splunk-winevtlog - WinEventLogChannel::deleteCheckpointFile: Failed to delete...
error: splunk-winevtlog - WinEventLogChannel::deleteCheckpointFile: Failed to delete checkpoint file for Windows Event Log channel='security' I have installed UF on my PDC primary domain controller and...
How do I edit my rex field=URI mode=sed syntax to 'district' my sample URIs?
As of now I am using: rex field=URI mode=sed "s/=[^?]+/=xxx/g" But it's not working /v1/mb/members/15d628b4-0d113-09b8ec770efd/option /v1/mb/members/216570ce-c199-4ab9--c0cf3ddd404e/option...
Are function names case-sensitive?
The following query did not return any results: ... | stats count(EVAL(error_code=2000)) ... I had to use **lower-case** `eval` to make it work. Is it a general rule or a specific case?
Why are we getting "failed to parse timestamp defaulting to file mtime error"...
Hi Folks, we have logs in the format below, and there is no timestamp on the first 5 lines, and we are getting the error "failed to parse timestamp defaulting to file mtime error" while indexing the data. We have e...
I need help: I want to write an IdP to connect to Splunk's SAML implementation for SSO...
I need help: I want to write an IdP to connect to Splunk's SAML for SSO using Java, but I don't know what Splunk needs. I mean, I need some documentation about this. Could you help me? If that's all...
How can I use my billing info to create a prediction for the future?
I've asked about this before and now I've re-loaded the **raw** data without any modifications. It looks like this (without an actual timestamp): Month,Billing,MsgType,BillSize,Direction...
How can I see the difference in a count for two different types of events by day?
Hi, I would like to see the difference in a count for two different types of events per day. Currently I have it in total but not sure how to split it per day index="index1" ("first string" OR "second...
How can I filter events before they are indexed so they aren't indexed?
I tried this solution but no success. I am trying to filter data from being indexed. I need only the Error events In props conf: [source:://C:\\Windows\\System32\\winevt\\Logs] # Transforms must be...
When I delete an old version of Splunk does it delete the old indexes and hosts?
Hi All, I've recently had to reinstall Splunk on my server. It was using an index called "index2", I've since removed that version of Splunk (which I thought would have deleted the index) and installed...
Move license from cluster to standalone
Hi, **Splunk version: Splunk Enterprise 6.4.1** **OS: Linux CentOS 7** We have a standalone Splunk enterprise where the license will soon expire. As we also have a distributed Splunk implementation...
Proofpoint TAP Modular Input App: admin_all_objects error?
Seeing the following message after installing the Proofpoint TAP Modular Input and it is not working. Error from _internal splunkd proofpoint_tap_siem.py stream_events/Error encrypting and saving...
How to search for matching fields using 2 different hosts with the same sourcetype
I'm looking to find a matching field (let's call this field action) from 2 different hosts with the same sourcetype. example Sourcetype=pan host=1 and host=2 I'm looking to create a table that would...
Unix Add-on Not Extracting Fields
I've got the Splunk Add-on for Unix and Linux installed on my index master and across my 3 indexers via a cluster bundle. In the App for Unix & Linux running on my search head, I can see results...
Dynamic Dashboard Title with hideTitle=true - Show Filters not displayed...
I have a multipurpose dashboard/form that I needed to label based on URL params I am setting in Nav. Form labels do not pick up on token values. Based on another post I used hideTitle=true to hide the...
How to join 2 indexes by common field respective to time. Index 2 has...
Hello there, I have two sets of data under two different indexes. The fields for each index are respectively **[customer_id, datetime]** and **[customer_id, date_of_creation, motive]**. I would like to...
After Splunk upgrade (6.4.2 to 6.6.2) we can't create dashboards
Hello Team, We upgraded Splunk from 6.4.2 to 6.6.2 on the Linux platform. We can neither open the previous dashboards created by users nor create a new dashboard. It is just displaying...
How do we find the first non-zero packet loss event?
example dated newest to oldest : { "ip_address": "255.255.255.255","loss_pct": 0, "device_id": "ABC"} { "ip_address": "255.255.255.255","loss_pct": 10, "device_id": "ABC"} { "ip_address":...
JIRA Core compatible with Real-Time JIRA Service Desk Connector for Splunk?
I am interested in the ability to create issues in JIRA via Splunk Alerts, but we don't utilize Service Desk. We only use JIRA Core. Will this connector work?
ERROR extraction from log file
All, would like to extract the below information from the logs Caused by: org.apache.camel.TypeConversionException: Error during type conversion from type: java.lang.String to the required type: int...
Why am I getting these errors from extraction of Stacktrace?
Stacktrace --------------------------------------------------------------------------------------------------------------------------------------- org.springframework.jms.InvalidDestinationException:...