Archive

Start a Conversation

Discussions

Start a Conversation

Thread Info

web.conf not working for dhfile in 2048 encryption

Setup the web.conf using dhFile at 2048 encryption web.conf dhFile = $SPLUNK_HOME\etc\auth\splunkweb\DH2048.pem ...

by Splunk Employee in

Splunk 7.0.0 and OSX High Sierra APFS

Splunk 7.0 doesn't start in new MACOS X with the APFS (Encrypted) filesystem. Is APFS not supported?

by Motivator in

Properties/Arguments in Endpoint URL for REST Modular Input

Hi Splunkers. I'm trying to set up a REST input to bring back output from an API. These are the parameters used to...

by Path Finder in

sorting date/time

Hi, I have example of date/time as below Mon 28 Dec 2015 06:26:19 PM ICT Mon 26 May 2014 04:52:02 PM ICT Fri 17 Fe...

by New Member in

Are baseline configurations posted online?

We had Splunk professional services or a few weeks ago to assist with standing up a new deployment. At the start of t...

by Path Finder in

Getting data from Mainframe system??

Hi all, How to get data from Mainframe systems onto Splunk??

by Path Finder in

Search for URL not in Alexa Top 1m

Hi everyone, I have a log with a field that contains a URL. I would like to perform a Splunk search and find all logs...

by Explorer in

How to retrieve data from query string from URL in splunk cloud ?

I want to fetch data from base url of splunk cloud. I want to redirect from one dashboard to another. For that , I ha...

by Explorer in

Why are some undefined field searches faster than searches where you define the field and value you are looking for?

So I noticed that when I run two searches like the following and I am looking for a value, in this case some computer...

by Contributor in

After license agree show error

Hi, What can i do wrong or why show me this errors? Software License Agreement 05022017 1 Do you agree wi...

by New Member in

Time_format_change_procedure

Hi Guys, I am trying to create a use-case as " date when any single user was created in AD" it's done but I need to c...

by Engager in

Web Page Input Splunk for Json feeds from Hybrid-Analysis.com

Hi, I added the following web-page config on Search Head. URL - https://www.hybrid-analysis.com/feed?json Se...

by Path Finder in

search string query

Hi I can use the search string to get the statistics output index=data sourcetype="data1" host=HOSTA | stats coun...

by New Member in

Fresh install of Splunk 6.3.2 wrong value of SPLUNK_OS_USER in splunk-launch.conf

Hello all, Installed splunk-6.3.2-aaff59bb082c-linux-2.6-x86_64.rpm today on RHEL 7.2 and could not get it to star...

by Engager in

About log rotation best practices

Now I am planning to rotate the logs being monitored by Splunk. I will also use the compress option to rotate. ...

by Builder in

missing users.ini file

I have been getting a message that says that a file has been improperly modified or missing. The result of the integr...

by Communicator in

Tricky regex

Hi, I have this data 10.210.192.5 - - [26/Sep/2017:19:59:59 -0400] "POST /rest/icontrol/sites/266646/decreaseWa...

by Motivator in

How can I find out how much volume hosts are sending to my "main" index?

I need to find how much volume hosts are sending to my "main" index. The search below queries the internal index, and...

by Explorer in

PRTG connector

Hi *, Somebody out there already found a way to connect to PRTG (Paessler) ? Grtz - Will

by Engager in

Are function names case-sensitive?

The following query did not return any results: ... | stats count(EVAL(error_code=2000)) ... I had to use lowe...

by Path Finder in

Forward to other index

Dear all, may I ask a noob-question to the experts? Currently I am forwarding Data from several forwarders (F...

by New Member in

HTTPS collector not receiving items from scrape?

Using Splunk enterprise. https://45.55.161.5:8000/en-US/app/launcher/home A HTTPS event collector is listening on ...

by New Member in

When I try to start Splunk after untarring, I get the error "Couldn't determine $SPLUNK_HOME or $SPLUNK_ETC"

After untarring a download of Splunk in tar.gz format, I get the following error: ERROR: Couldn't determine $SPLUN...

by Champion in

Contingency Total Rows

Hi I wonder whether someone may be able to help me please. Using an adapted solution from @woodcock I'm using the ...

by Motivator in

Does Splunk have end of life support dates for Splunk 5.x and 6.x?

