Splunk picking up blacklisted file and not the whitelist file and the two...
Hi Splunk gurus, Splunk is picking up logs (.stats) but ignoring logs (.log), and these two logs are in the same path with the same permissions. ([monitor:///home/mail.stats] but not [monitor:///home/mail.log] Any...
How do you actually delete a user in the Splunk web UI?
When I go to Users in the Splunk web UI, there is no option/action available next to the user accounts. I have tried with the admin account as well as with power user accounts. Using Splunk 6.5.2.
Site name from lookup table based on IP address
Hi Splunk gurus. I'm trying to find a way (using SPL only; I am not an admin) to do the following: My vulnerability data feed has the IP address of the vulnerable machine with a description of the specific...
Splunk_TA_vmware Warning Message
Hi, in my newly stood up Splunk Enterprise environment I'm getting the following message pop up on my search head: [Unable to initialize modular input "ta_vmware_collection_worker" defined inside the app...
Requesting update for Add-on for Jira to support Pagination
Hi Add-on for Jira creators. In September Atlassian introduced a hard API limit of 100 on the issues endpoint for Jira Cloud. Can an app update be created to support pagination to get around the limit?...
"Unable to parse message." for aws:config logs from SQS
Hi, We have configured an SNS topic for AWS Config changes, which is bridged to an SQS queue. We do see multiple "messages in flight" on the SQS queue via the SQS Console. But the AWS TA input config keep...
Run a script or search based on drilldown value?
Hello All, I have a dashboard with a table. When the user clicks a value in the table it links to either an internal or external site in a new window. Works great, but I need to know who and how often users...
How can I monitor the usage of hundreds of specific email addresses?
I want to upload hundreds of email addresses in some format, so as to track the activity of each of those email addresses in one of our Sources. How can I do this?
Search for all events for IP address within a CSV file
I would like to know how we can search for all events for a list of IPs in a CSV file.
Why does rex/regex return different results than field-extraction?
Data: Nov 16 12:50:51 172.23.0.29 Nov 16 12:50:51 dc01 Microsoft_Windows_security_auditing.[1688]: Domain\user1: Security Microsoft Windows security auditing.: [Success Audit] A user account was...
Problem with using stats for a count, and also to pull additional data
So, I am going through Windows logs, and have output that works for me with something like: index=windows sourcetype="WinLog" EventCode=XXXX | stats values(Account) by host_machine But I only want to...
Issue in Hot DB volume space after 1TB
Hi team, I have configured the settings below across all the indexers (in a cluster), yet once the Hot DB mount space reaches 1TB, the indexer stops indexing and the SH issues an error. **Settings in...
Find difference between time now and last event time
I am not sure why I am not getting results with this query, any suggestions? index= ______ | stats max(_time) as last_event | eval timenow=strftime(now(), "%Y-%m-%d %H:%M:%S.%3N") | eval...
Single value last time yes or no
I'm trying to show a simple Yes (green) / No (red) on a dashboard based on a host not reporting for longer than 5 minutes. Seems to be a bit harder than I expected. What I've got: index=index host=host...
How to only display unique values from a field?
I am searching my logs for key IDs that can either be from group 'AA' or group 'BB'. I find them by using rex and then display them in a table (AA_12345 for example). "ns=myApplication" "trying to...
Is it possible to define different source email addresses for different...
Looks like it is possible to set "Send email as" to a custom email address that would appear in the From field in scheduled alerts/reports. However, this would take effect across the board and we have...
Palo Alto Networks Add-on for Splunk: Error with new User Behavior dashboard...
I'm unable to search a user as I get "Error in TsidsStates: WHERE clause is not an exact query". I have tried straight upgrading the app, upgrade via overwriting, upgrade via GUI via Splunkbase and via...
Could not read event. Results may be incomplete
Hello, I am seeing the following error while running Splunk search. "idx=##INDEX NAME HERE## Could not read event: cd=0:33610. Results may be incomplete ! (logging only the first such error; enable...
frozenTimePeriodInSecs points to age of data only in cold bucket or summation...
My client requires a 30-day "active" storage and 90-day "cold" storage standard. So, total data should be deleted after 120 days. Below is my current retention setting for the main index: maxHotSpanSecs =...
Is there a way to use syslog to send over logs to Splunk indexer instead of...
Hi, I am trying to send log files from a Linux system to Splunk Indexers; is there a way to configure syslog to do this? If so, how do I do it? Additionally, if older Linux uses syslog, newer uses...