Al\ll, I've never had to roll to frozen before and we've moved to Google Cloud. Looking for a walk through on setting up rolling to frozen on google cloud or similar? ... View more

All, So currently when I start an instance of Splunk I use an init.d script which disable THP and sets ulimits. How do I verify this is happening in the Docker container version of Splunk Enterprise? ... View more

All, I am looking for a daily PDF report that verifies none of the dropped events are outside of my retention policy for that index and gives me warning if an indexer might be over tasked. Any idea how I would get that going? ... View more

All, I've been asked to automatically rotate the local passwords on Splunk every week. It can be predictable. Like HelloP@ssword1June1st goes to HelloP@ssword1June8th. But just needs to rotate to meet the auditors requirement. Any idea how I would tackle that? ... View more

All, I am looking to create a single timechart which displays the count of status by requestcommand by action. So two "by's". Maybe I should compound the field? tag=myrest "https://api.mydomain.net/somemethod/listings/*" host=MYHOST* | rex field=_raw "action=(?<requestcommand>RELEASE|HOLD|EXTEND|PURCHASE)" | rename event.Properties.LogEntry.ResponseStatusCode AS status | search status=* | timechart count(status) by action, requestcommand ... View more

Morning, So we have about 100 application stacks. Many of them are fronted by various versions of Apache(httpd). Until now we have not really cared that field extractions had not been working. But it's coming up more and more. The issue is we have more than 20 varying configs for the logs. Each server has a different apache logging config. Basically just 8+ years of good intention. Now I can battle politics and go in and get all these stacks to align to one standard, maybe even force them to key value pairs while i am in there. But that could take weeks. Alternatively I could go in write a separate inputs.conf with a different source-type for each standard I find. Or is there another option I am not seeing? ... View more

Good morning, I am just trying to formalize , automate and hopefully hand off some Splunk maintenance to some junior employees. Trying to free up some time that sort of thing. Anyone already have a document or site that can refer me to which has a normal maintenance routine for Splunk? thanks -Daniel ... View more

all, I have two CSV and I want to just get the diff between then. Any idea how I tackle this? thanks, -Daniel Wilson ... View more

All, How can I determine which search time field extractions are my most costly? ... View more

All, Alright, don't really have my head around knowledge objects permissions. I have roughly 100 field extractions that I am globally exporting. I'd rather restrict the to a single app called "Company App" (note the space). Here is what I tried in my default.meta [] export = Company App But didn't seem to work. Guessing there is a trick to this I am missing. ... View more

All, We have some highly unstructured data I'd like to export from one Splunk instance to another one for testing reasons. Basically a few gigs of a subset of the data. I remember seeing a way to replay the data and stream it via TCP to another indexer, but for the life of me I can't find the docs. Any help here? ... View more

Good morning, I have a log file, that I am told by security the email addresses need to be hashed. Any idea how I do this? ... View more

All, I have a soucetype that is quite complex. So I need to leave autoKV extractions on. In one of the logs there is a key value which is the line of an error. Literally line=1234. I see in props.conf a coworker explicitly is extracting line as line=(?\d*) . Is there any value to this? Given we have autoKV on, seems rather redundant. I can imagine a situation where a user might be looking at a million of these records. So think there is value there? ... View more

All, Still getting my head around metrics. I shameless stole this line of bash and setup metrics and it's working . UI was cool. echo "mydesktop.cpu.util:$intCount|c" | nc -w 1 -u myheavyforwarders.domain.com 8125 With this in mind how would I send more than one metric? Say I wanted all the output of TOP? Can you send more than one metric at a time? I understand these metric can have dimension, is that basically an array of values? ... View more

All, So we're slowly moving off of index=java to index=applicationlogs for a few reasons. Is there a way to alias index=java to index=applicationlogs for users? ... View more

I have an event that is using X amount of space. The search is: index=network default send string I'd like to search how many gigs of license this event is using over the last week. Anyway to do that with a search? ... View more

All, I have 400+ servers with Splunk for Nix installed and collecting metrics to index=os. What I'd like to do is create a dashboard which determines which servers are showing 20% more CPU than they were last week. That the final result is just a table of servers which have showed 20% increase or more CPU compare the previous week. I really have no idea where to start. Any ideas? ... View more

All, Testing an index'd time field extraction in a test environment. It SEEMS to have worked, but randomly the field I am extracting ( pool ) just disappears from search results. That is if I just search, pool is extracted the 400 or so times I expect. But once I try and USE that field it's simply missing except for one host. The other 400 in the test setup are not getting extracted. Heavy Forwarder has this #transforms.conf [pool_transform] REGEX = slcs\d\d(...)\d\d\d FORMAT = pool::"$1" WRITE_META = true #props.conf [host::*] TRANSFORMS-indextimepooltransform = pool_transform #fields.conf [pool] INDEXED=true Search Head has this [pool] INDEXED=true Indexer has this #fields.conf [pool] INDEXED=true Any idea why the field would sorta.. disappear randomly. ... View more