Does Splunk have end of life support dates for Splunk 5.x and 6.x? Thank you,

by Path Finder in

New Errors that did not exist last week

Say I did a bunch of changes over the weekend and wanted to see a list of any new errors. Is there a way I can sh...

by Contributor in

REST modular input JSON custom handler for AWS Pricing Data

Having a bit of a struggle. AWS has a pricing API available at: AWS JSON Pricing API URL Because of how the JSO...

by Splunk Employee in

Next steps after finishing the Splunk Fundamentals Part 1 (eLearning) course?

I have completed the – Final Quiz for Splunk Fundamentals Part 1 (eLearning) and the reference snapshot is attached h...

by New Member in

How can I search to show which browser and browser version users are using?

Hi, I would like to extract and show the browser and version from the user-agent string, so as to segregate the di...

by Engager in

Regarding implementation of Calendar visualization

I have a requirement where I have four fields : 1. AverageValue (of a month for some parameter A) 2. ActualValue (on ...

by New Member in

My case statement is putting events in the "other" category -- why?

Hi guys, So i have a useragent and a url field for an elb log file. I am checking the user agent field for the values...

by New Member in

Splunk search help -- output data should match 2 or more of the keywords

Hi, Fellow Splunkers, Noob question. I would like to seek for help in my search, this is the case: The client gave...

by Communicator in

How do I make my search command to summarize network throughput data?

Aplogies, I'm not a Splunk administrator, I'm a capacity tool person that needs to extract some metrics from Splunk. ...

by Explorer in

How to make Splunk read the file when only date stamp of the file changes.

I have a system where I use SSH to pull out status data from a remote system This is then stored to a file that Splun...

by Builder in

Transformation fields using Splunk UI

Team, I need help in defining 3 new fields using Splunk User interface. Decision=Agree , Field Name should be...

by New Member in

How do I get an older version of Splunk DB Connect 1, particularly version 1.1.7?

Hi, I am unable to get DB Connect 1, version 1.2 to work, and I'd like to try 1.1.7, but I can't find it. How do I...

by Champion in

Is anyone ingesting Ganglia data into Splunk?

I'm looking for anyone who is ingesting Ganglia data into Splunk. I have a customer interested in doing this but were...

by Splunk Employee in

Arduino with Splunk

hello, we are trying to use splunk with arduino by wifi (esp8266). We utilized the port 8088 and this code but don´t ...

by New Member in

package deployment-app via CLI or rest

Is there a way to package an app in /etc/deployment-apps or /etc/master-apps analog to apps in /etc/apps ? For apps i...

by Motivator in

Questions on best practices for a new Splunk environment

Sorry for too many questions This is our environment 6 Splunk servers 1) splunk01 – Ad HOC Search head used...

by Communicator in

Show all values 0 to 100 with precision up to 2 decimal points

I am working on a single value dashboard panel where I am showing output in percentage with precision up to 2 decimal...

by New Member in

Machine learning toolkit Assistant - Detect numerical outliers - Timechart value by field

I am trying to use the machine learning toolkit assistant for detecting numerical outliers in transaction response ti...

by New Member in

Error when pushing bundle to shcluster. Error = "No target specified"

We are using a stand-alone deployer to deploy apps to a cluster of 5 search heads. Currently, when trying to push a s...

by New Member in

Can Monitor Path include spaces?

I am trying to get this to work [monitor://\Corp\hdq\nba\nba releases\Utilities\SuitReviewWorkbench\suiteviewworkbenc...

by Explorer in

Combine the two queries and calculate count

Hello experts. I tried to execute the query, as described here https://answers.splunk.com/answers/106906/how-to-p...

by Explorer in

getting this error while applying distribution bundle

I have some apps that I deleted in slave-apps directory on our indexers and now our master apps on cluster master has...

by Communicator in

Cluster has only 0 peers (waiting for 2 peers to join the cluster)

Receiving as we had to redistribute the configuration to peers and took restart i think both peers took restart when ...

by Communicator in

Need a new Splunk Enterprise trial license for fundamentals training

I have installed Splunk Enterprise trial version in the past to learn how to use Splunk. Now, I have been invited ...

