Extracting fields from another field
Hi, we are receiving the event in JSON format; the _raw event is given below. I am trying to extract the fields through props and transforms from a particular field, but it is not working. _raw event...
Can access restrictions be put on a lookup automatically upon creation?
Can access restrictions be put on a lookup automatically upon creation? For example: User A creates a lookup <-- can this lookup be automatically restricted so that User B can not search the...
Getting sum of a multivalue field for each event
Hi, I have a query like below: index=linux sourcetype=iostat mount="*", which will list total_ops for each mount of a host in multiple events. I need to get the sum of total_ops of each host across all mounts...
Want to show the status of the job as it is until it changes its status
Hi Team, I have the following details. One of the AutoSys jobs is running for 20 hours with the status recorded in the logs as RUNNING, recording only one event with the status in the logs, i.e. when it changed from...
Help getting data out of .xml report
I am trying to pull fields out of .xml file where I can make sense of them and put the info into a dashboard. I am trying to pull the ruleID, ruleResult, and result count out where they are relational...
Logs not picking sourcetype from props.conf in apps/local folder on heavy...
Hi, we want to parse the logs on the HF before they are forwarded to the indexers. Logs are forwarded from the universal forwarder to the heavy forwarder. I have given the sourcetype in inputs.conf on the UF and created...
Streamstats time sum when specific values
Hi All, I'm stumped on the following search. The scenario is I'm trying to track the amount of time a support ticket is assigned to a support team and specific status, for the lifecycle of the ticket....
TA-microsoft-sysmon on forwarders (UFs) - add an outputs.conf?
I'm a bit new to deploying forwarders on endpoints I manage (I'm not new to Splunk). Many guides I see (including the install instructions for this Sysmon TA) state that you should deploy this TA onto...
How can I configure the UF to take the hostname of the server from another...
I have two managed Linux servers with the universal forwarder; both have the same hostname. When you check the "forwarder management" menu, only one server appears at a time. That's why I want to...
Build table by char position in string
Hi, I've got this event ->> 2020/02/14/16:12:28:872> MachineNumber="K003991_HT"> Pass="FPPPPPPFPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP" Each position of the...
SAI app/addon and AWS app/addon on same instance
Hi, I want to use SAI and AWS on the same single deployment instance running Splunk Enterprise 8.0.1. Which versions are compatible with each other? Based on documentation it looks like the current...
HEC not giving JSON output when using Python
I am fairly new to Python and I am trying to use a Python script to get the health of my HEC in JSON format. When I am using a curl command like below: curl -k -s -u 'username:password' -X GET...
Field extraction for log file entries with pipe delimiters
Hi, I have a log file I am monitoring. Log file entries have pipe delimited field entries as below: **LE Variation 1:** [default task-2] 2020-01-24 13:10:54,598 INFO...
How to split data from old indexer to new indexers
I have a setup right now where we have 1 indexer in our test environment and we are putting 2 new indexers in the production environment. I need to know if I move all the data from the old indexer and...
DHCP field extractions
I installed the Microsoft Windows DHCP addon for Splunk to my search heads and am successfully indexing DHCP events, but the data doesn't seem to be CIM compliant per the CIM Validator app. Here are my...
Can one dynamically set "charting.data.count" in a splunkjs ChartView and...
I am creating a JavaScript app outside of Splunk, and trying to dynamically reset the number of points that get charted in a ChartView instance. I have tried doing:...
Licensing in a distributed deployment
We've recently migrated to a distributed deployment with a licensing server. A recent surge in events caused the license to be exceeded, and we received a reset license, which was installed on the...
How to find the in-between duration between three transaction events?
Hi, how can I find the in-between duration between three transaction events? For example, duration1 between mod1 and mod2, and duration2 between mod2 and mod3. My current query is taking a while because...
How to troubleshoot connection issues from heavy forwarder to syslog receiver?
I have a heavy forwarder in which I set up the outputs.conf as follows: [tcpout] defaultGroup = indexer_group,forwarders_syslog useACK = true [tcpout:indexer_group] server =...