how to group or follow fields with different value
Hi guys, I am new to splunk. I have multiple events that look like this: - 2020-02-07 07:21:20 action_time="2020-01-02 07:21:20.39", id_client="1234", ticket="1", - 2020-02-07 07:21:20...

Using a child data model to reduce search
I'm trying to create a data model with child subsets and calling this in a search. However the searches are calling the whole index rather than the subset - How do I need to adjust the setup to get...

Run CLI command on mac to connect to splunk and retrieve result of query
How I can run python commands from my Mac to retrieve data from Splunk. I am going through the splunk documentation - https://docs.splunk.com/Documentation/Splunk/6.2.1/Admin/AbouttheCLI Settings >...

Defining string for use with inputcsv using dashboard token
I would like to define the value of a variable, let's call it 'infile', based on the value of a token selected via radio button. Pseudocode: If rbutton=yes then infile=inputfileA.csv if rbutton=no then...

Splunk app for infrastructure script error
Hi team, I have a problem in the functioning of splunk application for infrastructure, when I launch the script under the command line of my host (Ubuntu 16) I always find this error: Failed to...

Amazon WorkSpaces
We are running Sysmon on Amazon WorkSpaces. We are trying to get the Sysmon (and other) logs into Splunk. We are currently trying to use a forwarder on the hosts. We run "splunk...

Editing inputs on multiple Universal forwarders at a time
We have around 600 servers where we need to edit inputs.conf on universal forwarders of those servers. Is there a way we can do it at a time, all these servers are windows OS. I got to know there would...

Heavy Forwarder Slow to Start Forwarding Syslog
Hello- My current setup: Device Syslog --> Syslog Server w/ Splunk HvyFwd --> Splunk Indexer When I restart my Heavy Forwarder server or Splunkd, it takes up to 30 minutes to begin forwarding...

Need help with inputs.conf
Hello I have some directories that I need to monitor. Using updated inputs for the TA_nix app I am adding syslog/linux:audit data in specific paths. It mostly works as expected BUT I had a few...

How to set a Token when the dashboard is 100% loaded
Hi, I need to be able to know when a dashboard is 100% completed, how can I get a token for this? I had an idea of doing something like this after each search. LOADED However this is a very manual way...

How to count lookup matches by the field values in the Lookup?
Hi, I was given a request to use csv lists (i.e. lookups) with keyword values to find USB writes in an index where a field name of "file-name" is file info written to usb. The file-name values are not...

Calculate difference of fields where certain field value exists
For each Digit I have below (Digit 0,2,3,4,5,7,8) I want to calculate the difference in time between the TXN endtime and the FW endTime for that digit. How can I group this new calculated one value for...

RESTAPI Search Limits TTL
I have a search being executed via script hitting the REST API. Occasionally it will return no results and looking for the associated events in _internal we get the below: ![alt text][1] [1]:...

BucketMover - aborting move because failed to rename src to dest failed...
Trying to send the frozen buckets to a ECS Windows shared drive using CIFS mounted on Splunk Linux indexer. Permissions to Splunk service account on frozen is having full level modify access. Is there...

Update Universal Forwarder
How can I update 300 forwarders quickly? Is there any method?

How many apps can I deploy in Universal Forwarder?
Hi everybody, I'm trying to deploy 2 apps in a universal forwarder from a deployment server. The problem that I'm encountering is that when the deploy finished and restart the Splunk Universal...

edit server.conf on multiple servers
I want to edit server.conf for around 600 servers, is there any way we can edit them all at a time.

How to Configure Splunk Heavy Forwarder to Consume Kafka Topics based on SSL/TLS
Hello, we are using Splunk Heavy Forwarder to consume data from Kafka topics (flow #1) and forward it to the Splunk Server (flow #2), i.e. Kafka Cluster --- (1) ----> Splunk HF ----- (2) ----->...

DB Connect not able to process results
I am able to test the connection in datalab using splunk db connect app. I am able to fetch results when I run the query and successfully created connection. But, I am not able to see any data when I...

Extract pairldelim kvdelim JSON problems
I have JSON data that I'm trying to extract into fields and unable to get all the data extracted correctly. My query is **index=myindex |spath |extract paridelim="," kvdelim=":{}[,]"** My data looks...