I was able to resolve the issue. In the _internal index, the following events were generated. I used this to determine which index Splunk wanted to sort the events into, and created it.

Search peer mysplunkidxs.splunkcloud.com has the following message: Redirected event for unconfigured/disabled/deleted index=intended_index with source="source::1234" host="host::abc" sourcetype="sourcetype::456:efg" into the LastChanceIndex. So far received events from 1 missing index(es).
We are using 2 load balanced HFs for this.
IMO you should use a HF for this. A HF will route data based on its contents. So if a log comes with something like "trend micro", send it to a specific index. It will be something like this: Solved: How do I route data to specific index based on a f... - Splunk Community
I added a new syslog source using udp port 514. The data is being ingested into "lastchanceindex". How can I find out what index Splunk "wants" to put the data into, so that I can create that index? Or how can I specify an index without disrupting the other syslog data sources? We use udp://514 for many different syslog data sources, so specifying all of it to go to one index wouldn't work.
I'm on Splunk Cloud version 9.0.2305.201. Don't I need the quotes in the relative_time function?  If $time.earliest$ is a relative time modifier (e.g., -7d@h), it needs quotes, right?
Hello, I have a peculiar question. Below is sample data:

_time                      data storage name    Size of data storage
2023-04-30T00:31:00.000    data_storage_1       10
2023-04-30T00:31:00.000    data_storage_2       15
2023-04-30T12:31:00.000    data_storage_1       15
2023-04-30T12:31:00.000    data_storage_2       20
2023-05-01T00:31:00.000    data_storage_1       20
2023-05-01T00:31:00.000    data_storage_2       30
2023-05-01T12:31:00.000    data_storage_1       30
2023-05-01T12:31:00.000    data_storage_2       40
2023-05-02T00:31:00.000    data_storage_1       40
2023-05-02T00:31:00.000    data_storage_2       50
2023-05-02T12:31:00.000    data_storage_1       50
2023-05-02T12:31:00.000    data_storage_2       50

How do I go about getting the sum of all storages per time frame? Example of output:

Time           Total Storage
04/30 00:31 -> 25
04/30 12:31 -> 35
05/01 00:31 -> 50
05/01 12:31 -> 70
@richgalloway thank you for your reply. So, what I'm trying to achieve is: I want to trigger an email alert if there is any event between the time period 7pm to 7am the next day. I'm using the scheduled alerting mechanism. My cron scheduler runs every 15 mins starting from 7pm until 7am the next day. During this period, if it comes across any event record after 7pm and before 7am the next day from a search, I want to trigger an email. But I'm struggling to embed the time range for the search between 7pm and 7am.
Summary index merges multiple line values into one row, while regular index puts the values into separate lines, so when I used the stats values command on the summary index to group by ip, the merged values are not unique.

Questions:
1) How do I make summary index put multiple values into separate lines like on a regular index?
2) When I use the stats values command, should it return unique values?

Thank you so much for your help. See below example:

1a) Search using regular index
index=regular_index | table company, ip

company                       ip
companyA companyA             1.1.1.1
companyB companyB companyB    1.1.1.2

1b) Search regular index after grouped with stats values
index=regular_index | stats values(company) by ip | table company, ip

company     ip
companyA    1.1.1.1
companyB    1.1.1.2

2a) Search using summary index
index=summary report=test_ip | table company, ip

company                       ip
companyA companyA             1.1.1.1
companyB companyB companyB    1.1.1.2

2b) Search summary index after grouped with stats values
index=regular_index | stats values(company) by ip | table company, ip

company                       ip
companyA companyA             1.1.1.1
companyB companyB companyB    1.1.1.2
If the search runs every 15 minutes then there's little reason to search more than 20 minute back.  So, earliest=-20m latest=now.  What is the use case?
How to schedule a search between 7pm and 7am and alert if and only if there is an event recorded between 7pm and 7am? My cron expression is */15 19-23,0-6 * * *. What should be the earliest and latest values?
Check out the mvstats for Splunk app in splunkbase (https://splunkbase.splunk.com/app/5198).
Still a little confused. I have tried both the $host and $name tokens and neither works. My search sends an alert when any host reaches a certain level of CPU utilization. At times there are multiple hosts that show in the search. When adding the token in the subject line, it appears in the email sent as $host or $name. An email is triggered for each host, but the goal is to have the host name and value in the subject line.
I am still receiving the same issues on the 9.1.1 forwarder and Splunk Enterprise as of 1406 EST 10/27/2023. Are you as well?
The default sourcetype for data that is generated for a summary index is stash. So the fact that it has a different sourcetype (specific_st) and you found a configuration stanza for it seems to imply it is not summary-index data.

Keep in mind that the Splunk docs refer a lot to a "summary index" - but you can have real-time event data and summary index data in the same index. BUT - it is a best practice to keep them separate, because raw data typically has a pattern of ingestion/search that is wildly different from summary data, so long term you tune those indexes differently. That is why the docs often refer to it as a separate index.

But based on what you've provided so far, it sounds like someone configured that sourcetype to go into what others think is a "summary data only" index. What are the source values for those events? Are they Splunk servers, or are they part of an application/webserver/database pool of servers?
I have one to many multivalue fields with exact size and I would like to do the average by index.
ex:
multivalue field1: 1 2 3
multivalue field2: 3 6 7
Result: 2 4 5
Hello! Where did you find the old sendemail.py?
In the configuration of your HTTP Event Collector (HEC) token you can set how it handles the connection host. I don't think this is in the GUI, so you might have to edit your inputs.conf file containing your HEC-related stanzas to set the connection_host property to get your desired behavior:

connection_host = [ip|dns|proxied_ip|none]
* Specifies the host if an event doesn't have a host set.
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system that sends the data. For this to work correctly, set the forward DNS lookup to match the reverse DNS lookup in your DNS configuration.
* "proxied_ip" checks whether an X-Forwarded-For header was sent (presumably by a proxy server) and if so, sets the host to that value. Otherwise, the IP address of the system sending the data is used.
* "none" leaves the host as specified in the HTTP header.
* No default.
There are several older posts that seem to be related to a default setting not being correct in their case in an etc/system/local/inputs.conf. I would check through your Splunk configs to see if there's a server name not set correctly, or if an override is in place that is causing it to use a non-existent hardcoded value instead of relying on what the OS thinks the server name is (i.e. look through your .conf files):

Solved: Inputs.conf $decideonstartup - Splunk Community
Why is host=$decideOnStartup for Splunk Stream, bu... - Splunk Community
How to Configure host = $decideOnStartup correctl... - Splunk Community
Solved: $decideOnStartup Remote Perfmon - Splunk Community
Is it possible to get the source which is sending the data, or the IP of the source? If it is possible. Thanks
Same problem here.