Why can't I see stats values from a subsearch?
Hello. I want to extract timestamp data using stats list() and display that data as part of a larger search, so I run it inside of a subsearch. If I run the search as the main search, like this:...
Lookup File Editor App not finding *many* lookups
Hello, Yesterday we upgraded to v2.0 to take advantage of new features. Prior to this, there were no problems, but now we're only seeing lookups from 4 of our many apps (about 31 lookups instead of...
Why do blacklisted logs index to main?
I have a group of hosts that use the blacklist function in a monitor stanza in inputs.conf. Here is the referenced stanza: [monitor:///usr/Interwoven/LiveSiteDisplayServices/runtime/tomcat/logs/*.log]...
Error while posting to...
Using Splunk 6.3.1 and SplunkforPaloAltoNetworks 5.0 trying to add WildFire API Key via UI. Is there a way to just add this via config or CLI? Encountered the following error while trying to update: In...
Mobile Access to a SearchHead with own SSL Certificate
Hey, I have a SearchHead in the DMZ for the access with the Splunk Mobile App, connecting to the Management Port 8089. Now I would like to install my own SSL certificates. Do I have to configure this...
How to compare fields across multiple sourcetypes
Hi all, I'm working on a search that essentially would take the field results from one search where I'm looking for a specific `PBM` ("Problem Number") and the `RMTMS` ("Reporting Serial Numbers")...
User can not see logs
I have created two indexes, two apps and have mapped users to them. There is nothing in the restricted search terms box and for either user group I have simply added the ability to search the two...
Macintosh OS 10.11.1 will jack up your Nest input
Looks like some Python stuff has moved in El Capitan. I am now getting a lot of errors (and no data) from the Nest input. Upgraders beware. 11-20-2015 17:54:47.322 -0700 ERROR ExecProcessor - message...
How to restrict a user to see only a specific dashboard?
I've designed a dashboard and some users want to view it. How can I restrict users to only view the dashboard and be unable to: A: clone dashboard; B: enter in search tab; C: set that as home dashboard
searchtime field extraction - troubleshoot props.conf
I have certain logs which are indexed correctly. Field extraction using props.conf and transforms.conf works correctly when I am searching within the indexer. However, when I am copying the same set of...
What are the bundles present in /opt/splunk/var/run/splunk/cluster/remote-bundle
Hi, We have a distributed Splunk deployment with Index clustering. We observe that application bundles are present in /opt/splunk/var/run/splunk/cluster/remote-bundle location in the master indexer...
severity_id bug?
In file default/props.conf the following aliases are defined: [source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...] ... FIELDALIAS-severity_for_windows = Type as severity...
Splunk login - field input validation interfering with entering interleaved...
I usually use passwords with two or more strings that are easily remembered, then alternate the characters of them in the field. I.e. I type one of the strings, then go to the beginning of the string...
Timechart query with multiple subsearches
The following query works for a specific time period. eventtype=A | stats count |join type=outer [search eventtype=B | transaction host maxspan=3m | stats count as B_Count] | join type=outer [search...
Monitor file system to get file list with creation time
Hi, I have a requirement where I have to monitor a directory containing files whose creation time is no longer than 15 minutes. So here, as per the requirement, I have to get the list of files every time with creation...
how to line break snmp data
Dears, I have configured a scripted input that polls SNMP of network devices using the snmpwalk command, but the problem is that the walk comes back to me as one event with 3000 lines. I would like to know how to break...
Applicability of search filters for user roles on lookup table content
I would like to implement a strategy where branch office splunk users can only see events and lookup table content relating to resources in their own branch office. I can get the event filtering...
How to set alert when the replication and search factors are not met on the...
The status of the replication factor and search factor on the indexer cluster is fluctuating and I would like to set up an alert. This happens due to bucket fixups pending. Can someone help me create an...
CLI to disable / enable REST data input
We are running SPLUNK 6.1.4. We have a server with a REST API feed which every so often stops processing. To start it again we go to the console and disable/enable it and it works OK after that. Is there...
Can you make Splunk treat lookup files as local configuration?
I am running a custom app that uses lookup files to get some of its configuration on a search head cluster. When the lookup files are edited on a search head they replicate across to the others with no...