Archive

Discussions

Start a Conversation

Thread Info

Difference in result with timechart span=1d dc(ip) vs timechart span=1h dc(ip)

I am using distinct count with time chart for the whole day (yesterday). The result is varying if the span is changed...

by New Member in

Palo Alto Syslog being Indexed, but not parsed

I saw the other forum posts, and they are not the same Issue i am having. I have configured the PA to directly send s...

by New Member in

Dedup search results not showing for a user

I have a user that is a doing a search that has | dedup in it. While I can see the results when I run the search (I'm...

by New Member in

Can you help me with with Module 9, Task 6 in Splunk training and certification Fundamentals 1 course?

For some reason the Parenthesis on avg(Duration) won't work. I have entered the answer "index=main sourcetype=db_...

by New Member in

Is it possible to position radio buttons horizontally

PUTTING RADIO BUTTON IN HORIZOTALLY WAY IN SPLUNK POSSIBLE OR NOT?

by Engager in

Splunk Enterprise Upgrade

Hi All, With regards to Splunk Enterprise I have the below query: I have a existing Splunk infra that has Splunk E...

by Explorer in

how to display a 0 result instead an empty result

hi I use the search below and I would like to have a 0 results displayed when there is no events corresponding cou...

by Builder in

Kafka Splunk Sink connector: All channels have back pressure

Hi, I have a Kafka cluster running, and periodically, the active controller fails. This causes issues with the Spl...

by New Member in

Search to find indexes with events and display index size, total events , earliest and latest events per index

Hi, what would be the best way to find indexes with events and display its size, total events , earliest and lates...

by Builder in

Compare current and last one hour event value in same search.

Hi All, I have to monitor the queues. And for that I have made the basic dashboard where it shows the details. Det...

by New Member in

How we can access splunk dashboard within network or outside network?

I have created one dashboard which I want access from another system .I have tried this http://192.168.27.45:8000/en-...

by Explorer in

using splunk machine learning toolkit

to use splunk machine learning toolkit app , do I have to define our network related lookups and put them in showcase...

by Path Finder in

How to count files in which multiple fields meet certain conditions?

I have a few files. They all have the same columns and look like this: timestamp field1 field2 ... 15...

by Engager in

Splunk not symbolicating

Hi, This is the splunk that i try to symbolicate but it says "Symbolication Failed". The symbol file is even uploaded...

by New Member in

Unable to telnet to Splunk Server

Hi, I am using Splunk Enterprise. Server is running on port 8000. when i trying to telnet from another machine. It...

by New Member in

About specification of "initCrcLength" option and "crcSalt" option.

About initCrcLength I know that changing initCrcLength option cause reindex and ignoreOlderThan option is workarou...

by Builder in

Splunk not working after turning on SSL for forwarder and indexer communication

Hi Guys, We have the following environment set up : 2 x indexer and 1 x forwarder with 1 Master Node + Search Hea...

by New Member in

How to generate statistic or visualization results for Splunk Add-on for Symantec DLP?

I have specified the following variables to extract from my Symantec DLP system and send them to Splunk. Message ...

by Engager in

Is Splunk 7.x Fundamentals Part 1 (eLearning) free?

I just finished all the modules and the final quiz, my question is Do I have to pay for the certification of "Splunk ...

by New Member in

How to use Splunk to create dashboard for elasticsearch

How to use Splunk to create dashboard for elasticsearch. I have all the data in elastic cluster however want to us...

by New Member in

Recommended naming convention for saved reports, searches, events, etc?

Is there an established naming convention for saved reports, searches, events and suchlike in Splunk? If not, does...

by Path Finder in

Scraping Start Times

I am trying to extract the time taken for a process to execute from my logs. This is they syntax of the log: Time ...

by New Member in

Find a host that is reporting to one index, but not another.

