How would I configure my regex to also include Windows data?
I have a query that will identify all the logs in my instance for a certain index; it lists everything running except for Windows. What am I missing? Thanks in advance. index="source" | rex field=source...
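The posted rex is cut off, so the actual pattern is not on the page. An added example (not the poster's search): the most common reason a `source`-based extraction matches Linux paths but silently skips Windows is a character class or anchor built only on `/`, which never matches values such as `C:\Windows\System32\winevt\Logs\...` or `WinEventLog:Security`. The field names `src_file` and `os_family` below are assumptions for illustration; the index name is the one in the post.

```spl
index="source"
``` classify first so the output shows which hosts the pattern was dropping;
    SPL turns "\\\\" into the regex "\\", i.e. one literal backslash ```
| eval os_family=if(match(source, "^[A-Za-z]:\\\\|^WinEventLog:"), "windows", "unix")
``` last path component, treating "/" and "\" as separators ```
| rex field=source "(?<src_file>[^/\\\\]+)$"
| stats count by os_family, host, src_file
| sort - count
```

If the `windows` rows are still missing after this change, the problem is upstream of the regex (the Windows universal forwarders are not sending to that index at all), which `| tstats count where index="source" by host` confirms without any extraction. The triple-backtick inline comment syntax requires Splunk 7.3 or later; on 7.0 drop the comment lines.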
Help me with search for my use case
I need to set up an alert if my count is zero on that day. My query is index=abc | timechart span=1d count and I am running it for the last 7 days. If count=0 on that day I want to trigger an alert. Please help me...
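An added example of the alerting search (not the poster's own), built on the search in the post. `timechart` emits one row per day across the whole search window and fills days that have no events with count 0, so filtering on `count=0` after it is enough; `stats count` alone would also return a single row with 0 when nothing matched. The index name is the one in the post; the day-aligned time modifiers are an assumption about how the poster wants the window cut.

```spl
index=abc earliest=-7d@d latest=@d
| timechart span=1d count
| where count=0
| eval day=strftime(_time, "%Y-%m-%d")
| table day, count
```

Save this as a scheduled alert running once a day (cron `0 1 * * *` or similar) with the trigger condition "Number of results is greater than 0"; every row returned is a day with no data, which for a log source is a silent-feed condition worth paging on, not just a reporting gap. For a strict "yesterday only" check, narrow the window to `earliest=-1d@d latest=@d`.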
Why doesn't my REST query to /services/authentication/users work anymore all...
Hi, I use this query almost every day: | rest /services/authentication/users But today it doesn't work; I get this error message: Failed to parse XML Body:
Cisco eStreamer eNcore Add-on for Splunk: App is grouping events -- Is this...
Cisco eStreamer eNcore is grouping events, as seen in the indexer when searched. The old eStreamer client did not do this. Is this normal behavior for certain events grouped together? Any help would be...
Creating dashboards based on field-names rather than field-values in nested JSON
Hi Splunkers, I have events coming into Splunk Enterprise in the following JSON format: { ip : 1.1.1.1 mac : 010203040506 policies : { policy_name_1 : { rule_name_in_policy1 : { status : Unmatched...
How can we extract the data from a special format file?
We have the following: 2017-10-17 13:07:30,617 INFO [stdout] (ajp-/0.0.0.0:8009-81) ] 2017-10-17 13:07:31,694 INFO [stdout] (ajp-/0.0.0.0:8009-37) 2017-10-17 13:07:31,691 ERROR...
Saved searches not working in C# SDK 2.x example
Here's what I needed to do in order to get the saved searches to work in C# SDK 2.x. Edit the following class: **splunk-sdk-csharp-pcl-2.2.6\src\Splunk.Client\Splunk\Client\AtomEntry.cs** **Replace the...
Deployment server only showing 1 client at a time
I have only a deployment server at the current time, and to get ahead of the game we are going to roll the UF out to our Windows servers, as this can take months. My deployment server has no apps, so it is just...
Extract text from logs
Below is my log: CustomItemContainerGenerator.GenerateNextLocalContainer: Node is not the current one. in Xceed.Wpf.DataGrid.v4.5 Stack trace: at...
How to pass a different search query based on the token value from a text field
I have a text field with its default/initial value set to "*". I want to use different search queries based on the value from the text field, which is mainly "*" or not "*". Any suggestion?...
Has anyone seen this error message: Monotonic time source didn't increase; is...
Since we upgraded to 7.0 we're seeing this particular error show up in the logs: 10-17-2017 11:30:30.772 -0600 ERROR PipelineComponent - Monotonic time source didn't increase; is it stuck? We...
MAC Spoofing / Search
I think I'm close; just need a little help. Here is my current search: index=windows sourcetype=dhcpsrvlog | stats dc(raw_mac) as macCount values(raw_mac) as mac by dest_nt_host| eventstats count by...
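The post's search is cut off after `eventstats count by`, so its final shape is not on the page. An added example (not the poster's own) that covers both directions a DHCP-based MAC check usually needs: one hostname seen with several MAC addresses (a re-imaged or cloned host, or someone spoofing a name), and one MAC claimed by several hostnames (the classic spoofed or duplicated MAC). It uses the post's index, sourcetype and field names; the output field names `hostCount`, `macCount` and `reason` are assumptions for illustration.

```spl
index=windows sourcetype=dhcpsrvlog raw_mac=* dest_nt_host=*
``` annotate every lease with how many MACs its hostname has used
    and how many hostnames its MAC has been seen with ```
| eventstats dc(raw_mac) as macCount by dest_nt_host
| eventstats dc(dest_nt_host) as hostCount by raw_mac
| where macCount > 1 OR hostCount > 1
| eval reason=case(macCount > 1 AND hostCount > 1, "host_and_mac_shared",
                   macCount > 1, "host_has_multiple_macs",
                   hostCount > 1, "mac_used_by_multiple_hosts")
``` collapse to one row per (host, MAC) pair with first/last seen for triage ```
| stats min(_time) as first_seen max(_time) as last_seen count as leases
        values(reason) as reason max(macCount) as macCount max(hostCount) as hostCount
        by dest_nt_host, raw_mac
| convert ctime(first_seen) ctime(last_seen)
| sort - hostCount, - macCount
```

Normalise `raw_mac` (case and separator) before the `eventstats` if the DHCP logs are not consistent, otherwise `aa-bb-cc` and `AA:BB:CC` count as two different MACs and inflate `macCount`. Expect benign hits from hosts with both wired and wireless adapters; a lookup of known dual-homed hosts on `dest_nt_host` is the usual way to suppress them rather than raising the thresholds. The triple-backtick comment syntax needs Splunk 7.3 or later; drop those lines on older versions.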
Overlapping datapoints
I have two different series on a single chart. The column chart for one series is overlaid by a line chart of the other series. But in some places, the data values of the column chart are the same as the data values of the line...
Sophos Central app for Splunk: Data is not being pulled by the API
Anyone with the same issue? I'm not seeing anything being pulled by the API; I have put the API info into the Splunk add-on. ![alt text][1] [1]: /storage/temp/216829-sophos1.jpg
Indexing stops before MaxSize for that index
Hi. I have a single-server Splunk architecture. I created an index, let's call it "IT", with storage pointed to 500GB of separate high-performance SSD (not the default drive). No other index is stored on this...
Return results from ALL sub-searches into a table
Each search below gathers data via SQL queries from 3 different databases on 3 different servers. I have combined them into one in the hope of returning the "totalerrors" and "ClientID" associated with...