How do I edit my "eval if match" syntax to evaluate complex combinations with...
Hello all, I have the following eval function which functions properly: | eval my_count=if(match(lower(FieldName),"\\\filename.exe"),1,0) But I want to evaluate a few things in the if statement and...
Splunk App for Enterprise Security: Why do the Threatintel lookup files not...
Hello, I am using the threat intelligence lookup files from the Splunk App for Enterprise Security and the lookup file (e.g. threatintel_by_domain) is giving an error when it is not used after table....
How to edit my search to sum up the count of hosts per group for each account?
Hi All, I'm pretty new to Splunk so still learning my way around everything. Running a search like this results in the following table below: index=my table | stats count(Host) by Account, Group |...
Why am I getting a 500 Internal Server Error trying to set up the Splunk...
I've copied the directory structure to `$SPLUNK_HOME/etc/apps/splunk-add-on-jira-alerts`. I've copied the defaults directory to local. I log in as admin, go to app management, and select Setup on the...
How can I concatenate a single field's value across multiple rows into a...
Search: index=exp eventName="business:SelfServ-ChangeTrip" ChangeBookingEventType=ChangeBookingPayloadChunk hotelChangePayloadId="24c51841-8188-448b-9f4a-26f978ae4af9" | sort chunkSequence | fields...
Is there any need to upgrade the Universal Forwarder for Linux ARM (Raspberry...
I have installed Splunk Enterprise 6.3. The Universal Forwarder at my pi has version 1.0. Is there any need to upgrade the forwarder? thx
Is there a test license available to install the Splunk App for Enterprise...
For those that have the Splunk App for Enterprise Security, per documentation, it is advised to test the upgrade on a test system particularly if dealing with load balanced indexers. Is there a test...
Props.conf stanza matching hosts with literal pipe in name?
I would like to build a props stanza for hosts that have a literal pipe in their name. I have tried a few different formulations of this, which are: [host::*\|*] [host::(*\|*)] [host::[^|]+\|[^/]+]...
Splunk App for Stream: Why are we seeing constant growth of memory usage by...
Hello all! We've started to roll out the Splunk App for Stream to a few of our production servers. I've been watching the streamfwd.exe process' memory usage, and it just keeps growing. After leaving...
Ingesting AlienVault OTX feed service with Splunk?
Someone recently asked me how they could tie Splunk in with the free AlienVault OTX feed service. Has anyone ever done this and can they provide the dance steps? THANKS!
Securing indexed files: If someone could access the index directory and make...
Hi, I was wondering: if someone could access the index directory and make some changes in a journal.gz, what is going to happen? Is Splunk able to notice this? Will there be an error? A security...
Best way to collect logs from Checkpoint and Blue Coat Proxies?
What is the best way to collect logs from the devices that I can't install Universal Forwarders on? Should I use the available apps like the ones for Checkpoint and Blue Coat? Would I even need these...
How to create an HTML app setup page and have searches read a database name...
I have a simple page that I converted from Simple XML to HTML. It does some searches to a DB and gives the results in a few panels. Now I need to provide a way to configure parts of the app after it's...
What index(es) should the Splunk App for ServiceNow place its data in?
I just installed the Splunk Add-on for ServiceNow 2.7.0, and the Splunk App for ServiceNow 4.0.0 on a test bed. We're behind a proxy. I configured the credentials in the TA, and set up the proxy...
How to monitor events from Stratus V Series servers?
Hello experts, Has someone ever collated data from Stratus V Series? http://www.stratus.com/solutions/platforms/v-series-continuum-openvos/ We are working with a card processing company in Brazil, and...
KV Store in Splunk 6.3 won't start due to long namespace name
This seems to have started occurring after I upgraded to Splunk 6.3. The KV Store will not start with this error in `mongod.log`: 2015-10-16T15:55:29.724Z W STORAGE [initandlisten] database...
How to have a gauge dynamically change its width and height when I resize the...
I am trying to get a Gauge to Auto Re-size with the page. Currently when I re-size the page, they are pushed underneath another element. I would like width and height of the Gauge to dynamically...
How to edit my props.conf and transforms.conf to extract field names and...
Hi I want to extract the field names and field values of my events. My event looks like this: Step: 1000 Result: blabkbk Actual: blabblabl Step: 1100 Result: blabkbk Actual: blabblabl I want the field...
Why does the cluster master throw error "Archiver failure - Failed to create...
Oftentimes when we go to deploy our configs to our clustered indexers (Splunk 6.3.0) using: sudo -H -u splunk /opt/splunk/bin/splunk apply cluster-bundle It fails with the following error: Encountered...
How to add an AWS account to the Splunk Add-on for Amazon Web Services via...
We use clustered search heads and clustered forwarders. All the documents on how to set up the AWS account seem to be GUI based. So, we set everything up on one search head. Then copied our...