I am attempting the following: Find hosts that are logging to one index but not the other by the host field. Us...

by Path Finder in

Alert when a Splunk service is down

Hi, Suppose we have 10 heavy forwarders and want to get alerted if any one of them goes down. How do we form an ...

by Builder in

Why is index=_internal source=license_usage.log returning no data?

Running this search from a search head (also tried the indexer) and attempting to breakdown the daily license usage f...

by Path Finder in

Custom Alert Action ui validation for empty values

Hi all, I am trying to create a custom alert action, trying to add any validation to the ui fields doesnt work. I...

by Path Finder in

how to get total hit count value for traffic passing through ANY ANY rule on firewall:

I have a firewall which have a rule with any as source destination and ports, I need to monitor this traffic and chec...

by Engager in

breaking line between 2 panels

hi I try to add a white row between 2 panel because they are to close But I dont succeed Could you help me please?...

by Builder in

Is it possible to perform a tstats from an accelerated savedsearch?

I am asking because I attempted to use "savedsearch=" as a command after a | tstats much like calling a "datamodel=" ...

by Engager in

Upgrade Enterprise Security app to 5.2 - Any specific issues to note

Hi All, I am planning to upgrade the Enterprise Security app on our environment from 4.7.0 to 5.2.0. Splunk Enterp...

by Explorer in

Subtotals with Sum

Hi, I wonder whether someone can help me please. I've written the following query: `wso2_wmf(RequestCompleted)`...

by Motivator in

How to move the App a Dashboard (view) belongs to via REST API?

Hi all, Is it possible to move a dashboard (view) from belonging to one app to another via the REST API? I have an...

by Path Finder in

email from specific domain

I want to exlude specific domains from both sender and receipient. for example I have abc.com domain and have one lo...

by Communicator in

Dependency on Azure Services status

we need to send out notification when ever a global outage was happening with Azure using the RSS feed, is the any qu...

by Engager in

Nested JSON field

Hi I'm trying to do a count within my JSON logs. It's about the following data. I want to do a count for the extensio...

by New Member in

Does splunk central-system v7.1.3 compatible with splunk universal forwarder v7.2.4?

I would like to ask you between Splunk Universal Forwarder version 7.2.4 and our Central System version is 7.1.3 -doe...

by New Member in

appPool name not showing if it has a space in it

Hi, I am new to Splunk and I am setting up a dashboard to show when an application pool was last recycled and why. Mo...

by Explorer in

how we can ingest data from url ?

How we can get the data into splunk through URL how to pull data from sharepoint site into Splunk

by Engager in

ERROR SearchResultsCSVSerializer - Failed to open file for writing

Seeing tons of these errors in splunkd logs of indexers. What could be the reason? We are also experiencing search pe...

by Communicator in

Unexpected Results

I'm testing a modified Security Essentials Basic Brute Force Detection search. When I run the search portion, I get p...

by Explorer in

How to set up a NEAR real time search in Splunk 6.6.3

I have a client that wants to set up a "near" real time search in Splunk. Can this be done (it needs to be continuous...

by Path Finder in

Unable to search using REST API

Hi I have a cloud instance version 7.0.2.1 https://prd-p-df4vmzb62ds7.cloud.splunk.com. I am trying to use REST API t...

by New Member in

Can you use Splunk to ingest Red Hat Satellite logs?

Can you use Splunk to ingest Red Hat Satellite logs? There is a Red Hat Storage App and a Splunk app for RedHat Cloud...

by Splunk Employee in

Drilldown to Urls from a lookup table

So I have a lookup table that consists of some URLS to other dashboards as well as other environment pages (the compl...

by New Member in

timechart not giving expected result

hey guys, i m planning to draw a trend using timechart command , for some reason the timechart command showing no ...

by Explorer in

splunk won't find fields with hyphens

I'm trying to search for data in splunk if i do a search like: index="blabla-bla3" container_name="foo-foo2-sd4ofk4po...

by Engager in

Calculate on one field in multiple events

Hi, I collect json data like this: {"timestamp":"2019.02.19-10:20:30","label":"xxx","size":"100"} {"timestamp":...

