Unified2 only indexed once after creating checkpoint file
Not much info on this TA (Add-On). I have it installed on my (Linux) snort sensor with a forwarder that is set to send to my (Windows) index server. It runs once, writes the checkpoint file, and sends...
Send SNMP using NetSNMP from an Alert
Hi, I have successfully configured Splunk to send SNMP alerts using NetSNMP via a cmd script file. All good there. The scenario I have is that I manufacture a node-up / node-down alert based on...
DMC Alerts - Saturated Event-Processing Queues : One or more of your indexer...
Hi, I have a Splunk distributed architecture with 5 indexers and 3 SHC. But currently I am facing some issues. On Distributed Management Console, all aspects look good and normal, except the alerts below...
PagerDuty Alerts for Splunk: Can the pagerduty.py script be modified to...
Hello, We are attempting to use the PagerDuty Alerts for Splunk app with our Splunk instance. We currently have our Splunk instance on a Linux server that uses a web proxy. We are able to curl to the...
How to use tags to identify complete subnets?
I am curious whether tags can be used to identify complete subnets. For example, I would like to assign the tag name "dmz1" to the field value pair `dest_ip=10.1.0.0/16`. I would also like to assign...
How do I search the network data model to track certain ports?
I'm very new to searching data models in Splunk and I want to search within my network data model to monitor certain ports. I know I can use the All_traffic.dest_port, but I can't figure out how to...
Regex search not working
So I have a couple of lines that I am trying to get info out of using regex and it's not going quite the way I was hoping. Say in my events I have the lines below 1.) `\Device\HarddiskVolume23\Test1`...
Fields that were once extracted aren't being extracted anymore... why?
Hey there, I made an app. It worked well and extracted data exactly the way I wanted it to. I am now trying to duplicate the app, using the same custom field extractions, but some key fields aren't...
Why is must_break_after configuration not working?
I have a large (tens of thousands of lines) data stream that runs every 10 minutes and I want it to break after this line: sharing = default_shared I tried putting in: MUST_BREAK_AFTER = (sharing =...
How do I edit my search to calculate Ticket Resolution Time?
Hi, So currently I am pulling a report with all tickets that have been created this year. For the Ticket Resolution Time, I am trying to obtain how long it takes for a ticket to go from an open state...
Splunk App for Salesforce won't download
Did the app get taken down? It seems the app is no longer available for download.
How to get a scripted input to do something and then restart Splunk?
So I am working on handling variable situations in a deployed environment so the way I was solving this issue was to use Splunk's scripted input capability to run an initial script (powershell) on the...
How do I edit my search to find how many sessions are missing a certain log...
I am logging events of my application by session, i.e. whenever the app is started, I generate a new SessionId and then generate events. Two of the events generated are "Startup" and "Shutdown". Each...
Help Needed with Regular Expression
Hi all, I am a newbie to the Splunk platform and am seeking some help in writing a regular expression to pull a "" value from the XML type log. Sample XML is as mentioned below. 835065769Request...
How would I examine a field and set another field based upon that value?
Hi, I have some hosts that follow naming conventions and I want to create and set another field based upon those naming conventions. How would I do that? For example, some of these hosts have "MMK" in...
How does Splunk email alerting work?
I have a search scheduled to send an email alert when count > 10 in an hour timespan. index=webserver sourcetype=web_logs loglevel=error | stats count by user | where count > 10 Let's say if I...
Configuring a snort to index a universal forwarder
I have successfully installed my universal forwarder and it has a connection to Splunk. Though I am getting data (not sure if it's my snort logs) in source=_internal with a host = bss (which is my host...
Underscore in logs
All, can you explain how the underscore is treated by Splunk? I see they are dropped at search time. I am seeing a log that has _message="some words" but it's automatically extracted as message=""...
I have a saved report, but when I call it, why do I get "Warning: saved...
I have a saved report, but when I call it, this appears: Warning: saved search not found splunk What happened?
How can I use a search results table to power another search per line?
I have a search that returns a table like this: IPAddress1 StartDate1 EndDate1 IPAddress2 StartDate2 EndDate2 IPAddress3 StartDate3 EndDate3 I'd like to have another search to find data about each IP...