How to use a field in a search query that was EXTRACTED using the rex command
I have a field named "content" with multiple values, as follows: content=value.deva content=value.devb " =value.devc ...... I have written a rex expression in my search query .........| rex...
On an HF, can I forward a subset of data to syslog and drop everything else?
Here is my situation: I have a Windows HF that is collecting a lot of different data. Some via PowerShell scripts, some via WMI, some via file monitoring locally and over UNC paths. All of that data is...
How do I search for a string with a partial portion of the string?
Can someone help explain why "partial" search doesn't work for me? It's an ASA syslog... when I search for a full syslog event "%ASA-4-713903" it finds it, but when I search "%ASA-4-" the "%ASA-4-713903"...
HTTP event collector not working?
I have a token set up in the HTTP event collector and tried a curl command to test if it works. I read the instructions on this site http://dev.splunk.com/view/event-collector/SP-CAAAE7F which...
Append domain name at index time?
All, I have logs coming in from /var/log/messages and /var/log/maillog which have the hostname, not the FQDN. There is just too much change control and politics to get them fixed at the source. Looking...
Counting a value out of a lookup table that does not exist in the logs
Hi, I have a search that works just fine that shows a list of users in a lookup table that have not logged into Splunk in the last 7 days: | inputlookup user_role_lookup.csv | rename userName AS user |...
We have indexers whose hot bucket data is almost full?
The primary indexers' data (Hot + Warm) is becoming full. Please help us in solving this issue. We are trying to shrink the hot and warm on our primary indexers. The retention period for hot + warm...
Can 1 master node be used to manage a 50-indexer cluster?
Can 1 master node be used to manage a 50-indexer cluster? The Splunk doc specifies a 30-indexer cluster per master node. Will having 2 master cluster nodes imply 2 sets of clusters? What is the best way to...
HTTP event collector error when inputting data?
I want to try inputting a simple event to the HTTP event collector just to test if it works. I think it was able to find the web address and also authenticate with the token value. But I get an error...
Creating a chart based on time values, not epoch time
Is it possible to create a chart using time values "4:53:43" vs. converting them to epoch time "1505930393"? I'd like the Y-axis to be time (3:41:32) - (6:43:21) and the X-axis to be a name. Basically...
Why is my stats by command so slow and how can I speed it up for longer time...
I'm working on some statistics related queries. I'm trying to get the security id, date and count of hosts connected to. index=wineventlog sourcetype="WinEventLog:Security" 4624 | fields...
How to create a dashboard showing in progress, completed, and pending status
Hi, I am preparing a dashboard for WebSphere team job monitoring. I have 29 jobs. There is a "started" kind of logging on the server and also a "completed successfully" kind of logging on the server. I have to show...
Help with search to show the top 5 results
index="all_eqt" Plant=15 ProcessCode=T DefectCode="*" MachineNumber<26 | stats sum(TotalSquareYards) as "Total Square Yards" by StyleName | sort StyleName I'm trying to limit the data shown on the...
Automatic lookup on a FIELDALIAS field -- is it possible?
My automatic lookup is not working on fields that were created via FIELDALIAS. I have automatic lookups in my "search" app local/props.conf running on things like the "src" and "dst" fields. These are...
Dashboard like ITSI
I would like to make a dashboard close to ITSI (especially Deep Dives!). Is there a visual app that is similar to this? I think ITSI is very good. This time it was over spec... It will be helpful if...
Can I use multiple sourcetypes from syslog in Splunk Add-on for *nix?
Hello, I want to know if this add-on works with other sourcetypes than syslog. I have changed the base sourcetype from syslog to syslog_linux, so I can use this as a stanza in transforms.conf and can...