by Path Finder in

parallelIngestionPipelines for forwarder question

We have a forwarder which has 12cpu's and 12 GB memory. we have not yet set the parallelingeationpipelines. we have a...

by Builder in

do we need to automate KV store look ups?/

I am currently using CSV but due to the frequent activity of CSV which is there in my Search head, there is a bundle ...

by Explorer in

CSV file Indexing issue

Hi, Below is my content of my csv file Splunk_Backup_Success_Rate "A table showing the master server, number o...

by Path Finder in

Remove segmenters in search (lispy) for Norwegian characters

Hi folks. Whenever you do a search in Splunk you can review the lispy in search.log. For example, if I search for my ...

by Builder in

Listonly desired accounts

Splunk Enterprise 7.1.3, SCCM Current Branch with univesal forwarder configured to forward event logs and WMI. I h...

by New Member in

help to remove an empty line

hI I use the request below sometimes I have only value for Free_Space and sometimes only value for TotalSpace inst...

by Builder in

Splunk App setup.xml

Hi All, I have built an app and want to configure the setup page for the same. The setup page should take a .csv file...

by Communicator in

Getting ERROR: Couldn't read "/opt/splunk/etc/splunk-launch.conf"

I have installed splunk in docker container by pulling image from docker.io/splunk/splunk and running it. Later I ins...

by Path Finder in

X-Frame-Options - remove deny, set sameorigin

Hi, my problem is explained in the heading. I need to remove X-Frame-Options: deny from the HTTP header and change it...

by Explorer in

Splunk Challenge - Dropdown option for each feed

We have built social media sentiment analysis app in splunk, now we need to train our machine learning dataset for pr...

by Explorer in

Joining two searches on different indexes based on lookup values and return calculated values from both searches

Hi folks, This is a complex question, so bear with me. We have 2 heavy searches that return calculated and lookup val...

by Explorer in

Splunk Alert

Hello Splunkers, I'm having an alert with last 3 days as the time range and that alert is triggered everyday at a ...

by New Member in

How can we decide the threshold value which is the best value ?

Hello everyone. Want to display the output only for the time which crosses 18 months (earliest time)

by New Member in

HI NOT "/healthCheck"

NOT "/healthCheck" , what the point of using this n search ? I want to know is it searching for string health chec...

by Explorer in

Splunk Search: Lateral Movement

Hello! I am wanting to build a search that can help detect lateral movement. I want to see when the same user is logg...

by Explorer in

Maintenance page

Hi, is there a way to show an maintenance Page during "Restart Splunk", "SW Update",... --> not the "not available pa...

by Explorer in

=SUM(COUNTIFS(F38:F800,"<"&[@Week],$D38:$D800,"<>Status1",D38:D800,"<>Status2",D38:D800,"<>Status3",D38:D800,"<>Status4"))

Could you please help me to convert above excel formula into query ?? Thanks in advance. Need to filter one date and ...

by New Member in

Problems with cidrmatch and lookup from csv (even after transforms.conf edited)

I've read other questions on this topic and I am afraid I'm just stuck. I have a csv named "subnets_cidrmatch" wit...

by New Member in

universal forwarder is installed in a QA server and configured to splunk still logs are not showing up in splunk what are the possible connections to be checked?

what are the possible connections to be checked after installing Universal forwarder to extract logs in to Splunk Ind...

by Explorer in

Transaction - evicted event because of large timespan?

Given the data: {"Properties":{"CorrelationId":"00921908290","PublicationType":"Tv","Source":"ChangeHandlers.WhatsOnO...

by Explorer in

How do you Insert Hour, Mins & Seconds in an extracted time?

