Splunk - Adjusting source file timestamp
Given: I have two log files (file_1, file_2), each from a different server (server_1, server_2). The servers are not properly synchronized via ntpd. (Example: server_1 is 13 seconds ahead of server_2.)...
Splunk App Packaging: How to package app with multiple add-ons to a single...
I am trying to package the app with > splunk package app abc But another add-on which I installed from splunk-base, i.e. xyz, isn't getting packaged along with it. Is there any way to...
How can I install multiple instances of the universal Forwarder
My team are the IS Security folks for the company. We are migrating to SPLUNK from McAfee Nitro and currently we only have a need to look at Windows security event logs. We have our business folks...
Need to Pull the Full Contents of each config file as a single log entry
Hi Team, We got a request to monitor the config file and raw data would be like this as mentioned below: But while indexing Splunk is taking each and every line in the config file as a separate event...
How to change "No results found" in a dashboard to a custom message
Per some research it appears that there is a simple XML solution by using the job property = job.resultCount Example " " What I am not sure of is how to add your custom message.
Data is sent to main index only
In the system/local directory, below is the configuration. [monitor:\\{Log Location}] sourcetype=test index=chilqa disabled = false But it is surprising why data is still sent to the main index. Is there any...
Duration of all events without time overlap in total?
Hello everyone, beginning on Splunk and asking for your help I've got something like this in my transaction : Event 1 : 9:00:00 Start and 11:00:00 Stop Event 2 : 10:00:00 Start and 11:30:00 Stop Event...
How to find out the total events by count and size from Splunk search
How can I get the report of total events (licensing) by count and size (GB) from Splunk search from the past 7 days? How to get the total spaces from hot or cold buckets from all indexers? Thanks.
Connecting events that don't have a common field
Hi guys, more like a generic question: how do you make sense of events which are not necessarily linked by a common field? For example, one of our applications produces logs that generate many...
How can I authenticate to the REST API, pass the query, and close the session...
How do I set several requests in one input? I must first authenticate to the REST API, then pass the query, and at the end close the session. Regards
Index-time field extraction issue
Hello all, I'm a bit stuck with my issue. I do have this splunk infra : Sources ==> UF ==> Indexer cluster (3 + master) Search head cluster. I'm trying to extract fields at index time to...
How can I filter a transaction that contains multiple matches - and force a...
I have used the 'transaction' command to isolate transactions that are made up of roughly 45 events each. I have a regex that identifies a TaskName and the TotalMilliseconds for each event, producing...
Powershell Issue
I wrote the powershell script below that functions when I manually run it as either my domain admin account, or under the local system context. However, when deployed via Splunk, dns.exe on the domain...
Splunk Add-On for Microsoft IIS Default Settings
This application includes several FIELDALIAS commands in props.conf for the sourcetypes defined. One of these is "FIELDALIAS-s_computername = s_computername as host" which reassigns the host value at...
Why isn't my discard working?
I'm trying to discard entries from one of my data sources and it isn't working. Why? All the following are set on the indexer, not the universal forwarder. I've triple checked my work. **inputs.conf**...
Updating app to convert base xx to Decimal
Can you update your app to convert TO base 10? I have some base36 data. Thanks!
Replace a null value after search appending
Hello All, I have a search query as below: index="alpha_all_aal_event" type=twaReport|search callId=0 userId=a2ebd4aa-f91a-4088-8667-60143707c368|fields *|rename eventTime.$date as eventTime|eval...
How can I find AD accounts that haven't been used for a specified time period?
Query that can tell me non-disabled active directory accounts that have not been used in 12 or more weeks? All in the title. I'm looking to run a query that can give me this data. Thanks all.