All Posts

@Roy_9 - Are you running the search in the same App where you created the lookup definition?
So I am experiencing this same issue as well, what would be the best way to add entity_title into a search or incorporate the field into the notable event/episodes?
@VatsalJagani @PickleRick Can you please help me with this?
@yuanliu I'm looking for the previous 2 "weekday" average. Consider, today is "Wednesday". I want to plot the avg of the previous 2 Wednesdays as a comparison against live data. Along with this, how can the search be limited only to the time range selected from the time picker?
In my mind this isn't a Splunk problem - although you could use Splunk to identify the ports being allowed through by the permissive policy. My suggestion would be to add one or more policies before the permissive policy that allow through the ports that you definitely want to allow. This will, over time, reduce the number of ports being allowed through by the permissive policy and, at a point in time, the permissive policy can be removed.
https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-No-Enforcement-License/m-p/428446 I will update to 8 and then to 9. In the above link there was something about the no-enforcement license, so I am checking if the license will still be applicable for 8.1 and later.
Currently we have the below license: Splunk Enterprise - No Enforcement (6.5). I was told this license is not supported for new users in Splunk anymore. If I upgrade from 8 to 9, will this license still be accepted?
@P3G4SUS - You can do that like this: .... | eval empty_cells = case(isnull(A) AND isnull(B), 2, isnull(A), 1, isnull(B), 1, 1==1, 0) | stats sum(empty_cells) as total_empty_cells   I'm assuming your two fields in the table are A and B, but you can replace those with what you have in the above query and you should get your answer. I hope this helps!!!
So, I am searching for multiple users logged into a single machine at the same time, or even within the same hour. Initially this is my search query to display how many users log on to 1 host: index="windows" sourcetype="WinEventLog" EventCode=4624 | search host!="*$*" | stats dc(user) as user_count by host   The problem is it does not count the current user since there are log-off events. Hope I explained that clearly. Thanks.
Hi, I have submitted my app into Splunk Cloud Platform for the vetting process and it has been in "Pending" status for more than 3 weeks. Is this timespan normal? Is there any way to contact the team and check for a more specific status? Thanks
This is a bit vague - what events are you dealing with (please provide anonymised samples)? In general, you could assign log-on events a value of 1 and log-off events a value of -1, then do a streamstats summing these values, and when the sum is above 1 you have multiple users logged on. You would have to take care of the issue of log-off events appearing without a preceding log-on event, and all this tells you is the change; you might want to consider setting your start time to be when there is known to be zero users logged on.
| nomv FieldB | nomv FieldC | nomv FieldD | stats count values(*) as * by FieldA | foreach FieldB FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>," ")]
Please select the logs you want to ingest... fine-tune it. That's all. It's very simple actually. Or simply, go with file size: order all your ingested files by their size (in DMC -> license consumed by log sources in last 24hrs dashboard)... if you see any logs in the top 10 or top 20 which are unwanted log files, then remove them from inputs.conf (you may be using wildcards in inputs.conf... if so, add a blacklist for that file).
As we are on Splunk Cloud on GCP, it won't support the null queue.
I have data like provided below:

field A | Field B | Field C | Field D
abc.com | 1 1 | AB CD | 1 1
xyz.com | 2 2 | AB CD | 1 1
abc.com | 1 1 | AB CD | 1 1
xyz.com | 2 2 | AB CD | 1 1
def.com | 1 | AB CD | 0

I want to group Field A values such that all abc.com values come in 1 row with the associated count. I want output like:

field A | count | Field B | Field C | Field D
abc.com | 2 | 1 1 | AB CD | 1 1
xyz.com | 2 | 2 2 | AB CD | 1 1
def.com | 1 | 1 | AB CD | 0

If I take the path of stats count then it splits Field C and D, which I don't want; I want them to be uniquely compared as a group value. Looking for suggestions. Thanks in advance.
Hi, I am sending logs without indexing on Splunk to another product by using the "SYSLOG_ROUTING" DEST_KEY in the transforms.conf file. Looking at the documentation of "How Splunk licensing works", it says: "When ingesting event data, the measured data volume is based on the raw data that is placed into the indexing pipeline." By looking at the monitoring console I realized that the indexer pipeline is made up of: syslog out, tcp out and indexer lines, so it seems that by using the syslog_routing dest key I could also consume Splunk license. Can you confirm this? Kind Regards, Angelo
Hey All, I've configured tcp-ssl on the HF, created certificates and the following configuration. The HF receives syslog from a third party; I'll send the third-party company the CA (combined certificate) I created based on these docs: 1. How to create and sign your own TLS certificates 2. Create a single combined certificate file

inputs.conf
[tcp-ssl://2222]
index = test
sourcetype = st_test
[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\mycerts\myServerCertificate.pem
sslPassword = <Server.key password>
sslRootCAPath = C:\Program Files\Splunk\etc\auth\mycerts\myCertAuthCertificate.pem

server.conf
[sslConfig]
sslPassword = <encrypted password that I didn't configure>

And yet Splunk isn't listening on the requested port, for example 2222. What am I missing? The error I get in Splunk _internal is: SSL context not found. Will not open raw (SSL) IPv4 port 2222 Please assist, and thank you!!!
"Unwanted logs" is a very vague term and the ES app definitely has no app to monitor this vagueness. As said in the above reply, you should fine-tune what to ingest and what not to ingest (and send it to the null queue).
OK, now I see and get the data. Thanks!