why is /opt/splunk/var/run/splunk/cluster/search-buckets filling up my disk?
Splunk 6.6.3, clustered env. One of our indexers is reporting high disk usage. Traced it down to `/opt/splunk/var/run/splunk/cluster/search-buckets` containing many `search_sitedefault_gen*.csv.gz`...
Configure Splunk Add-on for Salesforce to forward to index cluster
I've been using Splunk as standalone for quite a while, but I'm pretty new to Splunk Clustering. In my config, I have a 3 node cluster (2 peers, and 3rd node is both Cluster Master & Search Head)....
Data Model vs. Datasets - when to use?
Trying to understand the difference between Data Models and Datasets and when to use one vs. the other?
Run Alert Every Few Hours Between Specific Hours/Days
I have some events that only happen every few hours between the hours of 8AM and 6PM, M-F. So, I want to set up a loss of feeds alert to look for events every three hours between the hours of 8AM and...
Growing rate
Hello, is it possible to make a Dashboard with the growing rate of a field? For example: 01.01.18, 500GB; 02.01.18, 525GB; 03.01.18, 550GB. Now I want to make a Dashboard with a timepicker which is telling...
How to get the status of splunkd service through python-sdk?
I need to make sure that splunkd is running before executing any search jobs through splunk-python-sdk.
How to compute mean and standard deviation over each day of the week to find...
Hello, I am trying to create a search that detects when the total volume of events (the sum) from specific devices has a significant decrease or increase on a particular day. The average number of...
Using transactions with IronPort's potentially infinite MID rewrites
I've seen quite a few posts about IronPort/Cisco ESA mail logs and how folks have put them together with transaction. However, I see one flaw: they don't have a way to include a rewritten MID's...
Can Monitoring Console dashboard be sent as PDF via email?
I know dashboards can be sent as PDF, but can the Monitoring Console overview PDF be sent via email? No options can be seen for this. P.S.: I have a Monitoring Console where overall Splunk instances...
Rex extraction
I have a field called "user". I'm trying to extract the username from the string and create a new field called extracted_user that I will later run against an LDAP filter to look up additional AD info....
Error messages using Google Cloud Platform Add-on
I have configured the add-on for Google Cloud Platform and verified that pub/sub messages are being written to the pub/sub topic from GCP and that messages are successfully being pulled from the Splunk...
How to remove decimal places without rounding
Hello, I have the following field values returned from a base search (Field Name): 14.2, 19.95, InvalidCompositeMsmtA, 0, 5.6, CompositeIndexInitializing. I need to remove the decimal places without rounding,...
calendar heatmap viz force value=0 different color?
Is there a way to force one of the color bins to be for 0 value? Or some other Splunk ninja magic to gray out those days on the calendar heatmap? The data has high spikes and many 0s. | timechart...
How to print unicode as unicode?
I have a JSON data source with data like this: {"download.doc_title": "GCP-7 R\u00f3znorodnosc, R\u00f3wne Szanse Oraz Szacunek W Miejscu Pracy.pdf"} If I look at the event syntax highlighted, it...
Convert multi-value expression to field names and values
I have a string: "one:isone,two:istwo,three:isthree". The goal is to convert these to fields and values, without knowing what will be in the string. Basically the following, but automagic. | eval...
Summary Indexing vs. Data Model Acceleration - which is more performant?
I am trying to optimize searches that have large time spans (6+ months) with 10,000,000's of events. Which is more performant? Summary indexing or Data Model Acceleration? Conceptually I believe they...
Replacement of Django framework & Code changes
Hi there, Currently I am using an existing Splunk App (from Splunkbase) that was developed using Django web framework. Since Splunk is no longer investing in Django Bindings, and they are recommending...
How to use AND operation with multivalue fields?
I have two multivalue fields: 1) segment_status, with values SUCCEEDED-100 FAILED-100; 2) segment_provider_id, with values abc.com-10 ddd.com-20 ccc.com-30. I am trying to find the following counts: 1)...
Does anyone use the Mimecast Splunk App and any documentation on best practices?
We just added the Mimecast app for Splunk and I am trying to configure reports and alerts. Is there any good documentation out there on how to use this app efficiently?
How can I generate all_account_ids.csv with the Splunk Add-on for Amazon Web...
We have the Splunk Add-on for Amazon Web Services running on a cluster of heavy forwarders pulling most data in from S3 inputs. The only exception is the description/metadata input which is configured...