Why am I getting error "Connection reset by peer" trying to deploy an app the...
Hi, we are getting an error when I have tried to deploy an app from deployer. Error while deploying apps to first member: ConfDeploymentException: Error while fetching apps baseline on...
Can the "Today's License Usage (GB)" panel from license server "Settings »...
Here is the underlying SPL of the license server panel: | rest splunk_server=local /services/licenser/pools | rename title AS Pool | search [rest splunk_server=local /services/licenser/groups | search...
How to fix "ERROR TcpInputConfig - SSL context not found" when using...
Getting error: "TcpInputConfig - SSL context not found" when inputs.conf in etc/system/local has: [tcp-ssl://6514] connection_host = dns sourcetype = syslog disabled=0 What must be done to fix this error?
How to set up an alert to send an email if a certain event is found, but not...
I have an alert setup looking for an event. What I am looking to do is have an alert email sent out if there is an event, but I want to limit it so that if there are say more than 100 events to not...
Converting local apps into deployment apps, will forwarders start sending...
I have a handful of forwarders which have locally-configured apps on them, and I want to start converting those into deployment apps to streamline the management/update process. Creating the deployment...
Accessing Search app is slow
Search head cluster with 3 search heads, running 6.3, 8 GB RAM, 4 CPUs. Recently (2 weeks ago), performance in the search app (on all three servers) has been really sluggish. Getting into the search app...
What is the difference between Splunk Enterprise 6.3 and SAP Enterprise...
Hi, I was wondering if someone can help with what the difference is between SAP Enterprise Threat Detection and Splunk 6.3 for SAP. My understanding is that Splunk can be used to gather and analyse...
Eval Case limit to number of cases?
So, I am trying to simplify my Proxy Web Categories (it tends to have multiple categories listed on single sites, making what would be 100 unique categories over 10,000 categories in a 24 hour period,...
Wrap a webhook for use with HTTP Event Collector
I have an external system that generates a Webhook that can be posted to a URL of my choosing. I would like to log this event as is with a sourcetype of my choosing to an index of my choosing. I looked...
Can't seem to figure out wildcards when monitoring files (inputs.conf)
I've been messing about with this for a while now and I can't seem to figure out the rhyme or reason behind how wildcards work in the Splunk inputs.conf file. I'm trying to pull in logs from...
Are older indexer servers slowing down overall search performance?
Hi, we recently installed new indexer servers to help the existing indexer servers that were under heavy load. The new servers are newer and have more cpus/ram. It might not be a good idea to mix...
How to combine data from 2 source types?
All, I have 2 source types, one being XML and the other being trace log file events. I have a requirement to combine values from both. Sourcetype 1: ITCM (trace log files) and for a given Locomotive...
multi field grouping
Hi Team, we have a query to get response times from our logs and then do a range to group the Response Time: index=* host=hostname sourcetype=perf* "*string pattern*" | rex "GET.*\s(?\d+)" | rangemap...
Can SPLITROW in Pivot include null fields in the results?
I have a simple pivot search that uses SPLITROW to create a table showing the number of events in an index broken down by the field specified after SPLITROW. | pivot MyModel SomeObject...
sending WinEventLog://Application to different indexes
I have the following requirement: (1) send WinEventLog://Application, except for one specific EventCode, to one index; (2) send that specific EventCode to another...
Index time field extractions path
I'm attempting to do an index time field extraction. Here is my props.conf: [source::/tmp/fake-tacplus] TRANSFORMS-host_ip = tacacs_host_ip_username_extraction TRANSFORMS-username =...
How is LZ4 faring so far in 6.3+ compared to gzip for indexer rawdata...
Digging through the new stuff in 6.3 in preparation for some upgrades, I see LZ4 compression is available for bucket rawdata journal compression in indexes.conf. Awesome! I'm excited. Splunk bucket...
Remove multiple values from a multi-value field
I would like to remove multiple values from a multi-value field. Example: field_multivalue = pink,fluffy,unicorns. Remove pink and fluffy so that: field_multivalue = unicorns. I am thinking maybe: |...
Search for user day 1 retention
I'm taking a shot at providing metrics on day 1 retention numbers of users in our system (create a profile and the next day use the server again). I can grab a list of users and the _time they created...
ip address link to external url
I want to be able to click an ip address in a dashboard panel and have it link to http://www.tcpiputils.com/browse/ip-address/<ipaddress> where it passes the ip address and adds it to the end of the...