Domain Controller Security Events falling behind
Good day, We have one domain controller that is always about 5 hours behind in having the logs available in Splunk. This is our busiest domain controller and the security event log file is set to 1GB...
Is it possible to create the custom fields automatically, when other user...
In my app I created custom fields to write the search query. So when another user installs my app, the custom fields have to be created automatically. Is it possible?
Redefining the Date
I have a requirement where my fiscal year starts on 1st SEP and my day starts counting at 7am and ends at the next day 7am instead of the usual 23:59:59. Is there any way I can redefine what is a day...
How to split and filter transaction events?
We have denormalized some JSON events into CSV. The events themselves have simple fields (in the example data, *id*), and two arrays of objects (in the example data, *foos* and *bars*), and so the CSV...
When using the transaction command, how do I format the duration into H:M:S?
I'm sure this may have been asked before. When using transaction, I would like to format the duration into `H:M:S`, my search results for **jobduration** looks like 19 is being added to the result. Any...
How to edit my search to get the average for multiple values each day?
Hi, I have a results table like below. How can I combine these multivalues for each day so that I get a single value (average) per day? Now we can see multiple values listed (since we have...
How to compare values from two different searches
Hi, I need to run a compare against the count of two different searches - how would I do that? I'm counting the number of unique sources from two different indexes, and they need to be the same.
How to determine the indexing time per index to measure and benchmark...
Hello together, I would like to benchmark Splunk's indexing performance. Because I would like to do it automatically, I would like to use its CLI commands. Does this command: ./splunk search...
Why is my universal forwarder reporting "INFO WatchedFile - Resetting fd to...
One of my servers running a universal forwarder is spitting out this message quite frequently: 02-04-2016 16:48:49.607 -0500 INFO WatchedFile - Resetting fd to re-extract header. What is this telling...
Is there a way to get a complete list of all deployment clients via the REST...
When running the following I only get 30 deployment clients on Splunk 6.1.3 https://deploymentserver:8089/services/deployment/server/clients or curl -k -u user:pass...
How to extract key value pairs from my sample data and have the output in...
I have a log that looks like this (with lot more fields): 04FEB2016_18:05:49.440 10789:1 INFO Struct='SListmanTskSubTranV6' IO='O' EventId=17086 Event='LISTMAN_UPDATE_FOR_EXEC_RPT REPORT' Order=1094966...
How can I install an App so that it deletes files in the local directory?
I have the case that when we install our new version of our app, we need to make sure that some of the local directory versions of the file have been deleted. Since we don't have the file in the local...
Stats table with individual count and a total count for two fields
Hello, Say I wanted to create a table with the fields State, City, City Count, and Total. If I try to use `|stats values(city) as city, count by State` I get a chart that only lists cities, but does...
Best approach for a search with a lookup
Hi, I have been asked to create a search (and then a report) that shows vpn logins for the last XX minutes (probably going back 1-4 hours). I have that search - it returns 4 fields, and it could...
About the OpenSSL version in Splunk ver.5.0
The OpenSSL versions listed in the Splunk ver. 5.0 release notes go back and forth as shown below. Is this correct? Splunk ver.5.0.9 - OpenSSL ver.1.0.1h Splunk ver.5.0.10 and 5.0.11 - OpenSSL ver.0.9.8zb Splunk ver.5.0.12, 5.0.13 and...
Splunk service needs to be restarted to keep it running. How do I resolve it?
Hi, I have a t2.micro linux instance running as a Splunk node. The splunk instance sometimes doesn't pass status checks on AWS. When I stop and restart the instance again, it works. I SSH into the...
Add-on for Check Point OPSEC LEA - Version 2.0.4 needed
Hi Splunkers; I need to install Add-on for Check Point OPSEC LEA v2.0.4 on my splunk v5.0.11 instances. Does anyone know where I can find this release? Thanks a lot. Cheers!
Upgrade to 6.3.3 on an Ubuntu server went wrong.
Here is what I have done. Ubuntu 15.10 running Splunk Enterprise 6.3.2 fine. Download **splunk-6.3.3-f44afce176d0-linux-2.6-amd64.deb** to the server. Installing: dpkg -i...
I have search head clustering and SSO set up with reverse proxy...
I have a search head cluster and I set up SSO with reverse proxy authentication and set scripted authorization using a Python script. This is working very well. This setup is within the intranet. Later I...
How do I set up a Splunk forwarder to monitor and forward log files within a...
We want to modify our Splunk forwarders on workstations to look at other log files and I am curious how to go about doing this. The location of the log files on the computers is as follows. I am...