sure thing, glad to help! 😄 ... View more

Correct, that enables the tag. Once set, and splunk is reloaded/restarted, when you run searches you'll find the tag field show up for any events that match that eventtype, and therefore that tag. You can also directly search for a tag, i.e. tag="costBU" OR tag="GNS" ... View more

the format for tags is <tagname> = [enabled|disabled] so, costBU = enabled or GNS = enabled ... View more

Hi jacqu3sy, checkout out the lookup tables section of the transforms.conf spec. In particular, for this lookup definition you'll want to set match_type = WILDCARD to tell splunk that lookup commands that are run against it should consider the asterisk a wildcard. This will allow you to compare the dest_mac in the events against the wildcarded unauthorised field in the lookup, and OUTPUT the vendor. See: http://docs.splunk.com/Documentation/Splunk/6.5.2/admin/transformsconf#Lookup_tables Please let me know if this answers your question! ... View more

Hi sreejith2k2, First of all, you'll want to make sure that the events with these different time formats are partitioned out to their own sources and/or sourcetypes. I'd guess that Splunk can probably make sense of the timestamp for at least some of these formats. For the sources that Splunk can't recognize the timestamp for (the "Add Data" wizard is great for determining this, take a sample set of events and run it through that to immediately find out if Splunk can figure it out), you can set Props configuration on the source/sourcetype to tell Splunk some attributes concerning the timestamp in the events. See this for more details : http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Configuretimestamprecognition Essentially, you can tell Splunk the strptime format ( strptime ) , you can give it a regex for a pattern that precedes the timestamp ( TIME_PREFIX ), and you can tell it how many characters either into the event, or from the prefix it should look for the timestamp ( MAX_TIMESTAMP_LOOKAHEAD ) Also, see the "Timestamp extraction configuration" section of the props.conf spec for a full list of available configuration directives. Please let me know if this answers your question! ... View more

I don't expect it would have any process to run through and remove any history of the SH, but it shouldn't matter. If any issues persist, it would have to involve Splunk support as it would be something fundamental to the way Splunk works, and they'd have to work out enhancement requests to improve it in future versions. That being said, I'd be really surprised if this had any lasting effect on the cluster once you've restarted everything. Please accept this answer if it works out for you 😄 (in any case let me know how it works out) ... View more

first of all, be very careful with that delete command. Do you have a local splunk certified admin to help? You do not want to throw that command around without careful consideration. Secondly, that eval statement isn't needed. Based on the search results, all events will have fbus_summary for the index value. Thirdly, if you do run that command it would delete ALL events in that index for that time frame. You will want to qualify the search to be very specific regarding the events you want deleted. But now the concern is, Iam not getting on how to use the "index" command on my Email Security Appliance. I don't quite know what you mean by Email Security Appliance. There isn't an index command in splunk, index is one of the default fields that each event has a value for, and is used in searching. ... View more

Hi dhsetty, You can delete data from a Splunk index by running the delete command after searching for all the data you wish to be deleted. Note, the delete command won't free up any storage space. It essentially marks those events as unsearchable in the index. To entirely remove data, you'd have to delete the index, or allow for the retention settings to take care of it (time, disk space, however you have retention set for the index). Many more details are available here : http://docs.splunk.com/Documentation/Splunk/6.5.2/Indexer/RemovedatafromSplunk Please let me know if this answers your question! ... View more

Hi templier, You don't necessarily have to specify an initial checkpoint value. Splunk will get as many records as it can, and then whatever the rising column is, it will take the latest value and set that as the checkpoint. If you want to set a starting checkpoint, then you can specify that latest value manually. Behind the scenes Splunk will modify the query to swap in a WHERE clause to return only records whose RecordId is great than the checkpoint. This is slightly different depending on which version of DB Connect you are using, but this is the general idea. Please let me know if this answers your question! ... View more

These instructions require the members to have splunk running, and either be available at the command line, or otherwise have the management port available. For the case in questions, the members no longer exist, and so can't have these commands run against them. ... View more

Hi hettervi, Schedule a brief outage window and shutdown all remaining search heads in the cluster. Once they are all down, start them back up, one by one. I believe this will resolve the issue of the "down" hosts. Please let me know if this answers your question! 😄 ... View more

Hi realsplunk, I don't believe that this is possible within the scope of splunk clustering configuration. You could, of course, throttle network throughput at various other scopes, but this generally isn't advised unless necessary, and you do some testing to make sure you have available overhead in the case of a spike in splunk ingestion/replication. Please let me know if this answers your question! ... View more

anything of note in the job inspector results? ... View more

ah yeah, that would make sense ... View more

Have you tested this configuration on a single instance to make sure it works as expected? Do you see the app being loaded onto one of the new instances? ... View more

Hi Iksridhar, I expect you'll find more info in the search job inspector. More info on accessing that here : https://docs.splunk.com/Documentation/Splunk/6.5.2/Search/ViewsearchjobpropertieswiththeJobInspector You should find additional debug information there. If you don't get this error on all searches, my guess is that it has something to do with either the iplocation or geostats command. In particular, I'd take another look at the geostats documentation to make sure you are passing any parameters that might help the command : https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Geostats Please let me know if this helps! ... View more

My first guess is something weird with the ID column. I'm guessing its a unique auto-incrementing primary key for the table? If it was mixed up and non-unique, that would explain the bouncing around and duplicate event indexing. ... View more

Hi prakashv546, You'll want to setup a input monitor on the files. See: http://docs.splunk.com/Documentation/Splunk/6.5.2/Data/Monitorfilesanddirectorieswithinputs.conf for more details on how to accomplish this. Splunk quite readily handles continually-written-to files, and so that shouldn't be an issue Please let me know if this answers your question! 😄 ... View more

as long as you have some LDAP users in the admin role, one solution to this would be to simply delete the default admin user. Otherwise you could alert on any _audit events for the admin user. ... View more

glad to hear 😄 please don't forget to accept 😄 ... View more

each action has a different set of associated fields, so in the case of a user edit it should also have the user edited. You'd have to nail down exactly which actions you care about, and then formulate tables / visualizations in order to present the events. ... View more