Lost date_* field from my data after porting my environment to production
I developed my Splunk environment in a lab complete with reports to find NON-Business hour logins. IT was working fine. I ported my environment to production and blew away the data in my indexes to...
View ArticleForwarder management: deployment server vs Chef
I have very little experience with chef. I have a client with very high security requirements. I was wondering if anyone in the community can explain the costs and benefits of using the deployment...
View ArticleHelp with extraction of field created at index time?
All, Testing an index'd time field extraction in a test environment. It SEEMS to have worked, but randomly the field I am extracting ( pool ) just disappears from search results. That is if I just...
View ArticleSplunk App for Unix and Linux: Help creating a dashboard that shows servers...
All, I have 400+ servers with Splunk for Nix installed and collecting metrics to index=os. What I'd like to do is create a dashboard which determines which servers are showing 20% more CPU than they...
View ArticleHow do I configure firewall when forwarding from on-premise to Cloud?
I am building firewall policies to implement an on-premise Splunk Enterprise system and need to forward some data to a Splunk Cloud instance. What communication ports are used?
View ArticleTrying to sum values of fields with similar names
All, I have dates where the field names are: 20A1,20A2,20A3,20B1,20B2,20B3,20C1,20C2,20C3 1,3,4,5,5,5,6,6,6 I am trying the sum fields: 20A1,20A2,20A3 to get the value 8 as 20A, 20B1,20B2,20B3 to get...
View ArticleSplunk Add-on for Oracle Database: What role/permissions are required from...
When creating an Identity in Splunk DB Connect to be used with the Splunk Add-on for Oracle database, what role/permissions within Oracle are required for the Oracle user provided? I need to let my...
View ArticleIs my configuration wrong? Values are no longer showing up for this field.
I've been struggling with this all day. index=blah sourcetype=blah | rex max_match=0 Recipient:\s(?\S+) | eval receipient_count = mvcount(orig_recipient) yielded multiple values of orig_recipient if...
View ArticleLogs from rsyslog server stopped indexing
My setup is FW, WAF and Web-proxy logs being pushed to my Rsyslog Fwd which has a UF installed to push to my indexers. So my logs that were coming from the Rsyslog server stopped mysteriously around...
View ArticleHow to figure out which lookup .csv file a certain index is using?
In Splunk, how do I figure out which lookup .csv file a certain index is using? In other words, how to find which index is using a certain lookup file in Splunk?
View ArticleHow to subset top N records from the number generated from eventstats
Hi Splunk friends, I am new to Splunk community and currently facing a question. I have below table which was generated by some raw log-line data . stats2 is actually the aggregated sum of stats1 group...
View ArticleIs there a rest call to get license pools and members of those pools?
Hi, Is there a rest/search call that will show me the pool names and members (real names, not GID) of those pools?
View ArticleSplunk search result to csv format
Hello, We have requirement to have Splunk search/dashboard result data in csv format to be fed into another tool. There should not be any manual process- search should run at scheduled time provide...
View ArticleIs there any workaround in Splunk to make a star to be considered as constant...
I have some fields as follows sql="Select * from & ABC" sql="Select * from xyz.ABC" sql="Select * from gh2_ABC" sql="Select * from 34,rABC" sql="Select * from xyz.gfr" Now I am trying to work on an...
View ArticleHow to display total count of ssh login failures in dashboard?
I have this search currently that searches in real-time the ssh login failures. How can i display the total count of multiple user logon failure in a single metric visualization in the dashboard?...
View ArticleHow to show connectivity status icons, right below App's navigation menu bar?
I have a requirement where I need to show multiple DB connectivity statuses right below the apps navigation bar. These statuses are returned from simple search query(inputlookup). Also, I need this to...
View ArticleMay I know how Splunk calculate license usage for Packet collections
Hi All I want to know how Splunk will calculate license usages for packets collection? Currently what we are doing is setup monitor sessions on Cisco switches, and then monitor interested vlans'...
View Articlehow can i pass the field values from one search to my subsearch or to another...
index=xx sourcetype=yy |eval ..|table aa [| search index=xx1 sourcetype=yy1 yy=aa values |table yy zz ff ] in a single search ..
View ArticleSplunk Query optimization for drop and Spike
Hello Everyone, How can optimize this query because this query is taking too much of time. I am creating 4 windows in a day and getting the Average number of Event for 14 day for that particular...
View ArticleUnable to read the windows msi Staus from the log file in splunk
Hi, We are trying to create a dashboard in splunk to get the status of a msi instllation. We have configured the log file in the splunk. How ever except below two lines ever thing is being displayed in...
View Article