Splunk upgraded 7.0.0, Message still show new version available.
Hi, I have upgraded my splunk to 7.0.0 from linux terminal. Terminal shows version is not 7.0.0. Web interface->about also reflected 7.0.0 but there is still messages showing new version and new...
Need to make a new field with values of newly made fields from two indexes
Hi, Maybe a simple question, but I'm struggling with it. I would like to make a new field with eval which consists of two previously made fields with contents out of two indexes. Here is my search query....
Linear interpolation of a curve to compare with a reference curve
Hi everyone, I have a new problem, at each time-stamp, I am getting a curve of X and Y values. The number of X-Y pairs vary at each timestamp. I have a reference curve of Xref-Yref and now I want to...
Index override on HF data
Hi, There is a situation where we have installed DB Connect on a HF and then the HF sends that data to 2 sets of different indexers, and now we need to override the index name at one set of indexers. We...
Why Raw events table (populated using tokens) displays raw events for some...
Hi, Would really appreciate if someone could help me with this issue: 1. I have a Table that displays **Host** and **"Error Message"** and Count The "Error Message" field is a shortened version of an...
splunk install app from an insecure URL
Hello, I'm trying to install an app via command line similar to this: splunk install app https://self_signed_cetificate_server.org/splunk-app-for-unix-and-linux_523.tgz -auth admin:StrongPassword Since...
Alert fired but I don't know why
I had an alert that fired which shows a condition that the indexer hadn't received a specific kind of event within the last 5 minutes, but it had received it. I looked at the _indextime of these events...
One Distributed Search Head Constantly Returning No Results
I have two separate search heads, one for admins to use and another for regular users. The search head for admins once or twice a week will need to have splunk service restarted in order to read from...
Tstats command
Does anybody have good documentation on how to use tstats? I have mainly used "normal" searches but need to use tstats now. The splunk documentation I have already read and it's not good (i...
Search head app is not able to use newly created search peer bundle with...
While querying a search, the search head app uses an old search peer bundle, which results in a thrown error "cannot find App". App is getting deployed to the new bundle, which is not used by my app....
REST API Query in Search Head Clustering
Hi All, We have 8 search heads and made them a cluster (Search Head Cluster). Also, we have an indexer cluster with more than 20 indexers which are managed by a Cluster Master. We use a load balancer for the...
Using sendemail in a dashboard
I have a dashboard that I want to send an e-mail when the search finishes. When I do the search in the search dashboard, all works fine. When I do the search in the dashboard, I get several copies of...
Event Tracking Two Processes Starting Within a Short Time
I'm working on an alert that will trigger if a user opens a Word Doc using the Dynamic Data Exchange exploit that launches from a command prompt. I've turned command line auditing on my workstation and...
HTTP Event Collector
Hi All, Could you please help me with the query regarding collecting data using the HTTP Event Collector? I am trying to collect logs from F5 appliances using the HEC method. The basic architecture will look...
What is a good search for auditing when someone has accessed or attempted to...
Greetings, I'm utilizing Splunk Enterprise, and I'm wanting to audit whenever someone attempts to access and/or accesses the /var/log/audit folder on a Redhat 6.3 OS. Is there an already established...
Cron for Interval not working in inputs.conf where a digit amount is
Hi all, I may be missing something here and I apologize, but I have searched quite a bit. I want my inputs.conf to check for active sessions every 30 minutes, ideally on the hour and half hour. If I set...
Heavy Forwarder send events to remote syslog
I am being asked to forward events from a Heavy Forwarder to a remote ArcSight server as raw events. Our HFs receive events from UFs un-indexed, and they pass through the HFs un-indexed. Is this...
How to regex events with "==========================" as event breaker?
How to break the events using regex with "==========================" as the event breaker? event: PS C:\tetst\tethttb> "ERROR: Parameter ""-ComputerName"" requires an argument." Copyright (C) 2013...
Splunk App for Windows Infrastructure - lookup table does not exist
Hello all, We are trying to set up the Splunk App for Windows Infrastructure on one of our search heads. All the pre-reqs work and it is able to populate a lot of the dashboards. However, after...
What is the Java Access Bridge used for with Splunk?
Simple question. What is the Java Access Bridge used for with Splunk?