I want to delete fields whose total value is less than the threshold on a...
index=_internal | eventstats count by sourcetype | where count > 100 | timechart span=1m count by sourcetype note:earliest=-60m if the total is less than the threshold, I don't want to display the...
Field Extraction for different types of data
Hi Splunkers, Splunk suggests extracting fields at forwarders for structured data. Why? And what if I have field names in the log / no field names in the log? I am confused about whether my...
Timezone Query
I have a Deploy server application that I use to control my "SYSLOG" server that receives logs from various other sources. The SYSLOG server has a SPLUNK UF installed on it and it sends the data to...
Convert Time Picker values into readable format?
Based on the time picker & time modifier token I am displaying the time values in a human-readable format in a label. For this command I am getting the proper results. | makeresults |...
Getting Windows logs into Splunk
Hi, I am very new to Splunk. I am looking for a way to get windows logs into Splunk. I downloaded the Splunk forwarder but the issue is that this gives me gibberish logs. Example:...
Repopulate a CSV with data from a search using curl
Hi, what is the best way to repopulate a CSV with data from a search using curl, but without using a username and password, as I want to cron the search? Thanks
Subtraction: | eval field1=mvfilter(match(field, "OUT$")) | eval...
Hello Community, I evaluate the values of a single field which comes with values such as OUT, IN, DENIED and can get counters for each of those values. Now I want to subtract "OUT" minus "IN" (or...
Splunk forwarder on Linux - ./splunk "commands" just hang
It has been a while since I have worked with Linux, but doing my best to refresh my knowledge. Successfully installed the latest forwarder on Ubuntu and it has actually phoned home and the deployment...
Display TV guide style UI in dashboard
I am new to Splunk and I need to display my data in a typical TV guide format. The X axis is a list of channels; the Y axis is a timeline with a scroll bar to go left and right of the current time. Each row of the line...
How to merge multiple lookup lines into one
I have a table formatted something like this:
1 John, Smith, a123, superuser, blah
2 John, Smith, a123, audit user, blah
3 Sally, Smith, a234, regular user, blah
4 Andy, Smith, a345, audit user,...
Splunk dashboard can't send email
When I input the related email address into the dashboard, it shows the error message "command="sendemail", 'rootCAPath' while sending mail to:". How to solve this?
Why can't I see some data that I was able to see a month ago? Even if...
Notes:
- Our retention policy is 3 years for that abc index.
- When I exported the result of that query a month ago, I was able to see that particular data.
- Today when I run the exact same query, I can...
Why is past data missing even if the date range is inside my retention policy of...
SPL: "(index=3y OR index=3mon) (host=x OR host=y) name="RegisteredUserLog" actionType=egg pointGet=true (platform=0 OR platform=1) | eval earned_date=strftime(_time, "%Y-%m-%d") | stats count by...
Issues with tab focus after Splunk 7.3.3 upgrade
We have created a dashboard in Splunk using tabs as per the URL below and it was working perfectly fine....
Okta Splunk data collection error
After the configuration of the Okta Splunk TA app I see the following error in _internal: HTTPError: 401 Client Error: Unauthorized for url: https://XXXYYZZZ.com/api/v1/logs I verified the token used is...
Sending alert email to the extracted user field
I have set up alerts in Splunk and usually I hard-code the recipients' email IDs in the TO field, and it works flawlessly. But in this case, I cannot hardcode the user email ID in the alert's TO field,...
KV store problem
Hello, I'm running Splunk with Kubernetes and Ansible. From time to time I'm getting this error: [SPLUNKD] Error in 'inputlookup' command: External command based lookup 'kv_alerts_prod' is...
SSL/TLS with requireClientCert in web.conf fails
Hi! I have worked for a while to make Splunk use TLS and PKI as much as possible. At present the system consists of version 8.0.1 components only. I have managed to get the Splunk Indexer to require client...
How to enable just one tag name from the CIM model?
How to enable just one tag name from the CIM model? E.g. I just want to use the network tag from the Inventory model. But the data model gives an error saying other tag names are not included.
Problem with tab focus in dashboard in Splunk 7.3
We have created a dashboard in Splunk using tabs as per the URL below and it was working perfectly fine....