serverclass.conf repositoryLocation multiple apps
We would like to configure serverclass.conf with multiple repository locations for each serverclass. Can this be done? If so, what's the proper syntax? We're trying this, but it doesn't seem to be...
Each extracted field multivalue with duplicate values for JSON events
Hi, I am using splunk version 6.3.3 for forwarder and indexers in a clustered environment. Issue is when the search query is executed, it returns multivalue fields with duplicate values. I have seen few...
Transaction of two fields same data set
I have a search: some-search | transaction PP_Jobid | transaction JOBID This gives me what I want but I am forced to call transaction twice. Every record has "PP_Jobid" but only some records (with an...
How to find out if there are multiple hits to page in a single session
I am trying to find out the count of transactions when there are multiple hits to a particular uri within a session. I am sure we can use transaction command but not exactly sure how to get this.. Can...
Automatically add ORs between IPs for Dashboard
Hi Community, Suppose I get a list of IPs once a week and I want to search all the indexes for these IPs. Is it possible to take a list of IPs, paste them into a field on a dashboard, click Submit to...
JMS Modular Input: session idling timeout: REST API token is invalid or...
We are pulling from an HP NON-STOP Queue. We have increased the maxThreads, maxSessions, sessionTimeout = 30d in server.conf. The queue collects for 20 minutes then we see it grow.... soon we get the...
Macro Validation Expression Error?
I made a macro, we'll call it "test" defined as eval new_rate=$val$*$rate$ with the validation expression just checking rate to make sure it's a number isnum($rate$) When I call the macro.. I end up...
Timechart intervals starting NOT on the top of the hour
If you have created a timechart mapping, say, the number of unique users over time, Single Value will display the most recent result with a trend showing the difference between the most recent result...
Tip for those using this app
So I've found that to get these dashboards to work in my environment, I had to make the following changes in all the searches: change *hg_event_description* to *cef_name* change *hg_event_type* to...
eventgen not producing data with current time stamps
Hi Splunk et al, I am working on using eventgen to use access and secure logs. My test/sample app works as I am seeing events in my data summary, but the timestamps are off. I am seeing the original...
timezone for _time is off by one hour and nothing makes sense as to why
I am using eventgen to send license_usage data to a test splunk server. I looked at what was being sent and the time is set to -0700 which is Mountain Daylight time. My server on my VM is Centos 6...
Alternatives to using join command
Hello Splunkers, I would like to seek advice on how to achieve the same goal without having to use the join command. This is the current search, with the use of the join command: index=myidx...
Should setting a custom alert action in the default stanza of...
I have a working custom alert action that's basically a clone of the webhook action. It works when I set it on one alert specifically, but not if I try to set it via the default stanza in...
NMON Performance Monitor for Unix and Linux Systems: Why is my filesystem...
Hello, My filesystem is filling up with core.### files in /opt/splunk/var/run/nmon/var/nmon_repository. What could be causing that and how can I make it quit? file core.44614 core.44614: ELF 64-bit LSB...
Why is LINE_BREAKER not always separating?
I have a log that starts each event by a new line starting with a timestamp followed by a space and pipe, like the following: 2016-04-01T02:55:24.030 | I have tried setting up props.conf with a new...
How to add a lookup table value to matching search results?
I'm not sure whether or not this is a unique problem, but I'm hoping someone can help even if I'm overlooking an obvious solution :-). I have a lookup table that is a domain whitelist that we allow...
Why am I getting "Error initializing SSL context - invalid sslCertPath for...
Hi Guys, I have configured SSL certificates and added them to my forwarder and indexer according to their recent documentation. My communication between the forwarder and indexer works well, until I...
Why is my search to compare data week over week using time modifiers showing...
I'm trying to apply the week over week design template from http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/ but my counts are being truncated for the last week. (truncated...
Include results of another search in the body of an alert?
I have an alert that fires when the hourly count is 50% greater hour over hour; this seems to be working fine: index=foo_web APPLICATION="foo_web" CODE="abc123" errorCode!="null" earliest=-1h@h...
Logging Format: Should time be in its own KVP?
We're writing a small app and ensuring all logs are KVP and using CIM terminology. However, I just realized I was leaving time as the start of each line and writing a props.conf for it, which is fine I...