Piping to delete in a search head clustered environment
Hello We have a large search head cluster that we saw the count of data spike on. turns out theres an issue with timestamps going BACKWARDS in time. I've been creating props for these to clear up the...
View ArticleAWS Cloudwatchlogs (WARN DateParserVerbose...)
Hi We are having an issue with AWS App regards not displaying Cloudtrail info e.g. (VPC Flow Logs - Security) The AWS-Add-on is receiving data from AWS i.e. if i search index=aws-cloudwatchlogs I get...
View ArticleNot able to see the data forwarded from forwarder. However I am able to see...
I am forwarding the data from forwarder to indexer. I am able to see the default log files that forwarder forwards to indexer, but not able to see the monitored file in indexer and no error is being...
View ArticleClustered Indexer crashed and won't restart with Bad Decrypt error
I, I have inherited a clustered splunk setup and I noticed that 1 of my 2 indexers had crashed a couple of days ago. Trying to restart it yields a splunk timed out waiting to start error. Looking at...
View ArticleCreating evaluated rows in a time series table
I have a set of time series data that looks like this: Date Type Data ================== 12 A 1 12 B 2 12 C 3 13 A 1 13 B 2 13 C 3 I need to insert for example 2 calculated fields based on a formula...
View ArticleIt's not work: "fullEvent=true" stanza
I need to monitor file changes and i want to know wich one changes was made. inputs.conf [fschange:///etc/passwd] disabled = 0 fullEvent = true sendEventMaxSize = -1 pollPeriod = 10 hashMaxSize = -1...
View ArticlePivot finalises before end of search
We have created a data model and we use this to create pivots. Since yesterday, we observed that the results of the pivots are incomplete. When we open the pivot in search (or use pivot command and run...
View ArticleLosing data when time frame is 30+ days
If I'm looking at Last 30 Days of data for one event and doing a timechart, a couple of days come up with 0s as results. When I adjust my timeframe to look at those days (and surrounding days) to see...
View ArticleSSO custom error message in 6.3.2
In the 6.3.2 version of Splunk, a user who doesn't have access to Splunk gets a XML page as in the attachment.[link text][1] Where can we find this file in Splunk? i would like to edit this and show a...
View ArticleField Extraction help!!
Hi , We have sample data like below and need to extract fields from below fields From data below We need to extract Fields **"GB*2" with field value as "NC-MEDICAL" and "GI*" as "NC-Medical"****...
View ArticleDoes write access imply read access to an app?
Say for some app "foo" the default.meta file would look like this: // Application-level permissions: [] access = read : [ ], write : [ super_manager ] Is an user with role "super_manager" able to see...
View ArticleRouting locally ingested events (from the persepective of an indexer) to a...
All -- I'm seeking any advice i can get at this point. A little background. I manage two different user communities (A and B). Community A consists of a universal forwarder aggregator machine, as well...
View ArticleDBConnect2 Error with DBLookups
I am running DBconnect2 on the only search head in a clustered Environment, I have a Connection to a MS SQL Server Using MS generic driver with windows authentication , I also have an Identity up and...
View Articlessl for universal forwarder but not for local
Hi, Can I enable the SSL for the universal forwarder that will access it through the public ip but not the forwarder that access the splunk from its private ip. is it possible? Thanks,
View ArticleSplunk conditional search on one field
I have events in which Field1 contains multiple values but I only need to look for two values (foo AND bar) and tie them to Field2. What's the most efficient way to craft this search? I'm basically...
View ArticleHTTP Event Collector URI
I am trying to leverage Powershell to POST the event in form of JSON. The Invoke-WebRequest does not work well. Is these a way to validate the URI for HEC so as to rule out possibility of Wrong URI ?...
View ArticleClustered search heads not seeing data from clustered indexers
We are building a single-site pilot environment with the following layout: 1 x Deployment and License Manager 3 x Search heads (configured in a SH cluster) 3 x Indexers 1 x Indexer Cluster Master We...
View ArticleWhy am I getting incorrect results from btool during diagnostics for a Splunk...
When running the btool on the inputs.conf files on a Windows universal forwarder (v6.3.1), the results appear to be incorrect and this is making it difficult to find the root of my original issue. The...
View ArticleFormatted Paragraphs in Dashpanel Description
I am trying to add a formatted paragraph to a dashboard description and not having the best of luck. **What I'm trying to do is have the text show up like so:** *Resource: website link* *Reference...
View ArticleQuestion relating to Loadjob and REST API
Hi, I have a savedsearch set up within Splunk that uses the "$args$". I have one arg as "filter" and another as "deepFilter". So saved search query looks something like this (name is my_saved_search):...
View Article