How to Build an If Statement based on if a field contains a string
For every record where the field Test contains the word "Please" - I want to replace the string with "This is a test", below is the logic I am applying and it is not working- I tried using case, like,...
View ArticleSecurity Key in server.conf
what is the diff between the security key in the clustering stanza and the key in the general stanza in server.conf ? Should the same key be used for both the shcluster and the indexer cluster ?
View ArticleSubsearch for multiple sourcetypes and fieldnames
I need to do a search in two different sourcetypes and use the result to do additional searches in these queries. But I have the problem that, while both sourcetypes have similar values, they use...
View ArticleAdding a new indexer to the indexer cluster
Can I please know the process of adding a new indexer to the indexer cluster ? Should the cluster be kept in maintenance mode while adding the new indexer ? Should the secret key be added in general...
View ArticleHelp with the query that works with splunk server groups
Hi, Below is the query i am using to get the hostname , IP addresses and last reported to splunk . | metadata type=hosts index=apache_web splunk_server_group=abc | search [ | makeresults | eval host=...
View ArticleIs there a way to clone already existing fields from one app to another
Hi, I have two apps one is normal one another one is machine learning app. I wanted clone all extracted fields from normal app to machine learning app. Is there any way. I have gone through machine...
View ArticleData stopped coming into Splunk for Splunk add-on for Microsoft Cloud Services,
We are running Splunk Enterprise 7.0.1 On our Splunk Heavy forwarder we installed and configured "Splunk add-on for Microsoft Cloudservices "(current version 2.0.3) We stopped receiving any data in...
View ArticleExtracting field value gets encoded. Why?
I have extracted value from the message log. So I have custom field with its value. In the log, it displays "* myName=J&K *" The extract field is myName, and it's value is now "J\u0026K". Even when...
View ArticleCan we find the events which are not matched by Lookup table?
I have a lookup table with which I am categorizing the Error Messages received from a particulat Sourcetype "error". Below is the SPL query that I have used to categorize the Error Messages:...
View ArticleWhere to Location Custom Reports and Alerts in ES CLI
Good day. My work team is in the process of migrating our instance of ES to a new server and I am trying to locate my custom reports and alerts in the CLI so that I can extract them and migrate them to...
View ArticleHow can I give access to only a single index to a custom Role that I've created?
I am trying to create a role that has access to only a single index and can only view the 'search' app. The way I created the role was by copying all the capabilities and other settings from the 'user'...
View ArticleREGEX filter in transforms.conf file setting question
We're forwarding events to a 3rd party. In our transforms.conf file, the filter looks like the following **REGEX = .** For some reason, this filter capture names without any hyphens. Here's what I'm...
View Articlequery to grab the metadata of the host entered by the user
Hello, Can someone please help me to build a query that will display hostname , IP address , last reported by the forwarder. If i use the index= star host= star , that will be too much load on the...
View ArticleNotable Event Urgency issues
I have setup a few correlated events which currently are showing up in the incident review console as urgency (unknown) if you "Uncheck" all the Urgency levels. I have checked the searches and it has...
View ArticleHow to count daily events with specific time?
Hi guys, I need to count number of events daily starting from 9 am to 12 midnight. Currently I have "earliest=@d+9h latest=now" on my search. This works well if I select "Today" on the timepckr....
View ArticleHow to make search faster
Hello, below is my search . Since i am using join , search is slow . Can i please know if there is a way to increase the speed of the search rather than absolutely specifying the index. | tstats...
View ArticleREST API to check persistent queue file size
Hi all, As per the title, may I know if there is any REST API to get the persistent queue size in Heavy Forwarder? I have set up persistent queues in my Forwarders. I would like to monitor the queue...
View Articlegetting Winsock error 10061
We are forwarding logs to a UF->HF-> INDEXER setup for splunk but the logs are not getting thru. We checked the splunkd log of HF and it has the error below: 01-08-2018 20:30:15.311 -0600 ERROR...
View Articletooltip without javascript in splunk panel title
Hi, I have a requirement wherein I need to add a tooltip or mouse-hover capability to an image in the title. We have added an image to the title with url option in background option of the panel in...
View ArticleLocation and site definition in Indexer Cluster
Hi, I am trying to setup new Indexer Clusters which must comply to different regulators. There are three different locations (EMEA, ASIA, US). Each location has two sites. What I would like to do is...
View Article