Knowledge Management

Ask a Question

Discussions

Thread Info

How to check if the automatic lookup is working?

How to check if the automatic lookup is working? Lookup is working fine how can I test auto lookup is working too?

by Explorer in

How do I add and delete host in Data Summary from Data Summary Splunk?

Hi there. Newbie on splunk here. I have a rookie question to ask ... In Search menu, under Data Summary, how do...

by Communicator in

Why does this error "('createIndex', domain: '5', code: '10088'): exception: cannot index parallel arrays" causes KVstore to stop working?

Hi all, I’m experiencing an unclear issue with KVstore (Splunk 6.5.6). I’m leveraging field acceleration within KVsto...

by Splunk Employee in

Do anybody know about fields +?

What is difference between fields + and fields -?

by Path Finder in

Why is kvstore update failing with code 115?

I've got a kvstore lookup who's data is updated every day from a scheduled search. I built it using the ideas that @d...

by Motivator in

Why to ever use Structured Data Header Extraction?

I am confused about when to use Structured Data Header Extraction. Am I correct in understanding that structured data...

by Path Finder in

KV Store on Heavy Forwarder

EDITED: I am building a TA. I have installed it on my Heavy Forwarder, it writes events to the Indexer. The TA uses c...

by Explorer in

How to pull data from a lookup within a date range?

I created a lookup definition, account_admin, for a csv file that I have. ark_admin - file - Time,User,Source IP,Ser...

by Path Finder in

Splunk Mobile App End of Life

Hi Guys it seems that the ios and android app was taken out of the Apple App Store and Google Playstore because it is...

by New Member in

Can other server types (clustered indexers, heavy forwarders, etc.) fetch config on initial startup (non-search heads)?

Search heads have a config option conf_deploy_fetch_url under shclustering in server.conf that causes them to, on sta...

by Path Finder in

Additional indexed fields

Splunk generally index data based on _time. We have a use case where we want to retrieve results from summary inde...

by Path Finder in

TA for IIS that follows the Common Information Model

Is there an addon(TA-iis perhaps) that follows the CIM for IIS logs?

by Motivator in

Is it possible to create a field alias on a lookup output field for mapping to the CIM model?

Hi guys, I am in the midst of trying to map the fields in my data to the splunk authentication CIM. However, I rea...

by Explorer in

Is there any way to limit the number of search results in a data model?

When searching on an index, you can pipe to "head 100" and retrieve 100 results. index=my_index cookie* | head 100...

by Explorer in

Linux servers - Universal Forwarder or Syslog

What is the best practice to capture data from our *nix servers? Install the Splunk forwarder agent and the Splunk fo...

by Engager in

SPUNK saves logs. does it fulfill STIG requirements?

When SPLUNK saves logs in raw data does it fulfill STIG requirement Full requirement of Logging: 1.Logs must be tampe...

by New Member in

Hungry Newbie: Best way to learn Splunk well efficiently (shortest amount of time)?

I am a reasonably clever, tech-savvy young man but by no means a genius. I am a very hard worker and I am planning on...

by Path Finder in

SDK DataSet Mangement

I was wondering if there is a way to upload / manage Splunk Datasets with the SDK ? I quick run through the very nice...

by New Member in

What is the max character limit for a macro?

I have a macro which does not work when invoked in a search, but does work when the contents are cut and paste direct...

by Splunk Employee in

Summary indexing

Search peer indexer has the following message: Received event for unconfigured/disabled/deleted index=voiceapp_summar...

by Explorer in

Why don't I see match_type in Lookup Definition Advanced options

I'm running Splunk 6.5. I see Min Matches, Max Matches, and Default Matches. I would like to define a lookup table th...

by Engager in

How to pass the values of an evaluated field into a summary index with collect?

Hi I am trying to adjust an existing process which collects results of a query into a summary index. What I'm tryi...

by Explorer in

To rename-and-recreate or to copy-truncate in log rotate - so that most real time data is got and no data is lost even in edge cases?

Hi, After reading: - https://answers.splunk.com/answers/49663/log-rotation-best-practices.html - https://answers.s...

by Engager in

Summary Index Backfill - Skipped

Hello I have a scheduled search that populates a summary index. I would like to backfill that summary index for the l...

by Communicator in

Is there a way to traverse a log record line by line?

I'm working on a complicated query on a single log record. Here is an example of log record: I am the log record. ...

by New Member in

Get Updates on the Splunk Community!

Knowledge Management

Discussions

How to check if the automatic lookup is working?

How do I add and delete host in Data Summary from Data Summary Splunk?

Why does this error "('createIndex', domain: '5', code: '10088'): exception: cannot index parallel arrays" causes KVstore to stop working?

Do anybody know about fields +?

Why is kvstore update failing with code 115?

Why to ever use Structured Data Header Extraction?

KV Store on Heavy Forwarder

How to pull data from a lookup within a date range?

Splunk Mobile App End of Life

Can other server types (clustered indexers, heavy forwarders, etc.) fetch config on initial startup (non-search heads)?

Additional indexed fields

TA for IIS that follows the Common Information Model

Is it possible to create a field alias on a lookup output field for mapping to the CIM model?

Is there any way to limit the number of search results in a data model?

Linux servers - Universal Forwarder or Syslog

SPUNK saves logs. does it fulfill STIG requirements?

Hungry Newbie: Best way to learn Splunk well efficiently (shortest amount of time)?

SDK DataSet Mangement

What is the max character limit for a macro?

Summary indexing

Why don't I see match_type in Lookup Definition Advanced options

How to pass the values of an evaluated field into a summary index with collect?

To rename-and-recreate or to copy-truncate in log rotate - so that most real time data is got and no data is lost even in edge cases?

Summary Index Backfill - Skipped

Is there a way to traverse a log record line by line?

Preparing your Splunk Environment for OpenSSL3

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

New Splunk TcpOutput persistent queue

Persistent queue problems

Solutions: "Splunk could not get the description f...

Restore Datasets in a Data Model from an App

After upgrade to 9.1.x and above overall increased...