Unable to filter WinEventLog inputs with RenderXml and XML character entities...
Filter attempts (whitelist or blacklist) on Message key value data appear to behave differently when renderXml = True compared to when renderXml = False. Taking the following Event Message data for...
Permanently extracting a field
Hi, I am using regex to extract a field. However, I need to make it permanent so that I don't have to use regex in future searches. The regex is: rex field=message "(?(\w{5,3}\s+)+" I would really...
Checkbox and dropdown
Below is my dashboard code. When the checkbox is selected I want only splunkd* to be shown in the dropdown, else all. The code below seems to find that the checkbox is selected and goes to the if section, ...
Extracting fields from SNMP GETBULK data
Hi everyone, I need to extract fields from data continuously polled for via SNMP Modular Input. Each event looks like this: IF-MIB::ifInOctets."1" = "1587826952" IF-MIB::ifOutOctets."1" = "3472375195"...
How to index by old sourcetype, after logs monitoring has been disabled
Hi, We have the configuration below: 1. **source**: <Path>/access.log 2. **sourceType**: AccessLogs 3. **Index**: AccessLog Now, we need to create a new sourceType (and also a new index) as per...
How to split one line into multiple lines while searching
In reference to my other post https://answers.splunk.com/answers/337397/how-to-break-xml-in-search-time.html I am adding another way of asking the question. I have the total xml data in a field like below. GREAT...
Pass String Field from Outer Search into Inner Map Search
My search looks like this: index=index_name source="Source A.csv" | eval Start2=strptime(Start, "%m/%d/%Y%H:%M") | eval End2=strptime(End, "%m/%d/%Y%H:%M") | map maxsearches=99999 search="search...
LDAP errors after an employee is replaced and ownerships were edited in...
We have an employee replacement and the saved searches & objects ownership was changed from $SPLUNK_HOME/etc/<app>/metadata/local.meta file and restarted splunkd. All the objects were...
How to schedule SOS dashboard view?
When I run the SOS dashboard Disk Usage from <URI:8000>/app/sos/index_disk_usage as a search, I get all the data but am unable to get the dashboard view as seen in SOS. Is there any way to schedule...
How to calculate the duration between the last 2 events in a transaction?
I would like to calculate the duration between the last two events in a transaction. An example transaction looks something like: 2015-12-31 13:03:03,695 Outgoing UserId="99999999999" MsgType="Menu"...
DBConnect indexing field with backslash character
I'm indexing a field with DBConnect that contains the backslash character, eg \, in order to escape quotation marks and hyphens within the data. This has a side effect of breaking the field extraction...
Regarding autoextraction of fields in Splunk
Hi, I was able to run search queries in Splunk and the fields were getting automatically extracted in the Interesting Fields, and depending upon that we were able to modify queries. But currently I am...
How to embed image and apply dynamic data
Hi Experts, We are developing a Data Center layout with dynamic data like power consumption and temperature data. Is it possible to embed any layout in a Splunk Dashboard?
DBConnect V2 indexing timestamp
I have DBConnect V2 running on Splunk 6.3.1 and it was working fine until the new year. All records were indexing correctly pre 01/01/2016 00:00:00 but since then they are now indexing against...
Logging Aggregation for Checkpoint Firewall Logs
I am going slightly over my license limit from time to time because of the Checkpoint firewall logs. Is there a way to aggregate some of the firewall logs before indexing them into Splunk...
Field extractor bug in space-delimited timestamp
Since we're using Splunk Free I can't open a case to submit a bug report. Hopefully someone here can either tell me this is expected behavior or reproduce the bug and file it. I was working on adding...
Regex - Search for Number Range within Array/String
Sample Data: ID | [[`Event1`,1435],[`Event2`,78],[`Event3`,142]] | etc..... I'm wanting to build a query which will display the ID and the entire field of event data where 'Event2' is greater than (x)....
What is the framework in Splunk Enterprise 6.3?
I'm using the Splunk Enterprise 6.3 edition. I want to know how I can find the framework for this version of Enterprise... Please guide me in a respective path....
Search Head Cluster: Pre 6.3 we could run more Scheduled Searches...
Prior to 6.3, quotas were instead enforced on a member-by-member basis; for SHC we have the system-wide quota working. Here is an example for this. Let's assume that we have 2 members in the cluster- set...
Best practices to integrate ServiceNow with Splunk
Hello Splunkers, I am new to Splunk and we are planning to integrate ServiceNow with Splunk. I have a few questions to ask; they might be silly but your answers are worth a lot to me. 1- Does the Splunk app for...