Count a field value for one field, but not for another in Stats
Hello All, I am running a report that uses multiple stats commands to achieve the final output. In this report I have two fields which depend on the number of machines I have. One is what we call...
Field extraction showing up for different sourcetype
Hello. I used the Splunk field extractor to get a field from **sourcetype=sourcetype_a**. For some reason, when I search **sourcetype=sourcetype_b**, the field I extracted for **sourcetype_a** is...
Cisco Security Suite - cannot configure
I've just installed Cisco Security Suite (v 3.1.2) on Splunk (v 7.0.1). When I launch the app, it takes me to the 'App configuration' screen. I click on the 'Continue to app setup page' button and I...
Count items satisfying a condition
I have an event created each time a user does an action in my system (e.g. login, open_page, close_page). I need to do statistics based on the user regularity: a regular user logs in more than 5 times or...
Multiple/Nested IF statement
My logic for my field "Action" is below, but because there are different else conditions I cannot write an eval to achieve the below. **if** (Location="Varonis" **AND** (like(Path,"%Hosting%")...
Custom Python Script Not Executing
I have created a Python script for reading log data from a custom application. The script is copied to the folder below: $SPLUNK_HOME\etc\apps\search\bin\splunk_script.py The configuration is done using the...
Splunk Server Login Error
I am getting the error below when we log in to the CLI for the Splunk server (shown in screenshot). Any suggestion to remediate the same? Thanks for your help. ![alt text][1] [1]: /storage/temp/226668-splunk.jpg
Why are my JSON data extracted twice
My inputs.conf is: [monitor:///var/log/grains.log] sourcetype = grains_log disabled = 0 index = os My props.conf is as follows: [grains_log] INDEXED_EXTRACTIONS = json KV_MODE = none But I keep seeing...
When will be new update available for "Splunk app for Microsoft Exchange" to...
Hello, We are using Splunk version 7.0 in our work environment. As mentioned in the Splunkbase document, "Splunk app for Microsoft Exchange" version (3.4.2) is compatible up to Splunk version 6.6. Any...
Time Input to Form Not Working
Maybe I've been overthinking this, but for the life of me I cannot get my Time Input to my form working! I'm using this documentation:...
port sweep 1 source to multiple destination to more than 4 dest_ports
This is the query which is for port sweep------- 1source->dest_ips>800->1dest_port | tstats `summariesonly` dc(All_Traffic.dest) AS count from datamodel=Network_Traffic by...
Suppress "Y" axis scale
I am using a stacked bar chart to display average responses to survey questions. Each block displays the average for that question. The charts have four to five questions. I would like to be able to...
Drill Down on Stacked Bar chart
The chart shows number of incidents by vendor during a time period. I would like to be able to drill down on each bar for specific information about that vendor. I have 41 vendors that I monitor which...
How to get the forwarder IP address reporting to splunk
Hello, Can I please know how to get all the forwarders' IP addresses that are reporting to Splunk without use of the internal index, as some of the users don't have access to the internal data. Therefore,...
This Error.... No data collection for VNX is found in the inputs.conf. Do...
We keep getting "No data collection for VNX is found in the inputs.conf. Do nothing and Quit the TA.". We have an inputs.conf in /splunk/etc/apps/Splunk_TA_emc-vnx/local, as I see it is documented. Not sure...
cpu and memory usage consumed by a splunk dashboard?
My Splunk infrastructure is on Linux. Suddenly one of my Splunk dashboards takes almost 20 mins. Earlier it used to take around 2 mins. I haven't increased the time span recently or modified the...
How do I collect SharePoint audit data using DBConnect
Hi There, I am looking for a way to get SharePoint audit data into Splunk via DBConnect. Does anyone have a working script that I can use?
I have a tstats search that works for me (admin) but not other users (who...
I have a user who is asking how to show earliest logs indexed by the indexer for a particular host. I tried this simple search using tstats, but when he runs it he gets no results back. Here is the...
KV store issue for collection SavedSearchHistory
From time to time, I am getting the warning below: WARN SavedSearchHistory - Can't persist saved-search history due to the KV-Store either being disabled or failing It doesn't appear all the time, just...
Setting the timestamp when using the collect command
I am searching yesterday's data and trying to insert it into an index for reporting purposes. I need to take multiple indexed events with various date/time fields and override them with the current...