How to migrate DB lookup tables from Splunk DB Connect v1 to latest version?
Hi Splunkers, Our database team has a Database reporting app which uses Splunk DB Connect v1 add-on and DB lookup tables. We would like to have them migrated to the new Splunk DB Connect add-on which...
After the Daylight Savings Time change, why am I not getting results using...
We have some dashboards running searches with timewrap. I have noticed that after the Daylight Savings Time (DST) change on 03/12/2017 night, our searches are giving "0" as a result, whereas I can see...
search matching big multiline string
Hello All, I have a very big multiline string exported from an Excel CSV file to Splunk... it worked well, I can see all the values in fields. Now if I want to search index = xxxxxx source = yyyyyyyy field =...
Is there a way to search for a list of strings, and for each match, put that...
Is there a way to search for a list of strings, and for each match, put that string as the value of the same field? Edit: here's what I'm trying to do, i.e., "eval myField=( "value1", "value2", "value3")...
How to find latest events within multiple transactions?
I have multiple transactions similar to the following: Event Start Motor 1, Steps 2345 Motor 2, Steps 2232 Motor 3, Steps 2235 Motor 2, Steps 2532 Motor 4, Steps 2342 Motor 1, Steps 2642 Event End What...
How to restore data from backup into indexes?
Oldest data on Splunk indexes has been deleted, so we would like to restore it from backup. May I know what the procedure is to add old buckets back to the Splunk index from external storage? I thought to place...
How to retrieve the actual data file from indexed data?
Hi, my file got indexed. Unfortunately both the actual file and the indexed data got deleted, but we have a backup for the indexed data. We are trying to retrieve the raw data from the indexed data backup and...
Running btool shows there are no system/local folders. How to edit props.conf...
Troubleshooting a problem with trying to route events to nullQueue. Ran the btool props list --debug to see what was being applied and found that none of my "local" folders are listed. I thought those...
subsearch question
Cannot get results from query using subsearch. I would like to compare the previous percentage of used space with the current percentage of used space. My subsearch looks at the current percentage of...
Running splunk:6.5.2-monitor with "SPLUNK_USER: root" causes docker-compose...
*Goal*: I want to monitor my docker containers using `splunk:6.5.2-monitor` and its built in docker app for splunk. *Context*: 1. My docker-compose.yml contains `splunk:6.5.2-monitor` and several other...
how to list all the saved searches, macros, tags which contain a source=ABC?
Is there any way to list out all the saved searches, macros, tags, etc. which have a source=ABC in the query? Is there any query I can list them with? Or what could be the grep command to check in the backend...
How to create a CA Service Desk Manager ticket through Alerts?
Has anyone created an app or script to integrate with CA Service Desk Manager (SDM) (such as open an incident via API) which they wish to share? I'm trying to create a CA SDM ticket through the Splunk...
How to remove fields from appearing in my timechart panel?
I'm trying to remove a field from the timechart panel, e.g.: `index=os host=xyz | timechart avg(usedMB) as DiskUsed avg(freeMB) as DiskFree avg(sizeMB) as DiskTotal by host | eval DiskUsed =...
How to resolve error "ERROR: The mgmt port [8089] is already bound. Splunk...
Hi all, I was trying to restart the splunkd process on the deployment server and I ended up getting this error: "ERROR: The mgmt port [8089] is already bound. Splunk needs to use this port". Please do let...
How to create a consolidated report for a multiple panel dashboard?
I have 12 panels in one dashboard. I want to write a search which should give me the consolidated report of the 12 panels, other than Edit > Schedule PDF Delivery. Is there a way? I'm using Splunk 6.2...
How to add previous data to a number from another field, and put it as the...
I have 3 main fields: _time, total_vehicle, and changes. total_vehicle is only generated periodically and I would like to find out what is happening in between with the "changes" field. Just plainly...
How to create a pie chart or graph based on web log CSV?
I have a csv file that contains the date and time, visited url (which is a complete url, not just the domain), and visit count of a user's web history. I've already pulled the csv into Splunk and...
Any recommendations on slide showing Splunk ES dashboards on our SOC wall?
All, so we have Splunk ES working. Some of the dashboards are pretty nifty and we're thinking of doing a wall display of them. I figure every 2 minutes it should cycle to another dashboard in the app....
Why does searching "index=sonicwall" only return "tid=555...
Hi all, I've configured the Dell SonicWall to send its IPFIX through port 2055 to our collector. I am seeing the regular SonicWall events, but when I do index=sonicwall, I only see events like this:...
Is it possible to configure Splunk to show the filename only and not the...
In the Splunk deployment we have, I'm using the Splunk universal forwarder to monitor changes to a folder, specifically when a file is added, on an sftp server. So far this is working, however it's...