How can I filter my results to compare values in two fields?
I have 2 fields called **sc_bytes** & **cs_bytes** in my results. How can I then filter my results to give me events when the value for **cs_bytes** is *greater* than the value for **sc_bytes**?...
How to fix my Search Head Cluster when SH members are not in sync?
Just created a Search Head Cluster with 3 nodes and a deployer. The deployer and 2 of the 3 SHC members are in sync, but one isn't. I have reissued the deploy command but the issue persists. A dashboard is fine...
How to group values of the same field and display timechart counts for each...
I first need to group values of the same field... Group1 (values match A1, A2, A3,...) Group2 (values match B1, B2, B3,...) Group3 (values match C1, C2, C3,...) ...then, I need to display the counts...
Transaction command returning 'no results found'
I'm trying to manipulate some data from our incident management software to calculate the amount of time an incident spends in a particular status (Open, Assigned, Work in Progress, Resolved, Pending,...
How do I add date to field as a parameter to filter results for a dashboard...
I have a search set up that pulls data from our website by country IP and network domain. I'd like to add code to my dashboard that would also pull the date the file was accessed. What do I need to add...
How to resolve data not flowing through forwarders in order to generate...
We have a daily scheduled report which is to be generated at 12pm every day. The issue we are facing is that the data isn't getting in. In order to make data flow, we are currently restarting the...
How to add keepevicted=true in the datamodel or the query which uses...
Hi, I've created a datamodel which has a TRANSACTION. When I try to use the datamodel query for a longer period of time, say 7 days, I'm seeing the following error: > Some transactions have been...
Qualys VM App for Splunk Enterprise: Facing problem in updating the...
Hi All, currently we are facing an issue in updating the qualysscanlookup.csv file after executing the Splunk query. **Our exact requirement is that Splunk should find the IPs that are not scanned...
Will Splunk Add-on for Okta 1.2 work with Splunk 6.5.0?
Please can someone confirm that the Splunk Add-on for Okta version 1.2 works with Splunk 6.5.0 Enterprise? I have used the Chrome extension 'Postman' to validate my token and also curl from the Splunk...
Is it possible to put a conditional statement in a field extraction?
I have files I am ingesting that have variable formats. I want to pick those lines out that only have an IP address as the third value and extract that as **srcIP**. Is this possible to essentially put...
How to eliminate duplicate alerts from being generated if search time is...
I have an alert that looks like this: index=test Operation="Add member to role." | eval lag_sec=_indextime-_time | table UserId,Operation,lag_sec,_time Normally, if I was receiving and indexing the...
When running a CLI search with a specific timerange, is there a way to...
Attempting to build some monitoring whereby we run a Splunk search from the command line interface (CLI) over a given timerange, which returns a certain count, and then use that count to trigger off...
Feature Request: Add data types to columns, such as integer or enum
In many cases, some columns of a lookup should adhere to a data type, for example:
- assigning a priority from a list of priorities
- defining a threshold as a number
Restricting the input for such a...
How to write a regular expression for my use case?
11-01-2016 14:53:32.199 -0500 INFO StreamedSearch - Streamed search connection terminated: search....................... 11-01-2016 15:01:31.638 -0500 WARN DateParserVerbose - Failed to parse...
Add final total count of results
I can't seem to figure out a way to add a bottom row for a total count of results (records) to the end of the results without adding another column for a count and then totaling that column. There must...
After moving Windows Event Logs to a non-default location, what edits to...
I'm using the Splunk Universal Forwarders on our Citrix XenApp servers to forward logs to Splunk Enterprise. Besides the default Application, Security, and System logs I've also added AppLocker logs....
Cannot configure data enrichment in ES
As I am fairly new to SHC, I seem to be getting the same message in ES when attempting to edit/view > Configure > Data Enrichment and any of the options related to Identity, or anything else from...
How to calculate differences between the counts of different searches
Hi all. I have a first search: index=first sourcetype=type1 | stats count and a second: index=first sourcetype=data_sourcetype | join ID [search index="second" sourcetype="datatype2"] | stats count...
When indexing historic and real time data together, does Splunk index old...
I have to index the historic data along with real time data from the log file. May I know from which point the indexing starts: whether it ingests old data first and the latest data at the end, or...