How to restrict users' access to real-time data and searches?
I want to restrict all users' access to real-time data and real-time searches. How can I do this?
How to edit a multiselect token to include a field with a null value?
I have a multiselect box on a field, modelName. modelName can have different values or an empty value, e.g. `modelName="modelA"`, `modelName="modelB"` or `modelName=""`. modelName="*" I set the default...
How to hide the Real-Time Presets option in the time range picker for users?
I want to hide the Real-Time Presets option in the time range picker for users. How can I do that?
Is it possible to trigger a restart script on a forwarder when an alert...
Hi, we monitor server status using the access live log. It continuously checks for 200 statuses in the log. When we get a status other than 200 for 5 minutes, we need to trigger an alert. I see a...
New to Splunk: Any guides or recommendations to get started in learning Splunk?
Hi guys, I am new to Splunk. I work with another SIEM but I don't have experience with Splunk for managing searches, apps, IDS tuning, or SIEM management. Can anyone guide me with that? Hope to get your...
Is it possible to use Splunk DB Connect to search MongoDB?
I'm using Splunk Enterprise (licensed) and I want to connect to an external MongoDB to search data stored there. I don't want to index any of this data. I don't have a Hunk license. Can I still...
How does this search work?
I am using the tag name in the search query to filter down to the app-specific index, followed by "index=index1" to filter down to a specific index. tag=app_index index="ïndex1" | stats count by index | dedup...
How to view the results of a saved search in Python 2.7?
I connected to Splunk and did some searching, but I cannot see the results of the saved search... import splunklib.client as client import splunklib.results as results mysavedsearch =...
Splunk App for Windows Infrastructure: How to fix a macro on Failed...
Some Failed Logon dashboards return no results on the search head, but the dashboards are working on the indexers. eventtype=msad-failed-user-logons (host="*")|fields...
Why is Nav Refresh not occurring on my search head captain?
I have added the nav contents on one search head (the captain), used the refresh, and restarted Splunk. But we're still not seeing the nav I added. In the documentation, it is specified that the nav...
How to get a developer license for Splunk IT Service Intelligence or Splunk...
Is there any way to get a developer license for Splunk IT Service Intelligence (ITSI) and/or Splunk Enterprise Security (ES)? I would love to adapt my apps to fit into ITSI/ES and add adaptive response...
How to change timezone from CST to EST during search time?
Hi, can you please help us change the time from Central to EST at search time? We have our server in the Central zone and hence we are seeing the time as CST. index=sa host=central.1 sourcetype=tidal_log...
How to prevent duplicate events on an XML file that is updated all day?
Our file lands on a Windows server. We are using a Universal Forwarder. The file structure is XML starting with a tag, and then the tags update events all day at various intervals. We are getting many...
How to edit my props.conf to make sure CSV file data gets indexed?
Hi, I am using the props file below for CSV, but the data is not getting indexed or sent into Splunk. Need help in updating props.
[data_csv]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
HEADER_MODE = firstline...
Add 2 columns in a table on an applied condition
I have 3 columns in a table as below. I need to sum two columns (mag and depth) if place="7km W of Cobb,california" or "1km se of loma linda,california". Show the result in mag and make depth a 0 column...
Forward data to an indexer cluster
I am in the middle of understanding an already-built environment and trying to figure out how a Splunk universal forwarder is configured. A brief about the environment: 3 search heads, 2 indexers, 1...
What's the best way to get Bro logs from an IDS to Splunk Enterprise Security...
Right now we have another instance of Splunk and the Bro add-on running on the IDS; the bro index is then forwarded to the main Splunk/ES. Assume we need another Bro add-on on the main server (the messages are...
Does INDEXED_EXTRACTIONS work for Active Directory?
Hi, I'm looking at options for improving some reporting for a heavy feed from AD. Is INDEXED_EXTRACTIONS supported for AD events?
Why do I sometimes get "Failed to load component." in the Events tab while...
During some searches, the query runs and I get the extracted fields in the fields sidebar; however, in the events panel I get "*Failed to load component*". Why is this happening?
Splunk Architectural Questions - DMC, CM, LM, DS, SHCD?
First some quick background: I have a new but fairly complex Splunk Enterprise ES environment with HA index clustering and two search head clusters (one for ES and one for core Splunk). All servers are...