How to convert now() into strptime?
Does anyone know how to do this? I'm having trouble with this conversion. Thanks in advance.
Tenable Add-on for Splunk Giving Oops 404 Error when trying to configure
Installed version 3.1.0 of the Tenable App and receiving the following error in the Splunk Web Service Log when trying to configure: Masking the original 404 message: 'Trying to reach the "TA_tenable"...
How to create a table from indexed nested array
I have been banging my head against the wall for a while and would love some help. Imagine I have the two event logs and would like to create a table from them. The logs have an array value and I want...
List queries along with CPU usage
Hi, My Splunk head usage seems to be spiking at specified intervals. The reason seems to be a lot of alerts/cron that have been set up during these times. Is there a way for me to see the crons/queries...
How to create dynamic tables in a search query
Hello guys, I'm pretty new to Splunk and I'd like to see if there is a way in which I could create a query that would dynamically populate the necessary table columns based on an initial search value...
Alert condition considering previous iterations
Hello All, Using the below conditions (along with the required conditions) to configure alert earliest=-5h | head 100 The challenge I'm facing is that sometimes it is considering the transactions...
Splunk: Pulling Time
I need to pull some logs that happen one hour after 2020-02-29 16:12:26:000, what would be the best time choice to use in Splunk to do this? Sounds super simple but I've gone through the time settings...
How to convert ASCII characters to their Hex values?
There are plenty of answers to the question of how to convert Hex into ASCII using a combination of rex/replace and urldecode. However, I am looking to do the opposite. I have binary data in a field...
How can I count mv fields by type?
My data looks like: { parent_id: 1 child_info: [ { id: 123, status: "PASS" }, { id: 456, status: "FAIL" } ] } I am trying to print the result in format: parent ID | Child_Passed_count |...
splunkforwarder stopped forwarding to indexer after ACL change on FS
I've a single SPF forwarding to 3 indexers in a cluster; after changing the file permissions to rw from rwx, the splunk forwarder stopped indexing files from input dirs. Have seen logs, no clues found. Any...
UF upgrade script on Windows servers (2012, 2016, 2019)
Hi Team, Currently I am working on a UF Auto installation script where the script has to automatically upgrade the UF package on all Windows boxes (that have v6.5.3) running to v7.3.4 using this...
BMC Remedy add on in a search head cluster
I am having trouble using the BMC Remedy Add on in a search head cluster environment. First issue I am running into is that the web ui does not go beyond "Loading" on any of the members, worked around...
Splunk DB Connect: need to onboard 100+ tables with different rising columns
Hi All, We are having one database with 100+ tables which need to be onboarded, and every table has a different rising column. Could you please provide any suggestion on how to onboard 100+ tables rather...
How can Splunk loop through a list of numbers and do an action against each...
We have got a problem to find a list of 500+ client servers (but less than 1000) which are missing DNS entries. Luckily, the servers have a pattern. Let's say for example, the server names are...
Demand-based execution of a script on UF
My Splunk architecture is as below: UF -> HF -> IX -> SH. Here, UF and HF are in the same network, whereas IX and SH are in Splunk Cloud. I need to run a certain script on the UF only on user request. I can...
Splunk Alert for Unused volumes in AWS
Hello, I wanted to write a Splunk alert for unused volumes in AWS and send a Slack notification. Any suggestions on this? Regards, Dennis
Trigger specific custom alert
Hi there! I'm using this query index="dev" |eval raw_len=len(_raw) | eval raw_len_gb = raw_len/1024/1024/1024 | stats sum(raw_len_gb) as GB by kubernetes_namespace | bin _time span=1d To get the amount...
How to configure sending encrypted syslog via TCP
Hi. I have been struggling with this for a few days. :( I'm sure that I don't understand some steps correctly, so that's the reason. So I'm trying to configure sending logs from my NAS servers (Synology) to my...
Join two queries
Hello, I have this query that I want to improve | loadjob savedsearch="myquery" | where (strftime(_time, "%Y-%m-%d") = "2020-02-27") | stats dc(eval(if(STEP="Sent",ID_MESSAGE,NULL))) AS sent,...
Why are my processing queues full on some indexers, and nearly empty on others?
In my indexer cluster, on the MC under "Indexing>Performance>Indexing Performance: Deployment" I'm noticing that about half of my indexers show close to 100% across queues (from parsing to...