by New Member in

Question about pipeline parallelization

How can I achieve pipeline parallelization in standalone Splunk indexer to optimize my CPU usage? In Splunk 2016 .con...

by Engager in

Search from host 'A' (based on multiple values of a field of another search from host 'B')

Hi, I have a question for searching. I want to search from host 'A' (based on multiple values of a field of ano...

by New Member in

Splunk 6.X Fundamentals Part 1 Questions

Hello, I have taken Splunk 6.X Fundamentals Part 1 e-Learnig course and i have completed i. but i want to access t...

by New Member in

Advanced Dashboard using external picture

Hi folks, I need show the status of some places that have some servers and IT objects in one picture attached. I h...

by Contributor in

How can I avoid that every slash '/' in a URL is converting to '%2af'?

In one table column I have a URL as a Link. Working format: www.google.de Not working format: https://www.google....

by New Member in

PCI compliance and Splunk

Hi folks, My company got Enterprise Splunk and we want to integrate Splunk and PCI compliance. I am New to it so can ...

by New Member in

How to select 2 different lookup table based on different cloud name

Hi Team, I would like to call different lookup table based on the cloudname in my search query. For ex: if c...

by Explorer in

Premium apps について

Premium appsとは、有償apps のことを意味しているのでしょうか。有償以外でも Splunk Supported であれば Premium apps とされるのでしょうか。

by Communicator in

Routinely (24 times per day = 1 get per hour) parse section of HTML page (i.e.: specific table) to output.txt. I need syntax/regex to parse specific section, NOT all source code.

Hello, I need to parse a specific web page's table (I'm using PowerShell/WMI ($wc.downloadstring) to download sou...

by Communicator in

Splunk counting duplicate events for failed logon

When the below search is ran, it'll count duplicate failed logons for all users. How do I exclude duplicates in a cou...

by Path Finder in

How to discover which user disabled and enabled the default demo lookup files in Splunk ES?

I want to see who has disabled and enabled the default demo lookup files under Splunk ES->Data Enrichment->Identity M...

by New Member in

Mainframe Syslogs Plugin for Splunk

Is there a Splunk plugin available that would map/tag most of the recognized fields in the z/OS System Log?? Trying t...

by New Member in

Splunk for monitoring Mainframe logs

Hi, I am exploring how we can use splunk to monitor mainframe logs. I have no idea about the same. can anyone answ...

by Engager in

indexer cluster topology across two datacenters

Hello, I am implementing Splunk. 1 Search Head An indexer cluster with 2 peers 1 Master Node X Heavy Forwarders...

by Communicator in

Why is accelerated data in data-model WEB deleted?

When I restart Splunk, accelerated data in data-model WEB is deleted. I update the WEB, then the model gets the data ...

by New Member in

File indexed only occasionally

My input.conf file: [monitor:///var/log/openvpn/hostname_vpnStatus.log] disabled = 0 crcSalt = SOURCE index = iss-nip...

by New Member in

How do I go about sending multi-lined string variables to Splunk?

splunk.intersplunk.outputResults output multiline strings in a field I have multi-line results which I would like ...

by Motivator in

How to append field value to events based on its category

I have all events logged under one index. The events arent categorzied. Below is the query index=main host="prod" ...

by Communicator in

When Was The User Account Created

Hi, I wonder whether someone may be able to help me please. I'm using the query below to list the current user acc...

by Motivator in

How can I see the invalid password attempts from Cisco ASA events?

Hi, I'm trying to see the Invalid password from cisco asa events. message_id=113005 | stats count by user | whe...

by New Member in

Unable to forward syslog to third-party syslog server

I have an all-in-one environment, which indexed VPN logs. I also want to forward the vpn raw logs to the third party ...

by New Member in

How can we clean messages about unconfigured/disabled/deleted indexes?

We have some messages saying - Search peer <host> has the following message: Received event for unconfigured/disa...

by Ultra Champion in

What is the manifest file and is there an issue if it is missing?

Sounds like I have a manifest file/hashing issue that appears whenever I restart splunkd on an endpoint, like the fol...

by Path Finder in

How are concurrent searches counted and how can we simulate 100 concurrent searches?

