extract LAT and LONG from a string field
Hi all. I have a field with: Address=DG 14 KR 36 A 90 LAT:14.752811 LON:-79.543 I need to create three fields from here: Address=DG 14 KR 36 A 90 LAT=14.752811 LON=-79.543 I know the regexes for LAT...
How to search for any source IP addresses that have more than one result and...
I'm trying to run a search on search results. The first search would bring back various logs and sourcetypes. I want to take the finished search, look at any source IP addresses that have more than 1...
How to remove and prevent error "minimum free disk space (5000MB) reached for...
I keep getting the "minimum free disk space (5000MB) reached for /var/run/splunk/dispatch" on one of my heavy forwarders. There are no jobs that I can see in the job manager. Not sure where to go from...
After upgrading search heads from Splunk 6.2.x to 6.3.x, why am I having...
I've had Splunk 6.2.1 running for a while and Search Heads were accessible from Apache proxy and this is how it is configured. ProxyPass /splunk http://FQDN:8000 ProxyPassReverse /splunk...
How to write a search and alert if any indexers are down?
Hi, We have 4 indexers and we need to write a search and set up an alert if any of the indexers is down. Can someone please advise on this type of search? Thanks,
Why am I getting error "Could not find writer for:...
When I open the dashboard and go to Edit -> Edit Permissions, then change the "Display For" entry from Owner to App, and give read access to any option, I get the following error: In handler...
Is it possible to automate the export of dashboards as PDFs when these...
I have a large number of reports to produce according to a data hierarchy. These are to be provided to the client as PDFs. Currently I have some of these representing the top level of the hierarchy...
Parsing XML in SPLUNK
Hi friends, I am trying to index some XML (size ~ 2-3MB) using SPLUNK. I've set up a data input to continuously monitor the file location. However, SPLUNK fails to index/parse any of the XML files....
Same input within multiple apps = duplicate data?
If an input is specified identically in the inputs.conf file of multiple apps running on a Universal forwarder, will the same data be gathered multiple times (and thus generate extra license usage) or...
How to shorten value in a table column?
I have a query that produces a table of results. Some of the text values in the first column are too long, and they push everything over into overflow. How do I shorten or reformat the value of the table...
Transaction+timechart from complex logs (john the ripper)
A few days ago, a developer added to John the Ripper the ability to timestamp every line of logs, allowing me to feed them to splunk in order to derive statistics from these data. JtR's logs are...
How can I retain certain field values for all events with tstats when some...
I have an accelerated data model where *all* events contain a duration field (ReqTot). In addition, *some* events include a field indicating an experiment that was applied to the given transaction. I...
Can a search macro have a default value for parameter?
The question statement says it all. I was wondering if I can create a search macro where some of the fields are predefined. If the caller of my macro gives me one argument, I use the default value for the...
What does coalesce(randomField, 0) do?
I'm looking through some old searches and came across this line. From all the documentation I've found, coalesce returns the first non-null field. In this case, what is the '0' representing? If...
How to convert values in a table column to column headers?
I have a stats table like this:
Header1    Error    Count
0-24hr     1a       1
0-24hr     2a       2
0-24hr     3a       3
24-48hr    1a       4
...
Is it possible to store a field as a boolean value?
Assuming I'm not completely incorrect, I don't believe there is a way to store a field as a boolean value. There are a few types built into the splunk parser, including string, number, and most...
How to get a multiselect form input to pass two types of values?
When creating a search using pivot/data model, I can add a filter that looks something like: FILTER Brand in (brand1,brand2,brand3) or FILTER Brand in (*) as default value When running a regular search...
How to capture the click event on a Splunk map?
Using the regular map in Splunk, I'm currently showing points on the map read from a CSV file. When I click on the point, it goes to another page showing content of the row. I stopped the drilldown. I...
Running SearchManager in a dashboard, I get 165 results, but why does...
Hi, After I run a SearchManager in dashboard, the number of result events I see is 165, however, when I use the following code to retrieve the results data: var myResults = initSearch.data("results");...
How to edit my search to alert when the count is greater than 10000 and send...
Can someone please help me finish an alert I am trying to do below? I would like to set the alert to notify me once the count reaches 10k and then send me a list of the top 10 SRC_IPs. However, when I...