search string query
Hi, I can use the search string to get the statistics output: index=data sourcetype="data1" host=HOSTA | stats count by NAME | sort -count | head 3 Name Count SRV1 800 SRV2 600 SRV6 700. Question is how I...
How to monitor the last command in AIX?
I want to show the last login time for users who have ever logged in to AIX. And enable the lastlog stanza: [script://./bin/lastlog.sh] sourcetype = lastlog source = lastlog interval = 300 index = os...
How to calculate with multiple values in a table?
I have a few results which look like below in a table: ID Ask Bid 1 | 4 | 3 2 | 5 | 6 3 | 7 | 8. I want to create a new field with newfield=(4*6-8)/8, so how do I do it? All suggestions are welcome.
All JSON fields are alphanumeric
Hi, I'm ingesting data in pure JSON and all fields are being extracted. However, all fields are strings regardless of whether the field contains a float or an integer. Trying to convert the required...
Forward data to syslog-ng from Splunk
Hi all, for some reason I need to forward "wineventlog" to syslog-ng from Splunk Enterprise. Since I have 2 source IPs in wineventlog, I want to separate source IP by port. I don't know how to get this to...
Best method of alerting on unusual web behavior?
Hi guys, I'm looking for some help / advice around unusual web-based behavior. We have our POST and GET logs for all users' web activity going into Splunk; what I don't really know is how to alert on...
indexes.conf does not work.
Hi everyone: I have set indexes.conf like this: [qt] coldToFrozenDir = /SplunkBack/splunk/qt frozenTimePeriodInSecs = 20736000 (20736000 = 240 days) but I can still search last year's data....
Three water gauges in a dashboard get same height waves
Hello, Splunkers. I have three water gauges in one dashboard. Each water gauge runs its own query with its own result. I'm having trouble because each water gauge shows the correct numerical value...
Whitelisting for universal forwarder not working in 6.6.3.0
I am using UF 6.6.3.0 on my domain controller and the following is my inputs.conf. The whitelisting part is not working; I am seeing all event codes. [WinEventLog://Security] disabled = 0 start_from =...
Mask SSN on forwarder/indexer?
Tried this on both the forwarder & indexer without success, what am I missing? Log output: SignUpState='3.30' SSN='176783140'; desired output: SSN='xxxxxxxxx'. Tried this on both the Forwarder &...
Correlation search error messages in ES
Hi all, I have configured a test correlation search using the Content Management tab. Now I am getting the below message in Splunk repeatedly: <> I disabled the search and deleted the alert rule that was...
Should accelerated reports always be scheduled?
I have created an accelerated report with a summary range of 1 day. Should I also schedule this report with the cron schedule to run, let's say, hourly? If the accelerated report is not scheduled, how Splunk...
JavaScript doesn't execute in dashboard
Hello, I created a dashboard using this XML file: ` FL ERRORS FL ERRSSelect a market: Here's the search: ` but it doesn't execute the JavaScript file, and I have an empty dashboard. Is...
Getting outer values in a transaction that has repeated startswith endswith...
Hi there, I've been trying to solve an issue I have when using transactions. Here's an example of the logs I am working with ~ ** ^0-15 only there for clarity\illustration, not in actual logs 0 [9/26/15...
How many logs does an index get in a 24-hour period?
Afternoon Splunk gurus, I wonder if you would be so kind as to help / point me in the right direction? I'm new to Splunk and still getting used to extracting data; I'm looking to find out how to get the...
How to pull the details of triggered alert for last 7 days (when it was...
Hi, I have the same issue as mentioned in this question...
timechart - show every week, even if there is no value
Hi, I am creating a timechart and in some of my weeks I have no value for a field ("Number Of Lines"). I need the timechart to present every week, and when there is no value for a week, fill it with...
How to generate token for Netskope input
Following the instructions for the Netskope app there should be an option under Settings - Tools - REST API, but I am not seeing it. Is my app limited, or is there another location where I can generate...
In Windows Security events, why are some not logging in Splunk?
I have a UF set up on a Windows 2012 server. I am logging Windows security logs but I see some in the Event Viewer that are not going into Splunk. How can I get all the logs to go into Splunk from the Windows...
Permissions for scripts in TA-nmon
Hi, do the embedded scripts in the TA-nmon require special permissions like root privileges/ACLs? Thanks, Shreedeep Mitra.