Kubernetes Logging to Splunk through Fluentd
We’re looking to get our Kubernetes logs into Splunk and it appears the best (most cloud native) way to do that is to forward the logs from Fluentd to Splunk HEC (HTTP Event Collector). With that being...
Search backwards matching on value in current search result
Hello - I have a logging event like this one. We are searching on "Threshold Exceeded" AND "225" 9/26/17 13:45:18:690 EDT] 000215d9 SystemOut O 4580330012 [SIBJMSRAThreadPool **: 764**] ERROR...
Passing the argument to the shell script on custom alert action.
Hey there, I've created a custom alert action on Splunk. This is my directory structure: /apps /bin [shell script] /default app.conf alert_actions.conf data/ ui/ alerts/ [html file] /appserver /static...
How can I extract fields as an array?
Dear friends, I have one event in my log file from which my user wants to extract fields as an array. The event is: RequestTime="14 Sep 2017 23:59:47.819" RequesterIP="10.108.18.9"...
Best Methods to Improve Performance of Dashboard
I have a dashboard with ~38 panels with 2 joins per panel. I'm curious what is most costly for Splunk dashboard performance: is it the large number of panels I have, or is it the number of...
Discussion: Practical cases of going against Splunk Best Practices
Hello all, potentially a bit of a sensitive topic, but I wanted to see what others thought. Splunk Best Practices are *great* and really help installations to go smoothly and work optimally, but I can...
How to resolve error message after indexer went down: "too many tsidx files...
One indexer just went down. As it came up, we see the following message for a couple of the indexers - throttled: idx= Throttling indexer, too many tsidx files in...
Empty result subsearch in eval/case
I am trying to eval a new field based on matching several subsearches. The issue is that these subsearches can potentially return an empty result, which breaks the syntax of the eval command. Example:...
What's the Splunk-wmi.path script that points to splunk-wmi.exe? Is this custom?
I'm trying to account for a number of Splunk configurations on a domain controller and I was trying to figure out what the splunk-wmi.path script was that points to splunk-wmi.exe. I wasn't sure if...
Are any Fluentd apps Splunk vetted/supported? Or is there a preferred...
We’re looking to get our Kubernetes logs into Splunk and it appears the best (most cloud native) way to do that is to forward the logs from Fluentd to Splunk HEC (HTTP Event Collector). With that being...
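Whatever Fluentd plugin ends up doing the forwarding, it speaks the same HEC wire format, and that format is simple enough to show directly. The block below is an added example, not code from the post or from any Fluentd plugin: it builds a batched HEC POST (one JSON object per event, `Authorization: Splunk <token>` header, the `/services/collector/event` endpoint on the default port 8088) and refuses to send the token over plaintext HTTP. The hostname `splunk.example.internal`, the `SPLUNK_HEC_TOKEN` environment variable, the index/sourcetype names and the sample container log events are all constructed placeholders.

```python
"""Minimal Splunk HEC client: builds (and optionally sends) a batch of events.
Added example, not from the post or any Fluentd plugin; host, token variable
and sample events are constructed placeholders."""
import json
import os
import ssl
import urllib.request

HEC_PATH = "/services/collector/event"  # HEC's JSON event endpoint


def hec_payload(events, index="k8s", sourcetype="kube:container"):
    """Serialize events into HEC's batch body: one JSON object per event,
    newline-separated. The raw event goes under "event"; routing metadata
    (index, sourcetype, host, time) sits alongside it at the top level."""
    parts = []
    for ev in events:
        obj = {"event": ev["event"], "index": index, "sourcetype": sourcetype}
        if "time" in ev:
            obj["time"] = ev["time"]   # epoch seconds; otherwise HEC stamps arrival time
        if "host" in ev:
            obj["host"] = ev["host"]
        parts.append(json.dumps(obj, separators=(",", ":")))
    return "\n".join(parts).encode()


def hec_request(base_url, token, body):
    """Build the POST. HEC authenticates with 'Authorization: Splunk <token>',
    so the token must never travel over plaintext HTTP."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send a HEC token over plaintext HTTP")
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=body,
        method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
    )


def send(req):
    """Send with certificate and hostname verification on (the default SSL
    context does both). Not called in the offline demo below."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())   # HEC answers {"text":"Success","code":0}


SAMPLE_EVENTS = [   # constructed sample container log events (hypothetical)
    {"time": 1506448800, "host": "node-1",
     "event": {"log": "GET /healthz 200",
               "kubernetes": {"namespace": "default", "pod": "web-0"}}},
    {"host": "node-2",
     "event": {"log": "login failed for user bob",
               "kubernetes": {"namespace": "auth", "pod": "idp-1"}}},
]

if __name__ == "__main__":
    # Token comes from the environment, not from a config file checked into git.
    token = os.environ.get("SPLUNK_HEC_TOKEN", "00000000-0000-0000-0000-000000000000")
    req = hec_request("https://splunk.example.internal:8088", token,
                      hec_payload(SAMPLE_EVENTS))
    print(req.full_url)
    print(req.data.decode())
    # send(req)   # uncomment against a real HEC endpoint
```

The two things to check in whichever Fluentd output plugin you pick are the same two this block enforces: the HEC URL is `https://` with certificate verification left on, and the token is injected at deploy time (environment variable or secret mount) rather than written into the plugin config.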
Applying Field Extractions across similarly named servers
Hey Gang, Here are the basics: We are running Splunk Enterprise 6.5.1. I have a distributed architecture that has two separate search heads, 4 indexers with AutoLB (but no clustering) and a deployment...
How to Compare Relative Times
Hello, I received help in building a search of mine, and I cannot figure out the syntax of comparing the time. I need help with this part of the search below (test the date for if this event is in...
Create a new row to the table which is the sum of existing rows
How to have an additional row on the top which basically adds up the sum of the rows below it in the table, with the consuming_app value as "ALL" and the remaining fields as the sum of the rows below.
How to set user permission for "view source"?
The Splunk administrator in my organization removed some permissions from my role; the consequence is that I don't have permission to run the "View Source" action. Please advise, what is the configuration...
Can I use strftime to compare relative times?
Hello, I received help in building a search of mine, and I cannot figure out the syntax of comparing the time. I need help with this part of the search below (test the date for if this event is in...
Is there any reason I shouldn't edit an add-on's bin directory files?
I want to add a few things to an app that sends off API commands when saved searches trigger. Basically a new field for the API, so a new GUI element to fill out during the alert trigger config, and...
Why is my search showing the total column value per user rather than...
I want to create a report that alerts on 7 or more failed TACACS+ authentication attempts in the past 10 minutes. I almost got it working, except the "Total" column adds up every user that failed and...
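The symptom in the post, a "Total" that counts every user's failures together, comes from aggregating without grouping by user. The block below is an added example, not from the post or from Splunk: it runs the same threshold (7 failures in 10 minutes, keyed per user) over constructed TACACS+ log lines, using a sliding window rather than fixed 10-minute bins so that a burst straddling a bin boundary is still caught. The line format `<ts> tacacs-auth user=<u> src=<ip> result=<FAIL|PASS>` and all user names and addresses are constructed for the example.

```python
"""Per-user failed-authentication threshold over constructed TACACS+ lines.
Added example, not from the post or Splunk; the log format is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical line format used for the sample data below.
LINE = re.compile(
    r"^(?P<ts>\S+) tacacs-auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$")


def parse(line):
    """Return a dict with a tz-aware datetime under 'ts', or None on junk."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def failed_auth_bursts(lines, threshold=7, window=timedelta(minutes=10)):
    """Return (user, time, count) the first time a single user's failures
    inside any `window` reach `threshold`. The count is kept per user, which
    is the grouping a global 'Total' column leaves out."""
    recs = sorted(filter(None, map(parse, lines)), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    fired = set()
    hits = []
    for rec in recs:
        if rec["result"] != "FAIL":
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and rec["user"] not in fired:
            fired.add(rec["user"])
            hits.append((rec["user"], rec["ts"], len(q)))
    return hits


def _line(minute, user, result="FAIL", src="10.0.0.5"):
    return f"2017-09-26T13:{minute:02d}:00Z tacacs-auth user={user} src={src} result={result}"


SAMPLE_LOG = (   # constructed sample log; shuffled order on purpose
    [_line(m, "alice") for m in range(0, 7)]        # 7 failures in 6 minutes -> alert
    + [_line(m, "bob") for m in range(2, 6)]        # 4 failures
    + [_line(m, "carol") for m in range(2, 5)]      # 3 failures: 7 combined, but none per user
    + [_line(m, "dave") for m in range(0, 21, 3)]   # 7 failures spread over 18 minutes -> no alert
    + [_line(7, "alice", "PASS")]                   # successes are ignored
)

if __name__ == "__main__":
    for user, when, count in failed_auth_bursts(SAMPLE_LOG):
        print(f"{when:%H:%M} {user}: {count} failed TACACS+ logins in 10 minutes")
```

The Splunk-side equivalent of the per-user key is `stats count by user` (for example `... | bin _time span=10m | stats count by user | where count >= 7`); a bare `stats count` produces exactly the cross-user total the post describes. Fixed `bin` buckets will miss a burst split across a boundary, which is why the example above uses a sliding window.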
How to monitor USB Registry with more information?
I have issues displaying the picture A's information into Splunk, only the vague ones are forwarded shown in picture B. I want every parameter in picture A to be forwarded to Splunk, how do I do it? My...
Can't get tag to work
I have a dashboard with several prebuilt panels and several non-prebuilt panels. At the top of the form I have: Refresh 1 minute 5 minutes 10 minutes 15 minutes Never Never For the value attribute I have...
Redrawing chart changes y axis maximum
I have a table which drills down to change a chart: Exchanges `MS_DDI_Microservices` metric_name="Rate:Exchange:*" | rex field=metric_name ".*:(?<Exchange>[^:]*):(?<direction>[^:]*)$$" |...