I would like to check if there is any possibility to simulate 100 concurrent search. Also if I were to login 5 dif...

by Engager in

Splunk and ServiceNow event management options and a few questions

HI , Could someone please help me know how I can integrate Splunk and ServiceNow for Events? I followed few articl...

by Engager in

Where can I find the internal logs in the Splunk 5.0.1 file directory?

Hi, I'm trying to find the var/log/splunk/ folder logs to check the errors and warning but in the older versions s...

by New Member in

Absolute paths

I know this question has probably been asked before but I've tried it a LOT of ways. Splunk 5.0.4 build 172409 on ...

by New Member in

Configuring Forwarders with Deployment server

All, I have a successfully deployed app based on the Splunk documentation on how to create "sendtoindexer" app. Th...

by Explorer in

How do I use the username in events returned in a search of Index "A" to look up the user in index "B" and only return the events where the user in event from index "A" exists in index "B"

This part of my query gets me on the street I want to be on for this report index="A" | rex mode=sed field=UserFu...

by New Member in

Tried to add a search peer: Error while sending public key to search peer: No route to host

(attempting 1 Indexer, +1 SH setup) For some reason I am not able to add a search peer. I tried two approaches as ...

by Path Finder in

Virustotal Checker: Why are we receiving "Socket Timeout. Check Your Internet Connection" error in the vtc_message field?

We just upgraded to the VirusTotal Checker 1.3 version and now we get a "Socket Timeout. Please Check Your Internet C...

by Communicator in

Typo in the free course

There is a typo in the free course. Module 4 quiz question 3. Shouldn't it read "will be used as the source of your d...

by New Member in

Are search terms case sensitive?

What are the proper names for search terms and/or what does "search term" refer to? Is that case sensitive/insensitiv...

by New Member in

How can I use a combination of an IF statement along with AND?

Hi, How can I use a combination of an IF statement along with AND. I'm looking to run a count whereby IF the _h...

by Path Finder in

Migrating Splunk Enterprise from one machine to other

Hi, I need to migrate Splunk Enterprise from one machine to other machine. Currently I am running Splunk 6.4 and w...

by Path Finder in

Can Splunk search DB2 LUW active logs and archive logs looking for DML activity against sensitive data tables?

Can I use Splunk to search DB2 LUW active logs and archive logs looking for DML activity against database tables? We ...

by New Member in

Can I rename a field conditionally?

I have a field named severity. It has three possible values, 1,2, or 3. I want to rename this field to red if the fie...

by Explorer in

How can you specify additional characters to the indexing tokenizer?

We have messages that have tabs replaced with #011 along with other control characters (See rsyslog EscapeControlChar...

by New Member in

Eval and multiple logic operators

Hi, Can anyone explain why the following dosent work? .... | eval suppress=if((hour >=10 AND hour <=12, "yes","...

by Path Finder in

Trouble getting syslog_ng to work on a standalone Splunk instance

Ive install syslog-ng on a standalone splunk instance but cannot get it running - ive looked at the following guide :...

by Path Finder in

Connection Timed out and An existing connection was forcibly closed by the remote host

Hi Guys, I am just a newbie in Splunk and this will be my first time to perform troubleshooting. I'm having a conn...

by New Member in

Query using inputlookup as primary, with nested query

I have an inputlookup table that has a list of details, specifically IP's. The user wanted a list of all IP's that ex...

by Communicator in

Is geom mapping bugged for choropleth map when zooming where multiple colors exist?

Greetings, I am running into an issue where if I zoom on a choropleth map and multiple colors exist in the legend,...

by Contributor in

-0500 ERROR TcpOutputFd - Read error. Connection reset by peer. not not able to forward data into index

$ tail -f splunkd.log 06-19-2017 06:08:12.823 -0500 ERROR TcpOutputFd - Read error. Connection reset by peer 06-19-20...

by Engager in

FREE Splunk that permits up to 500MB volume per day. How do I obtain this?

Hello! How do I obtain a free version of Splunk that permits up to 500MB volume per day maximum? Is this something...

by Communicator in

Why is some of my log file data indexed multiple times in Splunk?

