How to use the main search's time range in a subsearch time range adjustment...
I have a search to build audit data for system changes. The systems in question have a commit/save type feature, and so the subsearch looks for commit statements in the last 15 minutes, using...
How do I deal with performance issues using the transaction command with a...
I have a new application that I need to extract one field, **taskname**, from the main task table (5+ million records) and merge into the subtask table (less than 1 million records). When I ran with the...
Append Top Destination
I'm using the Enterprise Security Web Center search for Top Sources. I'd like to append what the top destination for each top source is to the chart so I can see where they may be calling to a majority...
Splunk Windows Infrastructure App Active Directory Overview
Hi guys, Currently in the project I am working on, the client has 11 Domain Controllers with 1 of them as the Master node, from what I was told, the Splunk App for Windows Infrastructure will have a...
Error calculating time difference between two xml tags in same event
Hi, I am facing an issue in calculating the time difference with two timestamp fields in the same xml event. The difference field is always coming as spaces if I use the below query. Please advise if there is...
splunk cluster index replication: how many indexes can splunk handle?
Hi All, splunk cluster index replication: how many indexes can splunk handle? We have 300 indexes. Is there any limitation about index replication? tks~:)
logs getting truncated
Hi, I am facing an issue where logs are getting truncated even though I have set TRUNCATE and MAX_EVENTS to very high values. sample log: **TRUNCATED LOG** 2016-02-02 02:48:57,511 -0500 |...
how to set up global deployment server
In my existing landscape, I have 10+ deployment servers that cater to the deployments of various datacenters. We have configured 1 deployment server per data center. We are finding it difficult to...
Why is rename not working with stats or chart?
I'm not able to rename file names to display in a pie chart...any help would be appreciated... I tried both ways.. index=web_server sourcetype=web_access (file="pr.prod" OR file="cr.crt" OR...
Is it possible to reconfigure an existing universal forwarder to...
Is it possible to reconfigure an existing universal forwarder to low-privileged mode? We installed our UFs as local system and are being asked to change them to a user in low-privilege mode.
httplistener exception read timeout using python sdk
I'm seeing the following error in splunkd.log: 02-03-2016 14:00:36.034 -0500 ERROR HttpListener - Exception while processing request from 10.202.31.9 for...
Why does Splunk for VMware 3.2.1 build 180 kill Splunk after installation...
Good Afternoon Everyone, I have Splunk Ent. 6.3.2 and Splunk for VMware 3.2.1 build 180 running on a Windows 2012 R2 x64 VM in an ESXi 5.5 Infrastructure. I install the base Splunk, have no issues, can...
How do you order stats by multiple hierarchical fields
There are similar questions to this, but none are quite the same so I apologize for the overlap. Suppose I have a set of data (events) that have a type and a subtype. type = A, subtype = A1, A2, A3...
How to allow users to view some search results from an index in a dashboard,...
There is a lot of useful detail in the `index=wineventlog`. I would like to be able to allow my front tier service desk access to dashboards that show things such as "user accounts locked out" or...
Does Splunk Enterprise Security support version 2008-R2 / 2012 of Active...
Does anyone know if Splunk Enterprise Security supports Active Directory (or LDAP) for authentication, version 2008-R2 / 2012?
DB Connect 2: DBoutput tests OK, but why does the scheduled output fail to...
Fresh install of DB Connect 2 (2.1.2) on Splunk Enterprise search head (6.3.1). We've been able to configure a Connection, Identity, and an Output and everything tests fine. However, the scheduled db...
Why are 2016 inputs to qualys_kb.csv not listing in splunk search?
I was looking at my active vulnerabilities which I count by title and was missing 5 that the qualys scanner showed as open. When I searched for the QID in splunk_kb_lookup I had no results. When I...
Is there a way to configure Splunk to parse a sourcetype with mixed data types?
All, I have a log file which is largely key value, with some random human readable language tossed in. Recent upgrades have resulted in XML getting mixed into the party. Does Splunk have a mode to...
If I package an app to transfer to another server, do I have to upload it to...
Hello, I'm packaging an app for install on another server. I've got it tarred and zipped. The final step on the Windows packaging instructions says it's now ready for upload to Splunkbase. I don't want...
Why is a deleted sourcetype still getting indexed?
I have removed a sourcetype from my inputs.conf [monitor:///data01/.../current/logs/*.log] disabled = 0 sourcetype = log4j index = oms blacklist = gc\.(web|Node)[1-4]\.log It's been changed to split up...