Why does my scheduled report deliver results in PDF, but in Splunk Web, it...
First time running into this issue. I made a new report of suspicious logons (24 hours) to run once a day. The search itself returns good results, and the resulting PDF from the scheduled report email...
View ArticleIs it possible to send dashboard PDFs to an internal SharePoint site?
Hi, we have a requirement from the business team and they don't want to receive the scheduled reports in email, instead they want scheduled PDF's stored in share points links which are internal to the...
View ArticleStatus Indicator - Custom Visualization: How to change the color of the...
Hello guys. I need the color of the status indicator panel to change based on the results of multiple searches. What I don't want is to write a big search with a big or condition to make that happen. I...
View ArticleIf a search head cluster is deployed in multi-site, what type of storage is...
If a search head cluster is deployed in multiple sites (2 sites), what is the type of storage is required for each search head? Local storage is fine or do we have to use SAN storage?
View ArticleLookup in macro does not work from savedsearch
We are on Splunk 6.2.1. This is all in Splunk search... I have a macro with lookup which works fine in a simple query but when I save the query and attempt to invoke from "| savedsearch ..." I get this...
View ArticleMy lookup in a macro works in a search, but why does it not work using...
We are on Splunk 6.2.1. This is all in Splunk search... I have a macro with lookup which works fine in a simple search but when I save the search and attempt to invoke from `| savedsearch ...` I get...
View Articlehow to pass a search result as a token in a drop-down?
i want to pass a search result as a token in a dashboard. please give me with sample xml code to do this.
View ArticleWill Splunk update the host field in indexed events if a universal...
So after months of battling an issue with our indexers dropping connections, we determined that there was a problem with the indexers performing reverse DNS lookups for the connecting servers. To...
View ArticleHow to use a search (which is running from a paid app) in my own app?
Hi, I want to use a search which is running in paid app called "pinger" to my own app called "XYZ" Is there any way to do this ? Thanks.
View ArticleExtend finite fields into the future in conjunction with the predict command
I'm attempting to build out a capacity chart that shows total elements used in a system and predicts the future count of elements. My basic search is: index=foo sourcetype=bar |eval capacity=250000...
View ArticleWhy is the eval command not working for Calculated Fields in Data Model?
I am designing a Data Model wherein I am specifying two or more sourcetypes in the constraints. The eval does not return values when i try to sum fields. For example: Constrain: index=some sourcetype=a...
View ArticleHow to configure authentication in REST API Modular Input?
Hi, I just installed the REST API Modular Input add-on in my Splunk Enterprise environment. I'm trying to input data from the Usabilla.com REST API using this add-on, but I'm having a problem that I...
View ArticleHow to backup KV Store for specific lookups?
We have several Lookups defined and i would like to backup kvstore for specific Lookups (For instance i need to backup only 5 out of 200 lookup definition defined). Is there a way to do that? Splunk...
View ArticleSearch Time Field Extractions Too Slow
All, I am trying to tune performance on a set of data. Basically I have narrowed it down to search time extractions being the issue but I really don’t see any resource limits on the search heads that...
View ArticleHow to improve performance of search time field extractions that are too slow?
All, I am trying to tune performance on a set of data. Basically I have narrowed it down to search time extractions being the issue but I really don’t see any resource limits on the search heads that...
View ArticleHow to edit my props.conf to line break before each timestamp in my multi...
Hi, I have logs with multi line events and I am trying to line break before the timestamp, but before date there is `-}",`. Can you help me write the props.conf so the line breaks before the date?...
View ArticleCustom Search Commands Have Worse Performance than External Lookups?
I wrote two versions of the same Python streaming command: one as a simple external lookup script, and one as a full custom search command (using V2 of the custom search command protocol). I tested the...
View ArticleActive Directory FS 2.0 SSO: What is the recommended logout configuration?
Splunk, The Splunk SSO documentation is unclear on the recommended logout settings. Are these correct, I couldn't find any documentation of than a blog post?...
View ArticleWhat common commands or search strings are used when investigating or...
Does anybody have any 'common' commands or search strings they would use when investigating or searching for Indicators of Compromise (IOC) or Indicator of Attack (IOA)? Any information would be helpful!
View ArticleAre there any plants to output ISO-3166 alpha codes from iplocation command?
Any plans to output ISO-3166 alpha codes from the iplocation command @arahut_splunk, or should we implement a maxmind-based csv lookup / custom search command?
View Article