I have a file, service.log, that is configured to be monitored and indexed in Splunk. When checking in Splunk, some o...

by Path Finder in

How many times can I take the final exam for the Splunk Fundamentals 1 course?

How many attempts are there for the above course? what is the duration of the certification course? How many ...

by Engager in

How do you set a default maximum data transfer rate?

Dear Splunkers, is there a maximum KB/s of traffic a forwarder sends to the indexer? I mean is there a limit you c...

by Path Finder in

How to Compare 2 fields from 2 sourcetypes and remove events that are the same and only in the second sourcetype

I have 2 Sourcetypes A and B with 2 important Fields SSN and Number. I want to compare all of the SSN and number's fr...

by Explorer in

How to get earliest datetime

I have a field which contains firstfounddate and due to some reason it keeps on changing for some of the assets. E...

by Explorer in

Is there a forensic-type report that handles AD user account properties for PCI and SSAE compliance?

Hello, I'm looking for a way to track total property changes within an AD user's account. As an example, per PCI and...

by Path Finder in

Search help -- my search is inaccurately showing if hosts have been online in the past 24 hours.

I have a query as follows | inputlookup ABCD | search Forward="Yes" | table Region,IPHost, ip_address | rename ...

by Builder in

Search that shows which extract ran successfully or failed

We have integrated Tableau with Splunk, I am setting up a Splunk dashboard which will give any user information on th...

by Explorer in

How to preserve order of json array in search results?

We are on Splunk 6.2.1 We have logging raw json including 'stack_trace' as a json array like this: {"exception_...

by Path Finder in

Search pattern from one file in another file in same time frame

Hello, I have a pattern in one file that I need to check if it has occurred in another file. The two files are like: ...

by Engager in

Reading 1000+ overwritten json files on time interval

I have 1000+ json files located in a directory and those files will be overwritten by every day. the file name starti...

by New Member in

How to dynamically increase the panel based on multiselect

I have a multiselect box which is getting populated with Release numbers <label>Release(s)</label> <search> ...

by Communicator in

How can I create the same fields with different values within the same event?

I need to extract cveid, cvss, vulnerability number, etc.. here is my log: ...... cveid="1234" cvss= "abcd" ......

by Explorer in

Is there any documentation for the Search ElasticSearch app?

I just downloaded the Search ElasticSearch app. Is there any doc or config settings that can be shared?

by Champion in

Indexer unable to contact licence master

Hi All, have 1 license master/search head and 3 indexers, as of about 2 weeks ago all 3 indexers lost contact to t...

by New Member in

[SPLUNK4JMX] add Customer MBeans

Hi, I have a customer, with some customer Java MBeans with a hierarchy in 3 levels. This looks like root-Level ...

by Communicator in

CHART OR TIMECHART OR TABLE

HOW TO OBTAIN A CHART LIKE IN ATTATCHED IMAGE THANKS IN ADVANCE

by New Member in

How can I get the percentage of requests taking less then 500ms?

I have a below query: index=idx1 | search 'apiname' = AccountSec | eval TotalTime=Start-End | stats count as "Tota...

by Explorer in

Splunk false alerts

Hi, Splunk started sending false alerts since today morning even though aler condition hasn't been triggsered. Onc...

by Champion in

Is Splunk NUMA aware ?

Hi guys Do any of you know if Splunk is NUMA aware ? I have not been able to find anything related to this. I am i...

by Path Finder in

print the error code count

I want to create the dashboard to show error count for specific execution group on specific broker, Below is the quer...

by New Member in

Results for each minute in an hour (even if there's no data)

Hello All, Suppose I want a search results for past 60minutes, how spunk works now is if there is any event in pas...

by Explorer in

Data upload to spool is truncated

I'm using powershell to get a web page in order to keep track my service status. I tested my script which can write t...

by Explorer in

Is it expected : Workflow action visible under action for notable events on incident review on enterprise security

I had a add-on created with prefix TA-XYZ(having Adaptive response action) and one app say "ABC", which has workflow ...

by New Member in

Search to display port scan attempts

I'm having a hard time developing the query to display this, but in short, I want to write a query that will display ...

by Engager in

How to get _time at median value?

