Channel: Questions in topic: "splunk-enterprise"
Browsing all 47296 articles

How fast is merge logic python script vs a huge hash lookup?

We have certain complex logic for merging a certain datatype together, to produce a third merged datatype. There are a number of rules for handling merger, making the merge logic somewhat complex; more...

How to show the recipient or To field from Ironport logs in a Splunk search?

I can only view the recipient or To in the email from the Event Actions --> Show Source page. I want to show it in the main search.

What is best way to use sourcetype with HTTP Event Collector to categorize data?

From the HTTP Event Collector setting page: Source type The source type is one of the default fields that Splunk assigns to all incoming data. It tells Splunk what kind of data you've got, so that...

How to configure permissions for 1000+ users to each access and report on...

Hi guys, I am working on a proof of concept for one of our potential clients. So this client has an MS SQL database with multi-tenancy ability. The client has more than 1000 customers and each customer...

How do I edit my rex statement to extract fields from a raw string of...

Used the following command `rex "(?\d+)\[(?\-?\d+\.?\d+)\]"| table ...`, but the entire string gets extracted into a single column. Raw String in the Log: Status{AdId='313131313', reason='ERROR_400',...

What character is Splunk using for line breaks in a multiline event?

I have inputs configured to allow for multiline events, representing groups of log lines. I'm then using it to build a very simple search: eventtype=mlc sourcetype=log4j host=x | table _time message...

join question

here is my search - | dbquery "TQOMA" "SELECT "System", "%busy" FROM TQSTDBO.CPUVMSUM where "System" LIKE '%ntx%'" basically, this returns a result for each system every sampling period. So, what I...

6.0.3 search head pooling NFS error on "enable boot-start"

I am preparing to upgrade to 6.3 and am setting up a dev environment. I have three Search heads in a pool running 6.0.3 all attached to an NFS mount. When I issue the following commands I have no...

Dashboard description on dashboards home page

Hi Everyone, We have a lot of dashboards and the users are finding it difficult to understand what the dashboards do without clicking on the dashboards. Is there a way of providing a tool tip with...

Apply Palo-Alto app field extractions globally

I would like to Apply the Palo-Alto app's field extractions globally and lock it down to its index so we do not get false positive matches when looking at data in another index. The goal is to have a...

Why do I sometimes not get results running a search via CLI/REST API?

Hi all I'm seeing weird behavior in Splunk Enterprise. When I run a search like this: index=my_index sourcetype=my_st FIELD_A="foo" OR FIELD_B="bar" via the CLI or REST API, the result set is null...

Why am I unable to populate a token with the result of a search with my...

Hello there guys, I'm trying to populate a token with the result of a search so I'm able to use this value at various other points of the Dashboard. The search only has the field sourcetype at the end...

How to set alerts to use the batch mode search?

In need of search string examples for: **Desired outcome:** Alert that shows N events in M amount of time or the lack of N events in M amount of time. -For the alert to be within parameters to qualify as...

How to write a search to calculate percentages for success and failure rates...

I am trying to write a search that reports the percentage of total users impacted from log data. // All users will have this line recorded initializing user blah blah // success user will have this...

Splunk DB Connect 1: Can I run dbquery with a variable?

I need to schedule a report which runs dbquery, but I need that report to run with a variable in the query e.g. | eval myVar=stuff | dbquery source "select * from table where timestamp >=...

How to set x-axis time intervals for a line chart?

I've read over all of the other variations of this question, but I haven't been able to make this work. I have a search that runs for the Last 7 days that checks for events between 08:30 and 17:30 and...

How to get Splunk Webhook Alert actions to send entire search results as JSON...

Hi, I had a sample test on the Splunk Webhook Alert action and it seems the webhook sends the first result from the search results. Is there a way to send the entire search results as JSON payload?...

How to troubleshoot why we are no longer receiving SourceFire eStreamer...

We are no longer receiving SourceFire eStreamer Events in Splunk. It was working fine until Feb 28. estreamer.debug.log is not getting updated either /opt/splunkforwarder/etc/apps/eStreamer/bin...

Is it possible to change the Splunk logo and colours within the Splunk Mobile...

Hi, is it possible to change the Splunk logo and the colours within the Splunk Mobile App? I couldn't find this in the docs. BR Henning

Searching logs from 2 domain controllers to find locked out users, why do we...

This isn't so much of a Splunk question. More of an Active Directory question, but I'm trying to search through our `source="WMI:WinEventLog:Security"` logs from our domain controllers to find locked...
