...ntermediate forwarder, so sometimes I can see data ingested by an HF coming from another HF). What about data sent not with a Splunk agent/host? For example, suppose I have this flow: Log source w...
Hi, I would like to ask a question regarding the lookups table. I am managing logs about login and I want to be sure that on a specific host you can access only with a specific IP address, o...
Hey guys I've been having trouble finding documentation about removing indexed data. After looking through the "meta woot!" app I saw my hosts were growing a few thousand a day and my estreamer a...
...hem if they go down. We've created this search so far to accomplish this:
sourcetype=tandem* "Host is OFFLINE" OR "Host is ONLINE"
| rex field=Text "Host is (?P<Status>\w+)"
| stats latest(Status) as S...
...eturns a count of 1.
|inputlookup file.csv | join type=left host [|tstats count by host]
About a dozen hosts return counts; the rest return null values...
...s eth0, eth1, sit0, sum, etc in my hosts column. This data is not accurate. When I click on one of the host fields to get more information about the source, I see...
host=0.00 sourcetype=s...
...urrently active but was not active before... Query 1: index=anIndex sourcetype=aSourceypte earliest=-17m@m latest=-2m@m | rex field=_raw "^(?:[^,\n]*,){2}(?P<LoginUserID>\w+\.\w+)" | dedup host L...
Hi, I successfully created an SPL that does what I need for a single host but I cannot get it to work for all hosts. This works index=<my_index> host=<specific_host> s...
I want to check the Splunk forwarder versions of about 70-90 hosts. Is there any way to do this? Is it possible from the deployment server or search head?
Hi, Unfortunately I inherited a Splunk deployment where the previous admin co-located multiple roles to one Splunk host. The admin put Deployment Server, SHC Deployer, and M...