Search Head Cluster - Scheduled Search Running only in one instance
Hi All, We have a search head cluster with 3 search heads along with a deployer. We have a scheduled search which runs a query every 8 hours and pushes the data to the "summary indexes". Though the...
Exchange CAS IIS Time Translation Issue?
I'm working with Exchange IIS data from our CAS servers and am having trouble with Splunk translating the time from UTC to EST at indexing time. Looking into this, Splunk is supposed to translate the...
Upgraded from MS Exchange 2010 to 2013 and now I no longer get any data from...
All of the other data from all previous eventtypes is coming through just fine, except the msexchange-admin-audit. We have 10 Exchange Servers all on MS Exchange 2013 - and after we migrated from...
Two results in One Visualization
I have two separate queries, Query1: host="A" OR "B" consumed | eval consume = case (.............) | stats count by consumed Query2: host="A" OR "B" produced | eval produce = case (.............) |...
Licensing Pattern for Splunk Enterprise?
I have some questions regarding the Splunk Enterprise license. Q1. If we purchase a license for the Windows-based application, is the same license compatible with the Linux version too? Q2. If the license is not inter...
Force forwarder to run script
I'm using the Splunk for Windows addon on many computers. It has a scripted input for installed apps that runs once a day. Normally, this is what I want (only to collect the data once a day). However,...
Excluding a field name from fields command exclusions
The `fields -` command expects a list of field names to exclude, and one can use wildcards in that list. But what I need is to exclude a long list of fields that match a wildcard expression except for...
How to get disk size from remote machine windows
Hi, I have a Windows environment with the universal forwarder installed on the servers, forwarding different types of logs. I want to monitor the disk size for the server as its drives sometimes fill up...
Can I search for a specific address on a cluster map (similar to Google Maps...
Hi everyone. I'm plotting a lot of points in a cluster map and using this url http://mt.google.com/vt/lyrs=m&x={x}&y={y}&z={z}. I would like to know if I can search for a specific address as google...
Feasibility of using Splunk REST calls -- from an Angular application running...
We have a partner who wants an extremely light interface to send data into a Splunk instance. They prefer to make a simple REST call directly from the browser to load a JSON payload into Splunk. The...
Why are all of the role settings defaulting to the first view for an...
I have created a single application that has multiple views setup. I have three users who need to access different portions of the app. I have setup the **view permissions** for each user's required...
Use regex on a known date field
First, new to regex, so don't really know where to start. I've done some Google searching and up and down Splunk Answers. I am creating a POC to search data and it has a known date field. The date...
Getting all IP addresses from guests in VMware vCenter
Hey folks, I am using a VMware DCN (data collection node) to index all of my performance, event, and inventory data from our VMware environment. This is a standalone Splunk Enterprise instance running...
Field-extraction on a JSON message with multiple delimiters?
{"date": null, "facility": -1, "host": null, "level": -1, "message": "2017-11-13T03:45:00+0000 monStatsLog, applianceName=xxxxx, tenantName=xxxx, mstatsTimeBlock=1510544700, tenantId=1, vsnId=0,...
I need help with a regex for line_breaker in props.conf
Hi Team, I need help with a regex for the LINE_BREAKER attribute in props.conf. I have the below log pattern delimited by |; however, it looks like this is one big event type which does not have a newline or...
How to calculate the average of a field value for n number of days?
I have the below query:
index=abc sourcetype=xy.. | timechart span=1d count as events by host | addtotals
time        h1    h2     h3     h4      h5  h6     h7  total
2017-11-24  2334  68125  86384  120811  0   28020  0   305674
2017-11-25...
How do you write a correlation search with a data model?
Hello my little friends. I have logs from tomcat and they joined Web Data Model, so that means that I can write correlation search using a data model. For example, I have this search:...
How do I write my search to give fast results when setting Time picker for...
When I run the below search in Fast mode for the last 7 days, it takes more than 60 minutes; it does return results but is still taking that long. Is there a way that I can modify my search to get results in...