Advice on using eventtype, macro, tags or something else for easy user reference
Hi, We have Apache logs in a variety of indexes from a variety of hosts which represent a variety of different environments. Up until now, we'd been creating and maintaining tags which matched DNS...
earliest takes null value after Before selection of DateRange in TimePicker
Hi, I am using the Splunk's timepicker Date Range selection with token "timestamp". ![alt text][1] [1]: /storage/temp/162279-timepicker.png In panel search, this token is used as : ` index=xyz...
How to break events at the hex message delimiter?
I have to break events based on the hex message delimiter. When I ingest data into Splunk, it is showing as letter 'x' or whitespace between events. How do I break events at the hex message delimiter?
Upgraded universal forwarder from 5.2 to 6.5.0. Is it typical to receive a...
I upgraded my Windows universal forwarder from 5.2 to 6.5.0. All I did was grab the installer from download and install on top of the older config. I am getting a fatal error on the...
How can I have different chart column bar colors when comparing hourly events...
I have the search below that produces the result I wanted (hourly average count per day for the past four days) search | timechart span=1h count | eval weekday=strftime(_time,"%A") | eval...
Can Splunk read (not index) OData?
Hi, Is there any way that Splunk can read (not index) OData? I know there's an ODBC driver, but I want to do this in Splunk. Splunk DB Connect 2?
Why is the x-axis time range reversed in my timechart?
I am seeing this odd behavior in my timechart, for some reason the X axis is reversed with the newest events showing nearest to the Y axis. For some reason this seems to change based on the time window...
Would love to see a Watchguard UTM Firewall APP - any plans?
Would love to see a Watchguard UTM Firewall APP - any plans ? Thanks
Can I use the result of an eval command as a token further down the line in...
Hey y'all, I have a chart that takes transaction data from processes that run at different intervals. Most processes run once per day, but one runs once per week. The end goal is to show the duration...
Is there a better way to edit my current inputs.conf for sourcetypes defined...
All, I have a dozen+ inputs I am creating. I feel there should be a smarter way of doing this. As you can see, I am naming the sourcetype after the log....
What is the best method for connecting with a MySQL database that resides on...
I am new to Splunk (6.3) and am interested in knowing a few things in addition to the original question: A. Assuming I can connect to a locally residing MySQL database (5.7) and extract rows from the...
Palo Alto Networks App for Splunk: Does the current version of the TA handle...
Does the current version of the TA handle Correlation Engine events? Or if not, is that planned in an upcoming version? I'm not on the newest version (3.7) yet, however, in my current version, those...
Does REST API Modular Input get updates each time or the whole dataset?
Hi, I've configured to poll some open data sets using the REST API modular input. Polling is set to daily. I saw that it got the entire set of records (json) the first time cleanly and indexed it. I am...
Can I use multiple kvstore lookups in a single collection?
This is my first time trying out the kvstore, so learning by fire. I set up a collection in myapp/default/collections.conf, and set up a number of lookups within that single collection using stanzas in...
How to change the "From" address when an alert email is generated from a new...
We have 4 search head servers in a search cluster. One of them was added recently. When Splunk alerts come from "old" servers, they show "**Splunk Alert** splunk@hostname.acml.com" as the sender. Splunk...
How to edit my search for time-based correlation between two different...
The following search utilizes windows event security logs and produces a five column table that has the fields noted below: Sourcetype=WinEventLog:Security EventCode=4624 Logon_Type=3 | dedup user...
After running a "stats count by fields" search, is there a way to search on...
I wrote a search and used `stats count by` to display records. Now I have thousands of records and I would like to know if Splunk has search features on tabled records. We are using 6.3 version. If...
What is the keyboard shortcut for the Splunk 6.5.x Search bar formatting on a...
Hi forum, I'm currently searching for a way to use the new Splunk 6.5 feature "query formatting" on a German keyboard. When I switch my German keyboard to US, it works as expected using CTRL+\ (on...
How to make an external service call after all panels in my HTML dashboard...
I have an HTML dashboard with several panels containing TableElement. My question is: I want to make an external service call after all the panels in my dashboard have been loaded. Is there a way to do...
Location Tracker - Custom Visualization: Is there a mapCenterLat and...
Is there a mapCenterLat and mapCenterLon option as there is in a single value cluster map? $mapCenterLat$ $mapCenterLon$