Is there a character limit for sourcetypes?
Hi everyone, I have doubts about character limits to sourcetype. I'll need to get a sourcetype name using transforms/meta, but I have very large fields, greater than 50 characters. This will be a...
Why am I unable to blacklist all content in a certain directory with my...
I am trying to blacklist the following in the inputs.conf Currently I have this: [monitor:///var/log] disabled = false blacklist = /manager/tomatod* index = os I have tried to blacklist all content...
Why is my scheduled search producing a count of zero, but get results when I...
Hi All, Currently I am facing an issue with scheduled reports. The scheduled job is getting executed as per the cron job set for every two hours, but we are not seeing any events getting triggered. On...
Query fails from Dashboard, but succeeds from Search. Is this a licensing or...
I'm using a Splunk application I developed myself 2 years ago. At the time, I had an Enterprise trial license. I saved off a number of configuration files (indexes, inputs, props, transforms and...
How to expand macros in a Splunk search?
I have a search as follows: index="x" search_name="Y" (status=Z) | 'A' | 'B' where A and B are macros Now how can I see the complete search by expanding all the Y, A, and B? Also, if the macros (A and...
Splunk _internal logs get indexed multiple times (including metrics and...
I see the same problem on other `_internal` logs, but I'll focus the example on the `license_usage.log`, since it's near and dear to all of our hearts. ;) I found a few similar questions but without an...
Tons of network errors in Python log
I'm receiving a ton of errors in my Python log from the AWS Addon on the HF I'm running the data gathering from. I have been collecting data, and seemingly my dashboards appear to be working OK....
How to edit my REGEX in transforms.conf to allow certain data to get indexed...
Hi, I have a regex to allow certain data into Splunk via a transforms, and now I need to update it. I made some changes, but the data still isn't coming in, so I'm assuming that my regex is wrong....
What is the recommended procedure to move an app from one Search Head Cluster...
I need to move a few apps from SHC1 to SHC2. My plan is below. Critique please! (SHC1 uses deployer Dply1, SHC2 Dply2) * Stop all SHC members on SHC1 * Copy target-app entirely from SHC1 to all members...
If maxDataSize in indexes.conf is for hot buckets, then what parameter needs...
In indexes.conf, it is given that "maxDataSize: The maximum size in MB for a hot DB to reach before a roll to warm is triggered". What parameter is defined to set size for warm buckets and the cold...
How to edit my props.conf for proper event line breaking based on my sample...
Ok, I give. I can't seem to figure out why this is failing... This is the log: (Suitably neutered) 2016-11-03 13:34:00,654 [10] INFO XXXXXXX_YYY.XXXXXXX - Script Name Input: 2016-11-03 13:34:00,716...
Why are search results in Splunk Web getting truncated and not parsed...
I am seeing an issue with results being truncated and not parsed correctly for some events when I do a search via Splunk Web. However, if I export the results and look at the event, the entire log is...
Why is index time json field extraction not working for events from a .gz...
We are trying to extract fields during indexing time for JSON format events with .gz file, however, it is not extracting the fields and also not extracting the event time from the json field. Can you...
How to remove duplicate events if all data is identical except the time and...
Hey, Fellow Splunkers I have multiple duplicated events, all data on the event is identical to the exception of the time. I'm attempting to filter based on Alert ID; however, both events have the same...
Any idea why a particular sourcetype would stop showing data after 10/31/16...
Here are some pieces of info that may be relevant: - The sourcetype in question shows no data after midnight on October 31st when searching - Setup: 1 Splunk server, no replication or anything, 40...
How do I get Splunk to recognize and parse one of my field values in JSON...
I have perfect key/value pairs in my log (I am using the Splunk Add-on for Microsoft Azure to get table storage logs). The logs have: LogTyppe: LogTyppe MessageDetail: {"test"="this will work",...
How do I sort my results from my sample data into different columns?
I have the below data that I want to sort and show up in different columns as 1. Device (that shows the different rpp's) 2. Daily_AVG 3. Threshold 4. Date 11/3/16 10:00:06.000 AM *2016/11/03 10:00:06|...
What methods are you using to do your Splunk Enterprise Security Incident...
We have a lot of indicators in our Splunk Incident Review queue, and I am having a challenging time with Splunk Enterprise Security Suppression, and it's driving me nuts. It's been about a year and I...
What is a managed app in Splunk Enterprise Security?
I'm attempting to create a new correlation search in Splunk Enterprise Security (4.1). I've created a blank app to house all the custom searches, but when I pick the app from the "Application Context"...
Show certain text in events as BOLD during search time?
Is it possible to show certain text in the events as BOLD after running the query? I have used rex mode=sed in my search query to replace certain contents in my events, like below: original event:...