Splunk 7 powershell input not emitting
I can't for the life of me get powershell input to work correctly. I realize this is asked a lot but I'm not able to find a working answer for Splunk 7 after quite a lot of searching. I have the...
Can't unset drilldown token in viz
Hi, first-time poster here, been lurking for too long, and I just can't seem to understand where I am going wrong here... I have created a cluster map that displays the frequency of observed comms with...
Alert Manager functionality not working in search head cluster environment
We have implemented Alert manager in our prod environment. The problem we are facing is that when we try to assign the alerts to a user in Splunk it is not working whereas when we try to do the same...
Dashboards do not show data and many other questions D:
Screenshot - http://prntscr.com/hb80wm 1. Dashboards do not show all data. 2. The red exclamation mark shows this error: command="predict", LLT instance has no attribute 'epsilon'. What I did: I installed...
Cannot search for value in extracted field
I have a field extraction that gets the message number from the raw message string **.{22}\s[0-9](?\d{2})** The message string is in the format of 2017-11-15T13:32:53,915 4790018...
Regex Help: Parse CSV with whatever it has got rather than failing on entire...
Hi, we have a regex requirement to extract col1,col2,col3,col4 every time. But the data may not contain col3 onwards every time. How to write a regex, so it will be forgiving and extract what it has got,...
multiline log: break on return char, not timestamp
Sorry, new to Splunk... I've a single logfile with entries that look like this: "15/11/2017 20:20:59","0","1803.xml","Copied to Amazon S3",5,"O" "15/11/2017 20:21:00","0","1260.xml","Copied to Amazon...
Continuous Evaluate File
Can I set a CSV file as input in local monitor as a continuous monitor? I tried to set a file but it seems it is not working.
OPSEC LEA R80 logging behind
Ever since the upgrade to R80, the logs from the OPSEC LEA app have been behind by about an hour (ranging from 30m to 90m throughout the day). What can be the cause of this? Before they were always...
Pie chart round default percentage
I have the following search: index="monthlycdr" | eval "transporttype"=replace('Transport Type',"\"","") | eval "tt"=case( match(transporttype, "(?i)voice_sip"), "Sip_voice",match(transporttype,...
Feature request: Source Code management and production migration support
Many companies are using Splunk for daily operations. Many are on the path to doing so. When we start to have internally developed code used in production operations, we begin to have requirements to...
How do you add JS in XML?
I am trying to have a dashboard coded in XML with JS included, but I am not sure where the script tags go. When I run my dashboard it's clear that the JS isn't being hit in the code. I want to have it all...
Compare firewall action to track network flow changes
Hello guys, I'd like to check changes on the Checkpoint firewall logs but I haven't any result : *index=xxx host=yyy action=accept earliest=-24h@h latest=-20h@h sourcetype=*opsec* | eval src_acc=src |...
At Heavy Forwarder, route filtered Windows Events to remote syslog
This topic appears throughout "Answers", and I have tried variations of all of the great examples, but cannot make this work. My HFs sit between the clustered indexers and remote UFs. At the HFs, I...
Need help in setting an alert
I want to set an alert with the below query; this should report if there is an error from ServiceNow. I want this alert to ignore any error logs that occurred before 10:52 EST on 11/16/2017 ....
How to add delay between two commands in search
Hi, how can I add a delay between two commands in Splunk? I have a scenario: 1) where I will append the search results to an existing lookup file, 2) in the second step I need to retrieve the complete results and...
How do I fix the message - ERROR: unable to connect to eAPI?
The devices connecting to Splunk are Arista devices. Also - what is the location of the Splunk logs on the Arista switches?
In what order should we complete the SplunkWork+ Veterans Courses?
I am a veteran looking to obtain my Splunk Admin certification and I want to take your SplunkWork+ Veterans Courses to help do so, but I am not sure what order is best to accomplish the courses. Also,...
Cannot configure accounts in 6.0 add-on after upgrade?
The add-on accounts configuration tab is blank and does not populate after upgrading to 6.0. Only "Loading" with a spinning wheel. Splunk 6.6.3 on Linux. The Palo app is the only app/add-on installed.
distribute data from one host to different indexes - udp
Hello, I need to split the OS logs from Apache and Tomcat logs. For this I need to send OS logs to a specific index. My issue is that my host is sending the logs through UDP directly to Splunk. I don't...