Splunk Hadoop Connect: How can I change the file names created by the app?
Hi, I am trying to transfer the data from Splunk to Hadoop using Splunk Hadoop Connect. I see that I have 3 files created 1). 3691308f2a4c2f6983f2880d32e29c84.1476896341.cursor 2)....
How to monitor a folder to index each new text file every day?
Hi, I have a search head and I need to monitor a folder that has a text file in which every day there is a new file. I configured the Splunk forwarder on the host and configured Splunk for monitoring...
Why does the "View Results in Splunk" link in alert emails lead to an empty...
Query: index=xyz | bin span=10m _time | stats count as Count by _time Trigger condition: where Count > 0 My alert is triggered and I receive an alert email. When I click on “View Results in Splunk”...
How to edit props.conf for proper line breaking of a log file that does not...
Events are not breaking up correctly for this particular log file that does not have `YYYY-MM-DD` in the timestamp. Here is the log from one of the apps that was not so greatly written. I say this...
How to forward data to both third party and indexer servers without...
I am fairly new to Splunk. The company I work for already has Splunk universal forwarders installed on servers to pull log content out to Splunk servers to index. Now we would like to forward the same...
How is categorization of messages (ERROR, WARNING, INFORMATION, etc.) normally...
I am a Splunk user (with no control of data collection) and have set up color coding for errors (red), warnings, etc. in different colors. To do this, I had to categorize the data I could, but I can't...
Cell value colours in 6.5, wildcards?
Hi all, Just wondering if there is a way yet of adding cell value colour schemes using wildcards in 6.5? So if I want to colour every cell containing the string 'sausages' I could use something like...
Splunk ES Incident Review Dashboard Default Search Time Settings
I am a Splunk ES (enterprise security) user, looking to change the default search time setting for all users on the Incident Review dashboard. By default, it is set to search "All Time." I would like...
Struggling with inputs.conf and conflicting rules
Hi, I'm struggling with an issue involving my old nemesis, inputs.conf rules :-). In this case, we have a catch-all rule on our apache servers' inputs.conf at the bottom that looks like...
transforms with SOURCE_KEY using FIELDS
Dataset 10.24.11.102 - user1 [10/Sep/2016:02:46:12 -0400] "GET http://www.foo.org:80/lib/stone/csrf/token.json HTTP/1.1" 200 393 10.32.52.18 - user2 [10/Sep/2016:02:28:21 -0400] "GET...
Is there a way to control stash_new files in spool directory?
Backfilling will increase the number of files in your spool/splunk/ directory. Is there a way to check the status of what's already indexed? Any way to increase the time or prioritize the write to...
Correlated event
Can anybody advise me why the query below is not showing the IPs, whereas I am sure that there are some IPs that are in bluecoat logs but not in websense logs: index=websense sourcetype=websense src NOT...
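As an added illustration, not the poster's query (which is truncated above), one common SPL pattern for listing source IPs that appear in one sourcetype but not another is to exclude the second set with a subsearch. The index, sourcetype and field names (`bluecoat`, `websense`, `src`) are assumed from the wording of the question:

```spl
index=bluecoat sourcetype=bluecoat src=*
    NOT [ search index=websense sourcetype=websense src=* | stats count BY src | fields src ]
| stats count BY src
```

The subsearch in brackets is expanded into `(src="a.b.c.d") OR (src="e.f.g.h") ...`, so `| fields src` matters: it keeps the subsearch from also emitting `count=` terms that would never match. Two caveats a practitioner should check before trusting the result: the subsearch runs first over the same time range as the outer search, so both sourcetypes must be searched over the same window, and subsearches are capped by default (10,000 results and 60 seconds via `limits.conf [subsearch]`), so on a busy websense index the exclusion list can be silently truncated and IPs that are in both sources will appear in the output.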
Why is wildcard search much slower than "where like(field, value)"?
I have two searches that return the same result in my **single Splunk instance environment**, but there is a huge performance difference between the two searches. **Searches:** 1. index=main...
Export all panel results as different CSVs on single button click
Hi, I would like to export the CSVs of all the panel results with a single button click. So far, I am able to get this on individual clicks. Is there any way to do it?
Y Axis Scaling
Hi, We have a few dashboards where we set the Y axis height depending on the query results. However, it seems that this option has now been removed in 6.5.0? The answer to this [question][1] is what we...
How to compare using eval expression and field value pair
I want the table to be generated based on 2 conditions - one condition is comparing an eval expression and the other a field value pair. How to do that? index="myindex" |eval Due_Date_Time =...
Extract fields in JSON during index time
Hi, I'm a newbie to Splunk field extractions. Appreciate any help on this. I have JSON format logs like below: ![alt text][1] [1]: /storage/temp/166244-json.png I want source and tag as a field i.e...
Is there a way for my app to run a Python function on server start?
I want Splunk to run my script when the server starts and stops. Of course I can write a custom shell script to launch Splunk and do that by hand, but is there a way to have my app run on startup?
How to rectify or clear the error message shown under Splunk Portal -->...
Hi All, Can you guide me in how to resolve/clear the following error messages that are displayed in Splunk Portal. Splunk version - 6.2.1 Errors that are popping out in the messages drop down are 1)...
ui-prefs.conf and Dashboard fieldset time picker default earliest and latest...
Is there any way to get dashboard time picker default time values to use values from ui-prefs.conf? I have tried every combination I can think of and nothing seems to work. We have many dashboards that we...