Is there a way to report on the devices depositing syslogs on my heavy...
I need to write a query to report on what devices are sending logs to my heavy forwarders using syslog-ng to the /var/log/splunk/* directory. The issue is those directories under splunk are mostly by...
When should I upgrade Splunk
To all the Splunk Gurus, I have been looking forward to upgrading splunk from Splunk 6.0.4 (build 207768) to the latest stable release. We have a distributed environment of 2 heavy fwds (in HA), 4...
fields in subsearch not showing all results?
Hi all, I tried to find log entries of same mail using queue id from sendmail log. However, for the same time span, following search gives different results. e.g. Gives all records at all time:...
Splunk App for Web Analytics: Why are sites not populating?
I set up what would be about 170 site-source entries with wildcard log locations. It looks like it's going to be a truly monstrous amount of logs. Previously when I was previewing it, I set up for 2...
How to use the REST API to securely store and access a password within an...
Is there a way to use the REST API to securely store and access a password within an alert action script?
How to set up the Kafka Messaging Modular Input in a Splunk 6.2.4 search head...
I'm trying to get this set up, but I'm a little mixed up... the directions mention: Configuration *As this is a Modular Input , you can then configure your Kafka inputs via Manager->Data...
Why does searching by source not work sometimes?
This command does not work. index=grb_test sourcetype=QServiceManagerFormat | source="\\\\netapp4\\Quants\\ST\logs\\dailyTest20151020_152356rhbyvk\\qservicemanager.20151020.log" This one returns...
Why does search typeahead no longer show "matching terms" after I upgraded to...
I upgraded to Splunk 6.3 and it's working beautifully, however, I no longer get "matching terms" as I type in the search box. In previous versions of Splunk, if I typed: `err` in the search box, I...
How to schedule daily summary indexing with a search that uses the geostats...
My search is simple: sourcetype=log_data | iplocation c_ip | geostats latfield=lat longfield=lon count but I have a lot of data, about 100,000,000 logs a day, and the customer wants a monthly summary....
How to use transforms.conf to assign a custom index and sourcetype?
I am currently trying, unsuccessfully, to assign a custom sourcetype and index from within a local/transforms.conf file. The following is a sample log entry: Oct 20 18:00:01 cc-mailserver event="Mail...
How to troubleshoot why forwarder to receiver session setup/teardown is...
All of a sudden, it's taking a really long time for forwarders to connect to receivers, mostly sending cooked data. This is true for all of our receivers (4 indexers and 3 heavy forwarders). It also...
How to extract everything after a carriage return?
Is it possible to get everything after a carriage return? Example Bills to pay: Car House Boat etc I tried to use rex : "[\r\n]+(?.*)" but this did not work.
How to connect s3 buckets in Glacier to the Splunk App for AWS?
We are having problems with s3 bucket injection. Our corporate security policy states we need to keep 2 years of our ELb logs in s3. So we lifecycle them into glacier. This unfortunately means that...
Splunk App for Web Analytics: How to exclude images from a search, and how...
So, looking at audience, I can see where they're connecting from etc - is there any way to see what organization, say, stanford.edu, and sort by universities or .edu addresses? Also, is there any way...
How to write a search to return a value from one of three columns in a CSV...
I am trying to write a lookup that will pull a value out from one of three different columns. for example Col_A, Val_A, Val_B, Val_C I want to look up only one of the values depending on a field. So if...
Why is AWS Billing failing with "there's no any timestamp column in header"...
We configured AWS billing on the aws app. Things worked fine until we moved the app from the search head to the heavy forwarder. Now we are seeing a lot of failures with the following error: File...
Data Curator app does not show all dashboards. I need to install it on all...
Does the Data Curator app go on to all indexers too? I just installed it onto the deployer and search head cluster members. Does that not work?
How to extract just the date from a timestamp converted from epoch time?
I have a conversion set up to change the epoch time `| convert ctime(_time) as date time`. I would like to keep just the date and ditch the time function. The field looks like this: 10/20/2015 06:30:15...
Why is Splunk Enterprise not accessible in the Android Splunk Mobile App...
Hi, I'm running Splunk Enterprise 6.2.2 and am trying to access my Splunk dashboards thru a reverse proxy (due to firewalls) using the Mobile Access Server. I am able to log in thru my proxy when using...
Getting two time stamps in a syslog entry - how to correct
Hey all. Trying to figure out how to clear up my issue. I'm getting two separate time stamps on a syslog entry coming from a Linux box. As you can see below, it is sending over the FQDN and short name...