How to sort the contents of a list
I'm currently querying `source="log" | stats list by Id`, which gives me nicely grouped data. However, I would like the content of those groups sorted by `Timestamp`. That is to say I do not want the...
How to count the results of a rex that returns multiple matches as a single...
I have results from a rex statement that looks something like the first set of results. The rex returns multiple matches per row. I am trying to use the *stats* function to group multiple matches as a...
Does Splunk have an option for reading data via HTTP GET request?
I've been looking for a way to import contents from an HTTP GET request with Splunk, without success. At first, I thought I could do this by using the REST API section that is built into Splunk. But after I give...
Why am I getting the following error after updating from 6.6.0 to 6.6.3:...
I'm getting this error: `Invalid key in stanza [auditTrail] in /opt/splunk/etc/system/local/audit.conf`. Looking at the audit.conf.spec, that key is no longer mentioned. In earlier versions it was. I...
Can 1 master node be used to manage a 50 indexer cluster?
Can 1 master node be used to manage a 50 indexer cluster? The Splunk doc specifies a 30 indexer cluster per master node. Will having 2 master cluster nodes imply 2 sets of clusters? What is the best way to...
Brute Force Access Behavior Detected Tuning
Seeing lots of "Brute Force Access Behavior Detected" notable events coming from Microsoft domain controllers. The correlation search triggers when successful authentication >0 and...
How to show a different panel based on user input from the textbox
Hi. I have a dashboard with a textbox that allows users to search for a specific host or IP, which is set to "*" by default. Due to the max result limit of a subsearch, I am unable to get all the results...
How to compare field values from this year vs last year by date and calculate...
Hi, I have data in 2 fields in a table: one is a date and the other is some value, for each year respectively. Now I want to perform an action like compare date_1 from 2015 vs date_1 from 2016, then...
Help with writing a join command that joins a security breach to the previous...
This is the requirement. I need to join two events based on a common field “User”. The event with EventType “Security Breach” should be joined with Eventtype “Login”. The condition is User1 who have a...
Help with installing two universal forwarders on the same Windows box -...
I need to install 2 separate universal forwarders on the same Windows box. I have the install built, one via msi and the other via scripted process. On one install the service shuts down. I connected...
Help extracting information from JSON file
JSON format: `{ "device":"A123", "data":"28745637", "time":"1505924687" }`. In "data", "2874" = 28.74 means temperature, and "5637" = 56.37% humidity. How to display as below: if ( temperature > 25 &...
How do I change the label of the x-axis on a chart?
![alt text][1] [1]: /storage/temp/217592-test.png `index="all_eqt" Plant=15 ProcessCode=T DefectCode="*" MachineNumber<26 | stats sum(TotalSquareYards) as "Total Square Yards" by DefectCode` How do I...
Creating a correlation search using "guided mode" -- error -- type object...
When attempting to create a correlation search using "guided mode" I get this error and am unable to continue making the search: `type object 'DataModels' has no attribute 'build_id'`. Any ideas as to why?
Disk alerts need help
Hi, I am using the following (default) query for the near critical disk alert on Indexer nodes. The daily results are showing 99%, whereas actual disk usage is much lower. Can you help clarify? I will submit...
Out of 3 clusters why are 2 showing similar results and the third is missing...
Hi, REST API Splunk query results difference: we have a query running with the JDK REST API. We have 3 Splunk clusters. The result on 2 clusters is showing full results, whereas one cluster is showing only...
Question about pipeline parallelization
How can I achieve pipeline parallelization in a standalone Splunk indexer to optimize my CPU usage? At Splunk .conf 2016, it was mentioned to use the above method if CPU is underutilized. For this,...
How can I run a search if a field contains the "|" character?
Hello, I need to count the event log lines containing AAA|Y|42, but "|" is the pipe command, so I got an error with the following search: I tried to use a " double quote on both sides of the string but no...
Why am I getting a near critical disk alert on Indexer nodes?
Hi, I am using the following (default) query for the near critical disk alert on Indexer nodes. The daily results are showing 99%, whereas actual disk usage is much lower. Can you help clarify? I will submit...
Speeding up a stats by command
I'm working on some statistics related queries. I'm trying to get the security id, date and count of hosts connected to. `index=wineventlog sourcetype="WinEventLog:Security" 4624 | fields...`
On a HF, can I forward a subset of data to syslog and drop everything else?
Here is my situation: I have a Windows HF that is collecting a lot of different data. Some via PowerShell scripts, some via WMI, some via file monitoring locally and over UNC paths. All of that data is...