How to calculate the time difference in minutes between two events?
I have two events I'm using this nt_time=strptime(VENDOR_NOTIFIED_TIME,"%F %T")|eval st_time = strptime(START_DATE,"%F %T") |eval latency = nt_time-st_time| start date or vendor notified time looks...
Why is my field extraction not working properly between two log files?
Hello, I want to extract a field with the field extractor in Splunk. But when I extract these logs on log 1, I will get my field I want : "HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account" But on log 2,...
How to configure Lookup File Editor App for Splunk Enterprise to be called...
Hi, I want to call to "Lookup File Editor App for Splunk Enterprise" from another app. The idea is when you press over the option, launch lookup editor, and a specific csv file. It was working in old...
How to configure a local Splunk Server to search indexes on a remote server?
I have a new local install of Splunk that I want to use to develop dashboards without making changes to my production install of Splunk Enterprise. I'd like for my local Splunk server to run queries...
Splunk App for Unix and Linux: Unable to see categories after renaming the...
Hi All, I have Splunk App for Unix and Linux installed on all the forwarders and all the components of the environment. I have copied a new dropdowns.csv file to the SA-nix app lookups folder in order...
How to create a choropleth map using state abbreviations?
Does anyone know if/how you can create a choropleth map in Splunk using state abbreviations? I have been trying the following search but to no avail. index=traffic sourcetype="traffic_logs" | stats...
How to hide the Search & Reporting app from a user, but allow them access to...
Hello all, I have created an app which contains some dashboards which I would like to present to a single user. However, I would like to restrict access to the Search & Reporting app. When I...
How to configure coldToFrozenDir in indexes.conf on multiple indexers to...
So let’s say I have 2 or 3 indexers and I configure the coldToFrozenDir in the indexes.conf… [default] maxWarmDBCount = 200 frozenTimePeriodInSecs = 432000 rotatePeriodInSecs = 30 coldToFrozenDir =...
After installing the Splunk App for Unix and Linux 5.2.1, why is the app...
Just installed latest Splunk App for Unix and Linux (had already installed TA). Upon running the app, I get the following messages: home_disk_free Macro missing home_cpu_idle Macro missing unix_noop...
Splunk Add-on for Unix and Linux: What other configurations are needed as OS...
I have a universal forwarder installed on Centos and logs are indexed in Splunk, but OS information is not passing through. What other configurations are needed to configure Splunk Add-on for Unix and...
After installing universal forwarder on my Windows server, why am I not seeing...
On one of my Windows servers, I have installed a universal forwarder. I am receiving the internal logs but no data is coming in.
Why am I receiving "Invalid value "-15d@d" for time term 'earliest'" error?
Our cluster environment woke up this morning with this message "Invalid value "-15d@d" for time term 'earliest'". All other time ranges are working, including "-16d@d" or "-10d@d". Any ideas? PS: I...
How do I hide a panel when "no results found" text is displayed on a dashboard?
How do I hide my dashboard when I see "no results found" text displayed on my dashboard? I tried the code given by Splunk team on this website, but still didn't work. Below is my code and doesn't hide...
How to edit my search to list top 10 products sold in the last 4 hours, and...
Hi folks, I have Splunk version 6.2.7 and am trying to create a report to display the top 10 products sold within the last 4 hours (in quantity and displayed per product name) and compare those results...
How to configure SA-SPLICE to feed STIX format data into Splunk?
I am a beginner level Splunk user. I am currently on a project where I will feed STIX format threat intelligence data in Splunk in order to use Splunk for analytics. I understand that I will need...
How to write a search that will determine if a lookup file has been updated?
Hi. I have a lookup file uploaded from the clients manually, and how to determine if a lookup file is updated? My main goal is to create a savedsearch to check if the lookup file is updated, then...
How to edit dashboard to use token values to determine table cell color ranges?
I've gotten a statistics table with cell column color formats changing depending on a value, such as: [#D93F3C,#FFFFFF,#FFFFFF]99,100 but I would like to provide the ability for the user to enter the...
Why is coldToFrozen script only working for one index?
I'm trying to implement a coldtofrozen script for data retention using the Atlassian app/script that is shared in some other answers, which moves buckets to S3. (apparently I don't have enough karma...
How to search for IP addresses in a lookup that are not found in my events?
I have a lookup which has an IP address column, and I'm trying to find which of the IP addresses from this lookup table DO NOT appear in any of my events. I'm very new to this. I've been trying...
How can I further edit inputs.conf in order to blacklist an event on Windows...
Hi, I am tired of making this filter work but unfortunately nothing worked. I have Windows Security events where there are two places where the "Account Name" field appears. For ex (one under "Subject"...