Alert manager exec errors in cluster
Since we've added our indexers into a cluster, we're getting the following exec error message: message from "/opt/splunk/etc/slave-apps/alert_manager/bin/alert_manager_scheduler.sh" python: can't open...
Interesting fields or extracted through REST API
Hello, I'm using https://sh:8089/services/search/jobs/export --data-urlencode 'search=search index=... earliest=-1d@d latest=@d | table ws' -d 'output_mode=xml' Field ws is correctly extracted. I would...
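Added example, not code from the post above: the same export call built with the standard library, plus a parser for the `output_mode=xml` body so that the `ws` values can be pulled out programmatically. The search head URL, the bearer-token authentication and the sample XML response are all constructed for illustration; the post does not say which authentication it used.

```python
"""Call /services/search/jobs/export and read one field back out of the XML.

Added example (not the original post's code). The host, token, search string
and SAMPLE_XML are assumptions constructed for this illustration.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_export_request(base_url: str, spl: str, token: str) -> urllib.request.Request:
    """Build the POST the question issues (curl --data-urlencode equivalent).

    Bearer-token auth is an assumption; the post does not say how it authenticated.
    The request is only built here, not sent, so the example runs offline.
    """
    body = urllib.parse.urlencode({"search": spl, "output_mode": "xml"}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/services/search/jobs/export",
        data=body,
        headers={"Authorization": f"Bearer {token}"},
        method="POST",
    )


def parse_export_results(xml_text: str) -> list[dict[str, list[str]]]:
    """Turn export XML into a list of {field: [values]} dicts, one per <result>.

    The export endpoint streams, so the body may contain several <results>
    chunks (preview='1' chunks followed by the final preview='0' chunk), each
    with its own XML declaration. Wrap them in one root so ElementTree can
    parse the whole stream, and keep only the final chunk.
    """
    chunks = "\n".join(
        line for line in xml_text.splitlines() if not line.lstrip().startswith("<?xml")
    )
    root = ET.fromstring(f"<export>{chunks}</export>")
    rows: list[dict[str, list[str]]] = []
    for results in root.findall("results"):
        if results.get("preview") == "1":
            continue  # preview chunk; the final chunk repeats the data
        for result in results.findall("result"):
            row: dict[str, list[str]] = {}
            for field in result.findall("field"):
                name = field.get("k")
                if name is None:
                    continue
                # Multivalue fields carry several <value><text> children.
                row[name] = [t.text or "" for t in field.findall("./value/text")]
            rows.append(row)
    return rows


def field_values(rows: list[dict[str, list[str]]], name: str) -> list[str]:
    """Flatten one field across all rows; rows where it was not extracted are skipped."""
    return [v for row in rows for v in row.get(name, [])]


# Constructed sample of an output_mode=xml body; the ws values are made up.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
<meta><fieldOrder><field>ws</field></fieldOrder></meta>
<result offset='0'><field k='ws'><value><text>ws-01</text></value></field></result>
<result offset='1'><field k='ws'><value><text>ws-02</text></value><value><text>ws-03</text></value></field></result>
<result offset='2'></result>
</results>
"""

if __name__ == "__main__":
    req = build_export_request("https://sh:8089", "search index=main | table ws", "example-token")
    print(req.full_url, req.data)
    print(field_values(parse_export_results(SAMPLE_XML), "ws"))
```

The third result in the sample has no `ws` field at all; `field_values` drops it rather than emitting an empty string, which is what you want when the field was not extracted for that event.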
Unable to upload module lab data
I have just enrolled in the course Splunk 6.X Fundamentals Part 1 (eLearning). I am facing "Upload failed with ERROR : Read Timeout" while uploading the module 4 lab data. I have tried to install the...
How do I include samples that did not highlight my extracted field?
Hi, I'm trying to extract a field called Priority and I have highlighted a sample of it. Upon validating, I realized there are some rows that did not highlight "Priority: 3" and these rows have a red cross...
Failed Login to Locked out account
I am trying to identify an event that fires when a login has been attempted to a previously locked account. I am not looking for failed logins or lockout events. I just want the failed login attempt...
Support Splunk 6.6
It looks like the app does not support Splunk 6.6. Will there be an update coming out soon?
Variable in eval for URL
I'm sure this is fairly simple to do, just can't seem to find the right way to do this. Let's say that I have a search string that returns multiple fields. Of those fields, we have: foo: 100 bar: 200...
What IP do you set on the fortigate to send logs to Splunk?
Hello all, I have 3 indexers in our setup and we would like to set up Fortigate to send logs to Splunk. What is the best way to set this up? The indexers are not clustered.
How to set a Variable from an Eval match?
I am trying to set a new variable for each event, by using the eval command. Maybe I should use a different command? I want to set a variable, isImportant, by IP address. I am trying to see if it falls...
How to use the Rex command with text copied from Field Extractor?
Hello all, I've used the field extractor to pull out the following field, but because the permissions are a little screwy I can't use it. How do I use this search expression with the Rex function to...
Why would INDEXED_EXTRACTIONS=JSON in props.conf be resulting in duplicate...
Using Splunk to analyze bro network transaction data in JSON format. I noticed the stats command and field summary stats would show a count of 2 for unique session ID's, although search results only...
How to create stacked bar in timechart for only 2/4 extracted fields?
Hi all, So I have produced a timechart which contains distinct count of four fields, let's say A, B, C, D. Now I would like to produce a bar chart of the results (which was quite easy) but I have now...
Splunk Migration to other instance
I need to back up all the splunk data/dashboards/inputs/etc. before I migrate to a new instance with the same version. Can you help me by providing the list of folders which I need to back up to restore...
How to find and stop real time searches running on indexers?
Hi there, I am seeing some real time searches running on indexers. Can I please know how real time searches are running on indexers, as they should be running on the search head, and also is there any query...
What is the most efficient way to define directory inputs?
Right now I'm using this for inputs: [monitor://\\share-server\PROD\APP\APPDIR1\log\...\*.log] stuff = true [monitor://\\share-server\PROD\APP\APPDIR2\log\...\*.log] stuff = true...
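One way to collapse the per-application stanzas, as an added example rather than anything from the post or the Splunk documentation: a `*` in a monitor path matches one path segment and `...` recurses, so a single stanza can cover every APPDIR at once. The `stuff = true` placeholder and the share path are taken from the post; the `whitelist` pattern assumes the directories really are named APPDIR1, APPDIR2 and so on, and exists because a bare wildcard also sweeps in any unrelated directory that later appears under APP.

```ini
# Added example (not the post's own inputs.conf).
# Before: one stanza per application directory (the post's layout).
[monitor://\\share-server\PROD\APP\APPDIR1\log\...\*.log]
stuff = true
[monitor://\\share-server\PROD\APP\APPDIR2\log\...\*.log]
stuff = true

# After: one stanza; "*" stands in for the APPDIRn segment, "..." still
# recurses below log, and *.log still limits which files are read.
[monitor://\\share-server\PROD\APP\*\log\...\*.log]
stuff = true
# whitelist is a regex over the full path. Keep it so a new directory under APP
# that is not an APPDIR is not picked up silently (assumed naming; adjust).
whitelist = \\APPDIR\d+\\log\\
```

Check the result with `splunk list monitor` (or the `_internal` TailingProcessor messages) after restarting the forwarder, so that the wildcard matched the files you expected and nothing else; the service account running splunkd also needs read access to the UNC share for any of these stanzas to work.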
Is there functionality like LinkSwitcher in Splunk 6.2 version, but using...
Hi, I am using Splunk 6.2 version. I have created two dashboards. One for incoming transactions and the other for outgoing transactions. The search criteria (tokens) and query for both dashboards is...
How can I use CLONE_SOURCETYPE to send a cloned modified event to a 3rd party...
How can I use the CLONE_SOURCETYPE feature to clone an event that I need to modify and send to a 3rd party without indexing the cloned event as well? The intent is to index the original event and send...
Why is my search not returning any results?
Can anyone tell me why I am not returning any results? index=nessus cve=* | eval CVSS_SCORE = cvss_base_score + cvss_temporal_score | stats list(host-ip) as host-ip, list(IP) as IP count(host-ip) by ID...
How to edit my search to list jobs in a table per user, per day?
Hello, One of my co-workers is using a search to make a table listing the days the events of interest took place, as well as the corresponding User IDs on those days and the Jobs that are associated...
How to get a Line Chart with 3 Split by Clauses?
I have a set of lab samples that have a Percent value measured in 3 different locations across the sample, identified as A, B, and C. Each sample is also associated with a different style. My end goal...