How do I get the hostname from a triggered alert?
Splunk finds the desired pattern in the logs eg. "error xyz" and triggers a script to forward this condition into our enterprise monitoring system. All good stuff. How can I determine the hostname of...
How do I specify which sources should be indexed from data inputs and not the...
Hello, Please bear with me because I'm new to Splunk and I've only just started using it today. Also note that I am currently running their trial and have not purchased anything yet. I am looking to...
After upgrading Splunk, why am I getting error "Cannot find any source of...
After upgrading Splunk, I see the following error (in bold) when Splunk is started: ---------- Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking...
How to save username field in two endpoints in setup.xml
I have defined two endpoints in setup.xml. one is a custom endpoint and other is storage/passwords. There is username, password field in storage/passwords and is written to passwords.conf custom...
How do I read SSL Certificates from Custom Folder?
I tried to get my indexer and forwarders communicating using SSL by following [this][1] guide. However, I found that I couldn't get it working without just throwing all of the certificates into auth...
How to join two sources based on two search fields?
I have two sets of data: 1. sourcetype=app "DEBUG A" function=UpdateCartItemStatus status=Rejected 2. sourcetype=app "DEBUG B" function=UpdateCartItemStatus Set 1 (DEBUG A) also has the fields unitID1,...
How to remove a field from data before indexing?
Hi All; I have an interesting issue. Currently, I have data free flowing into a port in Splunk, and one of the fields in this data has become corrupt and is not allowing me to search my data...
Splunk Add-on for Infoblox: Why is the event time off for indexed logs in...
We have our InfoBlox appliance set to use UTC. However, Infoblox logs in Splunk are showing as -0400, but they should be -0500. Where do I adjust this? I'm not seeing anything in props.conf that stands...
How do I generate a report listing x sample events for each Windows event code?
I need to generate a report showing X entries for each type of Windows event code I have. The report would look something like: Event Code: X (say 4624 for example) <most recent event with an Event...
Why am I getting "Error while creating deployable apps...No such file or...
OS Linux Splunk Version 6.3.1 After executing the following command on my deployer instance, I am seeing this error. -bash-3.2$ ./splunk/bin/splunk apply shcluster-bundle -target...
I need to extract XML tag values, but I don't want to use spath. How can I do...
Here is the sample xml. There will be only one of the below tags in xml.-fd9035a:151642200c0:-37c2-fd9035a:151642200c0:-37c2 I want to extract **myMsgId**, using regex.
How to search and identify a real server crash vs planned shutdown/restart...
Hi Team, Please let me know how to identify a real server crash vs. a planned shutdown/restart. Any quick help is much appreciated. Unplanned/Real Crash: --------------------------------- 2015 Nov 30...
Is anyone else having problems getting apps to work with Splunk 6.3.1 and...
Every single app that was working with 6.2.x is not working with 6.3.1. I even installed newer versions of APPs but did little good. I have gotten many things to work, but overall memory and cpu usage...
Do custom Splunk apps need to define all their inputs, reports, and dashboards?
On a Splunk Enterprise install, I've created all the reports and dashboards that I want using the default search app. However, I just started creating a Splunk app to group all these reports together,...
Can Splunk convert a date to epoch time if the year is 1970?
When running the search: | eval startTime="1970-01-01"| eval dateadded_epoch = strptime(startTime, "%Y-%m-%d")| table Jobname dateadded_epoch I get no results, but if the year is changed...
Why am I getting a scheduled search "datetime strftime() error", and some...
I have a dashboard which loads a bunch of scheduled reports. This dashboard is emailed to me via pdf at 6 pm everyday. The dashboard loads/works fine, however, the pdf doesn't show all the panels. The...
Can we use a calculated field to calculate a new field in a data model?
When I try to use a calculated field to calculate a new field, eval is not coming back with any results. How can I use a calculated field to calculate a new field?
CIDR raw search?
I'm using a CIDR lookup table against raw data (find a match in the entire event, any field.) It won't work, understandably with CIDR notation as my lookup. Is there a command that can be used to...
Possible explanations for Index not being refreshed automatically?
Hi. I created a new index along with a fresh install on a Win7 system a few days ago. It should be pointing to some log files that are continuously being updated. When I first created it,...
What would cause a Fatal thread error in thread typing found in the Splunk...
Hello everyone, Over a ~26 hour period I am seeing several fatal errors regarding the typing thread. I've done some research and there is very little information about threads to be found online in...