How to troubleshoot why I'm not getting email alerts from Splunk?
I have set up email on my Search Head. I am able to send a test email message using the following: whatever search | sendemail to="me@mydomain.com" But when I set up alerts, I do not get an email, and...
How to add a string to Palo Alto Network events during reindexing of data to...
It was discovered that the beginning of each event is getting cut off. The event time, hostname, future_use1 field, and half of receive time field are missing. Please see examples below. The current...
What do I need to change to make this regex work in Splunk?
I've been fighting with and researching Splunk regex for the past month, and I just cannot seem to get the PCREs being produced by another source to work for me for searching proxy logs in Splunk. I'm...
Why is Splunk indexing two hostnames from one server?
Backstory: I'm running several instances in which they terminate nightly. These instances are automatically re-created in the morning. I have data volumes that are mounted to each instance that...
Subtraction doesn't work for multiple values in one field
I managed to create a table that somewhat looks like this: However, when I tried to append a new column with the differences between after and before as its value, it just gave me a...
Why am I unable to match two fields from two sourcetypes using mode=sed with...
I have two sourcetypes that have URL fields. I am attempting to remove the `.` so that both fields are just letters and numbers. When I run the searches separately, they work correctly. When I combine...
How to configure F5 BIG-IP APM (Access Policy Manager) alerts in the Splunk...
Hi, Has anyone encountered how to configure F5 BIG-IP APM (Access Policy Manager) alerts in the app Splunk for F5 Access? I’m looking to get notified via email if thresholds are exceeded on the APMs....
Why does searching for event types not work after using fields command?
I have a search where I'm trying to get some results, select some fields from them, and then search further into those fields. Something like this: http_status=500 eventtype=ProductionAccessLog |...
Universal Forwarder on Windows issue
Greetings all! I haven't worked with Splunk in about a year so I'm a little rusty. Anyhow, I have Linux systems logging to Splunk no issue. However, I seem to be running into a problem with Windows logs....
Bar graph with span=1d
I have a search looking for 7 days of data and one field below STATUS="Delivered","created","released","Awaiting Delivery" Now I want a bar graph of Total orders and Delivered orders. Total orders...
Can someone help with installing the Palo Alto app on a forwarder? Having...
I installed the Palo Alto app on the Splunk Enterprise server and was able to pull data into the app. But I was reading that it wasn't a recommended setup, so I pushed the app out to the universal...
Filter events on heavy weight forwarder sent by universal forwarder
Hi Team, We want to drop events which contain the keyword "error". Below is our setup: universal forwarder ------>Heavy weight forwarder -------->indexer/cloud We have multiple universal forwarders...
Need to compare two reports
Hello all, I have a query that I have scheduled to run twice as a report: once for last week (Sunday to Sunday) and once for the week prior (also Sunday to Sunday). The query looks for Logins, and then...
Ignore time stamps from CSV events
Hi, I am almost stuck on this for three days now. I am unable to stop indexing of the timestamp from the events. But when I set `DATETIME_CONFIG = NONE` or `DATETIME_CONFIG = CURRENT` I am unable to...
Using stats with a by on 2 fields works + but what about timechart with a by...
Using stats with a by on 2 fields works: `...| stats max(kpi1) as "kpi1" max(kpi2) as "kpi2" by field1 field2` but can I do the same using timechart (so far I don't think I can) `...| timechart...
Is it possible to change the timezone of logs from a feed based on a field...
Is there a way in the configuration of a feed (this is a pull from AWS) to look at a field value (state) and change the time to reflect when the event occurred? All the logs I currently get are in GMT,...
How do you search for the True Host IP Address that is behind a gateway device?
I am a novice user and I am attempting to retrieve the true Host IP Address for a host behind a gateway device. Trying to find a simple way to get this information.
Is it best practice to migrate eventtypes to the Search app with or without...
Is it best practice to copy the /search/local directory to the new search head cluster members and not use the deployer? I used a deployer to set up LDAP, but per documentation, it says not to do the...
How do I use eval with two searches and format the result as a Single Value?
Hi, I've done a search that uses eval with two searches to get the final result. Then, I'm trying to see the result as a Single Value, however, as the Single Value uses the first column and my the...
Splunk DB Connect 2: Why is an account with the db_connect_admin role unable...
New installation of Splunk DB Connect 2 and have set up my database connection, as well as an input or 3. My admin account is able to view all the data on the health tab, but another account with...