I have a table that populates something to the effect of: Name Start Time End Time ...

by Communicator in

Unable to load apps in Splunk - winsock error 10054

I browse to my splunk host from my local PC, log in, then click 'Splunk Apps'. I see 'Browse More Apps'. Under ...

by New Member in

access splunk from python using certificate

Hello, I need to access Splunk from python. At the moment my code looks as follows: # -*- coding: utf-8 -*- """...

by Contributor in

Issue on savedsearches access using custom role on a custom app

Hi, we have a Splunk Server Instance and we have developed several custom app. To limit access we are creating custom...

by Explorer in

Servers Patching and impact on Splunk

Hello Splunkers, My Infrastructure team is going to patch all the servers where Splunk is currently installed. Are...

by Explorer in

how to add new parameter on timechart graph

HI All, Below is the code for calculating disk utilization where "Name" is being passed as token for drive name be...

by Path Finder in

Intermediate throwaway index

In order to validate all the configurations prior to using the real index for a certain customer, we decided to use a...

by Ultra Champion in

Splunk alert Creation for Cron Jobs

I have one query that I am mentioning below if anyone can help on that it will be very helpful for me. I have requ...

by New Member in

Use the "restricted search terms" of a role to filter a saved search

Hello, I have a saved search, running each day with the following output Computer_Name | DPT | Install_st...

by New Member in

Mapping Splunk data models to Hive

Anyone know how to do this? I want to read Splunk data directly through hive, without archiving data to hadoop. Thank...

by New Member in

show send and receive from internet to my ftp server

i want to show the how much user send and receive from the internet to my ftp server,is my search command right? inde...

by Explorer in

Syslog Forward without indexing

How can I forward "windows security events" to a third party Syslog server without indexing it to the Splunk.

by Explorer in

Freeライセンスグループへの変更後のタイムゾーンについて

Splunk7.2.1を使用しています。 Trial ライセンスグループを利用していましたが、有効期限が切れたため、Freeライセンスグループへの変更しました。変更後にレポートからグラフ表示を行ったところ、時間軸に表示される時...

by New Member in

_meta fields: why am I unable to search for all of the events?

I am not able to search for all of the events from the fields. When i try field::value , I can see all of the events....

by Path Finder in

ldapsearch lastLogonTimestamp eval

I found this in a search: hxxps://www.splunk.com/blog/2014/02/10/which-servers-are-inactive.html It is old but ...

by Explorer in

Field missing in statistical table only, while present (with values) in search

Dear all, I have a dashboard table that does not display certain fields, which do have data - although not in ever...

by Contributor in

tuning machine learning toolkit

I installed mltk app and PSC add on but I dont know how can I tune it with my own data as it use itself lookups, how ...

by Path Finder in

Send only few events

Hello Splunk Support, we have the following problem: - We must send a log file to different receiver: -- a Splunk...

by New Member in

SQL Status

Good day, I am brand new to Splunk. I am constructing a dashboard to monitor the status of our SCCM environment. I...

by New Member in

issue in rex query

Hi Guys, I have a log as below; server1;443 status= running. server2;443 status= running. server3;443 status= runn...

by Explorer in

Restful API: cannot change the 'removable' attribute of savedchanges

Below is the Bash script to change the ACL of a saved search: URL="https://splunksearch3.shatin.link:8089/services...

by Communicator in

Using one instance of splunk to monitor aws and azure

Hi, Is it possible to use one instance of Splunk to monitor two cloud vendor environments? As in an AWS and an Azu...

by New Member in

how to ignore fields runtime which arent available from being considered in the calculation?

I am doing a calculation to add up all the time spent in each layer. But there are cases where few fields not existin...

by Communicator in

Splunk to search and analyse it in logs after one hour

I have a requirement to search and analyse result of searches in same log file after one hour. For example , Se...

by Path Finder in

SELECTED FIELDS

How to add fields to "selected fields" from the event. Some fields, such as name and sc_pl, are missing in the select...

by Explorer in

What regular interval of time new files will be indexed when we are monitoring a folder

I'm having a folder with five files trying to get monitored. We have given the folder path , source type to Automatic...

by New Member in

Can someone help me with an ADDON for extracting fields out of the syslog data of McAfee DAM (Database Activity Monitor)

We are using McAfee DATABASE ACTIVITY MONITOR solution and have integerated it with Splunk and do not get much fields...

by Communicator in

Map ZipCodes without lat long

My splunk event data has a mv list of zip codes that I'd like to put on a map but it looks like theres nothing out of...

by Communicator in

STATS COUNT on same field before and after WHERE / Condition?

