SSL certificate for F5 VIP to search head cluster?
We're finishing up our migration from a single search head to a search head cluster. Our company uses F5 load balancers. Per this...
View ArticleWhy has The TCP output processor paused data flow?
Hi, i am not able to receive any data from my forwarder. It stopped working yesterday.port 9997 is open.connection is established.i can telnet to my server(which is my laptop). here is the error from...
View ArticleCollecting filesystem usage in actual units (GB) rather than percentage
Is there any way to collect JFS disk usage in actual quantities (MB) rather than percentage? I only just now realized that my old nmon analyzer spreadsheet outputs didn't have it either, so I'm...
View Articlesummary index replication in indexer cluster
Can we do summary index replication in indexer cluster by using replication_factor and search factor
View ArticleHelp with a search to print date fields
need to print dates from Thanksgiving onward for the rest of the week until Monday index="test" source="test" date=* mon=* year=* (STATDATE>=2016-11-22 AND STATDATE<=2016-11-30) SITE=USA | eval...
View ArticleHow to record/calculate the duration of overlapping transactions
I have a transaction overlap issue. The output below is my data from search query with a transaction command. Here is my search query: **Search** index=* (sourcetype=InCharge-Traps AND (State="Notify"...
View Articleinbuilt index
Can i get metadata about the seaches, dashboard etc created in splunk through any of the inbuilt index ?
View ArticleHow do I convert a timestamp?
Hi, I have a field with timestamp value "2017-09-21T20:48:48.535427Z" in format. I need to convert it to "09/21/2017 3:48:48 PM", Please advise?
View ArticleHow can I index data in real time?
I have created an alert which checks if logs are not present in last 20 mins per source. I have around 32 source files from single forwarder. Many of my files are not getting indexed in real time and I...
View ArticleDoes increasing max_memtable_bytes in limits.conf impact the search head...
ES app creating large lookup file the size nearly 600MB file. So as the work around suggested from Splunk docs we increased max_memtable_bytes value to 700MB in limits.conf on all the indexers. After...
View ArticleIs this possible -- summary index replication in indexer cluster
Can we do summary index replication in indexer cluster by using replication_factor and search factor
View ArticleCan I collect data about the searches, dashboards, etc. through Splunk's...
Can i get metadata about the seaches, dashboard etc created in splunk through any of the inbuilt index ?
View ArticleHelp configuring props.conf and transforms.conf to filter Bro logs at the...
I am having trouble configuring my props.conf and transforms.conf to filter bro data at the heavy forwarder. Since the dns datasource is so chatty, I ONLY want to ingest events where the query field...
View ArticleWhy can't this user save searches? "Argument "auto_summarize" is not...
For some reason I have one user (unfortunately my manager) who is unable to save report or alert. He is getting: "**Encountered the following error while trying to save: Argument "auto_summarize" is...
View ArticleAutomatically capitalize the first letter of every word that follows a period?
I am looking for the proper SPL to capitalize the first letter of every word that follows a period. I have tried several different ways using the eval/upper command. But can't quite get it right. Any...
View Articletimestamp and line breaks
The timestamp and linebreaking doesn't seem to be working as expected. They are nagios/pnp4nagios logs. I get a burst of events similar to the below data every few seconds/minutes and it seems the...
View ArticleAdding iam roles to Splunk TA AWS
Given the number of HWF's we have running the AWS TA, we have to hame some form of automation around getting the roles loaed. I have been using the REST API, which works great but I would like to know...
View ArticleAnother JSON Event Break Assistance request ..
An excerpt from my JSON output ... Trying to Event break at the following line "type": "story", where a new event begins. Have tried several posts but cannot get it working currently. { "total_count":...
View ArticleDecisionTree Graph
Hi, After building a machine learning model using DecisionTreeRegressor or DecisionTreeClassifier, I can use the "| summary" command to list out the content. Is there any better way to visualize the...
View ArticleNetworking Resulotion (DNS) Data Model is not working correctly
Hi All, Recently I have deployed Enterprise Security App for our customer. I have already getting data from our DNS server and send them to Indexer but on Search Head installed ES App they can't...
View Article