How can I count failures in the neighborhood events matching a rex
I have a question similar to: https://answers.splunk.com/answers/2602 and https://answers.splunk.com/answers/448796. I would like to get a search match (for which I define a field) and also search the...
Tripwire TA that integrates with Splunk Enterprise Security?
The last post I see on this subject is almost three years old. Does anyone know if there is a Tripwire TA that integrates with the Splunk Enterprise Security Application? We are following best practice...
How should I go about using the geospatial lookup to add fields to my root...
Using Splunk 6.6, I tried for the first time to create a Data Model. My Root Event Dataset consists of events which have latitude and longitude fields. I have a geospatial lookup with all the states of...
Use REST API to find and run adaptive response action (Selecting one) to a...
Hi, I was trying to find a way to reproduce "http://docs.splunk.com/Documentation/AddonBuilder/2.0.0/UserGuide/CreateAlertActions#Create_an_adaptive_response_action_for_Enterprise_Security"...
How can I create a barchart comparing active unique users vs. total users by...
How do I create a comparison bar chart of active unique user vs total user by month on Splunk search head? Both are coming from separate data sources.
How to set earliest_time variable to month/day/year in HTML format?
I have an HTML table, and the search for the table has different fields, for example: var search1 = new SearchManager({ "id": "search1", "cancelOnUnload": true, "latest_time": "$latest$",...
Help with drilldown and tokens on a dashboard
I have a dashboard with a series of different panels on it, some for user-specific information, process info, hardware, etc. The top of my dashboard looks like this: ![alt text][1] This is an...
How to audit security logs to find password compromises?
We audit the security logs looking for password compromises. A user will put the password in as the username and result in a 4625. The user will then log in within minutes on the same machine and show...
REST modular input JSON custom handler for AWS Pricing Data
Having a bit of a struggle. AWS has a pricing API available at: [AWS JSON Pricing API URL][1] Because of how the JSON is formatted, it looks like a custom handler is needed. A snippet of the JSON is: {...
New Splunk install -- why am I getting an error saying that my license has...
I've just created an account and I've installed the free version of Splunk Enterprise. However, when I try to log in, I get an error saying that my license has expired. How can it be possible? I...
Help with search head cluster master error -- error accessing URI
We ran into the following error after creating two saved searches. We have 3 search heads and 2 indexers. Search head's splunkd.log: 09-06-2017 10:48:42.891 -0400 ERROR SHCMaster - error accessing...
earliest_time not working in REST post data, but working in search
I am sending a POST request to Splunk REST 'services/search/jobs' endpoint. If I submit with 'earliest_time' parameter as a relative string like -2d, it works fine. But if I use an absolute date-time...
How can I put results of Windows updates per host on a map by location?
I have a query for Windows updates per host. But I NEED to put those on a map. Is it via "geostats"? index=* host=* sourcetype="WinEventLog:System" eventtype=windows_system_update | timechart...
How can we figure out the size of KVStores and Lookups?
In our enterprise sometimes kvstores and lookup files can get really large and we're looking for a way to monitor this. I don't see anything in _internal that would show me the size of each kvstore....
Help with inputs.conf to move Mongo and Apache to a new index?
Hi, for our inputs.conf, I need to move mongo, apache and others to a new index called common and mongo. Does the following look good? Can I do any more optimizations? Thanks for all the support....
How to view static pcap file on "Splunk for PCAP Files"?
Hi, I am trying to analyze a static PCAP file. I have pointed Splunk to the pcap file using "Data inputs » PCAP File Location". But when I view the Top Talker Overview, with "Select tcpdump file" as...
Index a specific table (forum) of a webpage - allowing me to kick off reports...
Hello! Here is what I'm trying to do: Index a particular section of a web page. This particular section is a forum that is updated constantly, and there is only 1 main column that I'm interested in,...
XMLWinEventLog: How to add new field extraction and do proper line breaking?
An example of my raw text is attached. How do I do the field extraction and also proper line breaking in event logs like this? I've changed renderXml to true so as to reduce the resource intensity....
How to tune the query to get a faster result?
The query below is used to return the error distribution in 3 layers - Application, Dataservice & Queue - for a time range of two months. Currently the query takes more than 5 mins to return the result....
Is it possible in Splunk to know who has disabled a savedsearch and when?
Hi! I would like to know if there is a way to find out **when** a savedsearch has been disabled and **who** has disabled it. I want to know the details as I have multiple users having admin...