How do I lookup/return a field from one sourcetype to another sourcetype?
Hi All, newbie here, would appreciate it if anyone can help answer this little question. Feeds from a Vulnerability Scanner have two sourcetypes - *sourcetype='A'*: We have *asset_id* and asset_name...
What format is the Splunk Certified User exam? Just Q&A like the quizzes or...
What format is the Splunk Certified User exam? Is it exactly like the quizzes from the Fundamentals 1 course or a practicum?
Web CIM Data Model on Reverse Proxy data
Hi there, this is the second time I have configured a Splunk Add-on for Reverse Proxy data. As the fields are similar to the Proxy / Web data model, I just went on applying that DM to the Add-on via eventtypes &...
Can we change index retention at any time?
Hello All, we have a multisite cluster environment running and our current retention is set to default. Can we change our retention now, and is it suggested to do so? What will be the impact?
SPLUNK Deployment
We are in the process of migrating to Splunk from Nitro. We have requested a deployment server to be built since deploying packages (UF for Windows) takes a while. Can I install deployment\license...
This saved search cannot perform summary indexing because it has a malformed...
I am trying to edit Summary Index for the scheduled search. I am getting the following error message: **This saved search cannot perform summary indexing because it has a malformed search.** There are...
Regex to filter security events doesn't work, need help
Hi Guys, we have UFs on our DCs and 2 indexers. On both indexers, to drop the unwanted text from events, I tried using the following regex in the...
Host field
One of my data sources has the host field in the raw packet. However, when we search the events, the host field is the name of the forwarder. Where do I rename that? I do use a transform, so can it be done...
How to list my Splunk admin users and their last login details.
I have about 250 admin users and I would like to know when each of them last logged in. Is there a query that I can use?
Free Splunk License - forward data from Splunk Forwarder
I installed the Free Version of Splunk and the Universal Forwarder. Under 'Add Data', i.e. Data Input, there is an icon called forward (data from Splunk Forwarder). When I click on it, I get a message...
How to move users and their accounts from one Splunk instance to another?
How to import users and their accounts from one Splunk instance to another? Any steps or documentation?
Is the Splunk license based on size of data or on number of events?
The reason I ask this is because I recently installed UFs on one of my DCs and daily license has gone up by 15-20 GB, but I don't see that much data coming into it. Events like 4624 have the line count as...
Grouping by two fields, want to get distinct count of values in second field
Hi, I wrote the following Splunk query which returns a list of distinct USER_AGENTs for each SESSION_ID: index=abc | rex field=_raw "-S:(?\w+)-.+User agent: '(?.+)', Referrer" | stats count by...
How can I capture these failures as timechart count by type of error in a...
I have the following failures in the logs that I need to capture and show as a timechart count by the type of error, in a single dashboard. Need help with framing the query: UploadFile : Processing...
Calculating bandwidth usage of Windows machines using WMI and Splunk
In C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf:
[perfmon://Network Interface]
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
interval = 10
object...
How is the Splunk license measured?
The reason I ask this is because I recently installed UFs on one of my DCs and daily license has gone up by 15-20 GB, but I don't see that much data coming into it. Events like 4624 have the line count as...
Accessing bash variables via a universal forwarder scripted input
When using a shell script on my Splunk server I am able to access variables with no problem, i.e.
#!/bin/bash
java -jar custom.jar -val $(date +%Y%m%d_%H%M)
However, when using the same script with the...
Splunk alert for missing logs
Hi, below is a snippet of a log pattern generating tons of records. I intend to write an alert if any logs are missing for a given time range.
sourcetype source activity
sourcetype1 myLog.log activity1...
Convert a string with percentage sign to number
Hello, I have this query to alert me when percentage_q_full is greater than a certain number: eval alert=case((PERCENT_Q_FULL>90), "Critical", (PERCENT_Q_FULL>80), "Warning", true(), "N/A") but...
How to use two time ranges in one search
Hi, I am trying to search for two event types, each in a different time range. Here I am using a time token. The eventtypes are "Password Change" and "Login". When I apply the search for the last 4 hrs, my query...