I would like to create a dashboard to show Windows server up time where it is more than 60 days.. Basically I would like to present as a count of servers running continuously for more than 60 days. ... View more

I have created a search to display Server up time for Windows servers... which works fine, however I would like to list applications related to the those servers... . Can you anyone suggest please... ... View more

I need to create a search which extract last word of the URL as below:- https://hostname/bs/cf/webservice/WordtoExtract ... Please let me now how to extract last word of above URL i.e WordtoExtract. ... View more

I have created various alerts, however, sometimes alerts get generated even though there is no issue at all. Upon investigation, we have found out this happens when Splunk is not getting from servers. Is there a way we can put a condition in alert to verify if data is coming from the server? ... View more

I have created an alert which basically checks the occurrence in particular keyword in two log files , however there is a difference of time from anywhere between 1 min to 1 hours for that keyword to appear in both log files. Example:- If keywork CorrID appears in Log File A, then it can appear in Log File B between anywhere from 1min to 1 hour.... So our search first checks in Log File A and then wait for an hour to check in Log File B. Problem is when keyword does not appear in Log File B for more than 1 hour, then we get an alert, which is false, because keyword had appeared up in Log File B after 70 minutes. So now, I want to run a search which verifies the output again in last two hours in both log files..? ... View more

I have created a splunk alert which runs after every one hour to check for certain pattern in last one hour. Most of the time it finds the pattern within one hour window, but there are case when it takes more than one hour. I want to create a splunk search which verifies the output in next hour if did not appear in first hour. ... View more

I am trying to use a field of a Index1 in Index2 to search for status of Correlation ID, but it is not working as expected. For example... Batch job A has Correlation id, I want to check the status of that Correlation ID in Batch Job B .. index=Index1 host=xxx source="yyy" CorrID AND Batch Job B | dedup CorrID | table CorrID | append[search index=Index2 host=xxx source="yyy" Corr id AND BatchJob A AND "Message Enqueued to database access layer : " | rex "Corr ID[\\": ](?[^\\":]) Queue:"] | fields CorrID | dedup CorrID |table CorrID | stats count by CorrID | where count=1 ... View more

Hi, I am trying to create alert for user locked in LDAP. Is there a way to do so in SPLUNK? I am aware about WINEVENT , but that is not required. Please assist. Thanks, ... View more

I have created a search where unix process names are searched and display results on dashboard. Is there a way where I can display results in terms of running or not running if certain process names are not found or found in the search? ... View more

I have set up a query to check the status of linux/unix processes for a number of processes. However, when it displays the results, it shows the whole output of the command line instead of showing the status of process. For example, the search is to check the output of process ABCDEF. But when I run the query, it shows as below:- ://java/path/abc: ABCDEF:/export/path/... Is there a way I can extract just the process name instead of the whole command line as output? regex Thanks, ... View more