Hi All, What I want is : Total no. of queues and total no. of queues with pending messages. Something like this...

by New Member in

Integration with IntSights Threat Intel Platform

How can I integrate IntSights Threat Intel Platform (TIP) with Splunk?

by New Member in

[CLOSED] Uncheck Radio Button

Hello, How can I uncheck a radio button? I have this piece of code: -input- type="radio" token="operator"- -lab...

by New Member in

Splunk and Service Now tool integration

Is it possible to integrate service now and splunk in such a way that whenever an incident comes in on service now, b...

by Path Finder in

How to troubleshoot why a Universal Forwarder is not sending data to the Deployment Server?

Hi all, I did read and try numerous if not all the subject similar to mine. I installed a Deployment Server on my Spl...

by Explorer in

integration of onpremise data with splunk on azure cloud environment

How can I integrate on-premise Splunk data with splunk on azure cloud.I just wanted High level view like if I can get...

by Builder in

have to less 10 minutes from a timestamp when another field value is null

Hi Team, I have two fields named as file arrival time , Sla time . I have to list the no files that are going to v...

by Explorer in

Can you help me with a stats count with different field names?

hello, I use the two query below index="x" sourcetype="WinEventLog:Microsoft-Windows-Diagnostics-Performance/Op...

by Builder in

Is it possible to display the annotation by default on line chart without placing cursor on the annotation label?

Hi team, We had a chart in splunk with few annotation labels which shows Build information. At present when we place ...

by Engager in

you are using hostname:8000, which is connected to splunkd @000 at https://127.0.0.1:8089

500 Internal Server Error You are using {myhostname}:8000, which is connected to splunkd @000 at https://127.0.0.1...

by Engager in

EventCode 4725 and 4726 not visible on search results

Hello, We have Splunk Add-on for Microsoft Windows (Splunk_TA_windows) deployed in our environment. There are 2 look...

by New Member in

Want to extract FOID= into two field, Pls help

05:45:25.985 [http-nio-8080-exec-137] INFO c.b.h.i.s.i.OrderDecompositionServiceImpl - POID=20275475 FOID=TRAFFIC_MGM...

by New Member in

Referencing global settings inside SimpleXML?

Hi, I am looking for a way to access one of the global settings parameters directly from the simplexml and to be r...

by New Member in

Splunk scheduled report 'Email when done' option sends me a link with a private IP that I cannot open.

Hello, I created a scheduled report in Splunk to send me an email with a link to the report and its results. Howe...

by Path Finder in

Smtp email to send alerts

Hi, Can you please how to to create a alert and send email using smtp server. We have two seperate host s for indexer...

by New Member in

Retrieving Summary Index Data

Hi I am trying to retrieve data from summary index and it is taking 300secs to retrieve 140000 events from 4 sear...

by Explorer in

what are all the difference betweed windows logs, unix logs, system logs and application logs

I am new to Splunk bit confused with these logs

by Explorer in

Can you help me write the time prefix?

Hello All, i have log events, in which my time stamp looks like superuser:02/13/2019 04:08:24:367 PM UTC suppor...

by Path Finder in

Authenticating User's using business web login.

