What port number do deployment servers use to communicate with the forwarder?
Hi, I can ping Telnet 8089 from forwarder to deployment server, but when I push the app from deployment server, it is not reflected in the forwarder (serverclass is correctly configured). Can I please...
How to fix a timestamp issue for Symantec logs?
Hi All, Currently we are facing a problem with the timestamp for Symantec log data. Problem: When we search with the below query, we could see that the splunk _time field is different from the event's...
Can multiple IF statements be used
I am creating a report off of log files. In this report I am looking to list out the number of times particular actions were taken. The two IF statements below produce data as expected when run alone,...
Splunk Enterprise Security: Alert when a user attempts to assign an event to...
I've been searching and haven't found an answer to the following scenario, so I'm hoping someone else knows: In Enterprise Security, if 2 users click on a new notable event from the Security Posture...
How can we execute a script that uses fields from a message?
Hello, We usually get hundreds of logs and we want to execute scripts based on those logs. The key takeaway here is when Splunk scans a log file based on a message like "THIS JOB XXYYZZ" IS DOWN on...
Can I perform a correlation search on two macros?
Hello everyone, I am trying to perform a correlated search using 2 macros. The idea is to create these macros that will search for a specific piece of data between 2 different source types. The overall...
x64 ODBC driver, Connection issue "(40) Error with HTTP API, error code: SSL...
Good day to all of you fine folks! I've been playing with the [Splunk ODBC Driver][1] but have been having connection issues. The error I get is `(40) Error with HTTP API, error code: SSL connect...
How to count good work quotas vs. bad work quotas?
I am a Newb at Splunk, so please bear with me if this is straight forward or has been answered previously. I have successfully used your Splunk>Answers on a number of occasions, but I am struggling...
Encrypted information from deployer to search head
We want to use the Splunk deployer to push our add-on to the search heads, but have questions about the encrypted information. First of all, if I understand it right, the add-on has to be set up from the...
Group results by rows and columns
I need some help grouping and transposing some data. The search below gives me the data but now I want to group it and transpose one of the fields with its data. .... | stats count by Stage,...
Dashboards not working or have random gaps in information
Since the upgrade to 6.0, including 6.0.1, the dashboards are more often not working than working for me. In particular, the All Incidents dashboard seems to randomly stop being populated with data....
Rapid7 Nexpose Technology Add-On for Splunk: Why did all of my indexes stop...
Can someone confirm if this module is even working properly? When I install it, all of my indexes won't work anymore, and once I disable it and reboot Splunk, everything is back to normal. Appreciate...
What are best practices and uses for data models?
Sometimes in my Splunk education I need to repeat some things for myself. Today it's Data Model. I have used Data Model and so-so understand how it works, but I realized today that Data Model for me is...
Is it possible/practical to use adaptive response to send data to non-Splunk...
Is it possible/practical to use the adaptive response actions to send notable events from Splunk ES to another application's REST API?
Duo Splunk Connector: How do I resolve this setup error message?
After entering all of the Duo Admin API info (integration key, secret key, host) I get the following error message when I hit Next and cannot proceed. Encountered the following error while trying to...
Splunk Dashboard Examples: How can I implement the table row expansion?
Trying to adopt the example table row expansion from Dashboard examples app. In the example a chartview is used which I've replaced with a tableview. The row expansion only seems to work correctly the...
Group events by a field and fetch those ones where a second field does not...
I have these events with CID which normally come as a pair of TranType Request and Response. 2017-12-04 09:45:01 CID=111 TranType=Response 2017-12-04 09:44:01 CID=111 TranType=Request 2017-12-04...
Splunk Universal Forwarder missing events
Hi all, Have you ever seen a UF missing events? I've observed some of our UFs missing ~8 seconds of events and then picking up halfway through the event they reach. The gaps are creating some muddy...
Add-on for Microsoft Forefront Threat Management Gateway: TMG logs not parsed...
I have installed universal forwarder on TMG server to monitor tmg specific log files. Added the following to inputs.conf under /etc/system/local [monitor://C:\ISALOG\*] disabled = false sourcetype =...
Help! How to create a drilldown table.
Hi All, Could you help me on creating a drilldown table that will list all the ticket numbers based on the value of the resolution profile in another table. Please see below my search query. search...