How to search the count of an event for the last sixty minutes, and the count...
How to get the count of an event (say logins) in the last sixty minutes and the count of the same event for the same hour yesterday? Result should be as: Today hh:mm:ss Count Yesterday hh:mm:ss Count
Linux Forwarder Opened Hundreds of Sockets
Has anyone ever run into a situation where the forwarder opened hundreds of sockets on a system? Here is what we have configured on the system's output.conf: [tcpout] maxQueueSize = auto...
Transform at Index
I am attempting to build an exporting field that ArcSight can use to properly categorize. Here is what I got: transform.conf [devClassName] REGEX = ($m)EventCode=(\d+) FORMAT =...
How to Combine with custom's webservice api to achieve Single sign-on?
1. custom has its own single sign-on system, can provide webservice api, such as: a. api url : http://10.50.11.100/MyWebSite/ProjectHome/WebService/DDLoginService.asmx?wsdl b. method:...
Field Extraction issue
Hi Experts, I am able to extract the 4th and 5th fields from the below log, but I am able to get the value if the 4th or 5th field is HOSTNAME; if it is an IP address then I am not able to retrieve it. Here is the...
Successful dormant user logins
Hello, I am trying to write a query for Successful dormant user logins, where the user has successfully logged in today but in the last 30 days there was no activity by this same user. Here is my...
Negative Index Delay
Well this one is interesting. How can splunk index something before it knows about it :-p ![alt text][1] [1]: /storage/temp/162286-eventindexdelay.png
Override hostname to FQDN in etc/system/local/inputs.conf on Windows...
Hello, I need to set Windows forwarders to use the FQDN as the hostname across all inputs, as I have duplicate hostnames in my environment. I've tried changing everything in a Splunk deployment app,...
How to do 2 parameters with rex mode=sed?
Hello guys, is it possible to use 2 parameters with rex mode=sed in sequence? I can change ab to 01 and ac to 02. I tried this, but it does not work: | rex mode=sed field=_raw "s/ab/01/g;s/ac/02/g" Error: Error in 'rex'...
Splunk ISE add on - no sourcetype=cisco:ise:syslog
Hello Team, I have installed: Splunk Add-on for Cisco Identity Services Splunk for Cisco Identity Services (ISE) I do receive all syslogs from my ISE server, can see it with search host=1.2.3.4, but I...
Pass fields from base search to subsearch fails
Hi, I tried to do a base search, then pass fields to subsearch as both a filter and stat columns. I tested with following: index="_internal" | eval MyUser=user | table MyUser bytes | map search="search...
Possible option to combine a search command or dashboard XML along with the...
Hi all, is there a way to combine a search command or dashboard XML along with the indexer data and export it so that it can be imported at another Splunk instance? This would be helpful for scenarios...
Display something on a dashboard panel when no data: i.e. an HTML picture?
Short of the `depends` option, is there a way to display something on a dashboard panel when no data is received? Obviously, when, for example, there are no authentication errors, that's a good thing....
Significant performance differences running same query against different indexes
I performed the exact same search (index=|head 2000000|stats count) on the same indexer against THREE different indexes: fictionaldata, main, udp_syslog The results were: fictionaldata: 3.444 seconds...
Index Migration from non-cluster standalone Splunk instances to Multi-site...
Hello Splunkers. I am facing an issue while implementing steps for the migration of legacy standalone Splunk instances to a multi-site cluster environment. I tried to perform the changes today but roll...
Case vs If?
Hello, in SPL which one has better performance when used in search queries: "case" or "if"?
Index Strategy - Single index with multiple sourcetypes vs Multiple indexes...
Here is what we have: 8 indexers / 4 search heads / each of them are 24 core, 256GB memory and 7.6TB disk I am trying to understand which of the following gives a better search performance - [access...
Which instance is installed on a server?
Hi Team, I'm new to the Splunk team in my organisation and they have servers A, B, C, D etc. There are Splunk instances installed on the servers like deployer, clustermaster, deployment-server etc....
How to edit my search to get total time of events (last-first) and sum by...
So I am trying to get the cumulative sum of all the time taken by each host. So far I could cumulate for a single host; how can I loop through all the hosts and show it in a table? index=main host="XYZ"...
D3 Visualization
Hi Experts, can anyone please provide help on D3 integration in Splunk for visualization? I have the below search and I want it to be visualized using D3. Sample output is tcp 0 0 10.40.88.178:7171...