List all created users with their roles.
Hi, I would like to see roles of created users not roles of user which created account, is there a way to do this? index=_audit action=edit_user operation=create | eval...
Using value in lookup as source in search
Hello, I am new to Splunk so apologies if this question seems overly simple. Currently I have a search where in the query I list off the different sources, e.g. index=my_index host=my_host...
get percentage of specific field over volume
I have two queries: 1: sourcetype=A error=499 2: sourcetype=B X=* I would like to make a timechart of % of A on B. Basically I want to make a timechart that will tell if error code increase is because of...
How to use value from a drop down that contains reserved characters in a search?
I have a table that shows instances of errors from the event log over time by host. I use a drop down that searches the event log data for Type="Error" | top limit=20 Message to populate $ErrorMessage$...
Join only returns 1 value
The search below looks up a serial number in another index, there will be multiple values to "x", but currently it only returns 1. How do I get it to return all of the values? Also, 2nd question, as...
Sending Logs to splunk from logstash
Hi, I am trying to send logs to splunk with HEC using logstash, but the configuration is not working. A curl from the server is working but logs aren't going through logstash. curl -k...
use stat results as string instead of numbers
Hi everyone, so I am wondering if it is possible to display my results as a string for computername instead of displaying it as a number. I don't believe using count or stats is the right process here,...
Using inputlookup value as source in search
Hello, I'm new to Splunk so sorry if this seems like a basic question. Previously, in my search I was listing various sources in the query itself: index=my_index host=my_host source="comp_1.log" OR...
help on a complex timechart
hi, I use the search below in order to display a timechart which counts the number of hosts which are in a CPU consumption range (0 - 20, 20 - 40, 40 - 60) `CPU` earliest=-30d latest=now | fields...
Splunk query to get top sourcetypename=kubernetes_logs, divided by services...
Hi there! I need a query that will show me Top Sourcetype Sizes by Day, where sourcetype=kubernetes_logs, and the kubernetes_logs itself, to divide by service names (or namespace names). Right now,...
Logs after ingestion are not readable
Hi all, I am ingesting CloudWatch logs through s3->sns->sqs on a heavy forwarder using the AWS add-on, using SQS-based S3 as the input type. The logs in the bucket are in .gz format and when splunk...
Filtering a record out based on stats values
Greetings all. I have this: | stats dc(Indexer) AS conntected_indexers values(Indexer) as Connected by connectType sourceIp sourceHost Ver I have a list of indexers (ind1, ind2, ind3) that if they show...
Is it a valid configuration to have indexers on different IP subnets/vlans...
We have nine sites in a multi-site cluster with indexers at each site ranging from three to 15 servers. Each site's indexers are all on the same vlan and ip subnet for their region. I have a need...
Just installed splunk free on Ubuntu... can't start
Splunk seems to have installed on Ubuntu 18.04 but the only place I see it is in the /opt dir, and if I try to cd to it, it says no such directory exists, but if I cat it, it says it is a directory. Any...
How to keep the number on the right side after changing the commas with space...
Hello Splunker! I added the "tostring + commas" to a number to get the thousand separator. Works fine. The problem is when I do the rex command to replace the commas with a space to match the Canadian...
8.0.1 upgraded Heavy Forwarder - TcpOutputProc - Possible duplication of events
We have a support ticket open, but I thought I'd also ask the community. Since upgrading our Splunk to 8.0.1 this one HF has been spewing "TcpOutputProc - Possible duplication of events " for most...
How to globally replace a value in any of the fields.
I have an output where I have 0 in random columns. I would like these 0's to be replaced with any text for reporting... is it possible to replace 0 in any field? ex output below Jan2019 Feb2019 Mar2019...
EMC Isilon Add-on error: Splunkd daemon is not responding: (u"Error...
I have tried version 2.5 and 2.6 of the Add-On on both 7.0 and 7.3 versions of Splunk (2 separate servers) and I receive the same error. Has anyone resolved similar?
What will go wrong replicating smart store S3 buckets across AWS regions
I am preparing to migrate my Splunk data storage to AWS S3 using Smart Store. My S3 buckets will be replicated across regions in AWS for failover and I have a requirement to fully test that capability....
Manually setting source name
We have discovered that on one of our servers, we had an error in the monitoring stanza and were not getting the logs for several directories. We can go back and get those logs from the backups. These...