Can we authenticate users by redirecting to business web login ? I want to autheticate clients based on rest api call...

by New Member in

Create a Legend based upon another table

Hello gurus. I have a panel with a STATS COUNT chart where the y-axis is numeric value. What we would like is a legen...

by Explorer in

Issue While Onboarding the Data into Splunk Cloud

I am new to Splunk Cloud. Recently we have purchased Splunk Cloud for our organization and I have got the Splunk Clou...

by Path Finder in

How to extract field using rex command

Hi, I have this sample log and I want to extract the request ID value after the period. Each of those numbers are...

by New Member in

Funnel Report based on URL sessions

I am creating a funnel report based on total customer sessions on each url by taling sessionid www.abc.com www.abc...

by New Member in

COALESCE command

hi when I execute the query below index="x" sourcetype="WinEventLog:Microsoft-Windows-Diagnostics-Performance/Oper...

by Builder in

fields in different languags

Hi when I execute the query below, I have the fields in bold in different languages following the Windows OS langu...

by Builder in

Access to directories

I have a directory accessible through UNC path. As a normal domain user, I have read access to that directory and I c...

by New Member in

parameterize search from various source types simultaneously in a fixed time frame.

I have multiple sourcetypes in my index. Lets call them st1, st2, st3, st4 & st5. I have a query that end with | tabl...

by Contributor in

what does it mean status =0xc000006d and sub status=0x0?

could any one suggest me how can I take this problem. Actually I have been working on PCI in Splunk tool. so recently...

by Engager in

Splunk App for VMware - Licence

Hi, I have installed this app and configured it using the addon. I was able to see the data, however, I am exceeding ...

by New Member in

How to export real raw events from Splunk?

Other answers imply that | table _raw | outputcsv is the method to export raw events from Splunk. However a csv file ...

by Communicator in

Portion of customers meeting threshold

Hi Splunk Experts, I am very new to Splunk and need some help to resolve my problem. I have a dataset that com...

by Explorer in

line of threshold in timechart graph

My request is simple sourcetype="mysourcetype" login OK | timechart count by host I want to visualize the thre...

by Path Finder in

Is it possible to get job parameter in dashboard

Hi, splunk comunity! I have a job which starts every 5 minutes, so i have Corn Expression in the shedule of my job. I...

by Explorer in

Whats the difference between dc (distinct count) and estdc (estimated distinct count)

I have a search that returns unique visitors query over 30 days' worth of logs : Using dc() it was a lot slower. H...

by Splunk Employee in

Pass the output of one query to another query

Hi, My 1st query returns 3 fields output.Out of which one filed has to be given as input to the second query which fe...

by Explorer in

Adjusting the x-axis on chart count

I'm using | chart count over severity by technique to display events by level of severity Currently I am not getting...

by Explorer in

How to display trend for 3 months?

Hi, How can i display last 3 months data monthly wise count as trend dashboard.To check whether monthly increasing...

by New Member in

Splunk server OS patching

Hi , I wish to patch the Linux OS for all the Splunk servers (including search heads, indexers etc). There are a l...

by Builder in

can i use "like" in search criteria

if one of my fields is host, I want to do host like "startswith*" what is the syntax to do that? thanks,

by Path Finder in

Palo Alto App - Aperture not pulling logs from API

Hi, has anyone encountered issue with Palo Alto Aperture not pulling logs from Aperture API? It looks like I can succ...

by Path Finder in

In a search head cluster, how to find what host sent email?

All, I have production environment with Alarm email notification. Sometimes it works, sometime it does not. Since ...

by Path Finder in

Universal forwarder consume

Hello everyone, please could you tell me how universal forwarder consume? (disk, ram, cpu) Thank you in advance an...

by Explorer in

Splunk TA for Windows src field

I've installed Splunk Security Essentials App and Splunk TA for Windows. However, when I run the Data Source Check I ...

by Explorer in

infblox DHCP src and dest flipping

Hello Splunkers, Has any one worked on infoblox DHCP and DNS data sourctypes , i see the src , srcport, dstport, ...

by Path Finder in

_meta not getting expected logs to splunk

Hello, we have index "text-index" and region is passed as meta _meta = region::east sourcetype = testlogs when...

by Engager in

How to make use of makeresults statement based on conditions ?

