How do I set timezone properly in props.conf?
Our data source is generating syslog data using UTC. Time in the syslog header is formatted as `Oct 22 15:51:14`. We made the following changes to `$SPLUNK_HOME/etc/system/default/props.conf`: [host::]...
Can you obfuscate data in journal.gz after deleting the events?
Let's say I have an index that contains events with cleartext passwords. I can delete those events and they are no longer searchable in the UI, but the raw data still exists in the **journal.gz** file....
The cluster master only performs remedial activities when it detects a peer...
I understand from Splunk documentation that because the master keeps track of which bucket copies are on each node and if they are primary or searchable copies, even if a peer goes down, the master can...
What is the difference between indexed real-time vs scheduled search every...
I understand that indexed real-time searches are not up to the second and lag (default of 60 sec) behind a real-time search. With this being the case, what is the difference between these two searches?...
"cannot touch `/var/lock/subsys/splunk': Permission denied" How can I...
Starting Splunk as the user splunk from /etc/rc3.d/S90splunk I get the following error message; touch: cannot touch `/var/lock/subsys/splunk': Permission denied I'd prefer to move the lock file to...
Why is Splunk not reading SOAP XML for CURL script with error "Premature end...
We use custom CURL scripts to update data on our dashboards. We have to add another custom script, but this one will need to use SOAP requests. We've created the scripts and the XML file with the SOAP...
Splunk DB Connect 2: I've established connection to the database, but why am...
Hello, I have established 2 connections to 2 different databases using the same DB account. I have confirmed via the Splunk DB Connect 2 app that I am able to successfully connect to the DB. However,...
Transform Action for two different Authentication events
I have 2 events from 2 different systems which are displaying slightly different authentication successful messages (due to running different version firmware) but need to catch 'success' in the...
Time picker in dashboard default "all time"?
Every time when I open the dashboard, it's "all time" by default. Can we change that?
Time format in email alert
Search AAA||rename _time as UpTime |fieldformat UpTime=strftime(UpTime, "%D %H:%M:%S") |Table UpTime Info It works well in browser. like: 10/23/15 08:06:49 Info1 10/23/15 10:02:20 Info2 However, when I...
How do I render a chart with an overlay using the "View as Axis" option using...
I'm trying to render a chart with an "View as Axis" overlay using the javascript splunk-sdk. Setting the following options does not achieve the expected result:...
When creating a dashboard to create a list of windows log sources how do you...
When doing this via the search bar index=xxxx | chart count by source, when you select a source in search it automatically adds in the extra escape character `\` in front of the file locations `\`,...
Duplicate data problem
Hi I have the following configuration in inputs.conf: [monitor:///] index=results crcSalt = sourcetype = results My intent was to input data based on the location of the data. But the following command...
Is there a way to re-run scheduled searches for a certain period?
I need to re-run some of our scheduled searches that were scheduled for a certain period (these searches have email and script actions associated with them). Is there a way to do this? I know that for...
FormUtils with version older than 6.1.1
As far as I understand it `splunkjs/mvc/simpleform/formutils` was introduced in version 6.1.1. I'm currently stuck with 6.0.8. So how does the following code work in that version which doesn't have...
Export to csv button in Django
Hi, I have created an application using Django Binding and the table results I want to export to csv with a button , is possible?
Forwarder used to forward multiple TCP ports
I have an indexer that is using two forwarders to get logs. These forwarders are forwarding other forwarders in their zone. One of these forwarders is also setup to forward syslogs from an appliance....
How to differentiate between the source types and integrate them as one.
I am working in an environment which has three (almost similar) source types. I want to know what type of data is going into these source types, and if possible I want to differentiate the data and...
Search changes on Splunk objects by user
I want to search Splunk logs in order to see changes to Splunk Objects by user. An example would be to see an event which reads something like the following: date=1/1/2000, time=08:00:00.000,...
splunk show shcluster-status winsock 10022 error server 2012r2
I try to run many of the splunk cli commands on my new splunk servers I am building and receive "Couldn't complete HTTP request: winsock error #10022". These are new windows server 2012 r2 builds, I am...