How do I edit my inputlookup search to alert on missing data sources?
I've constructed a lookup table containing some key data sources that I expect to see events from on a daily basis. The lookup table, expected_datasources.csv looks like this: sourcetype,source...
After changing maxWarmDBCount from 300 to 299, why did the cold bucket...
So, I decided to move cold bucket data to NAS storage. All went well, except for one index in which I changed the maxWarmDBCount to 299 instead of the default 300 in the stanza, and when I started...
If I have multiple applications sending logs to Splunk, what is the best...
If I'm running multiple applications, say we have a mobile application, a web application, and some back end services applications and they all send their logs to the same Splunk server, what is the...
How can we disable the default dashboard from displaying on the Splunk home...
Hi, can someone please advise on how to disable the default dashboard from displaying on the Splunk home page? Is there a way to do this? Thanks
What is the best practice for indexing real-time data from IBM Toshiba 4690...
What is the best practice for capturing real-time data from IBM Toshiba 4690 POS systems in Splunk?
Is the Code42 App for Splunk supported for Splunk version 6.0 and later?
I see on the website that this app is supported for versions 5.0 and later. Does that include version 6.0 and later of Core Enterprise as well?
How to transfer cluster peers from one indexer cluster to another, and manage...
Greetings, This question refers to Splunk Enterprise version 6.3.x and has 2 parts. My task is to move my (indexer) cluster master from one machine to another without data loss and with as little...
Splunkbase Preview application shows wrong TIME_FORMAT
I think I found a bug in the Preview app. I paste in the following data into the application: 3/1/16 16:08:51:477 PST This is a testddd 3/1/16 16:09:51:477 PST This is a test 3/1/16 16:10:51:477 PST...
How to display labels for Force Directed graphs?
Hi, I'm fairly new to Splunk (and a JavaScript newbie) - I've managed to produce a Force Directed graph from my data, however, I'd like to display text for each of the nodes - a bit like as done here:...
How to monitor a directory without indexing file contents and alert when...
I want to monitor only files that are 3 hours old in a particular directory and DON'T want to index content of the files. Also, monitor the size of the files. I want to set up alert for files in a...
REST API Modular Input: When I specify my OAUTH2 Access Token, why do I get...
I have an OAUTH2 Access Token that I renew via a script once per day. We're switching to using a renewal token with ID/secret but for now I have to work with what I am given. I see a field where I can...
Splunk App for Dropbox for Business on Windows: Getting error "Cannot create...
Hi, We have a Splunk Enterprise install on Windows. After installing and configuring the app, when I run the data input, I get an error pointing back to line 147 of dfb.py every time the input runs. I...
How to share the URL for a new pivot page without having to create and share...
The scenario is as follows: I do a search , then go to the visualization tab, then pivot. From here I set up my graph. Now, is there any reliable way to send this page to somebody? (without having to...
How to edit my Simple XML to create a drilldown for clicking on any row of a...
I am creating a drilldown where I click on any row of a table and it activates a new dashboard, but I cannot get this code to run: | inputlookup locations.csv | search * state="$get_locations$" | table...
Duplicate traffic and re-write index.
Hi there, We have a legacy Splunk install and a new one. During migration we'd like traffic sent to both sets of indexers, there's a HF in the middle. Trouble is that the index names are different in...
Splunk stops indexing data from my modular input
I wrote my own modular data input for getting data from my PBX. The input seems to work OK, but sometimes, without reason, it stops indexing data. I added some lines in my script to try to log some...
Splunk DB Connect: where exactly does the indexed data get stored
I would like to use Splunk DB Connect to get MySQL data into Splunk. I want the data to go into indexes on our indexers. So I install the drivers and DB Connect add-on on our search head. The part I am...
Is there an equivalent of HP Arcsight's "Active Lists" in Splunk for...
We're going to be deploying Splunk as a SIEM shortly. In past engagements, I've used HP Arcsight, and used their "Active Lists" extensively. These are small tables (from a handful to tens of...
How do I handle checksum errors on a file being written to by multiple...
I've got a Universal Forwarder running on a RedHat Linux VM that is monitoring a particular type of error log file. In some cases, there are multiple processes that can write to the same error log file...
How to index data in Splunk from a Sharepoint 2010 List that is updated every...
My organization has a Sharepoint 2010 list that is updated every week. How can I pull all data from this Sharepoint into Splunk? Nothing I have tried has worked.