If in case there are no results then dummy data should be added and returned from the subsearch ortherwise the actual...

by Explorer in

I have indexer 7.2.3 and I want to install a forwarder in w2003 server, which forwarder i have to install

I have indexer 7.2.3 and I want to install a forwarder in w2003 server, which splunk forwarder version I have to inst...

by Explorer in

clustered environment - SummarySizeManager - Cannot compute size on disk - no such file or directory

Hello. We have a clustered environment, several searcheads, several indexers, Splunk 6.4.0 I am running the follow...

by Engager in

ARM v7 support? (RPI3, etc)

The Splunk forwarder currently available (as of 6.6) is only packaged for ARM v6 only and not ARM v7 Any word on b...

by Path Finder in

How do you create 4000+ index without creating it manually?

I have a client that consists of 4000+ branches, and I want to create an index using a file consisting different name...

by Path Finder in

Consecutive events by field - only show points in time where number of such events equals 5

I'm trying to find points in time where a consecutive event happens 5 times in a row. I currently have this query: ...

by New Member in

Splunk Cisco Networks App not displaying results

I have installed the Cisco network app version 2.5.6 and the additional Cisco add-on in splunk, and it's failing to s...

by New Member in

Can you help me get a number value and average it?

I am trying to get a value, in this case it is the # of seconds to respond, so that I can graph it or set alerts to i...

by Explorer in

Use enforcement and no-enforcement in the same time.

I have 2 Splunk Enterprise License (1GB enforcement License and 1GB no-enforcement License). What happens if over the...

by Path Finder in

Supress "Y" axis scale

I am using a stacked bar chart to display average responses to survey questions. Each block displays the average for ...

by New Member in

Can you help me get fields in different languages to be displayed only in English?

Hi, I have to query the event viewer, but some fields that are in bold are in different languages. What do I have ...

by Builder in

hi...can anyone please advise where to include stop option(path in GUI) to proceed the splunk query from searching

can anyone please advise where to include stop option(path in GUI) to proceed the splunk query from searching, also s...

by New Member in

Can you help me in subtracting 2 times together?

I have a time where a ticket is created called: | eval start_time =strftime(start_time_epoch,"%Y-%m-%d %H:%M:%S") ...

by New Member in

Spunk indexes.conf by deployment server

I have installed search head cluster and want pushing configuration by deployment server . But unable to find how to ...

by Explorer in

Hw to group the data by month

Hi, I need help in group the data by month. I have find the total count of the hosts and objects for three months....

by Explorer in

Splunk Query Grammar

I have a system that receives data from other systems for auditing purposes. One of these systems uses Splunk and I h...

by Explorer in

Can you help me convert a time format to a human readable form?

Hi, I have the below time format, which I want to convert to a human readable form. A few options would be great. ...

by Contributor in

Value expiration in query

Hi all, I'm wondering if there is a way to make a query with values that expire. For example my query is: index...

by New Member in

Will Kafka be part of the Splunk product in the future?

I heard recently that Kafka will be part of the Splunk solution in the future. Is it right? What would be its role?

by Ultra Champion in

stats count which dont returns the same number of events between 2 different query

hi I use two request which normally have to count the same number of events the first is : | eventtype=Periph |...

by Builder in

How can i set the same color for two columns in column chart

Hi, splunkers I have four hosts and query: index=myIndex | timechart span=20m max(counterMetric.sampleCount) as Co...

by Explorer in

threshold line time chart graph.

I have a time chart graph for disk utilization. Requirement is to add a static red color line as a threshold limit at...

by Path Finder in

Performance implications of a two node index cluster with ReplicationFactor=2 and SearchFactor=2

We preparing to move from a single indexer to an index cluster. I'm trying to determine the performance implications ...

by Loves-to-Learn Lots in

Get entity list of just splunk infrastructure servers

I would like to know the query I can use to get JUST the splunk infra servers, and not the UF's. I want to use this i...

by Builder in

Radial Gauge coloring question

Suppose out of 100, 75 is compliant and 25 is not. so i like to dynamically show 75 as yellow and 25 as red if its 10...

by Builder in

I have a field in the field t or f is there I need t values only

I have a field like report In the field it's showing t or s Events like service name report One. T Two. ` F I need t ...

by New Member in

deployment server in distributed environment?