Hello everyone, Now, I encountered hard problem that I can't solve for long times. I was also google on many hours...

by Explorer in

Exploratory analysis in Splunk - for Non Splunkers

Hi Folks, There is a group in my workplace that does all their DA in Python Pandas and Notebooks.. They are intete...

by Explorer in

Find inconsistencies in the IDs of results

Hello, I'm new to Splunk in general, and I was wondering is there was a way to highlight inconsistencies in the ID...

by New Member in

For the same type of event logs, why in uncommon cases, does Splunk not fully show all of the event log content?

I have set a search that looks through all logs in my nifi-app.log file where the header "Standard FlowFile Attribute...

by New Member in

Splunk search that finds when matches 2 events but does not match a third within a 5-second interval over the last 24 hours?

Need to find the solution for a Splunk search that finds when EventID=24 and EventID=40 but not Event_ID=23 within a ...

by New Member in

How can I get splunk to run "ps aux" and check for a specific process?

Hello all, I have a simple flask webhook running on my splunk server that is managed by supervisord. Since I'd lik...

by Builder in

Nested Join?

I have 3 different searches I need to combine, where the secondary and tertiary searches need to be joined, and then ...

by New Member in

How can we add token based condition to search query ?

below given is search query and I want to run this query only if token "$CheckStatus$" is set to some value. if token...

by Builder in

How to access a field name using variable ?

My Splunk results are returning multiple fields including fields Sunday, Monday, Tuesday .... Saturday. Now my req...

by Explorer in

Duplicate value conflict

Hey , get the duplicate conflict error. I already check few posts here and tried changing field by label and fiel...

by Explorer in

Why can't I delete my LDAP strategy?

Just wanted to run this one by the Splunk community to see if anyone else has experienced this before: -Earlier th...

by Path Finder in

How to clear dependent value when start new search

Hi guys, please help me, I have 2 tables, one of them is hidden and shows contents when I click on parameter "time" i...

by New Member in

Output for scheduled saved report

Hi, I am new to Splunk. Trying to understanding the scheduled saved reports. What will be the output of scheduled...

by Explorer in

many splunkd.exe btool server list processes running on windows server

Hi. I have a small sandbox server, where I installed Splunk 6.5.2, and a test installation of ITSI (4 vCPU). When ...

by Contributor in

Interesting Fields Missing in Search & Reporting of two different Search Heads

Hi Team, We have two search heads deployed in our environment for Enterprise Security Operations team. Let me dire...

by Path Finder in

Certificate generation failed : Splunkd port communication will not work

Hi, On start up I am getting this error: The certificate generation script did not generate the certificate fil...

by Influencer in

System requirements like RAM & cores etc if we use the departmental architecture.

Hi, What are the system requirements like RAM & cores etc. If we use the departmental architecture in Virtual mac...

by Path Finder in

Create search shows hosts status from Down to up

We need to send alert shows if hosts status change from down to up please help me how we can do this

by Explorer in

Results are missing from this search

Hi, I use the below search to get the row with max value; (index="indexa" OR index="indexb") sourcetype="sourceA" ...

by Explorer in

Why isn't my discard working?

I'm trying to discard entries from one of my data sources and it isn't working. Why? All the following are set on the...

by Path Finder in

SSL SSLHandshakeException for HEC for Splunk Cloud

I am using HEC to publish data to Splunk. I am getting following SSL error - SSLHandshakeException. org.springframe...

by New Member in

How is the Jenkins PlugIn integrated with the Jenkins App

The Jenkins PlugIn is a .hpi file which will not install from the Splunk Manage Apps console which will only install ...

by New Member in

Timerange picker: Change the value from _time to Reported date

Hi All, Thanks in advance. By default time range picker is using time. I want to change the value of time rang...

by Explorer in

Using multiple geospatial lookups

Thanks in advance for any help. I currently am using a geospatial file to show devices inside or outside of a geof...

by New Member in

Automating bundle pushes from shcluster and index cluster

Simple question, has anyone been able to successfully solve this? I can surely think of a bunch of easy ways to accom...

by Builder in

Replace a null value after search appending

Hello All, I have a search query as below: index="alpha_all_aal_event" type=twaReport|search callId=0 user...

by Explorer in

Splunk DB Connect 1: Why am I getting Oracle DB connection Error "ORA-01882: timezone region not found"?

