Are there limitations on the number of real-time alerts that one user creates?
Mainly I'm curious because one of my users asked me, but are there limitations on the number of Real-Time alerts that one user creates? The reason I ask is because there are several users on the search...

When I try to add or delete port 9997, why do I get the same "Error occurred...
When I try deleting port 9997, I get the following problem: Error occurred attempting to remove 9997: In handler 'cooked': Could not find config id for port 9997. When I try to add port 9997, I get the...

Where to install apps in a distributed environment?
We have a distributed environment of one search head, one indexer and one deployment server + license master. I'm working on resolving CPU utilization issues right now related to too many scheduled...

How to move lookup tables from Symantec SIM to Splunk? Does anyone have...
Like the Trojan lookup tables? How can I test if the event isn't happening? I could set up the search for the port/protocol/name and use the email event - does anyone have an example of this? The other...

Moving a search head pooling Windows environment to a Linux environment,...
Trying to get a Windows environment moved into a Linux environment, and having problems finding where props.conf is applied to the data. There's no props.conf in local on the search heads, the cluster...

Calculating an average that depends on the value of one field
I have this list of events:
1. dir=up, time=60, speed=12, weight=92
2. dir=down, time=54, speed=16, weight=32
3. dir=up, time=69, speed=10, weight=66
4. dir=up, time=99, speed=84, weight=47
5. ...

Why can I not get max real-time searches to exceed 12 in limits.conf?
I have 6 CPUs and limits.conf in /etc/system/local has the following:
# the maximum number of concurrent searches per CPU
max_searches_per_cpu = 6
# the base number of concurrent searches...

How do I configure props.conf to recognize the proper timestamp for my logs?
Hello, I have an issue where a small percentage of my logs are coming in dated 2011. I tracked it down to a field called `usernum=*` where some subset of the users account numbers match Epoch time...

How to install the Splunk Add-on for Microsoft SQL Server and configure...
So the instructions for installing this add-on include the following pertaining to installing on a search head cluster: Search Head Clusters Yes You can install this add-on on a search head cluster for...

Lookup File Editor App for Splunk Enterprise 2.0.2 hangs on retrieving...
I am using Internet Explorer 11, and Lookup Editor 2.0.2 hangs on the lookup_list page just showing "Retrieving lookups..." In the browser console I see that LookupListView.js throws an error at "Line...

Should I turn on hyperthreading with Splunk?
My Intel processor supports hyperthreading, which should provide more performance. Should I turn on hyperthreading while using Splunk?

Unable to find the difference in time between two events. What am I doing wrong?
Hello, I am trying to report on the differences in time between two events. To do so seems straightforward enough. Take eventA = _time (of event A) eventB = _time (of event B) TimeDifference =...

Splunk Add-on for Check Point OPSEC LEA: Why are the extracted values for...
I just onboarded Checkpoint logs using the Splunk Add-on for Check Point OPSEC LEA, and most of the fields look OK except for a few ones which seem to swap the data between each other. Fields like...

Is it possible to use a part of the source name as _time during CSV import?
Hi, I'm uploading multiple CSV files. Unfortunately, they don't have a usable field for the timestamp. Is it possible to grab a part of the filename (source field) to define _time? The structure of the...

How do I remove unique IDs from error logs and stacktraces in a search in...
Hi all, I want to count similar errors and stacktraces in order to prioritize them. I have a search that works in most cases: index=ix_dis_appl_p loglevel="ERROR" | rex "ERROR](?.*)" | stats...
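An added example, not from the post above and not Splunk code: the same idea (strip the per-occurrence identifiers from an error message so that repeats collapse to one signature, then count the signatures) written in plain Python so each replacement rule can be checked on constructed log lines before it is encoded as `rex`/`sed` in SPL. The sample log lines, the placeholder names (`<UUID>`, `<HEX>`, `<HASH>`, `<IP>`, `<N>`) and the rule ordering are assumptions for illustration. Stack-frame line numbers such as `Cart.java:88` are deliberately kept, because they are what distinguishes one error site from another.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    '2015-04-02 10:01:07,112 [ERROR] Order 3f9c7a50-1b2e-4c3d-9e8f-0a1b2c3d4e5f '
    'failed: NullPointerException at com.example.Cart.total(Cart.java:88)',
    '2015-04-02 10:01:09,441 [ERROR] Order 9a8b7c6d-5e4f-4a3b-8c2d-1e0f9a8b7c6d '
    'failed: NullPointerException at com.example.Cart.total(Cart.java:88)',
    '2015-04-02 10:02:15,003 [ERROR] Timeout after 30000 ms talking to 10.0.4.17:8080 (request 48213)',
    '2015-04-02 10:02:16,750 [ERROR] Timeout after 30000 ms talking to 10.0.4.22:8080 (request 48219)',
    '2015-04-02 10:03:01,009 [ERROR] Session 0x7f3a9c21e4b0 expired for token '
    'e3b0c44298fc1c149afbf4c8996fb924',
    '2015-04-02 10:03:05,333 [WARN] disk 91% full',
]

# Mirrors the post's rex: everything after "ERROR]" is the message of interest.
MESSAGE_RE = re.compile(r'ERROR\](?P<msg>.*)')

# Ordered (pattern, placeholder) rules. Order matters: a UUID must be
# replaced before the bare-hex and bare-number rules get a chance to chew
# on its pieces, and "0x..." before the long-hex rule.
NORMALIZERS = [
    (re.compile(r'\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b'), '<UUID>'),
    (re.compile(r'\b0x[0-9a-fA-F]+\b'), '<HEX>'),
    (re.compile(r'\b[0-9a-fA-F]{16,}\b'), '<HASH>'),
    (re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b'), '<IP>'),
    # Bare integers, except ones glued to a ':' (keeps Cart.java:88 and host:port).
    (re.compile(r'(?<![:\w])\d+(?!\w)'), '<N>'),
]


def normalize(message: str) -> str:
    """Replace per-occurrence identifiers with placeholders and tidy whitespace."""
    for pattern, placeholder in NORMALIZERS:
        message = pattern.sub(placeholder, message)
    return re.sub(r'\s+', ' ', message).strip()


def count_signatures(lines):
    """Count normalized error signatures across raw log lines; non-ERROR lines are skipped."""
    counts = Counter()
    for line in lines:
        m = MESSAGE_RE.search(line)
        if not m:
            continue
        counts[normalize(m.group('msg'))] += 1
    return counts


def top_signatures(lines, n=5):
    """Most frequent signatures first, the prioritisation order the post is after."""
    return count_signatures(lines).most_common(n)


if __name__ == '__main__':
    for signature, count in top_signatures(SAMPLE_LOG):
        print(f'{count:4d}  {signature}')
```

The rule order is the part worth checking on real data: a rule that is too greedy (for example a bare-number rule that also eats line numbers) merges errors that should stay separate, while one that is too narrow leaves one signature per request ID, which is the problem the post describes.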

Does the Website input add-on support JavaScript?
I have an input that's only useful after the JavaScript on the page has run. Is there a way to have this application run the JavaScript before pulling data?

How to apply a rangemap to string values?
Hi Splunkers! I am running the following search to try and apply a "low" rangemap value if a string matches "up", and a "severe" rangemap value if the string matches "down", but I can't get the eval...

Why is the stats command wiping out a custom extracted field from my search...
Hello. If I run a search like this: "..." | dedup 2 correlationId | eval EpochTime = _time | eval nowTimeEpoch=time() | eval minTime=0 | eval maxTime=1 | stats min(EpochTime) as minTime max(EpochTime)...

After upgrade to a Splunk 6.2 indexer cluster, why do searches hang with high...
Hi, We've recently upgraded to a Splunk 6.2 indexer cluster, but we're finding that searches will hang and the system goes unresponsive. We're forced to restart the entire system. Our hardware doesn't...

Why is my search on JSON data producing duplicate results for each line,...
Hi guys, I have a problem. Every time I try to run the following search, the result is duplicated in each line, but the date and time. What can it be? My log is in JSON format. index="my_index"...