How do I search using a data model?
I've been working on a report that shows the dropped or blocked traffic using the interesting ports lookup table. I want to change this to search the network data model so I'm not using the "*" for my...
Why is the Splunk DB Connect app suddenly not pulling logs into our index?
Hi Splunkers, Suddenly I am not getting logs into the index fetched from the database via the Splunk DB Connect App. The error logs which I received from the dbx_debug sourcetype are as below....
Login with Certificate
Hi, Is it possible to make Splunk log me in if I have a certificate plugged into my computer?
How to get total of unique senders and recipients from Index=msexchange
I think I was able to get the total number of unique senders and unique recipients. But, now I need the total of unique communicators (senders + recipients). Looking for formula to add the two numbers....
How to configure props.conf to set specific Datetime-configs on specific...
I have an issue with two servers with WebSphere logs that have an overriding, different timezone setting in the JVM. Other servers don't have an issue. To prevent wrong interpretation of timestamps, I...
How to integrate Splunk with a ticketing system so if something fails, an...
I have an enterprise app that of course does a lot of things. When some of these things fail, we want to either call a webservice, or possibly send an email, that generates a ticket within the IT...
How to edit my search to filter out certain complete transaction data?
Hi guys, Currently we are doing a search across our unicorn error logs, basically excluding a bunch of garbage that we don't want to be alerted on. After this search is run, however, we want to also...
How to automatically extract the JSON object before indexing so I don't have...
Hi, How do I extract the JSON object before indexing itself? Right now I'm extracting using the below search. This is the data: 2016-01-18 16:24:40,406 INFO [org.apache.log4j.Logger]...
If the system-wide real-time search limit is reached, can users still run...
If the system-wide real-time search limit is reached, can users still run regular searches, or will all searches at that point start being queued until a real-time search is closed?
How to configure a universal forwarder to receive syslog messages, and then...
Trying to figure out how to receive syslog messages sent to port 6514 over TLS on a Splunk universal forwarder, and then forward those syslog messages on to Splunk Enterprise on another server.
Why are we getting error "Forwarding to indexer group primary_indexers...
Following the steps in this document: http://docs.splunk.com/Documentation/Splunk/6.2.5/Installation/MigrateaSplunkinstance This is Linux to Linux - Prior to doing this on the new hardware, we are...
How can we check top 5 license consuming hosts?
How can we check top 5 license consuming hosts? I want to identify the top 5 consuming hosts in Splunk. Can you provide the command to find them?
How to export/import lookups from 1 search head to another in Splunk?
I have a web environment with this situation: I have set the lookup tables on one search head and it's working fine. Now I want to use the same lookup table in the other search head and it is not...
How to use a proxy in conjunction with Splunk's web hook alert action with...
Can't connect to Slack. Need to use a proxy (just for Slack), but where do I put it so it doesn't get used for everything else?
Do we need to use a subsearch to divide the results of one search by the...
Hi, We are looking for timeout percentage from the total events. For Ex: 1. Query1: index=datapower Time=*|stats count 2. Query2: index=datapower Time>10000|stats count Now we are looking for...
Why are syslog events sent over TCP-SSL not human readable, but works fine...
Trying to get syslog sent using SSL. Port 1468 without SSL is working fine. Port 6514 is receiving syslog events, but not human readable. [tcp://1468] connection_host = dns sourcetype = syslog...
Why are there missing days in the results of my "Month to date" chart search?
I have a search where I want to calculate total transaction volumes over time by transaction type. I'm populating results, but I notice there are some days missing. Here is a screen shot:...
What specs are needed for a deployment server to manage 1500 - 2000...
Hello, I am assembling a multisite clustered Splunk implementation. I am having a little trouble finding what sufficient specs are needed for a deployment server that will manage between 1500 - 2000...
Enterprise Security: How to build a workflow action that passes an epoch time...
I want to build a workflow action in Splunk Enterprise Security which passes an epoch time to a new search, and then find all events from a specified sourcetype +/- 5 seconds from that event. Any...
Can a search head cluster search across several indexer clusters?
Here are my requirements: - storing data on country-specific sites (for legal reasons, the data that is going to be indexed needs to physically stay in the country where it got created) - searching...