Splunk Prerequisites - Key value store must be enabled
Hello All, when I open Win App for Splunk I get the Prerequisites message "Key value store must be enabled". I already deleted the mongo lock file and granted 400 permissions to...
How do I edit my search to remove specific substrings from URI values in my...
I wrote the query which gives the result below in the statistics tab: URI Count HTTPS://XXXXXXXX//AAAA.aspx%3FUIC=GuidID=8090443C5BA5ED33%26_SecEntityType=1%26BID=71E160E1E55478D5 1...
How to pass parameters into a custom JMS Modular Input Message Handler
I'm working on a project to convert binary JMS message bodies to Strings. I've built the converter and will integrate it using the template you've laid out in Splunk Answers...
Do unused search time field extractions significantly impact performance if...
I have a new analyst requesting to add some search time field extractions for sourcetype=syslog to simplify reporting for a subset of syslog events. I'm concerned that running all the extra extractions...
Scheduled Reports not Cached
Background: I created a dashboard (actually a few dashboards) that used many heavy-hitting searches. Well, the Splunk servers couldn't handle the load, so I redesigned it to use scheduled reports. The...
Email alert fields
I am alerting on a failed login search provided below: host=CATSG14 "Failed login" GATEWAY="***" USER_IDv3="***"| stats count by USER_IDv3 I would like my email alert to say: The alert condition for...
Can I blacklist sourcetype or Index?
We have client logs getting indexed using the REST API and our license is overloaded with high volume. Because of the REST API setup we don't have a forwarder pushing logs to the Splunk indexer; it's getting indexed...
x509: cannot validate certificate because it doesn't contain any IP SANs
I'm trying to submit logs to the HTTP Event Collector from a Go application. I've correctly set up the Event Collector (I can successfully curl it), however I see the following error when I submit a...
Can you tell Auto KV to honor values within single quotes instead of double...
I feel like I should know the answer to this, but just in case I missed something... Splunk automatically handles field extractions for events like this very well: Thu Jan 14 10:46:02 EST 2016...
How do I heavy forward on a single line
Hi, I need to change a bit of my Splunk architecture and split the data output as follows: 1. Forward from Heavy Forwarder to Splunk Indexer 2. Forward from the same Heavy Forwarder to a Syslog server....
Windows UF IP using Splunk_TA_windows
I would like to get the IP address of my Windows UFs. [WinHostMon://NetworkAdapter] doesn't give an IP, just a MAC address. [WinNetMon://inbound] and [WinNetMon://outbound] give an IP address, but it is...
How to escape equal signs (=) in key value data?
Some of our data is logged in key value format separated by an equal sign (=), e.g.: field1=data1 field2=data2 Splunk's auto-extractions work very well with that. However, if a field's data contains...
Regex for field extraction is not working properly
I just did a regex for proxy field extractions and it seems that it is not working as it should. Not sure why. Fields for some of the proxy logs are getting extracted but some don't. The weird thing...
Is there a CLI command to enable or disable search peers in Splunk 6.3.1?
I have added the PROD and DR indexer hosts using the add search-server CLI command. Now my requirement is to keep the PROD indexers enabled and the DR indexers disabled. Is there a CLI command to achieve...
Are there scalability issues with Splunk?
At first install, all searches were quite fast. After about 1 week of data, the search results started slowing down. Which prompts me to ask: are there scalability studies and/or optimization pointers...
Tricky latest login state question
Hi Guys, I'm having a bit of trouble with this. Basically I wish to show who is logged into this device on a dashboard, and I have a great search which takes the last login state and should work. My problem is...
TimeStamp problem
Hi, I have a timestamp problem on Splunk. I am working with a log file that looks like:
numberline;date;ipsrc;ipdst
102;13Jan2015;10.10.10.10;12.12.12.12
On Splunk the date is 15 January but on...
Search Head not Getting latest events from Indexer
Good morning, we have a Splunk architecture with 2 Search Heads and 2 Indexers. This morning when our user tried to look for today's logs from the Search Head, he could not retrieve any data. Concerned...
refresh.auto.interval not working
Hi, I use a drop-down menu to set the refresh.auto.interval for a table:
Real-Time Stats
Panel Refresh Override
5 seconds
1 Minute
5 Minutes
300
eventtype=mlc2 sourcetype=tps | stats avg(duration) as average,...
Reformat table so values become Column headings
I have a search that ends with | stats sum(count) AS Hits by _time GUID cs_uri_stem which results in a table. I would like to reformat the table as follows, but have had some difficulty....