Unknown search command 'ldaptestconnection' testing Splunk Support for AD
Configuring the Splunk Support Addon for AD but keep getting this error when testing the connection Search | ldaptestconnection domain="test.lab" Result distinguishedName: DC=test,DC=lab Error...

How can I sort time inside list(time)?
So, I regex time from my Splunk logs in the form (HH:MM:SS), and I am trying to build the report like **index: _something_ | regex Time | regex Date | regex User | stats list( (regex)Time) by...

Is there a way to turn XML attribute/values into Splunk extracted fields?
Hi guys, tricky problem here. I have XML coming in via REST that contains performance data for an appliance. I have to find a way to take the data and build some nice dashboards off of it. Here is an...

stats values(_time) delimiter
When I use stats values(_time) group by, the list of values in my table is delimited by commas. ex: 10/25/2017 16:48:34,10/25/2017 17:17:11,10/25/2017 17:17:15,10/25/2017 17:17:17,10/25/2017...
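An added example (not the poster's search) of one way to take control of the delimiter: format the timestamps first, collect them with stats values(), then collapse the multivalue field into a single string with mvjoin. The index name, the `host` split-by field and the timestamp format are assumptions.

```spl
index=_something
| eval t=strftime(_time, "%m/%d/%Y %H:%M:%S")
| stats values(t) AS times BY host
| eval times=mvjoin(times, "; ")
```

Without the final eval, `times` stays a multivalue field and the table renders it one value per line; mvjoin turns it into one string with whatever separator you pass.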

Splunk throttling issues to overcome false positive alerts in correlation search
Hi Splunkers, we do have a correlation rule for distinct malware infected on a system (two or more different malware on the system). The problem we are facing is that Splunk is triggering false...

For multisite cluster indexer environment, can site1 indexer on 6.5 work with...
I am planning a Splunk upgrade. Master and SHC are on 7.0, but the next step is to upgrade the multisite indexer cluster. Since we are critical on downtime, all indexers are at the same 6.4.*. Can site1 indexer on...

Different formats of URLs are not getting extracted from Squid proxy logs
Hi Team, I have onboarded Squid proxy logs on my Splunk instance. The problem is the log contains various formats of URL, so URLs are not getting extracted properly. Below are some of the types of URLs...

How to extract field names from Arris_log? I need help extracting alert...
I need help extracting alert numbers from these different raw logs. I have tried using the field extractor and am not having any luck aggregating them into a list or count. 1: Oct 26 11:14:51 192.168.69.50...

Application install from Splunk server to forwarder
Hello Splunk Experts, I'm working on networking device integration with Splunk. I am considering using an on-box universal forwarder to receive the application deployment from the Splunk server. Here are the steps in...

Version control of saved searches and alerts?
We got a request from one of our groups to be notified if any of their searches / alerts were modified, by whom, and whether it is possible to revert the changes. I assume we can use results of...

Search.log indicates search is attempting to extract data from sourcetypes...
Looking to speed up search queries. Upon looking at search.log, it is apparent that Splunk is attempting to extract or pull data from source types other than the one specified within the search. For...

Setting a max index size for frozen data?
I am running into a scenario where a high-volume index is quickly rolling over from hot/warm to cold and then to frozen. Our current requirements are to keep data for 18 months, or until it hits max...

Add dynamic title to my dashboard panel based on multiselect input
Hello, I am trying to make my dashboard panel title dynamic and display the Region and Country. For example, if the user selects North America and United States, I want the title to be that. Below is my code...
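An added Simple XML example (not the poster's dashboard) showing the mechanism: a panel title accepts the same `$token$` substitution as a search, so naming the two inputs' tokens and referencing them in `<title>` makes the title follow the selection. The token names `region` and `country`, the index name and the field names are assumptions.

```xml
<form>
  <fieldset submitButton="false">
    <input type="multiselect" token="region" searchWhenChanged="true">
      <label>Region</label>
      <choice value="North America">North America</choice>
      <choice value="EMEA">EMEA</choice>
      <delimiter> </delimiter>
    </input>
    <input type="multiselect" token="country" searchWhenChanged="true">
      <label>Country</label>
      <choice value="United States">United States</choice>
      <choice value="Canada">Canada</choice>
      <delimiter> </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <!-- the title is re-rendered whenever either token changes -->
      <title>$region$ - $country$</title>
      <table>
        <search>
          <query>index=_something region="$region$" country="$country$" | stats count BY country</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With more than one value selected in a multiselect, the token expands to the chosen values joined by the `<delimiter>` text, which is what ends up in the title as well as in the search.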

How to extract data from Event 4656?
I'm reviewing Microsoft Event Code 4656 (Failed Object Access) but when I try to audit Accesses or Access Reasons, Splunk will only return the first event in that field (In this situation it's DELETE)....

Questions about various steps for network device integration with Splunk
Hello Splunk Experts, I'm working on networking device integration with Splunk. I'm considering using a OneBox universal forwarder to receive the application deployment from the Splunk server. Here are the...

How to extract data from Microsoft Event Code 4656 (Failed Object Access)?
I'm reviewing Microsoft Event Code 4656 (Failed Object Access) but when I try to audit Accesses or Access Reasons, Splunk will only return the first event in that field (In this situation it's DELETE)....

Is it possible to combine these two search results to create 1 alert?
I have two very different search queries that I am having a hard time combining into one search. Search 1 yields results if the indexer hasn't received any data from the server's universal forwarder in...

Chart over multiple variables
day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="mssql-db" bandwidth_consumption="161"
day_receive_time="Wed, Oct 25, 2017" device_name="apple" app="ldap" bandwidth_consumption="146"
...

Cisco eStreamer App for Splunk: How can I change the location where perl...
Hi all, I installed the Cisco eStreamer App and it runs well. I have only one problem: the perl script puts its logs in $SPLUNK_HOME/etc/apps/estreamer/logs and it's saturating my filesystem. Is it possible to...

When clicking on a table header, want to sort case-insensitively
We have a table with a list of users. Some user names are all lower case, some all upper case, some mixed case. We can do the initial sort fine using a macro: [CaseInsensitiveSort(1)] args = fieldname...