What happens if I forward the exact same data to an index twice?
I have a complex distributed environment, I'll try to stick to the root of my concerns. Basically I have site 1 and site 2. Site 2 just forwards directly to site 1 now via a forwarder. However I would...
How can I use tokens in a stats function?
I want to use a dropdown to change the field that the stats command function uses in calculation. My token is called my_token. Example: index=myindex mysearch | stats dc($my_token$) by mylocation Is...
Return # of Errors from Splunk Search
Is there any way to get the number of errors that occurred during a Splunk search with the splunklib.results module?
Updating times.conf for an SH cluster
Is there a way to update times.conf for all search heads in an SH cluster using the deployer, or do I have to edit each search head individually?
Search to find missing data using lookup table with multiple fields
Hello, I am trying to find missing data in Splunk from a lookup table using inputlookup. My lookup table is: __netdevices_new__ netdevice,ip,type host1,10.10.10.1,router host2,10.10.10.2,router...
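One way to search for lookup rows that have no matching events, added here as an example and not part of the question or of any answer on the page. It lists every row of the netdevices_new lookup for which no event arrived in the chosen window. The index name netdev, the 24-hour window and the assumption that the device name from the netdevice column shows up in the event host field are assumptions made for this example.

```spl
index=netdev earliest=-24h
| stats count AS events BY host
| append [ | inputlookup netdevices_new | rename netdevice AS host | eval events=0 ]
| stats sum(events) AS events, values(ip) AS ip, values(type) AS type BY host
| where events=0
| table host ip type
```

The shorter form, `| inputlookup netdevices_new | search NOT [ search index=netdev | stats count BY host | rename host AS netdevice | fields netdevice ]`, works for small fleets but is bounded by the subsearch limits (10,000 results and 60 seconds by default), so a device silently drops out of the comparison once the fleet grows past them; the stats-plus-append form has no such cap. If the devices log under their IP address rather than their name, rename ip instead of netdevice to host in the appended subsearch.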
How to correlate a lookup table with two columns with a query?
I have a query that generates a lookup table (IP_and_Username.csv) which has two columns in it: src_ip and Username. I then have a second query that runs, looking for source IPs that match the ones...
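A search that correlates events against a two-column lookup, added here as an example and not part of the question or of any answer on the page. The lookup command matches each event's src_ip against the src_ip column of IP_and_Username.csv and writes the paired Username into the event; events whose source IP is absent from the lookup get no Username and are dropped by the where clause. The index web, the sourcetype access_combined and the one-hour window are assumptions made for this example.

```spl
index=web sourcetype=access_combined earliest=-1h
| lookup IP_and_Username.csv src_ip OUTPUT Username
| where isnotnull(Username)
| stats count AS hits, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip, Username
| convert ctime(first_seen) ctime(last_seen)
```

If the second data source names the address differently, map the field name on the lookup side, for example `| lookup IP_and_Username.csv src_ip AS clientip OUTPUT Username`. The CSV must be visible to the app running the search (it is listed under Settings > Lookups once the first query has written it with outputlookup), and a lookup that is regenerated on a schedule should be written with `| outputlookup IP_and_Username.csv` from a saved search so the correlation never runs against a stale file.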
How can I make a custom map that I drew myself on the Dashboard?
How can I make a custom map that I drew myself on the Dashboard? Is it available to link between custom map and analyzed data? If it is not possible, is there any way to make custom map using the other...
Field Extraction help!!!
Hi, I am a newbie to Splunk. We are looking to extract a field from the event format below. "PDR Message Listener Completed Processing Message" From the above, we need to extract a field after "PDR Message...
SEP Dashboards?
Hello, I have Splunk 6.3.1 running on a single Linux instance. I have installed the Splunk Add-on for Symantec Endpoint Protection V2.1.0 , setup my SEP 12 server to dump logs, forward logs from sep...
REST_TA custom authentication handler - configuration help
Hello, I am trying to configure the REST_TA add-on to consume data from an API. In order for me to authenticate I first need to use a local cert to authenticate against an endpoint (URL_1) that returns...
Unmatched parentheses error with replace
The following search is complaining about an unmatched parenthesis. Since the parentheses are inside of quotes, shouldn't the parser not care? Does anyone have a workaround? {baseSearch} | eval...
Splunk Python SDK failing with BadStatusLine error
Hi all, I'm having an issue with the Python SDK. I'm running the latest version of the SDK (1.5.0) on Python 2.7.10. Whenever I try to connect to my instance I get the following error: Traceback (most...
How can I create extract the earliest and latest times for current search and...
I would like to display the original earliest and latest of a search as fields in my table results. My query below. index=myindex msg_severity=ERROR | timechart span=15m count by field_TEXT | untable...
Can someone please see my example and help me to combine the two panels using...
Here is my current code below -Dashboard TitleTitle1Search1@dnow["host","source","sourcetype"]Title2Search2@dnownoneMINUTESsearch64
RSS instead of email
I'm going crazy here, I could have sworn Splunk had an "RSS" option for alert actions? Do I need a third-party App or something? Splunk 6.33 on Redhat 6.7
Qualys Bad Login / Password
Hello, We are experiencing credentialing issues with the Qualys TA, receiving Bad Login / Password as the error code. I have checked the URL (https://qualysapi.qg2.apps.qualys.com) and credentials and...
Index multiple files in a folder without monitoring the directory
Is this possible? I can't find any information online on this. I want to avoid indexing the files one-by-one, as there are too many and I would rather do them all in bulk. Thanks.
Build a table with information from various sourcetypes
I have two different log sources. ProxyLogs: Contains "ipaddress" and "username". WebLogs: Contains "IP_address" and a whole lot of other stuff like UserAgent, Time, Branch, HostName, loginname. I have a query that...
Is there a way to export a list of saved alerts from one environment to another?
We have a test environment where we've spent time configuring the alerts. We would like to export these alerts with their search criteria and import them into our production environment. Is there a way...
Disk is nearly full
Hi there! In the Splunk Enterprise edition, the disk is getting almost full. However, it seems not to have enough data to fill 200GB of disk space. How can I find out the detailed space usage as well...