rex a process path from raw data
Would it be possible to search for certain events within the raw data? For example, I need to find events with C:\Windows\explorer.exe. I used | extract kvdelim=":\t" pairdelim="\n" on the raw events,...
Edit hot/warm/cold data retentions
Hello, I want to add the below configuration to a specific indexer: Hot/Warm/Cold Data retention 6 months 1.75TB, Frozen Data retention 6 months. Configuration is [myindex] coldPath = $path\colddb...
pdf issue in mobile dashboard
Hi all, when I am downloading a PDF, it is downloaded with queries instead of values. Please, can anyone help with this issue? Thanks! ![alt text][1] [1]: /storage/temp/217867-asa.jpg
Saved search parameters not passed to python script
Hi, I am trying to pass arguments from a savedsearch result to a python script, and it does not work. Code below. savedsearches.conf [test_search] action.log_message = 1 action.log_message.param.name =...
Regex question
Hi! if I can make groups from `` with regex? Excel19.36.9N/A Excel19.36.9N/A Excel19.36.9N/A I want to separate them as events. Thank you!
Diff in PROD and DEV with same data
We have exported and imported some data from our production to development environment with the same fields. But we found that "index=*" must be added to the query in the development environment. Could we know what we...
Splunk DB connect2: unable to restrict identities based on user role
There are two DB connections (say A and B) in our Splunk. I wanted to restrict user access to only the "B" database, and they should not have access to "A". I have created a user role and granted read and write...
Does CLI authentication per LDAP work while web authentication per SAML is...
We switched our Splunk web authentication from LDAP to SAML. Now when I for example try to "apply cluster-bundle", I can't authenticate myself with my LDAP credentials anymore, only with the local...
How to index arbitrary number of fields and do tstats operations on them?
Hi, I've got these strange XML logs, where each log has (among other things) a username and an arbitrary number of hashes, each stored in its own XML field. A simplified version of the log is shown...
Is the Newsletter app ready for Splunk 7.0 yet? Do you know when?
I put this on my Splunk 7.0 dev install and the Newsletter tab is essentially unreadable. I assume that's because it is only released for 6.3 as it says on Splunkbase.
indexes are not available to select from "Available search indexes" during...
Since upgrading to Splunk 7.0, I am not able to select our indexes from our index cluster from "Available search indexes" during user role creation in the Splunk web GUI. The indexes do exist and the...
Computer Program for modeling time for a search to complete?
Hi Splunk, I work for a corporate partner and have a question. Been having issues with auto-finalization of sub-searches and understanding how to configure search/sub-search parameters. Wondering if...
Can the TA for Unix show dropped packets?
I got an ask from one of my Splunk users wondering if we can expose the Dropped packet count from network interfaces. I took a look at the TA for nix, and it doesn't seem like it is doing that today....
How can I drilldown values from a hidden field?
Hey! I am building a dashboard and this problem is being a headache. I really need to find a way to drilldown values from hidden fields and/or panels, but not sure how to do so.. Can anyone help me,...
Each row of a table as pie chart without drilldown
Hi I have a table result created as: Emp sold consumed wasted...... stolen ABC 8 12 5 12 XYZ 2 5 6 7 : : TUV 10 34 2 3 where Emp, sold,consumed, wasted , stolen etc. (can be more also), are table...
Splunk DB Connect 2: Unable to restrict identities based on user role
There are two DB connections (say A and B) in our Splunk. I wanted to restrict user access to only the "B" database, and they should not have access to "A". I have created a user role and granted read and write...
Splunk for EMC ECS
Is there a Splunk add-on in the works for EMC's ECS product? Something similar to the Isilon package for file / object storage? - thanks
SAML authentication with LDAP authorization
Asked the question of Splunk support and was told "not possible". I am counting on the fact that we are not the only organization running into this problem. Our organization is a heavy user of AD for our...
Why are the queues being filled up on one indexer?
In the last day or two all the queues of one indexer got filled up. We bounced it and now on another indexer all the queues are close to 100%. What can it be? ![alt text][1] [1]:...
Splunk universal forwarder not reporting data from SQL server
Hi everyone, we have an issue with Splunk universal forwarders we installed recently on SQL servers. I have all inputs.conf and outputs.conf set correctly and there is no error in the log data, but its...