How do I make changes to server.conf?
I need to make some changes and Splunk proServe tells me that I can use the deployment server to make this change. How is this done outside of the ../etc/systemp/local/ dir? Bundle it in an app? If so...
Can appendcols be used for grouping?
I have the following query index="XXXXXXXXXX" Device="*FPB*" OR Device="*VAV*" Point_Name="ActFlow" |bin span=15m _time |stats last(Value) as AirFlow by Device, _time |appendcols [|search...
Issue with setting up my forwarders to Syslog servers
Hi, I have the following setup on my heavy forwarder: outputs.conf [tcpout] defaultGroup = default-autolb-group indexAndForward = 0 [tcpout:default-autolb-group] disabled = false server =...
"Splunk Enterprise Setup Wizard ended prematurely" and 20+ ERROR messages -...
Hi there, do you have any idea? Splunk Services will not run. Repair by Installation gets error: ![alt text][1] Splunkd.log: 08-31-2017 18:36:09.265 +0200 INFO loader - win-service: Starting as a...
How to create a timechart with actual values instead of some function of the...
I have a splunk query of the following: | timechart avg(cache_size) by host_instance That will give me the average cache size per day. However I want to use the time metric for the log to visualize how...
Collecting macOS Sierra auditable events into Splunk Enterprise running on...
Has anyone had any luck collecting the following events in macOS Sierra 10.12? How did you do it? PLEASE. One tech has suggested syslog be configured to forward to receiver but I am unable to collect...
Why can't I use my lookup command after stats command in my search string
I am trying to use stats command to display data organized by `My_Field` where `My_Field` is populated by running `lookup my_lookup_script username AS user` Here's the example of the search string: |...
What is the best way to estimate frozen storage sizing needs?
Hello All, I'm trying to assess some offline storage needs for archiving old Splunk data. I'm planning to adjust my retention policy to 90 days for hot-warm-cold (i.e. "online", searchable data) and...
How can I chart data as a gnuplot in Splunk?
Hi, I have fake data like this. ![alt text][1] How can I draw a gnuplot's plot-with-steps like graph as below? Or is there any Splunk apps for this? ![alt text][2] Thanks. [1]:...
Why is my _internal log suddenly receiving 50-60 million entries per day up...
Several weeks ago our _internal index suddenly started receiving a massive amount of entries per day. When I do a search for the month of July, Splunk has an average of **49,000** events per day, with...
I need to combine two results names into one
So search command | stats count by user | *want to rename or combine the two results into same name* i.e. **User ** **Count** eid 1234abc 2 Bobbie Smith 12
Number of returned events doesn't equal number of events displayed
During some searches the number of events that are supposed to be returned does not match the number of events that are actually displayed. In one instance the Events counter showed 13 events, but the...
Do we have duplication of data?
We have Cisco IPS data coming through estreamer into Splunk ES search head which in turn forwards to indexers. And we also have data from firewalls with SFIMS header coming into indexers does this mean...
Evaluating static field over time with Splunk values?
Hi Splunkers, I have some data set with Ticket start and end times, I have created index=x sourcetype=y | eval opentickets=if(start>relative_time(now(),"@y"),"Opened","") | eval closetickets =...
Table command losing field names in non-Verbose searches
Hi, One of my users reported a bit of an odd issue that spontaneously developed recently. He's got a very long and complicated query which had worked fine for months, but, for some reason, no longer...
Splunk not detecting local files recursively.
I have a couple hundred log files I pulled from client computers using PowerShell. I am experimenting with having Splunk index them. It was working prior to upgrading to 6.6. Basically, if I...
Transforms to mask a bank ID
Hi, I am writing the transforms to hide the bankID for the below event. 14:14:09,573 ERROR [J2DefaultEngine] [0.0.0.0] [111111] [abcfder1,,stg8sfv8_ACNSFQA1.,dbquote3,data1,data2,en_US] Failed record...
Is Splunk Add-on for McAfee Web Gateway compatible with 6.6?
Splunkbase shows the add-on is compatible with 6.5, 6.4, 6.3. Just curious if it is also compatible with 6.6 but possibly Splunkbase hasn't been updated.
Is the Splunk Add-on for Symantec DLP compatible with 6.6?
Splunkbase shows the add-on is compatible with 6.5, 6.4, 6.3. Just curious if it is also compatible with 6.6 but possibly Splunkbase hasn't been updated.
Administrator Access
We are using Splunk Enterprise as a service in Cloud Foundry platform. But we don't have the admin access due to which we are not able to share dashboards with users since the option "edit permissions"...