How to rename index in data sent from another splunk instance?
We are receiving data from an external Splunk instance. They have indexes A,B,C. When our indexers receive their data it cannot be indexed because we have indexes D,E,F. How can I rename the index for...
Why am I getting an error when creating Apps with App builder when testing...
this alert action gave me an error when testing the python. 2018-03-07 18:34:42,033 ERROR pid=24690 tid=MainThread file=cim_actions.py:message:271 | sendmodaction - signature="Error: 'module' object...
Lookup with IP range
Hi there, what's the best way to append a search with a lookup with IP subnet ranges and some extra information for those IPs? **iprange.csv** clientip, zone, areacode 127.0.0.1/24, home, 255 I've...
How do I string certain searches together to get a list of user IP addresses...
I have connection logs for a database. I need to identify users making certain queries. I'd like to: 1. Search for a string identifying the query 2. Check that whole transaction for the original "open...
Adding a column from a subsearch
I have this query that I've lightly changed from the winfra app, but I want to add a PID into it, which would be in the second query. I'm having trouble figuring out how to get this done....
Field Extractor Utility: Why am I getting error "The extraction failed. If...
Splunk version 6.2.3. Hi all, I know there are a lot of questions/answers like this, and none of them tells you what the issue is; they just give you the resolution. So I thought maybe...
Splunk Threat_intel lookup not loading up into Threat Activity dashboard
What are some troubleshooting steps I can take if I don't see any of my custom lookups load in the Splunk Threat Activity dashboard? For example, I created a lookup stored in the threat_intel directory. The...
Correlation search email response action, edited message not being sent.
I found that someone else had asked this, but as it was asked in 2015, I thought I would ask as well. Correlation searches contain many different "Adaptive Response Actions", one such action is the...
Where is frozen data stored?
Hi there, Below is sample index configuration: [apache_web] homePath =/splunk/hot/apache_web coldPath = /splunk/cold/apache_web thawedPath = /splunk/thawed/apache_web frozenTimePeriodInSecs = 7776000...
How can I evenly balance between two sets of indexers?
All, I have a set of indexers. One set is index clustered, modern hardware and super fancy. And I have my old stuff. For the time being I need to evenly balance between them. How could I configure my...
How to add Currency Symbol ($ dollar sign) to a column with numbers?
Hi all, I have a column in splunk that I want to use to show totals. I would like for the dollar sign ($) to appear before the numbers in the totals column. Here's my query: index=prd_aws_billing...
How do I create an alert to trigger at discrete intervals?
I would like to configure an alert that triggers every X increase in a count field Y. To the user this would look like > "count is now at 1000!" _[15 mins goes by]_ > "count is now at 2000!" _[5...
Find total MB in use based on '% Committed in Bytes' and 'Committed Bytes'
Hi all, my fields look like this: CommittedBytes=1610014720 PagesPersec=0 PercentCommittedBytesInUse=27 wmi_type=Memory I can see my total CommittedBytes and my PercentCommittedBytesInUse. But what I...
IIS server onboard into Splunk
Hello Professionals, we set up Splunk about 6 months ago, and now we would like to onboard an IIS server to Splunk. May I know what exact procedure we have to follow in order to achieve this task? Thank you all.
Why can't the forwarder index and populate data?
We're unable to get the forwarder to index/re-index and populate data. Can anyone make out what is happening here? Thanks 03-06-2018 22:08:21.280 +0000 INFO TailReader - Ignoring file...
Search affinity and data replication in multisite clustering results in...
Take the following simple architecture. 2 indexer sites. 1 peer per site. Indexer A and Indexer B 2 search head sites. 1 sh per site. 1 sh has site affinity search head "fred" the other does not,...
Waiting for web server to be available for over 30 minutes
I was having problems with one of my heavy forwarders (splunk 6.6.3) running on Windows 2008, so I noted what inputs I had, uninstalled and then installed version 7.0.1. After adding my configurations...
Why are we constantly getting this "Unspecified upload error. Refresh and try...
My colleagues and I are having a problem adding data. We are uploading a CSV file (10 KB) but it doesn't allow us to add new data. We do have a legit license and we are not having warning...
bytesSent & bytesReceived in Cisco CMX Logs
Hi, Currently I am using Cisco CMX App for Splunk to onboard Cisco CMX logs into the Splunk environment, and the logs are sent to Splunk in JSON format. I am trying to understand two of the fields in...