Config Explorer error
Hi all, I tried to use the Config Explorer app on a stand-alone Splunk server (on Italian Windows 10), but when opening it I have the following error message: An error occurred! init: An exception...
Logs not received into Splunk
Hi Team, HF has been installed on a server, connectivity has been created to Splunk, but we are not able to see any logs in Splunk. We have two different hosts. For one of the hosts we are able to see...
Need to add 45 days in a field
I have a field "add_time" with the values as "05-27-2020 08:57:34.024". I want to create a field which will show 45 days ahead of the given time, i.e. the output should be "07-11-2020 08:57:34.024". Please...
Don't Expire Alerts
Hello All, sorry to ask a silly question; I had a look around but was unable to find a solution. When we set an alert in Splunk, there is an Expires parameter. I understand this is TTL for the Alert...
Matching fields from different indices to return another field
Hi, I have two different indexes where I need to match a field and if true, return another field. First Search (Index1) FileName DeviceName explorer.exe myserver.test.com processor.dll...
ProcessRunner: No such file or directory
Hello! I’m working on streaming telemetry data to Splunk. I use Splunk Universal Forwarder v7 x86_64 to capture and stream data to Splunk Enterprise 8. I use the `script://` to capture data and run...
Can we delete frozen data in Splunk
Recently we encountered a problem. The /opt file system on the indexer server has reached 100%, due to which users were unable to search. We found that the /opt/splunk/archive/main folder is consuming most...
Splunk DB Connect app running on Windows with python3 is not working
Hi Splunkers, we have the following environment:
• Splunk - 8.0.0
• OS – Windows Server 2016
• Splunk db_connect_app – 3.2.0/3.3.1
• Python – python3
• Jre – 1.8
NOTE: Machine has timezone variable set...
How to use a .json file as input in a POST call to the REST API
I'm trying to update a role in our environment via the Splunk REST API, and I'm using a Postman-like app with an input file which holds several changes in parameters for the specified role. The post...
Corrupted fields problem
I have a problem with the search below for the last 25 days: index=syslog Reason="Interface physical link is down" OR Reason="Interface physical link is up" NOT mainIfname="Vlanif*" "nw_ra_a98c_01.34_krtti"...
Check Deployer and search head status in internal logs
I am trying to monitor deployer and search head service status using _internal logs. Which fields should I consider to monitor whether Splunk service on deployer and SH are up and running? Note: I am...
Command modifier: what is the use of it in simple terms
What is the use of a command modifier in layman's terms? I don't know what it does apart from the understanding that it modifies the commands.
String matches
I have events for each device with multiple checks as below, and I want to find the count of devices which have "Pass" on all the fields and the count of devices which have "Fail" in even one field. Device1...
Search with parameters
Hello, I have this query: index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR...
The scripts of Splunk Add-on for Unix and Linux pending in ps queue
I run Universal Forwarder 8.0.3 and Splunk Add-on for Unix and Linux 8.0.0 on AIX 7.1. I found no events came to index = OS. After I used ps -ef | grep splunk, I found some scripts, e.g. Iostat.sh...
Two overlays, using different time spans
I have the following timechart, that I display in a column chart, where I use the average value as an overlay. timechart span=1d avg(time), count However, if possible, I'd like a second overlay that...
Search only displaying 24 hours of data
1. There are approximately 1.5 billion ingested entries from 40 forwarders.
2. Performing a search with any criteria on Windows hosts lists all events, all time.
3. Performing the same search on Linux hosts...
"too_small" sourcetype gets appended in some Splunk versions.
I have added a monitor stanza for the log folder which contains log files that I want to ingest into Splunk. I have set the sourcetype for each log file in props.conf, but in some Splunk versions (like 7.3.3,...
I want to remove my unwanted logs into nullQueue. But no luck
#### #### #### #### 2020-05-12 14:34:52,060 2020-05-12 14:34:52,060 2020-05-12 14:34:52,060 I want to remove ####< from my events, so I used props.conf along with transforms.conf with this below...
The REST API add-on works with version 1.5.3 but when I upgrade to 1.8.1...
I've got about 10 or 12 REST API inputs set up in the add-on that are all working fine with 1.5.3 but stop working whenever I upgrade the add-on to 1.8.X. Is there anything I need to be changing to make...