How do I edit my timechart search with timewrap to compare the latest 2 hours...
Hello, Sorry if this has been answered before, however, I am struggling with a search that I am trying to build. The ideal result that I am trying to achieve is the following: I want a time chart to...

How to create a search to show a trending single value for the last 60...
Hi, Sorry if this has been answered before, however, I am struggling with a search that I am trying to build. The ideal result that I am trying to achieve is the following. I wanted to create a search...

How to install the Splunk forwarder on a BlueCat DNS/DHCP Server?
Has anyone successfully installed the Splunk Forwarder on a BlueCat DNS/DHCP Server or otherwise got full DNS logging into Splunk from one?

Why might my Heavy Forwarder stop forwarding UDP:514 events?
Hi! I am getting a strange thing happening. My Heavy Forwarder (CentOS 7 Linux) running Splunk 6.2.5 is periodically stopping forwarding the data that is being sent to it via a UDP:514 rsyslog stream....

What other logs should I be collecting from Domain Controllers besides the...
What other logs should I be collecting from the Domain Controllers except for these ones, or are these all logs that DCs are generating? [WinEventLog://Application] disabled=0 [WinEventLog://Security]...

Our daily log indexing rate suddenly increased. How do I find out which index...
Recently, the ingest rate of logs (GB per day) has tripled on our Splunk server. We are trying to find out what caused the increase in logs per index. Any help is appreciated. Thanks.
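
An added example (not part of the original question or any posted answer): Splunk writes its own per-index metering to license_usage.log in the _internal index, and the `type=Usage` events there carry the byte count (`b`) and index name (`idx`) for each metering interval. The search below compares the average daily volume per index over the last 7 days against the 23 days before it, so the index behind the jump sorts to the top. It assumes _internal still holds 30 days of data and that the searching role can read _internal.

```spl
index=_internal source=*license_usage.log* type=Usage earliest=-30d@d latest=@d
| eval GB = b / 1073741824
| eval period = if(_time >= relative_time(now(), "-7d@d"), "last7d", "prior23d")
| stats sum(GB) as GB by idx, period
| eval GB_per_day = if(period == "last7d", GB / 7, GB / 23)
| chart values(GB_per_day) over idx by period
| fillnull value=0 last7d prior23d
| eval growth_pct = round((last7d - prior23d) / prior23d * 100, 1)
| sort - growth_pct
```

Once the index is known, rerun the same search with `by idx, st, h` (sourcetype and host) to find the source that changed. One caveat: when an index has more unique host/source pairs than the `squash_threshold` setting in server.conf, Splunk drops `h` and `s` from these events to save space, but `idx` and `st` are kept, so the per-index view above stays reliable even when the per-host breakdown does not.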

Is it possible to have your sourcetype be determined at time of indexing...
Title pretty self explanatory. The files that I am indexing are having their host be determined by the directory in which they are located. In my case, it is the system's hostname. For sourcetype, I...

What are these time modifiers doing?
I have a search where I want the first search to search the previous week (Sunday to Sunday) and then use the same search to search two weeks ago to the previous week. So, for example, if I ran the...
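
An added example, not from the original question or any posted answer. Splunk applies a time modifier left to right: `-1w@w0` first moves back one week and then snaps to the preceding Sunday 00:00 (`@w0` is Sunday; `@w1` would be Monday). So `earliest=-1w@w0 latest=@w0` is exactly last week, Sunday to Sunday, and `earliest=-2w@w0 latest=-1w@w0` is the week before it. Rather than running the same search twice and joining the results, this version (assumed index and sourcetype) covers both weeks in one pass, labels each event by week, and counts them side by side:

```spl
index=web sourcetype=access_combined earliest=-2w@w0 latest=@w0
| eval week = if(_time >= relative_time(now(), "-1w@w0"), "last_week", "week_before")
| stats count(eval(week == "last_week")) as last_week,
        count(eval(week == "week_before")) as week_before
| eval pct_change = round((last_week - week_before) / week_before * 100, 1)
```

The `relative_time(now(), "-1w@w0")` boundary inside `eval` is the same Sunday that `latest=-1w@w0` would resolve to, so the two halves line up with the original two-search approach. Dividing by zero yields a null `pct_change` rather than an error.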

How to get a stats count on multiple fields in a table sorted by count?
Hi All, I am trying to get the count of different fields and put them in a single table with sorted count. stats count(ip) | rename count(ip) as count | append [stats count(login) | rename count(login)...
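
An added example (not part of the original question or any posted answer) that avoids the `append` subsearches entirely: one `stats` call counts each field, `transpose` turns that single row of counts into one row per field, and `sort` orders them. The index, sourcetype and field names are assumptions.

```spl
index=auth sourcetype=sshd
| stats count(ip) as ip, count(login) as login, count(user) as user
| transpose column_name=field
| rename "row 1" as count
| sort - count
```

Note that `count(ip)` counts events in which `ip` is present, not the number of different values; use `dc(ip)` for distinct values. After `transpose`, the single result row becomes a column literally named `row 1`, which is why the `rename` uses quotes.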

Splunk 6.x Dashboard Examples: How to add icons to my table of search results...
Hi. I have a table I have filled with search results, and I want to add some icons to it based on the values. I have tried to use the Splunk 6.x Dashboard Examples app for `table_icons_inline` , but I...

Splunk unable to assign reasonable sourcetype to Solaris 10 BSM audit file...
I am indexing a couple hundred Solaris 10 BSM audit files a day. The audit files are converted to ASCII. It handles the indexing and host assignment just fine, but when it comes to the sourcetype, it...

What has your experience been like using Splunk with Cisco Nexus 9000 Series?
https://opennxos.cisco.com/public/articles/a-devops-view/#answer_58 I heard very great things about the use of Splunk and Cisco's N9K switch (basically a Linux server). Looking forward to hearing others'...

Why do I see completely different versions of the Splunk App and Add-on for...
I have a client who installed the Splunk App and Add-on for Okta last May, but they are completely different from the versions currently on Splunkbase (as of Dec 2015). Everything has been re-written...

How to exclude header data in a Cisco log file?
Hi Splunkers, I would like to remove headers from a Cisco file. I've tried transforms configurations, but I can't get it to work. I ran a search to troubleshoot: `"index=_internal sourcetype=splunkd...

In LDAP integration for user authentication, what version or versions of the...
In old versions of Splunk (e.g. 4.0) it was possible to select the use of LDAP v2 or v3. In the current product, is this still possible? If not, what version does Splunk use?

Does anyone have examples of using RegEx to convert a Syslog event to a...
I would like to convert a syslog event (no delimiters) to a delimited input at the UF. This would allow for faster searching because I wouldn't have to regex every event at query time. Can someone...

Anonymize before indexed_extractions
Hi, I have a csv input and want to anonymize data, but with SEDCMD it only works for _raw field. The fields created from indexed_extractions are not anonymized. The fields of the csv vary and the...

Issues With Blue Coat Logs From FTP
I have FTP servers where all the proxies sending logs. I installed the UF on this server (Windows server) and then deployed stanza for inputs.conf and outputs.conf files. I can't figure out why the...

How to load Java objects into Splunk
Hi, We will get a huge XML file from our client. I need to parse it and, based on the nodes, move the data to their respective indexes. In reports, I need to join the data from various...

Show data from external APIs in Splunk dashboard
Suppose there is an API endpoint *GET example.com/userscount* which returns a single integer in its response. I would like to show this value in a 'Single value' panel in a Splunk dashboard. Similarly,...