Splunk skipping some messages to read from file
I have log files updated in real time. For the past two years these files have been ingested into Splunk without issues. Suddenly I found a weird issue, where Splunk is skipping some messages in a file to ingest...
Splunk Alert Cookbook
Hello, I'm new to Splunk and want to create some alerts with security context. Does a "cookbook" or something exist showing lists of a bunch of different types of alerts with the queries/syntax? For...
How do I conditionally format single value visualization for a dynamic...
I am pulling control limits from one index and an actual measurement from another index and want to conditionally format it on the dashboard to be red if the measurement is out of spec and green if it...
Why forwarder is not sending logs to specific index
I deployed Splunk Forwarder in my kubernetes cluster using this blog http://jasonpoon.ca/2017/04/03/kubernetes-logging-with-splunk/ I have 4 files at > /opt/splunk/etc/apps/splunkclouduf/default 1....
use field from query to search lookup table
1) I have got a query whose output are events that contains a field called CV4_TExCd. The base query looks like this: index=ivr sourcetype=ivr_SEF applicationName=TestApp CV4_TExCd!=000000 2) I have a...
Time field always gives nanoseconds without format variable
`xd_index`_alerts SiteName="*" ServerType="Member"| eval _time=_time-(strptime(strftime(_time,"%Y-%m-%dT%H:%M:%S")." GMT+8","%Y-%m-%dT%H:%M:%S%Z")-_time) | stats latest(_time) AS latest_alert_time...
Delete manually frozen buckets while indexer cluster is up and running?
Is it safe to delete all frozen buckets from coldToFrozenDir manually from the indexers, while the cluster is up and running? We have one big ColdToFrozenDir, to which all frozen buckets are copied...
Combine two source types using data models and join
Hi everyone! In Enterprise Security I am trying to combine results from two different source types by using "join" but facing problem with subsearch limits. My goal is to make a statistic table where...
syslog -> SUF -> Splunk
Hi all, I've been reading quite a bit on syslog collection via a Splunk Universal Forwarder. In particular answer #28680. I understand the reasons behind using SUF or another syslog collector as...
How to find top CPU % utilization and top memory % utilization on different...
I have an inputlookup file (.csv file). It has column A with list of host names and column B with list of domain names; One domain might contain (map to) several hosts. And different hosts map to...
Splunk Add-on for ServiceNow and Jakarta Support
When can we anticipate support for the ServiceNow Jakarta release? Do we anticipate any issues with the Add-on prior to official Jakarta support?
Use other events fields as a field for your search
Hi, I need to use events on a data source as a reference for other events. Example:
ID | Name | Type | IDCategory
0 | Category1 | Category | null
1 | Categoryt2 | Category | null
3 | Item1 | Item | 0
4 | Item2 | Item | 1
...
check if value is in subsearch table result
Hi, I need a way to check if a value is in a subsearch table result. For example, I use this code that doesn't work: index=testeda_p groupID=sloc_data | search project=Periph core=ipa core_ver=*...
Accessing an accelerated table datamodel without access to the related index
Hello, I am confused about delegation for accelerated data models. I built an accelerated table data model, and granted access to users, and also granted access to any required knowledge object. User...
Performance / Design recommendations for dimensions in Metrics Index
Does Splunk have any guidelines or limitations on the number of dimensions (i.e., cardinality) that the new Metrics Index supports? Are there specific limitations in terms of the number of dimensions...
Oracle xml audit log
I'm trying to collect Oracle 12c audit logs in XML format on a Windows server. I have created this monitor on the Oracle server and (for testing, on the Splunk server and another w12 server)...
What is the most convenient and rapid way to extract data from Splunk using...
What is the most convenient and rapid way to extract data from Splunk using Python 3?
Can I graph data in text over time?
I have data that is in text value that I want to graph over time.
index=pcrf sourcetype=rac* ha_state=* | table _time ha_state host
Where I want to visualize the text (ha_state) by host, it will be one...
How can I get the matching events count into an alert message?
Hello, I created an alert, if a search brings up less than 1,000 results. How can I add the exact number of results to the alert message? Currently the trigger is "Number of results" "is less than"...
Finding users currently logged in to my app
For some reason I am having a real hard time wrapping my head around something... We have an application where we need to track who is currently logged in. The application writes a log entry when...