Hi all i have the following environment 1-universal forwarder 2- indexer cluster that have 3 indexers and one master-...

by Explorer in

How to extract the count and value of a particular field existance from main search and sub search as well?

Sample Events Looks like : {"title": "SavedSearch1", "action_email": "0", "action_summary_index": "0", "alert_expire...

by Explorer in

Search Head Cluster: Lookups definitions not replicated to indexers

I have a search head clusters with an indexer cluster, version 7.2.3. On a search head, using Web UI I created a ...

by Communicator in

Univarsal Forwarder to Heavy Forwarder then convert Binary data to CSV on Heavy Forwarder and then send data to indexer?

1.My universal forwarder sending Binary data to Heavy Forwarder in Index name as "Binary_index" . 2.On heavy Forwarde...

by Explorer in

Cleaning up orphaned searches and reports

We migrated search heads and there was content in user directories from users that have since quit, and therefore no ...

by Builder in

How to get upcoming friday date

I have a date field in my feed as "2/15/2019" , want to compare this with upcoming friday date value in search. pleas...

by New Member in

how to calculate the starttime and endtime between duration ?

actually iam new to splunk in my logs starttime and endtime is there need to calculate duration starttime endtime ...

by New Member in

how to calculate starttime and Endtime duration

how to calculate starttime and Endtime duration |08-feb-2019 01:30:18|08-feb-2019 01:30:28

by New Member in

explanation of the concurrency in the limits.conf needed

Hello, My alert gets sporadically skipped with the following log entry: 02-09-2019 08:48:53.968 +0100 INFO Sav...

by Contributor in

Nexpose Add-on skipping sites

Hi , I am trying to integrate nexpose with Splunk using the TA rapid 7 nexpos .I am able to fetch the reports from...

by Path Finder in

akamai CM not working

We have akamai Cloud Monitor App installed on the Splunk. IT used to work when we we were using the Splunk Trial vers...

by Path Finder in

Display the values on pie slice in pie chart

I wanted to show the field values in each slice of pie .Now I have value shown only by hovering on each slice

by New Member in

View the parameters, e.g. from limits.conf using the search

Hello, Is it possible to view the configuration files / parameters, e.g. limits.conf using the search? I do not ha...

by Contributor in

Getting server metrics from Splunk Infrastructure Servers

We are just beginning to use iTSI and I would like to create some KPI's that are splunk servers, cpu, memory and disk...

by Builder in

Systemd unit with pid tracking for Splunk

With a simple systemd unit file you can tell systemd how to start and stop a Splunk instance, but if the Splunk insta...

by Explorer in

Splunk Fundamentals 1 - Lab Module 5 Question

I am unable to generate any search results as per Task 1 Step 3 of Lab Module 5. I have completed the steps of th...

by New Member in

Splunk report not pulling exact count for event for last 7 days.

I have report scheduled to run at 12 AM EST to search for last 7 days and just provide stats count for user ID's like...

by Explorer in

It is possible if we can match every value in the table with all the values and then give the results

Hi, i have a query on which i am stuck now from multiple days. I have combined 2 queries , first one gives the total ...

by New Member in

Blocked Queue on Splunk HF

hi, I can see blocked=true in metrics.log of Splunk heavy forwarder. Blocked Queues are: typingqueue, aggqueue, parsi...

by Explorer in

I am cloning _json sourcetype on managed splunk cloud to new custom name , the logs are not coming from log4j configuration

I have cloned a _json sourcetype to a custom sourcetype name and gave the correct URI for managed splunk cloud , stil...

by New Member in