Sourcetype not applied to JSON Message received at HTTP Event Collector
My HEC is listening to **raw** JSON events that have got JSON objects and arrays of JSON objects nested within them as values. Each event blueprint is the same and somewhat like this but may be bigger and...
Metadata showing wrong last Indexed time
I have a query that runs once a day to tell me if certain source types have no data coming in after X time. The query has been working fine for some time, but recently has started alerting me that a...
Extracting id field from one event and looking for this id in another event
Hi All, I have the below two event logs: Event1: ns=app1, id=12,Error='400', Service='CallGetAccount' Event2: ns=app1, id=12,', Service='CallGetRetro', Account='12345' Now I have the below Search query...
Does the map command run the entire command, then each row?
So I noticed this while using sendmail. Can somebody confirm that I understand the map command's functionality? I can't see it in the docs. If the command was "search ...| map [ | sendemail ..etc.. ]" it...
Passing eval value to table command
Hi, I have a string with fields that I want to show in a table. (eval -> my_fields) This is my search: | makeresults | eval my_fields ="field_a field_b" | eval field_a ="My Value A", field_b ="Other...
Create a Search of column values
Is it possible to create a new search based off the results of a previous search? In my example below I use regex to extract a new column with all my users' names that are extracted from User. index="source1"...
How to rank data based on field within event? and output whole event while...
I've got data, say, in the following format: name,department,location,score jack,finance,houston,220 jill,finance,london,490 jake,finance,paris,200 jude,finance,vegas,600 tom,developer,dubai,350...
Only include certain hours/days for a long term search
I'm looking to run a search over a 4-week period. Here I find the count of results per week, but I want to look for a specific time range: Sunday 11pm to Friday 11pm. Having found an answer to a similar...
license usage vs raw byte count
Should "| eval evt_bytes = len(_raw)" match license usage? I am seeing large discrepancies. If not, what is the difference between the 2?
How to monitor a specific Windows Application EventCode?
I'm trying to monitor a specific Windows Application EventCode (via a whitelist), yet the events are not being sent to Splunk. I've found numerous posts on the answers site, most of them with different...
How to draw a gnuplot's plot-with-steps like graph?
Hi, I have fake data like this. ![alt text][1] How can I draw a gnuplot's plot-with-steps like graph as below? Or are there any splunk apps for this? ![alt text][2] Thanks. [1]:...
How to merge multiple searches and combine the result in a tabular format
Hi All, I have the below independent search queries giving the count. ns=app1 Service='trigger1' id=100 | Search Response | stats counts as "Success Count" ns=app1 Service='trigger2' id=100 OR 110 |...
Forwarding 2 sources to 2 different syslog servers
Hi, I have the following setup on my heavy forwarder: outputs.conf [tcpout] defaultGroup = default-autolb-group indexAndForward = 0 [tcpout:default-autolb-group] disabled = false server =...
Excessive logins correlation search
I'd like to edit the "Excessive Logins" correlation search in Splunk ES to not flag on any events that have a successful password change within 20 minutes of the last event. The Windows event code is...
How to split data into separate sourcetypes with transforms
Hello, I have an input that is monitoring a file. In this file there's data of multiple formats including timestamps, it's bad, but I was thinking I could use a transform to set sourcetype in props that I...
Splunk Services not start ... ImportError: cannot import name urlsplit? How...
Hi there, do you have any idea? Splunk services will not run. Repair by installation gets an error: ![alt text][1] Splunkd.log: 08-31-2017 18:36:09.265 +0200 INFO loader - win-service: Starting as a...
What servers does Splunk use?
I deployed Splunk in an AWS environment and want to know what servers Splunk uses, like a web server or application server.
How to only display rows in table when one field changes?
Hey folks, I have a hard time believing this hasn't come up before, but I didn't find the right kinds of questions/answers when I went a-searching. I have an inventory of hosts (specifically, data from...
Using transaction to detect timeouts
I would like to use the transaction command to find adjacent log entries with the same IP and different Session IDs. Ideally, I would only like to return adjacent pairs of log statements with at least...