Scripted input with PowerShell - SplunkTime not working
Hi, I have a PowerShell script that's being executed, but the event time is showing as the time the script runs. The script outputs objects like this: SplunkTime : 12/05/2015 15:32:06 RESEND_TYPE :...
How could I filter network firewall data using a field value?
Hello, I have a firewall that sends a lot of data. I would like to filter events using a specific field value (example: whitelist field="value"). My stanza is like this: [udp://516] connection_host = ip...
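The usual index-time pattern for "keep only the events that carry a given field value", added here as an illustration and not taken from the post: a catch-all transform routes every event to nullQueue, and a second transform routes the whitelisted matches back to indexQueue (when several transforms set the same key, the last match wins). The source key `udp:516`, the stanza names and the literal `field=value` regex are assumptions for the example.

```ini
# props.conf on the first Splunk instance that parses the UDP input
# (indexer or heavy forwarder; a universal forwarder does not apply TRANSFORMS).
# Assumed source key for the [udp://516] input; confirm with "| stats count by source".
[source::udp:516]
TRANSFORMS-whitelist = drop_everything, keep_whitelisted

# transforms.conf
# 1) Match every event and send it to nullQueue, i.e. discard it before indexing.
[drop_everything]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# 2) Events matching the whitelist pattern override rule 1 and go to indexQueue.
#    The pattern is an assumption; anchor it on whitespace so that the value
#    embedded inside another field (e.g. otherfield=value) does not slip through.
[keep_whitelisted]
REGEX = (?:^|\s)field=value(?:\s|$)
DEST_KEY = queue
FORMAT = indexQueue
```

The regex runs against the raw event text, not against search-time extracted fields, because routing happens in the parsing pipeline before any field extraction; splunkd must be restarted on the parsing tier for the change to take effect. The same two-transform arrangement, with the regex replaced by the text of the unwanted message and the stanza keyed on the relevant sourcetype, is also how noisy splunkd internal messages are kept out of the index.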
How to sum a field and group by another - but remove the first entry per group?
I have a search that sorts events by a field (SYMBOL). My issue is that I want to sum the duration between events by SYMBOL. I have: index=xxx sourcetype=yyy ..... | sort 0 SYMBOL, _time |...
Dashboard export to PDF - Panel title appears on incorrect page
When exporting a dashboard to PDF (in Splunk v6.3.1) I get the title for a panel appearing on the page before the panel. You can see in the [PDF...
How to use Timewrap over a dynamically found day?
Hello, I'm trying to use the Timewrap command dynamically. Indeed, in the documentation, it is written that you can filter the date: .... | timechart count span=1h | timewrap w | where strftime(_time, "%A") ==...
Issues with Splunk 6.3.1
Hi there, I have Splunk Enterprise installed on a Linux server. I am accessing it through an instance like http://(server ip)/8000/ from my Windows machine. I have added the Splunk Add-on for ServiceNow and...
How to add a field extraction to an existing default field
I have logs that do not use the default name=value format for the "user" field. When I add a field extractor for my user format and name it "user", the default format of "user=" is no longer included in...
Big license usage: How is log collection via OPSEC being done? Is the script...
Hi Splunkers, We have a customer that is collecting Check Point FW, IPS, and VPN logs via OPSEC. The Check Point version is R77. At the moment Splunk is indexing about 30 gigabytes per day. If we look at...
Are there any setup steps for the Splunk Add-on for Box on search head servers?
I installed the Splunk Add-on for Box on my heavy forwarder and search head servers. Per the documentation, I configured the app on my heavy forwarder to retrieve events from Box. While viewing the...
Parsing the data in the bcoat_proxysg sourcetype
What's the best way to parse data in bcoat_proxysg source type to get rid of the blob of info and have more distinct fields to query on? (short of having to create regex expressions) ... Is there...
How to not index certain messages from splunkd on the forwarder servers
I am trying to minimize the amount of apps I have by putting paths into inputs.conf that may or may not exist on all hosts in the serverclass. I am getting a ton of the following: 12-18-2015...
Splunk REST export to pipe-delimited file
Hi, I am trying to retrieve saved search data using the REST API and show the results in CSV format. Is there a way I can change the delimiter to pipe instead of comma? The command I used to fetch...
Fetching data from a Cassandra database through a REST API
Hi, I have a Cassandra database which is only accessible through a REST API (with authentication). I want to fetch the data from the Cassandra database (a NoSQL database) through Splunk. I am using "DB...
Variable TIME_FORMAT
I have a log that has time expressed like this 20151218111015. So that would be December 18th, 2015 11:10:15. However, sometimes it doesn't have the seconds. So, the props.conf TIME_FORMAT could be...
Confused about having the deployment server on a separate system.
I am in the process of revamping our Splunk installation. This time around we are attempting to implement a more distributed system. In the past we have had a single server running everything,...
Splunk API query returns inconsistent results
Hello, I am getting inconsistent results from Splunk for the queries below. query1: search index=index01 AND status=success AND (userid=user1 OR userid=user2 OR userid=user3.... till userid=user50) | stats...
View result has a broken link
The view result link in the email alert doesn't open because it redirects to splunk.xxxx.com:8000. If I remove the 8000, then it works. How do I change this so that it redirects to the proper host?
Choosing App Redirects to Splunk Add-on for Unix and Linux: Setup
When I choose the "Splunk Add-on for MySQL" in my list of apps, it always brings me to the Splunk Add-on for Unix and Linux: Setup screen. We don't even have that app. DB Connect App has been set up...
Importing .txt files
Below is the format I want to import. The data is showing \xA0 where there should be a £. Please can you send through some recommended settings for props. Date:\xA001/12/2015 Description:\xA0CARD...
Splunk outer join where only results from A are returned: possible?
I'm looking for the join syntax for an outer join in Splunk that is not "all of A and all of B that's in A". Rather, what I need is "all of A that's not in B." The A and B index records look something...
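The "all of A that is not in B" query is an anti-join, and it can be written two ways in SPL. Both searches below are added examples, not code from the post; the index names `a` and `b` and the join key `id` are assumptions. The first uses a left join and keeps only rows that found no partner on the B side; the second avoids `join` altogether (and its subsearch row and time limits) by tagging each event with its side and keeping keys that were seen only on the A side.

```spl
index=a
| join type=left id
    [ search index=b
      | dedup id
      | eval in_b=1
      | fields id in_b ]
| where isnull(in_b)
| fields - in_b

(index=a) OR (index=b)
| eval side=if(index=="a", "A", "B")
| stats values(side) AS sides, first(_raw) AS _raw BY id
| where mvcount(sides)==1 AND sides=="A"
```

The join form returns the A events intact but is bounded by the subsearch limits (10,000 rows and 60 seconds by default in `limits.conf`), so it silently loses matches on large B sets; the stats form scales, but collapses each A key to one row, so any A fields you need in the output have to be named in the `stats` clause.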