Does anyone know where a heavy forwarder stores events to be sent to a Splunk...
We are using Splunk 6.2.6. I am using a heavy forwarder at remote sites to forward data to a central indexer. To make sure data is received we are using the useACK=true attribute. On one of our sites,...
Displaying average from a timechart
I've read many posts on the subject of displaying an average line across a chart. But I can't find a solution that doesn't require performing the search twice, as in a join. This seems like a real...
Scheduled reports in order
Hi, I need to create some searches, one of them dependent on the other, and save the result in a CSV file. The idea is: 1. Make a search for the last 24 h and save it to a document. 2. Append the...
Support for the 'Authentication' and 'Network Session' data models on the...
Are there plans to add support for the 'Network Sessions' and 'Authentication' CIM data models from the Splunk_TA_paloalto Add-on for GlobalProtect events?
How can we pull the dashboards with index asshowrunner?
Hi, I just want to duplicate the dashboards and modify the index to asshowrunner2. The goal is that the data should be similar.
onChartSelection event not firing on Chrome, and only sometimes on Firefox
I am seeing **intermittent** results in **Firefox's** latest browser (Mar/2016), on an **openSUSE 13.2** OS, and **non-existent** firing using **Google Chrome** for the same OS. **The problem:** A...
Trend Micro Regex Help
Hi Community, I'm trying to figure out how to get the signature and signature id to their own fields. This has been a tricky one for me. Here is part of the _raw event: |Trend Micro|Deep Security...
No new input type "Google Spreadsheet" after installing Google Import/Export
I am not getting the input type "Google Spreadsheet" after installing Google Import/Export, and I am getting the message below in Splunk Manager. Has anyone seen this error before? Unable to initialize modular input...
Can anyone help to get this data into Splunk properly?
I have tried to index this file without much success. It's driving me nuts how the fields are never separated correctly no matter what setting I change. I'd be grateful if anyone can try to index this...
Is this a scheduled real-time search?
Hi, Are processes that contain "rt_scheduler" real-time scheduled searches? Example: splunk 15005 75443 0 10:20 ? 00:00:00 [splunkd pid=75442] search...
Splunk webservice won't start due to Python error?
I recently installed Splunk on my Windows machine and the process completed. However, when I try to go to the splunk web interface, I am unable to connect. Searching the webservice log provides the...
Does this app work with the CartoDB on-premise version? Does this work with the...
I have CartoDB installed locally and I need to know if this app will work with my local CartoDB instance or if this is only for the cloud edition?
Removal of special character < question
Hello Everyone, I am trying to format some syslog data for a dashboard output. I have no idea how to remove the < character within a search template. when I use replace in a search it works fine,...
Scripted inputs best practices?
Are there any best practices regarding *where* a scripted input should run? Is there a benefit in using an intermediate forwarder to run really intensive scripted inputs?
Search Head Pooling v. Search Head Clustering
If I am running Splunk 6.2.x and ES 3.x using search head pooling, and I upgrade to Splunk 6.3.1 and ES 4.0.1 using search head pooling:
* Is this supported?
* Will this cause problems? Performance...
Indexing some and forwarding some on a full Splunk instance
Hello, I have a Splunk instance that is a search head and an indexer. I would like this Splunk instance to index everything except data of sourcetype=otherDepartmentData. For sourcetype of...
License server work principles
Hello! I am planning the following setup: 3 single-site indexing clusters in 3 separate locations and Deployment/License server and the Search Head at one of 3 sites. And I have a couple of questions...
Hi, I have the below query that works but takes at least 5 minutes to complete...
index=INDEX1 source=*sva* | rename server_group_name AS LOB "scan.findings{}.cve_entries{}.cve_entry" AS CVE | fields - _raw | rename "scan.findings{}.id" AS Scan_FindingsID | rename "scan.server_id"...
How can I add empty time buckets to my table?
I have a dataset for which I cannot use timechart because I'm splitting by two fields. Not all of the values of message have events in all time buckets. Is there a way to add 0 time buckets for each of...
Splitting fields with slashes
Anyone else having trouble, or have guidance, on splitting fields on backslashes, such as with file paths? The field value is displayed as: folder1\folder2\file.txt And the raw value is:...