My local Universal Forwarder to AWS Splunk Instance
I have a splunk instance running on Amazon AWS for testing. I'm trying to configure my home pc to forward (universal forwarder) to the AWS Splunk instance. So far I'm not seeing anything. My AWS...
Deployment server for deployment server
Is there any option in splunk to use a deployment server to deploy apps in n number of deployment server. The deployed apps should reside on /deployed-apps folder of the client deployment server and...
Issue with SAML configuration
Hi all, my issue is not properly related to SAML configuration. We have a search head cluster where we are trying to enable SAML authentication instead of LDAP simple authentication. I'm using a...
How do I use the latest value given to replace a field that is NULL but both...
As stated I want the latest value in "Hash Value" and "Type" column to be filled instead of being "NA" and "Unknown" which I hardcoded if NULL. I want the latest value to be carried over instead of...
Passing token value from one dashboard to another in drilldown
Hi, I want to pass a value from one dashboard to another with drilldown click. I manage to pass it to an input in the second dashboard ($click.value$), but I don't want to show it to the user in the...
Not getting Indexes list in Indexer cluster.
![alt text][1] [1]: /storage/temp/217796-splunk-cluster-master.png My cluster master is not listing the indexes that are being shared by the peers, if I run a search indexes=* | stats count by index I...
How can I break up one long line into multiple events?
I have a file that contains one really long line, see below Example: ["2017-10-09 13:05",976.0,"OK"],["2017-10-09 13:06",908.0,"OK"],["2017-10-09 13:07",1001.0,"OK"] ...... And so on.. How can I break...
Number of days between two dates in same event
In an event I have two dates. G_S="2017-10-07 23:21:19.0" and A_Z="2017-10-07 00:00:00.0" I have multiple examples but somehow I cannot get it working. I would like to know how to extract the number of...
Type of data for Machine Learning App
Hi All, Will the Machine Learning app be useful for analysing server logs which contain the details of start and shut down of servers, exception details, server settings etc.? Thanks
Escaping (*) in Fieldvalues while inputlookup
Hello everyone, I have the following problem. My Inputlookup (a whitelist) has the following data structure: host,dest_host,Host_Application host1, dest_Host1,Host_Application1 host2,...
How to configure different timezones requirement for different apps, running...
Hi, We are working on a clustered environment, having multiple apps all running on the default server timezone (Europe/London). Each app has respective user roles defined. And we fetch data from MQs and...
Logging Azure using Eventhub vs. direct from BlobStore
We are embarking on an install of Splunk in Azure. We are looking at the various methods offered for gathering Azure stats. What experiences have any of you had in this same journey? What is most scalable?...
How to track the bundle size on indexers over time
Hi all, I wanted to set up an alert to monitor the bundle size if the size is about to reach the limit. I am able to get the "max_content_length" for all indexers from a rest call, but I am unable to...
Modifying the body of the email message for saved searches
I have a saved search which sends an email to the users when a condition is met. I need to include an image in the body of the email before it is sent. When I go to the saved search - Edit - Advanced...
Extracting a field from an existing field
Hello: I have an existing field name "filename" (extracted from Splunk) in this format abcdefg.000000AB.DDD01A222222222222222222.xml. I want to create a new field that extracts the characters in the...
How can I show the percentage of events that match a criteria?
I have the following query which provides me results for every 1 hour and for each mne as single row index=N sourcetype=APP earliest=-24h (time>5 AND (id=111111 OR id=222222)) | rex field=_raw...
Why isn't our firewall showing events? We're sending syslogs to a UDP port
Good afternoon, We have 3 firewalls that are sending their syslogs to a UDP port. 2 are showing events, one is not. It's like the events aren't being indexed. I tried sending the 1 firewall we aren't...
Sankey Diagram: How can I change Sankey node to red according to column value?
Hi Splunk Community I know how to display Sankey diagram in Splunk with the help of apps like Custom-SimpleXml-extension, Sankey diagram gallery and Dashboard examples. But that is all. What I want to...
Help searching a CSV file with multiple conditions
Hi, I spent a lot of hours to find the request I need with no success so I ask your help. My goal is to build a request with multiple fields condition values extract from a CSV. I have a CSV file with...
List accounts in Splunk that have not been used (logon) for 90 days or more?
Any query help highly appreciated? Thanks in advance! List accounts in Splunk that have not been used (logon) for 90 days or more.