Splunk can search for everything. And it might find love, I thought. How?
Use of Timewrap command to control the time range
Hi, I am trying to plot a graph of response time over a period of time. I am using the timewrap command to plot it for yesterday, the day before yesterday and last week. The problem is I only want it for a...
Line Break Assistance required
Hello Splunkers, I require your assistance with a line break for the below-mentioned logs at `],[` {"time":1581014469,"states":[["4b1803","SWR55X...
How often should I upgrade Splunk Enterprise?
The [software support policy for Splunk Enterprise](https://www.splunk.com/en_us/legal/splunk-software-support-policy.html) is now two years. My company has a policy to wait a few releases before...
How to manage reports and alerts for 150+ indexes?
We have a ton of indexes and need to better understand which ones have stopped receiving events so that we can report and alert on them. We have a Splunk Enterprise v7.3.3 distributed environment with...
Allowed characters for metadata fields source and sourcetype
My question is simple: which characters are allowed for the values of the metadata fields `source` and `sourcetype`? I could not find any documentation on this.
Arithmetic on multi field values
I am new to Splunk, and I need to perform arithmetic on some multi-field values. What is the best way to do this? Here is an example of an event (where the "stuff" field is an array containing any...
Make extractions in props.conf from search query
| makeresults | eval _raw="Nov 14 03:23:42 hostname rsyslogd-pstats:{ \"name\": \"global\", \"origin\": \"dynstats\", \"values\": { } } Nov 14 03:23:42 hostname rsyslogd-pstats:{ \"name\":...
Can't see newly created indexes on search head in distributed search
I have a single indexer and single search head with the indexer attached as a search peer and I created one index called "winevent" on the indexer. I don't understand why the search head cannot see...
Unable to login to freshly installed Splunk Enterprise (just reloads login page)
On a fresh Splunk Enterprise install, I cannot log in to the web GUI. When I get the password wrong, I am told it is wrong. When I get the password right, it just reloads the login page. Here are the...
Subtract One Field from Another
Hi guys, I'm having trouble making a simple subtraction (well, I thought it would be simple!). Field1 is a number in string format, Field2 is a count of events. What am I doing wrong? index=index_name...
Search heads cannot connect to web login after 8.0 upgrade
Hello. After upgrading from 7.3 to 8.01 my search heads no longer work. It will not load up the search head web page. Any ideas? If I load from a backup back to 7.3 all of my real time indexed data is...