After going through some of the posts here, I am still facing the same issue. Basically trying to connect to an Oracl...

by Communicator in

Error occured during do run "Custom search command example"

I do exercise example about "Custom search command" step by step , but the following error occurred. What's the pr...

by New Member in

How to change "No results found" in a dashboard to a custom message

Per some research it appears that there is an simpe XML solution for by using the job propperty = job.resultCount ...

by New Member in

Is it possible to mount HOT to a ram disk for performance?

All, Just day dreaming here a little as I read the indexes.conf file documentation a bit. I was thinking, assumin...

by Builder in

Keywords and Field name restrictions.

Can we search keywords in Splunk? Is field name restricted to 15 characters only? How can I name fields with more tha...

by New Member in

Deselect option in timeline.

What 'Deselect' option in the timeline will do? Will it run the new search or not?

by New Member in

How to choose one field value out of two ?

Hi All, If a field has two values but I want to pick only one. Could you please suggest me with the help of which ...

by New Member in

Splunk ODBC SSL connect error

I am trying to connect to Splunk Enterprise using Splunk ODBC app following the documentation http://docs.splunk.com/...

by Explorer in

Same query send to Splunk multiple times

Hello, I have an external script which sends queries to Splunk via API. My script sends 10 identical query same ti...

by New Member in

What causes the Login Screen to respond with "Warning: The time on the server differs significantly from this machine..."

I see that it is a response to a Cookie check (code here: http://answers.splunk.com/answers/46756/command-line-search...

by New Member in

How to change Custom Adaptive response action success status message?

As highlighted in above image, is it possible to change this success status message to show my own details for the cu...

by Explorer in

Departmental architecture setup for 100+ concurrent users or searches?

Hi, I want to setup departmental architecture because we are getting daily data volume is 1 GB/day. As per the ...

by Path Finder in

How to separate column for different date

Hi everyone. I have this current search result below and I want to have another column for different dates as a desir...

by New Member in

Splunk version changes depending on the screen I am on

Hello, Splunk is showing me different versions depending on where I am. For instance: On Apps, I see version ...

by Path Finder in

About real time search

I want to know about CPU occupation when doing a real-time search. If I build Splunk in a standalone way, and I co...

by Builder in

Why there is an GET call to rum.statuscake.com:8000 in Splunk answers page

Hi Splunkers, This is not related to Splunk product details, found something interesting on splunk answers page. R...

by Explorer in

how to split the time into different shifts to find how many employees came in shift 1 and shift2

we have a data with employee numbers who enter the office during different times in the day. We want to categorize...

by New Member in

What is the best way to estimate frozen storage sizing needs?

Hello All, I'm trying to assess some offline storage needs for archiving old Splunk data. I'm planning to adjust m...

by Path Finder in

Multiple Join Nested Join similar to IF ELSE LOGIC

I have sourcetype = sourcetype1 with field 1, field 2, field 3, field 4, part1, key1 sourcetype = sourcetype2 with f...

by Explorer in

How Can I add another Search Head into my Existing Splunk Enterprise Setup?

We have 3 Indexers and 2 Search Heads configured in our setup. The goal is to add another Search Head. Is this possib...

by New Member in

How to search for all components of a Splunk deployment

Hi, I am new to Splunk and would like to start using Splunk on my firm's applications monitoring. Please let me know ...

by New Member in

How to reset the link on a link list input

Hi, this is my first post on here, am very new to using SPLUNK so please bear with me if how I am doing things is clu...

by New Member in

How to install a splunk app?

i downloaded the Dshield splunk app. How to install it on my Windows splunk?

by Engager in

Triggered Events generated by adding new Correlation Rules, shown in Top Notable Events (Security Posture) & not shown in the Incident Review Page

In Splunk ES, Correlation Rules Added with Adaptive Response Actions (Notables with specified Domain), when triggered...

by Engager in

Auto refresh a dashboard

Is there any setting that I could enable for my entire dashboard to auto-refresh every couple of seconds or minutes ?

by Explorer in

Use lookup table values as a input for search query and display lookup table values with query manipulated fields

Hi I have a lookup table with the field (indexname). I want to use each lookup table field (indexname) values as a i...

by Explorer in

How to find previous releases using current release?

