Channel: Questions in topic: "splunk-enterprise"
Browsing all 47296 articles

Are there versioning restrictions when upgrading a multisite indexer cluster...

When performing a site-by-site upgrade, am I limited by the number of versions I can upgrade across?


How to configure line breaking for my sample JSON event?

I've been through this thread: https://answers.splunk.com/answers/295142/line-breaker-in-single-line-printed-json-doc.html without any success. I have JSON data coming in as 1 event, and I need it...


Is there a way to specify the Splunk search Schedule Window defaults?

We have a distributed environment, and a lot of people have searches set to run every 15 minutes. This is leading to a huge spike in searches every 15 minutes. Is there a way to specify the Schedule...

What is a summary index and how can one check whether the summary index gets...

My main question is I am trying to check whether the current summary indexes in our environment were getting the data from a particular sourcetype. How can I do that and actually where can I check all...

How to edit my transforms.conf in order to set the sourcetype for each syslog...

Hello, I have a customer sending three different kinds of logs via syslog. I am pulling the logs off of a network feed where I had him point the syslogs to. It's listening on port xx514. The logs look...


How to edit my search to filter out results where the HTTP Referrer contains...

I have a search as follows: (Referrer!="*bing*" AND Referrer!="*google*") Note: Referrer is the http_referrer field from Apache Logs. The above includes log entries that have the Referrer as **blank**...

Why is my newly created field extraction not showing up in the fields sidebar?

I've seen similar questions to mine asked, but none of the advice has solved my issue. I created a new field extraction (which correctly pulled the data in the 10,000 event sampling) and it shows up in...

Splunk DB Connect 2.4.0: My lookup SQL query has $field$ which is failing to...

I'm trying to replicate the lookup tables in old Splunk DB Connect v1 add-on into Splunk DB Connect v2.4.0 add-on. I need a lookup on this table in new DB v2.4.0 to fetch and relate the fields in our...


Plotting time ranges for hosts based on start/stop events

I'm trying to create a search that'll visualize when a network scan is being run against a particular target. To do this I'm extracting a start and stop time based on a target and unique job (since job...


Using Splunk Forwarder with Splunk Free keeps stating license not available

From my understanding the Splunk Free license still lets you forward logs from other servers using the Splunk universal forwarder. On my indexer web interface, I can view the Splunk forwarder server...

Search syntax highlighting is not working

Our search heads' syntax highlighting does not function for any of the search commands. This is with search_syntax_highlighting = true for the user prefs. I'm with the version 6.5.2. *[general]...

Using the Splunk Tutorial data, how to find the number of hits and top 20...

How to find the number of hits and top 20 category and top 20 domain using the tutorial data on Splunk. Please help, I am new to Splunk. I also want to know the "status code count" of it so please help...

How to edit my search to convert values in seconds to days, hours, minutes,...

I have values with seconds so I need to convert those into days, hours, minutes, seconds, and milliseconds. I am using this search but am getting 1 day extra. eval...


How do I delete old log data past a certain time on an index?

We're running out of disk space. How do I delete old log data past a certain time on an index? If I set a max index size, what happens when that limit is reached for an index? How should I rotate logs...

How to set 1 Search Head cluster member to send all alerts?

We currently have a Search Head (SH) cluster with members at 2 different sites. 1 site is failing to send emails and create Jira tickets successfully. We are looking into the network changes that need...


How to use wildcard characters in Splunk search?

How do I use wildcard characters in my Splunk search? For example: I am looking for only 4xx HTTP errors. index=my_index host=host123 "dummy-web.com" http_status_code=4XX in regex I can use `4..` or...

How to disable default drilldown in the search window for certain users?

For certain users, we do not want them to drilldown in the Splunk Search window, and for another set of users we do want that functionality. Is there a role or conf file setting we can use to limit as...


CylancePROTECT App for Splunk: Is there a way to create a search to filter...

New to Splunk. I've set up CylancePROTECT App for Splunk. You may be familiar with this, but Cylance has “Zones” that it uses to group and classify devices for a client. So we have one portal set up...

HPE Aruba ClearPass App for Splunk Enterprise: How to configure the app for...

I have a Splunk instance with a Search Head (SH) and two load balanced Indexers. There are two Heavy Forwarders (HF) dedicated to forwarding syslog data to the indexers. The installation instructions...

How to disable processes run frequently by Splunk universal forwarder?

I see that these commands are executed every minute: splunk-powershell.exe splunk-winprintmon.exe splunk-regmon.exe splunk-netmon.exe splunk-admon.exe splunk-MonitorNoHandle.exe The first one actually...
