Multivalue field extraction
Hi, I'm struggling to get this extracted correctly so it's usable. The raw data is presented as: Privileges: SeSecurityPrivilege SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege...
Best practice for representing bit flag fields in input data?
Suppose I have a field that consists of a byte value, where each bit can represent a "flag": a property whose value is either true or false. In the definition of the record layout, the "parent" field...
Can the deployer for a SH cluster be part of Indexer Cluster as a search head?
Hello all, I have a deployment server (license master) and an indexer cluster with 2 search heads. For now I have added deployment server also as a search head in the indexer cluster. I see no issues...
Data truncation in Splunk App for BlueCoat
Hi at all, I installed the Splunk App for BlueCoat on my Splunk Enterprise 6.3.3. I installed the App following the tips and it seems to see all the logs correctly. My problem is that all the charts in...
Searches for hidden graphs are run
Hello, I have a dashboard where some graphs are hidden because they depend on a token that is not defined. However, it seems that the searches that populate those graphs are still run. I see this...
How to set up Splunk App for Stream in a Distributed environment?
We have a setup with multiple Search Heads, Indexers, Universal Forwarders, Heavy Forwarders. We are trying to set up Splunk-app-for-Stream to collect stream data from Universal Forwarders into Search...
Email Alert Subject Stuck - Splunk 6.3 - Splunk Alert: $searchname$
Regardless of what I put in the subject of an email alert, what comes back for subject is Splunk Alert: $searchname$. I have multiple use cases where it would help to have tokens in email subject....
Enterprise Security and Hardware Recommendation
Hello, I have read through your hardware requirements for Splunk Enterprise. We will be purchasing the Enterprise Security (ES) app and have a dedicated Search server for ES. Question, are the hardware...
sourcetype isn't parsing DHCP data correctly on indexer but does when I...
I am attempting to parse Windows DHCP data. For those who aren't familiar with the format, the logs have a description which never changes from lines 1-32 of every file, on line 33 is the header and...
REGEX to extract null/empty field as it has values
Hello folks, I was wondering if you could help me with an issue regarding the field extraction technique. I have this multiline log (below). My problem is that when I try to extract the empty...
Ignore Unselected Dashboard Input
I have received a request to add the ability for users to filter out very specific events from a dashboard with a large amount of data on it. The method of identifying and removing these events is...
useother=f in tstats query? for pie chart visualization
Hi, I have a tstats query and I want to display all "others" in a pie chart. Below is my query: |tstats count AS "Count of Event Object" from datamodel=abcoper where (nodename = EventObject) groupby...
Installation Location for Health Check
Given that the app needs other instances to be peers for it to do a health check of them, is it fair to conclude that the DMC instance is a good candidate of where to deploy/install this app? Any other...
Using the KV store, Is it possible to have a write lock on a particular...
I will be using the API to work with a KV store collection. It's possible that two users will both perform an action at the same time that would cause a single document to be updated. Is it possible to...
List times in between events when using timechart
Using timechart, I have a table with a list of dates and a value. However, the dates are non-consecutive (although ordered). I want to add in the missing dates in between the current values and...
Get specific values by providing key
I have a lot of lines in the following format: CPU: 2.7GHz, 2, 'Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz', OS: 'Microsoft Windows 7 Professional x64 Edition Service Pack 1 (Build 7601)', SYS: 'HP...
Is it possible to delete an index from an indexer cluster without restarting...
I would like to delete all the data in an index from an indexer cluster without restarting the indexers. Replication factor = 2 and search factor = 2. Restarting the indexers causes the cluster master...
Is there a way to stop primary bucket re-assignment when the cluster peers...
When the cluster peers are restarted, primary buckets are re-assigned by the cluster master. Is there any way to stop the re-assignment from occurring for a planned peer restart? Replication Factor...
HTTP Event Collect and log4j - cannot get it to work
Hello, I'm new to Splunk and also to Java (sorry). I'm trying to write a simple app to log events to Splunk using HTTP Event Collector. However, I have managed to get Log4j 2 working to log to files, I...
Go through parsingQueue twice to break files via \n
Hello, I have a file that doesn't seem to be breakable via the standard line breaker since it's a full text file with no \n or \r whatsoever. Using delimiters for lines didn't work so I want to use...