How do I capture both IP (ip_address) and hostname (host) information in my...
Hello all. I am trying to capture **BOTH** IP address info **AND** hostname in my logs. This data needs to be part of the actual logged data, not an added lookup field. I have found this line in the...
Why am I unable to set new fields in a custom search streaming command?
I'm writing a custom search command to convert all the full path xml names to just local names. I'm also making the field names all lower case for consistency. My code is below: def stream(self,...
How to install Splunk forwarders on AWS EC2 instances?
I have Splunk Enterprise on an AWS EC2 Server, and need to install forwarders on two other EC2 Instances. Can someone direct me to documentation on how to do this? Not finding this case in the...
How do I find which specific Data Sources are lighting up the different...
Is there any easy way to see which Data Source lights up specific Dashboards? I am creating documentation, and would like to include the data sources lighting up the different Dashboards.
Adding plus/minus one hour to time tokens
Hi folks, I'm running the transaction command, in a drilldown panel that passes the times picked on the timechart down to the next panel as tokens. The problem I run into is where the transactions...
How to base conf_replication_max_pull_count value for search head cluster...
`WARN ConfMetrics - single_action=PULL_FROM took wallclock_ms=4610! Consider a lower value of conf_replication_max_pull_count in server.conf on all members` What should I base the value for...
How to edit my search to get the count for the Top 5 and Others?
Can anyone help me get the count for Top 5 plus an Others count for the following please? Thank you `sourcetype="cisco:asa" action=blocked | stats count by src_ip, dest_ip, dest_port | sort - by count |`...
How do you group field values based upon user, and then filter users that...
Each user can have two values of **type**: movement and check-in. There are some users that only have movement and never check-in. I've tried grouping these **type** values and then filtering those...
I need help with a range of numbers in REGEX
I have the following REGEX to pick up the bytes out, `^(?:[^,\n]*,){31}(?P\d+)`. I need to know the REGEX to filter out a range of numbers as bytes out from 0-1400.
Are there any other online collections of Splunk search examples?
Beyond what's in the [Search Reference][1] and the [Search Manual][2], are there other sites that have SPL examples available to the community? [1]:...
How to pass credentials within custom search command using Python SDK 1.5
I'm building a custom search command (in Python with the SDK 1.5). From within the script (search command), I need to connect to the Splunk instance to execute some extra searches and retrieve some kv...
Hunk 6.3.0 doesn't seem to work with Hive (version 0.13) with Char(N)...
We realized recently that our Hunk 6.3.0 doesn’t seem to work with Hive (version 0.13) with Char(N) definitions.
I would like to have a setup with only one indexer and one search head
Dears, may I know please if it's possible to have a setup in which I will have only two machines, one of them acting as Indexer and the other as Search Head, and if it's possible how can I achieve...
Is it possible to access properties from a custom config file (props.conf) in...
I would like to access properties from a custom config file in a Simple XML extension - is this possible? For now, I am just trying to access the props.conf from the default search app using the...
Does an intermediate forwarder need to be a heavy forwarder, or can a...
I am interested in forwarding syslog and Windows events from a DMZ to Indexers which reside inside our network. We are planning to install universal forwarders both on the syslog and Windows servers,...
Google Maps Add-on for Splunk Enterprise: Why am I unable to find location...
In the map result, I could see lat, long and it's working fine when I am searching in maps.google.com, however, the same is not working with the Google Maps Add-on for Splunk Enterprise. Please assist....
How to get stats with a percentage change for a certain field?
In stats, I want something equal to (latest - earliest) / earliest for a certain field. How can I achieve that?
Using the Splunk Enterprise Trial, why is localhost:8000 not getting loaded?
I am using a Splunk Enterprise Trial and Splunk Web http://localhost:8000/en-US/app/launcher/home is not getting loaded.
How to extract and label data from Linux DNS named logs?
So, I have all the syslogs from my DNS named servers going into Splunk and I'm able to parse them. I'm not a DNS server admin, so I don't know the proper terms for each field so I can properly label...
Google Maps Add-on for Splunk Enterprise: Why is geoip not plotting...
Hi, I've been trying to use the geoip command in the Google Maps add-on for Splunk Enterprise to geolocate ip addresses and I'm seeing events appear, but nothing is being plotted on the map and there...