How can I count account access to devices by day?
context: I want to know how many accounts are on devices by day. In other words, if I can count dc(accountid) as accountid_per_device_count by deviceid, then I want to know how many of each...
Splunk DB Connect 3: Error message -- Splunk DB Connect is not using the...
I made a query to use in DB Connect 3 as a Rising Input Type. But every time the job runs I get the same information. The "Checkpoint Value" has stopped and DB Connect is not using the...
What should be added to my query to convert all the results to be lower case?
I have a Splunk query as follows: | inputlookup hosts.csv | rename Hostname as my_hostname | rex mode=sed field=my_hostname "s/\..*//g" Now what should be added to my query to convert all the results to...
Moving the license key from one license master to another -- Are there any...
Within the same environment, the license key is to be moved from one license master to another of the same Splunk version. If the license is removed from the old license master, the indexers are...
How can I count account access to devices (counts) by day?
I want to find/graph the count of (dc(X) as dc_X_count by Y) by day. In other words, I have some events in a basic search with two IDs, X and Y. There are 1 or more X values per Y. The max number of...
Question about settings for kvstore -- sslVersions = tls1.1, tls1.2
How is kvstore configured to not accept TLS version 1.0? Currently, server.conf has (excerpt): [sslconfig] sslVersions = tls1.1, tls1.2 Are any other settings required? Are there any other reasons...
Linechart with multiple lines of data on one chart?
Dummy question. I have a CSV file that contains three columns (fields):
2017-01-01, 10, g1
2017-01-02, 11, g1
2017-01-03, 12, g1
2017-01-01, 20, g2
2017-01-02, 21, g2
2017-01-03, 22, g2
How can I...
How can I search for all domains for "All Time" and limit results by second...
Hey All, Sorry if this is a duplicate, or already been answered, but I've tried numerous ideas from posts, and the documentation, but haven't managed to get something to work, and was hoping someone...
Is there any benefit to explicit field extraction vs letting Splunk do it on...
All, I have a sourcetype that is quite complex. So I need to leave autoKV extractions on. In one of the logs there is a key value which is the line of an error. Literally line=1234. I see in props.conf...
What index should sysmon data go into and how/where to change the index?
I have successfully installed sysmon and verified the schemaversion matches the schemaversion in the config file (sysmonconfig-export.xml by SwiftonSecurity). I have confirmed that sysmon is running in...
What should be added to my search to convert all the results to be lower case?
I have a Splunk query as follows: | inputlookup hosts.csv | rename Hostname as my_hostname | rex mode=sed field=my_hostname "s/\..*//g" Now what should be added to my query to convert all the results to...
When I run a search the Time Range Picker stays on all time, it will not let...
The time range picker reverts back to ALL TIME when I run a simple search. It searches back to 2016 each time, which takes forever! If I select last 24 hours it goes back to all time. I am unable to...
adhoc_searchhead = 1 / adhoc_searchhead = true not being respected
Currently on 6.4.3 which the docs claim this setting should be available for. Simply put, I've tried setting it both to true and 1, restarted splunk on the searchhead afterward, under shclustering...
Splunk dashboard timechart x axis does not show hourly interval
I have got a query that I turned into a dashboard. It has two panels, one is a line chart and the other a statistics table. The query behind the chart looks like this: index=ivr...
Splunk DB Connect dbx_settings.conf not picking up JRE Path
I am in a heavily locked down environment (I cannot change a user profile for example) and need to install DB_Connect. The idea I had was to: 1) Install a JDK to the /opt/jdk (owned by the Splunk user)...
What are all those [] inside indexes.conf?
Hi, Is there documentation that explains what [_internal], [introspection], [_splunklogger], etc. are? I'm trying to understand what frozenTimePeriodInSecs affects. Now I just change all...
About usage of {} in eval
I recently saw the manual of eval, and I found the following description. To specify a field name with multiple words, you can either concatenate the words, or use single quotation marks when you...
Summing epoch values within a JSON field
I have ingested a json file which shows me how long spent on an app on my phone and looks like (below) The fields have been extracted using KV_MODE = json which extracts the fields. The "tc" field...
Combining Unique Field Values
I have the following problem I would like to solve:
Numbers1 Numbers2
1 6
2 7
3 8
4 9
5 10
I want to concatenate so it will be like this:
Number_combined
1 2 3 4 5 6 7 8 9 10
I have tried field aliases,...
How to list ad-hoc/scheduled searches in order of CPU usage.
I saw some CPU usage spike on my all-in-one Splunk server 6.5.x and would like to figure out which individual ad-hoc/scheduled search, e.g. search name, causes it in the last 24 hours. How to figure it...