How can I search top 10 users of Splunk?
How can I search top 10 users of Splunk? Any query help? I am not sure the below query is correct: index=_audit action="success" info=succeeded | stats count by user | sort - count | head 10
JSON input keeps erroring out, even though the JSON is clean
I'm attempting to parse Azure API Management Gateway logs, which come in JSON format. It starts out like this: { "records": [ { "time": "2017-10-11T13:04:54.8339905Z", "resourceId":...
stats sum command doesn't work
Hi guys, I have already used the "stats sum" command several times, but I just noticed that for one particular index the command returns no results even if I have several events available and the field where...
How do I use lookup to filter results? Needs to be "contains" rather than...
I am looking to filter events in Splunk by values in a lookup table. I implemented the solution from this question, and it is partially working:...
Source IPs Communicating with Far More Hosts Than Normal (Assistant: Detect...
Hello all, I was wondering if someone could break down what the following search does and what the final output fields mean? This search was taken from the **Splunk Security Essentials app**... |...
Infoblox Events
We are trying to forward Infoblox to our Splunk. I provided the IP and port to our Network Eng. folks to configure Infoblox forwarding. They came back indicating this: data.destination.splunk > set mode...
How to properly use OR and WHERE in Splunk
Hi, I'm new to Splunk; my background is mainly in Java and SQL. I was just wondering, what does the operator "OR" mean in Splunk, does it have a different meaning? For example, am I using it correctly in...
What version of TLS does the Splunk Python SDK use?
Hello! I've got a problem: my Python script is not able to get a connection to our Splunk server. This is my code: SPLUNKCONNECTION = client.connect( host=URL, # Server URL app=APP, # Name of the app...
Too many open files, despite ulimit of 65536
My Splunk indexer stopped with lots of ERROR messages which ended in "Too many open files". ulimit -n shows 65536 for the splunk user. I was able to just start Splunk again, and it is running fine now...
How to regularly write the filtered events to an index
If I have an index `test` that has too many events, I need to filter by keyword and write the result to the index `Useful_logs`. For example: Filter conditions: `index=test sourcetype=abc "login"...
SSO on SiteMinder
Hi all, I have the following problem: we configured SSO with SiteMinder using SAML. The problem is that this SiteMinder is used only for authentication and not also for profiling, so we're not able...
How to get the response time value?
I want to get the response time as a value (a number). How can I get it? The following script returns the visual representation of the response time, not a number. I want to get the number. index=abc...
echo command in Splunk
How can I print out any value or any result in Splunk? Does Splunk have any echo command? eval didn't help me much.
Why are my accelerated reports not leaving the "Summarization not started"...
In my search head cluster, one of my accelerated searches does not seem to be able to run its summarization. Its summary status keeps flipping between `Summarization not started` and `0% Complete`. It...
Converting alphanumeric field to numeric values
I've seen numerous questions out there that touch on this topic but haven't found an answer that actually meets my specific use case. I have data from several sources that report numeric data (such as...
SSO on SiteMinder using SAML error message: "**Saml response does not contain...
Hi all, I have the following problem: we configured SSO with SiteMinder using SAML. The problem is that this SiteMinder is used only for authentication and not also for profiling, so we're not able...
How to alert when a deviation has been detected in volume between two time...
I currently use the following query to compare volume counts between the current day and a week ago: sourcetype=abc index=xyz source=foo earliest=-0d@d latest=now | bucket _time span=30m | stats count by...
Converting alphanumeric field to numeric values (39.6K:39600)
I've seen numerous questions out there that touch on this topic but haven't found an answer that actually meets my specific use case. I have data from several sources that report numeric data (such as...
Monitor SQLite DB file with DB Connect
I read the following articles: https://www.splunk.com/blog/2016/09/13/using-db-connect-with-sqlite.html...
Monitor SQLite database file with Splunk DB Connect
**Update** I realized I needed to create an identity, according to the first link. I created one to mirror the config with no password. Now it's saying it can't get schemas. I read the following...