query to find out the forwarders
Hi there, is there any query to find out the forwarders which are reporting for the last 1 day or if there is a delay in the logs? Thanks
How to alert if a syslog device does not send data in a rolling 24-hour period?
Splunkers, To meet a regulatory requirement, I need to alert if a syslog device does NOT send data to the Indexers in a 24-hour period. For example: If host splunk1 does send data, no alert needs to...
How to troubleshoot event forwarding from forwarder to indexer
I somehow lost my custom stanzas on my forwarder for sending syslog data to my indexer. I noticed that my forwarder was missing those from the forwarder on the deployment server, so I added that back...
Trouble getting syslog_ng to work on a standalone Splunk instance
I've installed syslog-ng on a standalone Splunk instance but cannot get it running. I've looked at the following guide: https://www.splunk.com/blog/2016/03/11/using-syslog-ng-with-splunk.html using a...
Where does props.conf need to exist in a distributed deployment?
I think I need to push this from the deployment to each device or at least the forwarder and search head. I have 5 servers making up my Splunk Enterprise deployment, 1 SH, 1 FW, 1 DS, 2 Indexers. My...
Why am I seeing "WARN DateParserVerbose - Failed to parse timestamp"?
I have an event like: {"app":"EventHub Service","caller":"kafka.go:110","fn":"gi.build.com/predix-data-services/event-hub-service/brokers.(*SaramaLogger).Println","lvl":"eror","msg":"Error closing...
How do I resolve a warning about incomplete metadata results (after 100000+...
How to resolve the warning "Metadata results may be incomplete: 100000 entries have been received from all peers, and this search will not return metadata information for any more entries." I have a...
Amazon Kinesis Modular Input - Data not displaying in dashboards
We have a large number of separate AWS accounts that we are collecting VPC flowlog data from. Each of these accounts will push to a centralized account that has Kinesis streams deployed in all of our...
Key-value pair extraction -- regex help
We have some SNMP data and want to extract the data as key-value pairs. Sample: var.12345.5.5 = INTEGER: 10 myTag::var.12345.5.9 = STRING: "abc" myTag::var.12345.5.3 = STRING: "admin"...
How do I dynamically set earliest from subsearch?
Hi folks, been all over this site and Google, not finding a working solution. I'm trying to perform a search using a subsearch to populate earliest= | tstats min(_indextime) as firstTime,...
Search to see which forwarders reported in the previous 24 hours or if there...
Hi there, is there any query to find out the forwarders which are reporting for the last 1 day or if there is a delay in the logs? Thanks
Urgent question about https certificate
Hello, We want to enable Splunkd SSL, so we put enableSplunkdSSL = true to server.conf. We generated a certificate using the FQDN as the CN of the certificate. Then in our AddOn, we use...
Port issue with splunkd SSL
Hello, We want to enable Splunkd SSL, so we put enableSplunkdSSL = true to server.conf. We generated a certificate using the FQDN as the CN of the certificate. Then in our AddOn, we use...
Multiple Kinesis inputs - GetShardIterator errors
We have created Kinesis streams in multiple regions within the same account. Each stream has the same name, though a different arn due to the service being region specific (e.g....
How can I use a CSV of email addresses to search indexed data?
Hi everyone, I'm having a little trouble querying with a CSV and wondered if you could provide assistance. I have a CSV with a lot of email addresses: Layout of Emails.csv Emails Email1@address.com...
Implementing a script-based Splunk search
What would be the best way to create a search where I can get my results and use them in my JavaScript file? I have custom map that I'm using for my app but I need to show the map markers when the user...
FREE Splunk that permits up to 500MB volume per day. How do I obtain this?
Hello! How do I obtain a free version of Splunk that permits up to 500MB volume per day maximum? Is this something that I need to contact Splunk sales for (to obtain a license key)? I have downloaded...
Routinely (24 times per day = 1 get per hour) parse section of HTML page...
Hello, I need to parse a specific web page's table (I'm using PowerShell/WMI ($wc.downloadstring) to download source code) and output to output.txt. If I pull the entire source code, I get duplicate...
Append * to the end of values in a multivalue input
I have created a multivalue parser from suggestions in the Splunk answers in the following form: [stats count | eval src="$dashInSrc$" | makemv src delim="," | mvexpand src | fields src] But what I...
RemedyForce
Just want to ask how I can get incident data from RemedyForce so I can input it into Splunk?