Why does the regex work in search but not in props.conf?
I have a file that I am monitoring on a Heavy Forwarder (HF). The file is JSON logs. On the HF I have the following props.conf: [EC-json] KV_MODE=JSON TIME_PREFIX="timestamp":"...
Splunk App for NetApp Data ONTAP: Can we use OnCommand?
I suspect the answer is no, but thought I'd ask the question anyway, we have around 150 NetApp appliances all managed by OnCommand, ideally we want to hit OnCommand rather than each NetApp...
Splunk App for Windows Infrastructure: Does anyone know where I could get a...
I'm trying to generate data using eventgen for the App for Windows Infrastructure, but I can't find the eventgen.conf within the app directory. Does anyone know where I could get an eventgen.conf for the...
How to move an index from a standalone host to a new environment with 2...
Hello. Need to migrate data from a standalone env to a small distributed env. Honestly, I really only need one index. I tried exporting to CSV and importing, but the fields/columns don't line up as the...
How can I fine tune the Splunk queries which are very slow and return huge...
Hi, We have some queries which are very slow and return a huge amount of data which finally causes the search head to be very slow. Is there a general document or something which can help us fine tune...
How to create a search that will identify when a user has downloaded hacking...
I don't have proxy logs, but I do have IDS/firewalls, etc., and I want to create a search that will identify when a user has downloaded tools such as nmap, kali, etc. Any ideas?
Base64 custom command: How can you decode the logs in a search?
I have installed the base64 Splunk app for decoding a base64 field, but it didn't decode the logs. I have used |base64 field=myfiled action=decode mode=replace suppress_error=True Is there anyone who has used...
Splunk App for Unix and Linux: How can I find my dashboard in the GUI?
I created some dashboards; where can I find them? I would prefer to do this in the GUI.
jQuery code to manipulate the initial value of a Dropdown token and displays...
The JavaScript Code is not working for me. I want the token **new_product_name** to display the initial content of the dropdown **product_name** each time the page loads as well as anytime the dropdown...
How to split a JSON array using Splunk search commands?
My query is: |inputlookup geo_jj | eval types = "{\"geom\": " + geom + "}" | spath input=types The output I got in the geom column is: geom...
Use of F5 Network Analytics app for customers
Hi all, My company is building a new private cloud platform, and will be offering F5 virtual servers as a standard offering for each application that onboards to the platform. As part of this, using...
Index created on indexer not reflecting on search head or on...
Hi, deployed a medium solution with 1 search head, 1 indexer and 1 (Deployment server (DS) + License master). - Deployed UF configs from the Deployment server and created a new index via DS, but the...
How to convert decimal numbers to percentage?
Hi guys, with my below query, how can I convert the values of %Empty and %Occupied to percentages instead of decimals, then add the % sign? Thanks a lot! | chart values(NOOFEMPTYLOCATIONS) AS EMPTY...
We have tried to extract an index time field extraction
We have tried to extract an index time field extraction; below are the details: props.conf:- [sourcetype] TRANSFORMS-fieldname = fieldname Transforms.conf:- [fieldname] REGEX = regexquery FORMAT =...
X-label -> only the hour appears
I did this search on Splunk: index=esi_svc svc_top=1 earliest=10/19/2017:0:0:0 latest=10/19/2017:23:59:0 |eval erro=if(NOT isnull(svc_exception),1,0) |bucket _time span=10M |eval...
Windows Security events: XML vs. non-XML format
Hi, we are planning to collect Windows security events with Splunk. As far as I know, there are two formats: standard and XML with the renderXML=1 option. I have found some (older) blog/answers...
Installed App v1.3 on Splunk 6.6.2, do not see any new data inputs
I do not see any new data inputs; I tried refreshing and restarting Splunk. Is there a video showing the install and how to get data to be used by the application? Will there be something that allows...
Seems like a silly question but I cannot find the download location for this...
Can someone help? I've looked in the latest app for infrastructure as other posts have said, but it doesn't appear to be there anymore. Also, does this work on Windows 2008 R2 DCs? Thanks, Robert
Incapsula log parsing
I've noticed that the add-on for Imperva WAF, when parsing Incapsula logs, doesn't correctly parse event names with a space in them. For example, 'Blocked country' or 'Blocked IP' are never parsed and...
Architect Certification lab
How do I set up an architect lab for practice, including a deployment server, without a Splunk Enterprise license? (I believe the free or trial version does not allow setting up a deployment server.)