Number of events found not matching number of events displayed
Our Splunk Enterprise deployment has started returning inconsistent results, and I've been unable to track the source of the issue. In one example, Splunk reports that it found 34 results matching the...

Search to group by time range and ID
I have logs like this: 10:40:00 AM: id=1,status=SUCCESS 10:45:17 AM: id=2,status=SUCCESS 11:00:23 AM: id=34,status=SUCCESS 11:15:49 AM: id=1,status=SUCCESS 11:20:59 AM: id=2,status=SUCCESS I want to...

Can I use != in blacklist?
I only want to see cmd.exe and blacklist everything else for EventCode 4688. blacklist = EventCode="4688" Message="(?:New Process Name:).+(?:cmd.exe)" will remove cmd.exe but 'Message!=' doesn't do the...
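
The question above hinges on one point: a blacklist entry is a regular expression matched against the field, not a comparison, so there is no "!=" operator to negate it; the negation has to be expressed in the regex itself (a negative lookahead), or the condition flipped into a whitelist. The following is an added example, not code from the original post or from Splunk, that models how a key=regex blacklist or whitelist line is applied and runs the posted pattern, its lookahead inversion, and the whitelist form over a few constructed 4688/4624 events; the sample messages, the filter names and the helper functions are this example's own.

```python
import re

# Constructed sample events (not real logs), shaped like the Message of
# Windows Security EventCode 4688 "A new process has been created".
SAMPLE_EVENTS = [
    {"EventCode": "4688",
     "Message": "A new process has been created.\n\nNew Process Name:\tC:\\Windows\\System32\\cmd.exe\nCreator Process ID:\t0x1a4"},
    {"EventCode": "4688",
     "Message": "A new process has been created.\n\nNew Process Name:\tC:\\Windows\\System32\\notepad.exe\nCreator Process ID:\t0x1a4"},
    {"EventCode": "4688",
     "Message": "A new process has been created.\n\nNew Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nCreator Process ID:\t0x2f0"},
    {"EventCode": "4624",
     "Message": "An account was successfully logged on.\n\nLogon Type:\t\t3"},
]

# The blacklist from the question: drops 4688 events whose "New Process Name"
# line contains cmd.exe (the opposite of what the poster wants).
BLACKLIST_DROP_CMD = {
    "EventCode": r"4688",
    "Message": r"(?:New Process Name:).+(?:cmd\.exe)",
}

# Inverted with a negative lookahead instead of "!=": drops 4688 events whose
# "New Process Name" line does NOT contain \cmd.exe, so only cmd.exe launches
# survive while other EventCodes are untouched.
BLACKLIST_ALL_BUT_CMD = {
    "EventCode": r"4688",
    "Message": r"New Process Name:(?!.*\\cmd\.exe)",
}

# Whitelist alternative: keeps only 4688 + cmd.exe. Note it also discards every
# other EventCode unless those get whitelist entries of their own.
WHITELIST_CMD_ONLY = {
    "EventCode": r"4688",
    "Message": r"New Process Name:.*\\cmd\.exe",
}


def filter_matches(event, filt):
    """True when every key=regex pair in the filter finds a match in the
    event's field (all pairs on one blacklist/whitelist line must match;
    the regex is searched within the value, not anchored)."""
    return all(re.search(regex, event.get(key, "")) is not None
               for key, regex in filt.items())


def apply_blacklist(events, blacklist):
    """Keep events that do NOT match the blacklist."""
    return [e for e in events if not filter_matches(e, blacklist)]


def apply_whitelist(events, whitelist):
    """Keep only events that match the whitelist."""
    return [e for e in events if filter_matches(e, whitelist)]


def new_process_names(events):
    """Extract the 'New Process Name' value per event (None when absent)."""
    names = []
    for e in events:
        m = re.search(r"New Process Name:\s*(\S+)", e["Message"])
        names.append(m.group(1) if m else None)
    return names


if __name__ == "__main__":
    for label, kept in [
        ("posted blacklist", apply_blacklist(SAMPLE_EVENTS, BLACKLIST_DROP_CMD)),
        ("lookahead blacklist", apply_blacklist(SAMPLE_EVENTS, BLACKLIST_ALL_BUT_CMD)),
        ("whitelist", apply_whitelist(SAMPLE_EVENTS, WHITELIST_CMD_ONLY)),
    ]:
        print(label, [(e["EventCode"], n) for e, n in zip(kept, new_process_names(kept))])
```

The lookahead form is the one that matches the intent of "blacklist everything else for 4688": the 4624 logon event is left alone because its EventCode pair never matches, while the whitelist form would silently drop it. Escape the dot in `cmd\.exe` and require the preceding backslash, otherwise the pattern also matches names such as `mycmd.exe` or `cmd_exe`.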

Use count from first search in the Where Clause of the subsearch
I want to use the count from the first search "FilesImported" as criteria in the where clause of the subsearch. FilesImported is 0 and "File Missed" needs to be 1, but "File Missed" is currently...

How to migrate a clustered indexer peer to new hardware in a single-site...
Wondering if someone has gone through a hardware migration of a clustered indexers environment. Long story short, we want to move to a new platform and abandon the current hardware due to several...

Splunk DB Connect: distribute events to different indexes
We have data in a database from which we get records with db connect. They contain, among others, a selection field. The events must be filled into different indexes based on the selector field:...

Is this search accurate to measure how much data a search used the past week?
I have an event that is using X amount of space. The search is: index=network default send string I'd like to search how many gigs of license this event is using over the last week. Any way to do that...

How to extract the fields from JSON output and display as table
{ "ERROR_CODE" : "XXX-XXX-00000", "ERROR_DESC" : "Success." }, "accountBalances" : { "accountNumber13" : "22222222222", "siteId" : "200001005", "siteCode" : "HRD", "customerName" : "LiXX XXXXXX",...

How to make a search using the Splunk REST API
I have following search query that I run on the Splunk search UI & It works fine: index=cpaws source=PFT buildNumber=14 type=REQUEST | stats p98(wholeduration) as currentRunP98Duration| appendcols...
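
The usual reason a query that works in the search bar fails over REST is that the search bar prepends the `search` command and applies the time picker, while the jobs endpoint does neither: the `search` form field must be a complete SPL pipeline, and without `earliest_time`/`latest_time` the job is not bounded by the UI's default window. The following is an added example, not code from the original post or from Splunk's SDK, that builds a one-shot job request for the posted query against `POST /services/search/jobs` on the management port using only the standard library; the host name, the token held in `SPLUNK_TOKEN`, the `-24h` default window and the helper names are this example's assumptions.

```python
import json
import ssl
import urllib.parse
import urllib.request

# The query from the question (its appendcols part is cut off there, so only
# the stats part is used here).
UI_QUERY = ("index=cpaws source=PFT buildNumber=14 type=REQUEST "
            "| stats p98(wholeduration) as currentRunP98Duration")


def normalize_search(query):
    """The jobs endpoint wants a complete SPL pipeline. The search bar silently
    prepends the 'search' command; over REST you must do it yourself, unless the
    query already starts with a command ('search ...') or a generating pipe."""
    q = query.strip()
    if q.startswith("|") or q.lower().startswith("search "):
        return q
    return "search " + q


def job_form(query, earliest="-24h", latest="now"):
    """Form fields for POST /services/search/jobs. The UI time picker does not
    apply over REST, so always pass an explicit window."""
    return {
        "search": normalize_search(query),
        "exec_mode": "oneshot",   # run synchronously, results come back in the response
        "output_mode": "json",
        "earliest_time": earliest,
        "latest_time": latest,
    }


def results_from_json(payload):
    """Pull the result rows out of an output_mode=json response body."""
    doc = json.loads(payload)
    return doc.get("results", [])


def run_oneshot(base_url, token, query, earliest="-24h", latest="now", cafile=None):
    """POST a one-shot job and return its result rows.
    base_url is the management port, e.g. https://splunk.example:8089 (an
    assumed host); token is a Splunk authentication token sent as Bearer.
    TLS verification stays on: point cafile at the CA that signed the splunkd
    certificate instead of disabling checks."""
    body = urllib.parse.urlencode(job_form(query, earliest, latest)).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/services/search/jobs",
        data=body,
        headers={"Authorization": "Bearer " + token},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=120) as resp:
        return results_from_json(resp.read())


if __name__ == "__main__":
    import os
    rows = run_oneshot(os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"], UI_QUERY,
                       cafile=os.environ.get("SPLUNK_CA"))
    print(rows)
```

For long-running searches use the asynchronous form instead: omit `exec_mode=oneshot`, keep the `sid` from the response, poll `/services/search/jobs/<sid>` until `dispatchState` is `DONE`, then fetch `/services/search/jobs/<sid>/results`. Either way, use a token scoped to a read-only role for automation rather than an admin password in Basic auth.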

Can I use a lookup table of IP ranges + location names to add a location...
I have a lookup table of IP ranges with location names. I'm trying to search network traffic and add a "location" field to the result based on what IP range the src_ip falls under. I do not have access...
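
Inside Splunk this is a CIDR lookup: the lookup definition's `match_type = CIDR(ip_range)` setting makes the lookup test whether `src_ip` falls inside each row's range instead of comparing the strings. The following is an added example, not code from the original post or from Splunk, that shows the matching logic such a lookup has to implement, including the two cases that usually surprise people: nested ranges (the most specific one should win) and malformed addresses (skip, do not abort). The lookup rows, the events and the function names are this example's own constructed data.

```python
import csv
import io
import ipaddress

# Constructed lookup table (not the poster's data): CIDR ranges with a location,
# in the shape of a CSV lookup with columns ip_range,location. 10.20.5.0/24 is
# nested inside 10.20.0.0/16, which is nested inside 10.0.0.0/8.
LOOKUP_CSV = """ip_range,location
10.0.0.0/8,corp-any
10.20.0.0/16,london-office
10.20.5.0/24,london-dc-rack5
192.168.0.0/16,lab
"""

# Constructed network events (not real traffic).
EVENTS = [
    {"src_ip": "10.20.5.77", "dest_port": "443"},
    {"src_ip": "10.20.9.1", "dest_port": "22"},
    {"src_ip": "10.3.3.3", "dest_port": "53"},
    {"src_ip": "8.8.8.8", "dest_port": "53"},
    {"src_ip": "not-an-ip", "dest_port": "0"},
]


def load_ranges(csv_text):
    """Parse the lookup into (network, location) pairs sorted most specific
    first, so the first containing range is the longest-prefix match."""
    rows = csv.DictReader(io.StringIO(csv_text))
    ranges = [(ipaddress.ip_network(r["ip_range"], strict=False), r["location"])
              for r in rows]
    ranges.sort(key=lambda nl: nl[0].prefixlen, reverse=True)
    return ranges


def lookup_location(src_ip, ranges):
    """Location of the most specific range containing src_ip, or None when no
    range matches or the value is not a valid address (bad data in one event
    must not stop the enrichment of the rest)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return None
    for net, location in ranges:
        if addr.version == net.version and addr in net:
            return location
    return None


def enrich(events, ranges):
    """Add a location field to every event, as the lookup command would."""
    return [dict(e, location=lookup_location(e["src_ip"], ranges)) for e in events]


if __name__ == "__main__":
    for row in enrich(EVENTS, load_ranges(LOOKUP_CSV)):
        print(row)
```

If several lookup rows contain the same address, check which one your lookup actually returns (the file order and the definition's match limit decide that); ordering the CSV from most to least specific, as the loader above does, keeps the result predictable either way.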

Bucket rolling issue
Our indexers have two volumes configured: [volume:cold_vol] path = /opt/splunk/var/lib/splunk_cold/colddb maxVolumeDataSizeMB = 70000000 [volume:warm_vol] path = /opt/splunk/var/lib/splunk/warm_vol...

Send data to heavy forwarder to filter events AND change sourcetype - help...
Hello, as the question states, I'm looking to send events from a universal forwarder to a heavy forwarder to have them filtered. Once filtered, I'd like to change the sourcetype. I have not implemented this...

What range of UDP/TCP ports can be used for various log sources?
I have 3 different log sources sending logs to Splunk from a number of hosts on UDP 514. Breakdown: WLC (5-6 hosts), ESX (8) and EqualLogic (6). However, so far I am only getting data from the WLC hosts....

Rows with same column value should be colored with same color
Lets say I have a table with fields A, B, C, D. I would like to color rows based on the values of column D. Basically rows with same value of column D, should be in the same color. Is there a way this...

How to retrieve search name by search id
My Splunk server has high CPU usage and I saw a bunch of splunkd processes like the one below: search --id=admin__admin__search__search9_xxxxx.yyyyy --maxbuckets=0 --ttl=600 --maxout=500000 --maxtime=8640000...

Rex has exceeded configured match_limit, consider raising the value in...
I am trying to extract about 20 fields from a log file; each line has about 800 characters. I can only extract the first 14 fields, then I get an error saying my rex has exceeded the configured match_limit,...

Setting the query start time and end time
I want to monitor my dashboard from today 7 AM to tomorrow 5 AM. I don't want to set the time manually. FYI, my dashboard contains a list of jobs running from 7 AM to 5 AM the next day. I need to monitor the...

Timechart and overlay two columns?
I have a field outcomeIndicator in my data, that holds values 0,1,5,8. 0 and 1 mean a success of the event, and 5 and 8 mean failure. Now, I want to use timechart count to plot these values over a...

Host name not showing correctly
I have several VM servers built from an image. The host names have been changed, but somewhere the old host name is populating the messages file. When I monitor the messages file on all the hosts they all...

Count combination of Multivalue Field
Hi, I wonder whether someone can help me please. I'm using the query below to extract the different actions performed for each submission by detail.Id `submissions_wmf(Submission)`...