What is the best practice for installing and managing apps in a distributed...
We have Splunk installation in a distributed environment with search head clustering and indexer clustering enabled and managed via a master node. We are currently in the process of ingesting network...
Separate indexes within single monitored directory?
I have a single directory being monitored. Via the Splunk GUI, you can only select a single index for the logs to be output to. There are dozens of different types of logs, but there is a specific kind of...
Extracting fields between pattern in a search and calculating length of...
Hello. I have a similar question to this: https://answers.splunk.com/answers/176585/how-to-extract-a-field-between-two-patterns-in-a-s.html I want to do something similar for Get Request strings with...
-1 value at _time field using timechart
Hello Splunkers. I'm having an issue with timechart. Scenario: I have an index that contains summarized data. I want to create a timechart showing the sum of bytes used. However, in the field _time, I...
How to modify my timechart to get the results as I needed?
I have a search as follows in which I am trying to display 2 fields (My Search) | timechart span=1h count by field_username which displays the result as follows _time user_a user_b user_c user_d...
Any ETA for release of Splunk App for Windows Infrastructure 1.4.0?
I want to upgrade to Splunk 6.5; the only thing preventing me from doing so is the reports that the Splunk App for Windows Infrastructure does not work at all with it yet. I understand it has to do with...
Display no data found when no search results displayed for each panel
How do I display a message to the user saying "No data found" on the dashboard panel when each of the panels returns no data at all? Currently, I am hiding panels when no search results are displayed for...
How to split a string into 2 separate fields in Splunk 6.5?
Hi, before Splunk 6.5 I used commands like this to split strings into separate fields. For fields like **productId=abc_text_def** | rex field=productId "(?.*)_text_(?.*)" Since 6.5 this does not work...
SSL Certificate Password - What password is this option referring to?
I was setting up the Indexer Discovery feature over SSL and according to the Splunk documentation, I am supposed to put the below info into the Splunk configuration files. For Indexer [SSL] serverCert = path...
Searching Index Cluster - Getting Duplicate Results
I am testing our new indexer cluster using our existing search head. I added the indexer cluster servers to "dist_search" and created an indexer group so I can search just the cluster. However, all of...
Why is Incident Review not working after upgrade of CIM and Splunk Enterprise...
Incident Review is not working after the Splunk ESS 4.1.1 and CIM upgrade. I also checked the data sources and their respective correlation searches are enabled, but still I can't see any notable events or data...
How to fix an error "Received event for unconfigured/disabled/deleted...
Search peer xxxxxxxxxx has the following message: Received event for unconfigured/disabled/deleted index=wineventlog with source="source::WinEventLog:Security" host="host::clientxxxx"...
How to generate a search to plot a scatter chart?
How would one write out their **grouping and reporting commands** to **plot a scatter chart** for the following sample results? [01/May/2015:20:39:49 -0400] conn=2693355 op=9521 msgId=9522 - SRCH...
How to edit my search to append a total average column for a chart?
I can't seem to find a solution for this. I've created a chart over a given time span. I've been able to add a column for the totals for each row and total averages at the bottom but have not been able...
What are the configuring inputs for the Splunk Add-on for Netflow?
Please, I need help! I'm configuring inputs for the Splunk Add-on for Netflow. When I'm fetching "flowfix.sh" I can't find it, and the folder "nfdum-ascii" is always empty while executing the steps of...
How to edit my regular expression to extract the numbers and semicolons from...
I don't understand how Splunk does regex! I have this search below: ... | spath output=test path=a.b.c | rex field=test "?[0-9]+" | table test, test1 Test is this:...
Why am I getting "Invalid key in stanza [lookup:cam_category_lookup] in...
During startup, I get the following message: "Invalid key in stanza [lookup:cam_category_lookup] in E:\Splunk\etc\apps\Splunk_SA_CIM\default\managed_configurations.conf, line 34: expose (value: 1)"...
How to fix Splunk forwarder port 9997 stuck in a "time established" state?
On one of our client's Windows servers, we have a Splunk forwarder installed. I have verified the services on it are up and running, and I had checked whether the port is listening or not. Port 8089...
How to determine which servers are ingesting data into our Splunk instance?
My instance is the search head for our project, so I want to know the servers which are ingesting into only my instance with IP address ****
Is there a script to automate installing universal forwarders on multiple...
I have a use case to install Splunk Universal Forwarders on 600+ Windows servers at a time. Is there any script to automate it?