Why are the field names different when using |from datamodel instead of...
When I do a search with |from datamodel, the search results are the same as when I do a search with |datamodel, but the field names are different: |from...
display cumulative total and specific group summations on chart
I have anti-virus data and I want to plot the types of alerts on a chart over time. I want to plot the data such that I can graphically see all virus related alerts compared to all AV alerts (to...
How do I write my search to give fast results when setting the time range...
When I run the search below in Fast mode for the last 7 days, it is taking more than 60 minutes, which is giving results and still taking time? Is there a way that I can modify my search to get results in...
How to combine multiple reports into one report from same index?
Hey guys, Is it possible to combine 3 reports (bar charts) from the same index into one report (bar chart)? Thanks in advance!
Do you receive results from cisco_wsa_squid and Cisco_firewall when you run...
When you create field aliases cs_username = user in sourcetype cisco_wsa_squid and Username = user in sourcetype cisco_firewall and perform a search like sourcetype=cisco* user=*, do you receive...
Help with regex to extract a string?
Need to fetch API name from URL. e.g. base_url/products_support/system_name/api-name?parameters Here I need to fetch "system_name/api-name" string between "product_support" and "?". Any inputs which...
Can I use a wildcard in the field to create a table of hostnames that match...
Have seen a lot of Q&A about wildcards in the lookup table; this is the reverse. Here is the scenario. Lookup table **priority_cve**: CVE, Patch CVE-2014-2053, Patch A CVE-2015-1111, Patch B In the...
Universal Forwarder client showing up in wrong server class
Out of our deployment of about 1,000 UF clients, a handful of systems are reporting data to the wrong indexes -- even though they are clearly configured to point to the correct one. Here's the...
Retrieve Credentials from Splunk for a Custom Alert Action - Client is not...
Currently using Splunk 6.2.3 I have a python script that is being executed as part of a Custom Alert Action. This script retrieves credentials (for our internal tickets system) that are stored in a...
How to calculate the cumulative count of events using relative timeframes?
Hi, I need to create a search that calculates the cumulative count of a specific event during the weekend. I have the following query, that will give me the count of distinct hosts that have EventID...
Why don't my dynamic titles for month names work?
I have tried to pass a token into a panel title from a search that creates month names for last month and the month before that. I have tried using CDATA and just $xxxx$ in the title. Hellllp!
Timechart with no data gives "No results found"
I want to show the number of bad errors each minute over an hour time period to show as an embedded report. I am using: index=foo "Bad error" | timechart span=1m count as "Bad Error" I am hitting the...
Splunk Agent logs do not have unique identifier to differentiate multiple...
1. Tomcat java web app talking to oracle database. 2. While inserting/updating the database as a part of same thread, there is no unique identifier to correlate the multiple entry/exit for the methods.
Automating the install of Splunk MC
We are a large distributed shop that has a requirement for all things automated. I have most of my deployment automated, with a few exceptions... One of these exceptions is the Splunk Management...
Self-defined variable format in JavaScript search query
I found many token based variable search examples online but not on own created variable in customized JavaScript. E.g: http://dev.splunk.com/view/webframework-developapps/SP-CAAAEWY May I know how to...
question on summary indexing
Couple of questions I have: 1st question: I have a large amount of data which I run summary index every day and collects 24 hour data ( -2d@d and -1d@d). As of now since it does not have much data it...
compare data list
Assume I have two stores which must have the same items but one is missing. My search returns for example STORE=LONDON ITEM=ORANGE STORE=LONDON ITEM=APPLE STORE=PARIS ITEM=ORANGE STORE=PARIS ITEM=APPLE...
95th Percentile for this Query
Hello: I am extremely new to Splunk and was given a task by my manager. He provided the query below and wanted to know the 95th percentile of the results. sourcetype=W3SVC_Log s_computername="*PRD*"...
I tried to install Splunk on my personal laptop, it is not running, need help to...
Checking prerequisites... Checking http port [8000]: open Checking mgmt port [8089]: open Checking appserver port [127.0.0.1:8065]: open Checking kvstore port [8191]: open Checking configuration......
How do I view events in an index?
Hi, I just installed Splunk and got my HEC working. I want to view the individual events that I have passed into the HEC. Is that possible? Thanks! -s.