SHC cluster Label
I'm trying to set up our Splunk DMC. I'm going through the setup instructions on the Splunk web site. I noticed 2 confusing instructions....

I need to write a query to report on all last logon times for users that...
The query I wrote doesn't seem to work as expected. The timestamp is missing under the logon_time column next to the corresponding listed users, and the users in the user column show many duplicate...

How to change what index SEP logs get set to?
By default all the SEP logs are going to the main index; how do I change this so they would go to a custom "SEP" index?

How to query for a Week over Week count of hosts reporting to Splunk
Is there a better way to report the count of hosts reporting to Splunk week over week other than running the query using `index=*`? I am not looking for the number of forwarders, I am looking for the distinct count...

Can Splunk parse .csv file attachments through the IMAP app?
I have email in an IMAP server with a .csv attachment and I am trying to index the attachment. This csv file contains a specific set of data. This works for .xml files attached, but not for .csv files...

Filtering on UF for Specific Events then Delete the Rest (6.3.2)
Hello Splunkers, I've been working on filtering IIS events. What I need to keep is any event that contains auth.owa, then nullQueue the rest. I've been through the docs many times but something is...

Determine Source IP of log entry
I have log entries that are appearing in Splunk that are being labeled as coming from a specific host, but that host isn't even turned on. How can I view the origin IP of a log entry regardless of the...

True-Client-IP=[12.34.56.78]
All, I have some header information coming through like so: True-Client-IP=[12.34.56.78] I'd like to correct the data as it's ingested to be True-Client-IP=12.34.56.78, dropping the "[]" from around the...

Using preloaded sourcetypes
I am having difficulty setting up my forwarder with a preloaded source type. I have identified the source type as "*access_combined*". *On my inputs.conf on the forwarder I have something like this:*...

how to charge 44 results by time
Hi All, I have a search term that returns 44 lines every day; the search results look similar to this: INFO [3/07/16 19:45:00.969] 1234/SC 03/08/2016 - job1 Finished batch process with return code:...

Trying to connect to Sybase db.
Hi, I'm trying to connect to a Sybase data source but DBX v2 is saying it doesn't have the driver. A search says I need to download jconn(n).jar and install it, but I can't find the file anywhere that...

How to make sure that the data forwarded is loading in the searchhead/indexer...
I have a forwarder installed on a server and I am extracting the data for indexes like Name, Class etc., and while extracting I am also storing extraction information as shown below in...

Is it possible to create a Splunk Search on the DashBoard equivalent to this...
SELECT [Market_Area], [RegionName], Morphology_Name,ALL_Sectors, Breaking_Sectors,SectorFixes,CAPTS, (x.SectorFixes * x.CAPTS) AS Spending FROM ( SELECT T.[Market_Area], T.[RegionName],...

How can I exclude a group of the mac addresses found at a specific time?
I have a dataset with a lot of mac addresses captured. I would like to exclude all mac addresses that arrived between 0h and 6h. But these macs can still appear after 6h. For example: DATE TIME MAC...

Splunk App for AWS - How do we send data from a heavy forwarder to an index...
Our environment includes both an index and a search head cluster. Following the distributed environment installation guide for the Splunk App for AWS, we installed the Splunk App for AWS on the Splunk...

Calculating _internal log volume for a particular host
Hello, I'm trying to determine how much traffic (GB/MB/KB) a particular forwarder is sending in daily. I'm using the current command: index=_internal* host="somehost.mydomain.com" | timechart...

mvexpand truncates result because of exceeding 500MB memory usage
Dears, I have Splunk 6.3.3 and I am using a query that has the command mvexpand, but mvexpand truncates the result because it exceeds the 500MB memory usage. I have found in the Splunk doc of version 5 that I can edit...

Best Practices Deployment Server
We find that in many cases the Forwarder Management Interface is very slow. Some folks prefer to handle modifying serverclass.conf manually, others prefer the UI. Does this present a problem, as long...

Combine two searches using Eval with Case statement.
I am trying to create an alert for Outbound and Inbound FTP outside the USA. I have two separate searches but I need to make it one search for alert purposes. **Outbound FTP outside USA:**...

Cannot add Data input
Hi, I am currently trying to install the Splunk app for Auth0. However, I am running into an issue on the second step of usage. It says "Add new data input for Auth0 app specifying name, domain, global...