Breaking up syslog sourcetype
Good afternoon, I am working on trying to divide my network devices up so that I have different sourcetypes for each vendor, and then ultimately ship them off to different indexes as well. These...
Is there an SPL command using REST to list the macros contained within a macro?
Hello, I see that we can use SPL to get a list of arguments, "args", of a macro using the "rest" command. | rest /services/configs/conf-macros It would be great to be able to list all the dependencies...
Rename Field From Input File And Perform Search
Hello! I am attempting to find events based on names in a CSV file (I am attempting to build a search to identify security group name changes). However, I appear to be missing something since I do not...
We are thinking of moving to Azure Kontainer Service (AKS), is there any...
We are thinking of moving to Azure K(C)ontainer Service (AKS), is there any splunk API plugin for fluentD to push data onto Splunk? We don't want to run a native splunk process that does so today.
Windows: Unknown User Name or Bad Password
Hi. How can I distinguish events with Authentication when «Unknown User Name» and when «Bad Password»? (index="wineventlog" OR source=*WinEventLog*) Failure_Reason=* * ("Audit Failure") AND...
dbConnect 3.1.1 and Splunk Enterprise 7.0.1 - SQL Explorer - Error in...
I am running Splunk 7.0.0 with dbConnect 3.1.1 for access to a MySQL database. A few days ago I was able to retrieve data from the database with the SQL Explorer, but after coming back the following...
Splunk Add-on for OSSEC: OSSEC & Splunk Integration?
Hi. I'm trying this: [Splunk Add-on for OSSEC][1] [Reporting and Management for OSSEC][2] Some logs are not parsing properly, and the log structure that is parsed has a lot of duplicated information in...
Lookup: Replace / Create new field
Hi. For example: when I run a search and see the field Sub_Status - 0xC0000064, I want a new field that explains what the code is. ![alt text][1] [1]: /storage/temp/225677-screenshot-1.png
How to display respective entries from two different logs based on a common...
Hi All, I have two different sources of log and want to display respective entries from each source based on an extracted field value from the first log. For e.g: **Log 1**: Jan 6 15:33:13 xxxxx :...
Performance impacts of Spectre/Meltdown mitigation
Does anyone have figures on the performance impact of the CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715 (Spectre/Meltdown) patches on Splunk?
JSON event breaks not working - sometimes
I have a log file of properly formatted JSON events, but the event break is not working properly. Sometimes it separates the JSON into separate events, sometimes it does not. There doesn't seem to be...
Can we use Start/End times from a query to get duration to use it in another...
I am able to get the Start/End times of a load test execution from a search query (by getting End time from Timestamp (field) of the log data, and subtracting the duration (field) to get Start time....
What are the basic and important cases to monitor for Windows and Linux?
Hi :sheepy: Do you know any cool blogs aka cheat-sheets on monitoring for Windows and Linux like [this][1]? Something _«I'm too lazy to understand what is critical and want to read an article where a guru on the...
Creating a comparison report
Hi, I'm trying to create a report where I am extracting data from two different sources. The data extracted from both sources shares the same item number value. So the structure is something like...
Add an independent trendline in splunk
I have a chart with durations, and I want to add a line over the chart with values as avg(duration). I used the query below, which works perfectly. index=cloudfoundry sourcetype=cl**** "cf_foundation=px**"...
Anybody seen search/indexer performance degradation after installing Meltdown...
Hello, has anybody seen any indexer/search performance degradation after installing the Meltdown patches on Linux? Anybody willing to share some before-and-after performance stats?
Compare result count
Hi All, I would like to compare today's result count with the count for the same date last month. Kindly let me know the best way to achieve this. Regards, BK
What metrics to monitor for Meltdown and Spectre
I realize that these are both hardware vulnerabilities, but wanted to know: out of the data we are able to collect with Splunk, what specific metrics would be the best to monitor as they directly...
Splunkforwarder playing too "nice"
I have some scripted inputs running on a few servers that will occasionally have very high system loads. The problem is that I have holes in my scripted intervals during this time, when I need them the...