Lookup file contains release number and its start date. The fields in lookup file are Release and Production (start d...

by Communicator in

Change color of stats count visualization

Hi I am new to splunk. I am trying to do a bar chart viz and trying to color each sourcetype by a color but havent...

by Path Finder in

How can we eliminate orphaned searches?

We have orphaned searches we reassigned to our accounts but still see the messages every saying you have 11 orphaned ...

by Communicator in

File monitor wildcard not matching?

I'm trying to monitor a catalina logs that look like this: /home/loader/logs/catalina.2017-09-01.log with this ...

by Explorer in

Getting McAfee ESM logs to Splunk

Hi All, Have a requirement with a client that they are looking at integrating their Existing McAfee ESM with the S...

by Explorer in

MAX_EVENTS issue on local Splunk Enterprise application

Hello all, I am having an problem with a Splunk application I am making on my local instance of Splunk Enterprise ...

by Path Finder in

Adding static vertical lines to a scatter plot

Hello, right now I have a scatter plot of duration vs. size and i want to make 2 vertical lines at different values o...

by Engager in

Is there a way to index SSL certificate (.cer) file using Universal Forwarder?

Hello, I have a certificate file that I want to index in Splunk. The file reside in "D:\somedir\name.cer" I have t...

by Explorer in

Splunk Add-on for CrowdStrike: Compatibility with Splunk v6.6?

Can we install this app into Splunk version 6.6? I'm wondering that installation this app into splunk 6.6 is supporte...

by Splunk Employee in

Changing _time for a dashboard to another time field

Hi, i have a dashboard done up with a time range filter. By default, the time range filter is using time to scope the...

by Path Finder in

How to install separate Splunk Indexer in AWS?

Would you be please able to provide me with a steps how to install a standalone indexer in AWS account? Should we use...

by Path Finder in

Need to find all fields related to sourcetype

Hi All New to spluk and have a basic question want know how to get all fields (selected and interesting fields...

by Engager in

Splunk install earlier enterprise version

Hi! I would like to know if it possible to reinstall old version of Splunk Enterprise(6.4.0) and replace the 6.5.4...

by Path Finder in

How to bundle and reference jquery-ui library in Splunk

I am trying to figure out how to load the jquery-ui library into my splunk app and reference it in my Splunk dashboar...

by Path Finder in

.conf2017 : Anyone attending Splunk annual conference in Washington DC?

Not sure if this is the correct forum to check, if any of you guys are attending Splunk Conference in DC .conf2017? ...

by Super Champion in

Incident Review Incidents Disappear when search completes

This is an odd issue. After a restart of Splunk my incident review dashboard will show all of my incidents as long as...

by Explorer in

Splunk installation issues version 6.6.1

Hi All, I have tried to install the splunk 6.6.1 version in VM Linux environment for a testing purpose and while extr...

by Motivator in

Cannot View data in Splunk Console

Hi I am new to Splunk and we have to complete POC . We have two server : Server A ( Index Server where Splunk Ente...

by Explorer in

Query many fields with the same part in the name

Hi, i have events in one sourcetype with over 90 similar fields like field1, field2 ... field90. I can write a...

by Communicator in

Stats (count(x) as countX, count(y) as countY) BY FIELD X

Hi, As the title suggests, I am after a query which gives me both the values of count(x) and count(y) by fieldX t...

by Engager in

How to extract the host name and database name

Hi, I would like to extract the Host Name and Database Name from the below string. URL : jdbc:sqlserver://WBMSSQL...

by New Member in

Response Time capture and count

I have a below SPLUNK event: ns=app1 Service='trigger1' id=100 ActNo='101' ServiceType='REST',ResponseCode='200',Resp...

by Explorer in

unexpectedly installed a another instance of splunk on the Linux server on the same path,but the service is not started yet for the new installation.how to get it removed.

ran rpm -e on search head and then ran rpm -I --prefix= Now if I run ./splunk from splunk/bin folder, I am unable to...

by Engager in