Is it possible to run an indexer cluster with varying amounts of storage...
We have an on premises Splunk infrastructure with indexers that have 9 TB of usable storage in a cluster. We are moving from 6 months retention to 1 year retention and need to double our storage. Is it...
Multiple Timestamp Aggregation in Reports: How to have a single report for a...
We are logging information from a network security device that has multiple fields of interest. LOGIN, LOGOUT, START, and DISCONNECT messages all have unique time stamps and messages associated with a...
How to generate a search to compare the value of a field with a CSV table?
Hello! I'm currently trying to compare the value of a field with a csv table. I want to compare the destination port (dst_port) with the values of pwhitelist.csv and display the ports that are not...
How to set up an alert if an ack message is not available for a particular req?
Hi, I have messages like this. How to set up an alert if an ack message is not available in the logs for a particular req? And when the time between req and rsp is more than 30 sec I need to set up one more alert. my...
Can you please recommend a Splunk friendly FIM monitoring solution for Windows?
All, Can you recommend a simple/cheap/Splunk friendly FIM for Windows systems? Ideally something with an app ready to go? thanks -Daniel
How to edit my search to find the sources from sourcetype?
Hi, I am using the following search `| metadata type=sourcetype| where match(sources)` to find all the sources that a particular sourcetype has. Can someone please help in correcting the search?
How to resolve "Problem replicating config (bundle) to search peer...
Have 1 indexer and 1 search head. Separate VMs. When trying to view indexed data from search head UI we receive the error "Problem replicating config (bundle) to search peer 'xxxxx.yyyy.com:8089', got...
Is it better to use 'offline' mode or 'maintenance mode' in a multisite...
We need to replace one of the local hard disks in a Splunk indexer that is part of our multi-site (2 site) index cluster. We want to do this without kicking off any bucket fixup activity because we...
Splunk DB Connect: Is there a limit on the size of a SQL query?
Hi All, I am using Splunk DB Connect v1 to run a SQL query in Splunk. My query size is 8,865 characters. The query runs fine in MySQL client but does not run in Splunk. If I reduce the size to ~8,200...
How to filter results based on date (not _time)?
I'm trying to filter my data results based on the following: myDate format: **yyyy-mm-dd HH:MM:SS** (Ex: **2017-03-14 03:59:59**) I need to filter results where the myDate is within the last 3 months....
How to find out why an indexer is using more license than other indexers?
How to find out why an indexer is using more license than other indexers? Because I have 5 indexers, out of which 2 indexers were using 12% whereas the other 3 indexers were using 11% and license pool...
Is configuration bundle used to remove an app or add-on?
We are moving to a new Anti-Virus vendor and I will need to add the add-on (TA) for the new vendor. My question concerns the old TA. If I remove the $SPLUNK_HOME/etc/master-apps/ section concerning the...
Why is my simple alert not firing?
I have a simple scheduled search that is running every 5 minutes. The search runs fine and I can see there are results, normally between 10-20 results. The alert trigger is set to 'Trigger Condition:...
How to use result from subsearch in my search?
Hi All, My data looks like this: sourcetype - Loginstats contents - Hostname, host, Address sourcetype - Clientstats Contents host, Address, "Symbol subscriptions" What I want to do is use a subsearch...
Indexer Clustering Replication Status Pending
Hi dears, I have * 21 indexers * in my Splunk environment running in index cluster mode. **After upgrading** the whole site from **version 6.3.1 to version 6.5.1**, I have the problem with **...
Extracting a field and sending alert
Hi, I have the below event for which I need to get an alert whenever the event occurs and get the version of the file. [2017-03-13T16:16:07-04:00] INFO: Processing...
Is there a way to make pivot tables look better?
Hello, I've been working with statistics tables and I've noticed that they're quite ugly to look at. For example, if I split a chart across more than one column, the column header becomes:...
Commands not usable from Enterprise Security?
I have an app installed from Splunkbase, which has a custom search command defined in it. I've set the commands to be globally available, and it works fine. I can invoke the commands from any of the apps...
Index all but one input
Guys- I'm facing an (apparently) challenging task: I have a standalone Splunk test instance which serves as a first point of ingestion for new inputs- however, what I want to achieve is the following:...
Problem with JSON file
Hi all, I've got some problems with my RegEx commands on a JSON file. I'm trying to do a linebreak on each },{ value and remove the header and footer. The last two seem to be working quite well. I...