How can I search for one eventtype for 4 hours and a second eventtype for 8...
I have to search for two logs from same index using different time range. For example one eventtype is "login" and the other eventtype is "breach". In a single search i need to search for both...
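One way to cover two time windows in a single search, as an added example that is not part of the thread (the index name `auth` is a placeholder; `login` and `breach` are the eventtypes from the question): pull the wider window once, then keep the shorter-window eventtype only where `_time` falls inside the last four hours.

```spl
index=auth earliest=-8h (eventtype=login OR eventtype=breach)
| where eventtype="breach" OR _time >= relative_time(now(), "-4h")
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen by eventtype
| convert ctime(first_seen) ctime(last_seen)
```

Splunk also accepts `earliest`/`latest` modifiers on individual terms of a boolean expression, e.g. `(eventtype=login earliest=-4h) OR (eventtype=breach earliest=-8h)`; the `where` form above is easier to reason about because the filter is explicit and is applied after the events are retrieved, so the outer window stays the only time constraint the search head has to satisfy.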
Palo Alto Networks App for Splunk: How to regenerate the lookup table from disk?
We are getting the following error when we run queries: The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:newapps'. Looks like someone deleted the lookup...
After upgrading Splunk DB Connect the date fields disappeared. How do I...
In DB Connect 2.0 when I created an input, it created fields like date_mday, date_month, date_week, etc. Now I have updated to version 3.1.1 and it isn't creating these fields anymore. This a bug...
How can I create a table of my search results with a count of each matching...
I have this search of events: eventtype=cisco-firewall src_ip="*" (dest_ip="192.168.1.2" OR dest_ip="192.168.2.2" OR dest_ip="10.10.1.1" ) For each src_ip, I'd like to list the dest_ip and the count of...
How can I include the sequence sunburst chart in visualization picker of...
Hello, I am trying to add the sequence sunburst chart to the visualization picker of the search app. Could anybody please help me with that?
Has anyone used Palo Alto Networks MineMeld to send logs to Splunk? Can you...
Has anyone ever sent logs to Splunk using MineMeld? If so, how? I currently have access to MineMeld, but I was looking for a way to set up the config to send the logs to Splunk.
Problem with command "map"
Hey guys! So, I am having issues with the command map and was hoping someone can help me with this. I have a Choropleth Map that displays the number of events per country according to a search string....
Why do our forwarders disappear from the dedicated '/opt/splunk' file system?
Occasionally, our forwarders disappear from the dedicated `/opt/splunk` file system. Where can we find out information about the handling of this file system? re-mounting, etc... How can we find out...
Help rebuilding subsearch that keeps timing out
So here's my issue. We are creating a chart that shows each user and which desktops they use. The desktops are divided into two categories. I need counts of users for category 2 that are NOT in...
I am getting "failed to fetch data" error under Access Control when trying to...
Why am I getting "failed to fetch data" error under Access Control when trying to map a Splunk role to LDAP group?
JSON Field Extraction names with curly brackets
Hello, I'm currently searching over a collection of events that contains some JSON structure. When applying SPATH over the field containing the JSON, the resulting fields for a specific node of the JSON...
statistics table sorting
I have a search from which I get the below result one of the columns in the statistics table : Sat Oct 07 2017 07:30:00 GMT-0400 (EDT) Sat Oct 07 2017 12:00:00 GMT-0400 (EDT) Thu Oct 05 2017 08:00:00...
Feature Suggestion: Panel-local variables for prebuilt panels
Prebuilt panels would be more useful if they allowed local variables. This would parallel the way macros allow arguments. Local variables at the panel (and possibly row) levels would allow multiple...
VPN user drop tracking for 5 minute window using delta function
Hi, Here is the query I have `index=vpn sourcetype=vpn_prod srauserid1=* earliest=-10m |timechart span=5m dc(srauserid1) AS all_user | delta all_user as diffuser | search diffuser < -20 | rename...
How can I make my search trigger if the user count drops by 20 in a 5-minute...
Hi, VPN user drop tracking for 5 minute window using delta function Here is the query I have `index=vpn sourcetype=vpn_prod srauserid1=* earliest=-10m |timechart span=5m dc(srauserid1) AS all_user |...
Splunk DB Connect v2 with MongoDB error
Having a problem connecting DB Connect v2 with a MongoDB. Using the following stanza in db_connection_types.conf [mongo] displayName = Mongo serviceClass = com.splunk.dbx2.DefaultDBX2JDBC jdbcUrlFormat...
Help with the buckets and hot/cold data settings
Need 12 months hot data, 3 months cold, nothing else I put the following in /opt/splunk/etc/system/local/indexes.conf: [main] frozenTimePeriodInSecs = 39312000 That setting is supposed to remove...
Can I reduce my common user role configuration stanzas?
I was wondering if there was a clean way that I could reduce my stanzas in authorize.conf? I was hoping that similar to indexes.conf I could really do some cleanup work by taking something like this:...