Left Join not working properly in 6.6.2
Hi, I have written a simple left join query which doesn't seem to work properly. Objective: To find out hosts which are present in the csv but are not coming in search results. | inputlookup hosts.csv |...
How can I prevent collecting unwanted event IDs and only collect whitelisted...
I'm getting lots of data back from forwarders that are for Event IDs not listed in my Inputs.conf whitelist. Why? It's about 30% of my returned data, so a substantial amount of my data limit is being...
Left join not working properly in Splunk Enterprise 6.6.2
Hi, I have written a simple left join query which doesn't seem to work properly. Objective: To find out hosts which are present in the csv but are not coming in search results. | inputlookup hosts.csv |...
ERROR BTreeCP ~~~~ \snapshot.old: Access is denied. error
Getting this error on a few systems... " 08-28-2016 22:03:18.924 -0400 ERROR BTreeCP - failed: failed to rename C:\Program...
Escaping characters when setting token value in my drilldown
I am trying to set a token to have the following regex value `rex "by (?[^(]+)"` this regex is part of a larger search string. This line of code `| rex "by (?[^(]+)"` almost works but it is having...
Drop Down issue
Question: I'm trying to create a cascading dropdown, i.e. on selecting one, relevant values for the others should populate. I'm able to do so but I want to have an ALL option for the second drop down as well...
How can I display KML link updates on a map?
I have a KML link that is updating every 20 minutes or so. I need to display this KML on a map. We tried using the Clustered Single Value Map Visualization app, but the app seems to cache the KML....
How to move the CIM related eventtypes and tags from the dashboard app to a...
This Splunk TA has field extractions, inputs, index time props. However, it is missing the CIM related eventtypes and tags. These are in the dashboard app. However, it would be nicer to just move those...
How can I escape the signs so that the token will properly hold my regex with...
I am trying to set a token to have the following regex value `rex "by (?[^(]+)"`. This regex is part of a larger search string. This line of code `| rex "by (?[^(]+)"` almost works but it is having...
How do I use a value in an existing field to create a new field and assign...
I'm trying to create a new field called TYPE, which is dependent on the word "summary" or "detail" appearing in the TITLE field, so I can then count by TYPE. I successfully filtered my logs to identify...
stats results using lookup and index fields, event count =0 or more, so I can...
I've seen many fine examples on how to present stats results even if a zero output, but for some reason I cannot get it to work in my environment. Not sure if there is a loop causing false output or...
How to monitor files using Splunk SDK for C#
Please let me know how I can monitor files using Splunk SDK for C#. Are there any predefined modules for this?
Any alternates for Splunk outer join in my search?
I set up a savedsearch to monitor the status from some critical reports (from a "critical_reports.csv" lookup) within a certain time range such as 7 days. I used outer join to find out if the reports...
Why do I get eventdata from events that are NOT in the whitelist of Inputs.conf?
I'm getting lots of data back from forwarders that are for Event IDs not listed in my Inputs.conf whitelist. Why? It's about 30% of my returned data and now I'm getting data I don't want and it's...
How can I figure out why my lastlog directory is huge?
Hi guys, Why is my lastlog directory so huge? -rw-r--r--. 1 root root **216G** Aug 7 17:35 lastlog What can I do to reduce it? Thanks
Is there a way to send a single sourcetype to a heavy forwarder?
Hi there, Is there a way to send specific sourcetype to a heavy forwarder? For example, I would like to send the "database_access" sourcetype to the heavy forwarder for regex parsing and then send the...
Unable to initialize modular input "jmx" defined inside the app...
Anyone aware of this error? I am trying to install the JMX Addon on an instance and getting this error. My java path is programfiles/java.
How to customize the search app search dashboard?
We would like to remind Splunk users to always include an index in their queries. With over 200 indexes it is taxing to search without an index. The idea is to edit the search dashboard in the search...
Splunk ES detecting changes to OS auth files
Hi All, We have a request to generate a notable event in Splunk ES for any changes made in the linux OS to /etc/passwd and groups. Does ES have a built in search to detect such a change? I have no desire...
Change name of default dashboard
Hello, I would like to rename the "reports" and "alerts" dashboard to something else. Is there a way to do this, or are their names set? Thank you in advance!