After upgrading an indexer cluster from Splunk 6.3.0 to 6.3.1, why is one...
After upgrading to Splunk 6.3.1 from 6.3.0 a cluster of 4 indexers one of them shows error `Could not bind to port IPv4 port 9997` and does not receive any forwarded data. Other 3 indexers upgraded to...
View ArticleHow do I get an automatic lookup to populate a table, even if there are null...
Hello - This is my first time asking a question here. I receive a lot of answers by reading others' questions (thank you) so hopefully you can understand that I have done my fare share of searching...
View ArticleWhere do we install Splunk Apps (ex: Palo Alto Networks App for Splunk) in a...
In our Splunk environment we have two data centers with one indexer each and one heavy forwarder each, and then we have one distributed search head. My lab environment is my home where I install and...
View ArticleWhy Splunk started as non-root cannot bind ports?
12-07-2015 15:08:37.498 -0500 INFO TcpInputConfig - IPv4 port 550 is reserved for splunk 2 splunk 12-07-2015 15:08:37.498 -0500 INFO TcpInputConfig - IPv4 port 550 will negotiate new-s2s protocol...
View ArticleDo I need to set up my search head or one of my indexers as my deployment...
I just set up 2 indexers and 1 search head. I need to use a deployment server to manage and deploy configurations across my universal forwarder. Do I need to set up the search head as my deployment...
View ArticleHow to create a dashboard panel of alerts triggered in the past 24 hours that...
I have set up alerting for my app such that it emails the user whenever the count or volume for today is outside of a range (+/- 25%) of the average. The alert is configured to send an email and to...
View ArticleWhat is the best way to install the Splunk Add-on for IBM Websphere...
Hi I'm looking to install Splunk Add-on for IBM WebSphere Application Server to get JMX data and WebSphere logs. What is the best way of installing the Splunk Add-on and getting the JMX data from...
View ArticleSplunk Add-on for Amazon Web Services: Why are VPC Flow logs writing to local...
We started collecting VPC flow logs at some point. But it started writing them to `/opt/splunk/var/lib/splunk/$INDEXNAME` instead of the `/EBS/$INDEXNAME` which is where the actual index I wanted to...
View ArticleHow to import a list of IP and port pairs, then compare this against firewall...
I regularly generate a list of IP addresses and port pairs for which I should see traffic, and I log firewall traffic in Splunk. Is there a way that I can import that list of IP/port pairs and then...
View ArticleSplunk internal log license_usage.log log rotation is not handled correctly.
When our license_usage.log is rotated to .1 .2 and so it splunk is not correctly handling the rotation as it should. This log is rotating every 4 minutes and is around 22MB when it rotates. Looking at...
View ArticleAfter collecting Cloudtrail data with the Splunk App for AWS, how do we...
Hi, We have a test setup for Splunk enterprise (in single instance) to receive Cloudtrail and was able to fulfill this using Splunk App for AWS. Now we would like to to send the collected data from...
View ArticleWhy am I getting JavaScript TypeErrors "i is undefined" and "e.replace is not...
Hi, I've got a couple of problems trying to make the following simple xml work: SAMPLE : Dynamic topNTop :20102030trueTop $topn_src_ip_token$ destination IPindex="myindex" | stats count by src_ip |...
View ArticleSplunk Add-on for MIcrosoft SQL Server and DB Connect 2: How to extract and...
We're polling an audit file from our SQL server, that includes a field called **additional information.** This field has a field inside it:field that I need to be indexed. I may have done something...
View ArticleDoes anyone have a Python script for adding a UDP data input?
Hello All, Can someone paste the syntax of a Python script for add a UDP data input? I have searched for it over google and haven't found it yet. Tnx in advance . Vadim
View ArticleHow do I edit my regular expression for rex to extract all expected fields...
Here is the logged event: SepsisGraphBuilderImpl: 11252495 MS VitalsGraphBuilderImpl: 2257 MS Mic2GraphBuilder: 358360 MS RasGraphBuilderImpl: 201 MS PatientInfoGraphBuilder: 1992 MS...
View ArticleCheck Point: Linking events together to produce a results set
I am looking to build a dashboard where a user can submit a session number & retrieve the entire history of a session with one catch: the session id isn’t on the last event but there is a UID that...
View ArticleWhy does this _internal log message have two similar key=value pairs and can...
It's not really a question, but could you please change your _internal log message: The maximum number of concurrent scheduled searches has been reached (limits: historical=2, realtime=2)....
View ArticleWhy is my search with "where NOT equals this OR this OR this" not filtering...
| dedup _raw | where NOT MsgId=="AUT22673" OR MsgId=="AUT23574" OR MsgId=="AUT20915" OR MsgId=="AUT22886" What am I doing wrong here? I expect it to disregard events with that criteria. Its bringing up...
View ArticleWhy are third-party certs getting deleted out of the...
Anyone know what would cause all the certs to be deleted out of the `$SPLUNK_HOME/etc/auth/Certs` directory? Must they be put in auth?
View ArticleHow do I index with regex using props.conf/transforms.conf ?
I'm trying to put logs which match a regex into a different index ("audit_private") than the one they come in with ("syslog_general_public"). Yet: My logs are all still in the original index, and not...
View Article