Validate a value based on the lookup
I have a CSV lookup table like: `item, expression` / `a, "value>12 AND value<14"` / `b, "value=1"` / `c, "value!=111 "` / `d, "value<10 OR value>100"` .... And I have the log like: 2016-09-09 13:13:13,...
Alert trigger from tstats query
Running Splunk Enterprise 6.3.x (and 6.4.4 as well, same story). I want to alert when we see syslog messages start coming in with IP addresses instead of hostnames, indicating a possible DNS resolution...
Splunk Add-on for OSSEC: Why are my pre-built panels gone after update?
Updated and the pre-built panels are gone... how do I get them back?
How do bundles work?
Hi, We had a problem today where our filesystem filled up on indexers, caused by many bundles appearing suddenly. I'm not overly familiar with this functionality. How/when do bundles get sent to the...
What is the default folder that the R Analytics app looks for installed R...
Hi, What's the default folder that the R Analytics app looks for installed R libraries? All my R libraries are installed in the folder: `/home/{username}/R/x86_64-pc-linux-gnu-library/3.3` But it seems...
In Forescout, trying to pull the descriptions for each of the compliance...
We have the following sourcetypes in index=forescout: fs_av_compliance, fs_DLP_compliance, fs_fw_compliance, fs_encryption_compliance. They each have the field "description". How do I list each of the...
How to expand events that contain multivalue fields into separate events with...
Data event 1.event_id=1 name=x,y,z responsetime=4,5,6 2.event_id=2 name=a,b,c responsetime=7,8,9 I need something like this events 1.event_id=1 name=x responsetime=4 2.event_id=2 name=y responsetime=5...
What does this error mean from the source var/log/authlog?
Has anyone seen this error while trying to forward some data to the indexer? Source of the error: var/log/authlog `xyz12345 adclient[1234]: WARN abc.loader Skipping right with id 87654321 due to...`
Is Splunk Support for Active Directory 2.1.3 compatible with Splunk...
Title says it all: Is Splunk Support for Active Directory 2.1.3 compatible with Splunk Enterprise 6.5.0?
Why am I getting error "/eventgen_modinput.py lost sys.stderr" while using...
I am seeing the following error from the source `/opt/splunk/var/log/splunk/splunkd.log`: `ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/eventgen-develop/bin/eventgen_modinput.py" lost...`
How to convert a string value in the format HH:mm:ss to usable seconds for a...
Hey Gang, We are currently running Splunk Enterprise 6.3.1 on RHEL 6.x servers. I have a string value that I have brought in from a log that represents hours, minutes, and seconds in the form...
After upgrading Splunk from 6.0.x to 6.5.0, why are we unable to load...
Hello all, After upgrading Splunk from 6.0.x to 6.5.0, we are unable to load Splunk dashboards that are presented to the users in an iframe. "Refused to display '(the url)' in a frame because it set...
NMON Performance Monitor for Unix and Linux Systems: Manually running...
Per the troubleshooting guide we tried this: `[splunk@blahblahblah]$ /opt/splunkforwarder/bin/splunk cmd /opt/splunkforwarder/etc/apps/TA-nmon/bin/nmon_helper.sh` which printed `Terminated`. It didn't start the nmon...
How do you identify if a box is an indexer or a search head?
Hi, Splunk was installed on 2 boxes by the previous admin. I can browse to port 8000 on both boxes, and get the 'Search and Reporting' UI. How do you identify accurately if a box is an indexer and another...
What is the preferred way to migrate Splunk indexes onto new servers?
Hi All - We have a bunch of Splunk indexes in place. Our application is going to migrate to a new set of servers. And we need to make a decision whether to use same Splunk indexes for the data on new...
Keyboard Shortcut to Format Search
At .conf this year, a new feature was shown off that allowed auto-formatting of SPL in the search bar with the press of a button in 6.5. It took a search from a single line: `index=myindex | stats count...`
How to display values in xyseries format?
How to display values in xyseries format? I have a log like below: `tcp 0 0 12b8-splfwd02.nam.nsro:7171 poc-citi-luna1.nam.ns:50326 ESTABLISHED tcp 0 0 12b8-splfwd02.nam.nsro:7171...`
Was showing time of last update of dashboard in 6.4 using javascript. Stopped...
The following XML/Javascript was working in 6.4 to update the lastupdatedtime id. In 6.5 the javascript is now only being called on initial page load. Any way to get the javascript code called on every...
Why does this line from the C# SDK Example return error...
I copied the code from the C# SDK Example on http://dev.splunk.com/view/csharp-sdk-pcl/SP-CAAAEYZ This following line always returns an error "System.IO.InvalidDataException:...
Search peer searching requires invocation of splunk_server=* and indexes not...
Seems like a relatively simple issue but I'm stumped. I've got peers set up on a search head.. and if I do a search referencing an index ONLY available on the remote peer.. it will only work if I do...