Hello, as i did understand within Hunk data is returned in Jason format. I have log data in my Hadoop Environment. Connection + Search is working fine. But the line break does not work properly. In one "Hunk" Event are always 4 of my Events. Even the events have quite similar structure... how can i configure the event break settings within Hunk? couldn't find anything in the documentation. Thanks a lot Matthias ... View more

Hello, i used the Splunk Enterprise 6 Dashboard Examples app to create in a own app (independent of the simple_xml_examples app) a visualization with the D3 Parallel Coordinates visualization. followed the documentation and did copy the parallelcoords directory from /appserver/static/components to my own dashboard. additionally i added the html tags with the visualization + did edit the path of the files in the require section + added the autodiscover.js to the dashboard tag as well copied into the appserver/static/ directory. after this the visualizations are not displayed. what is going wrong? br ... View more

Hello, i have some scheduled searches. Some run every 5 minutes, some 15 minutes some hourly etc. Some of those searches are there to generate a summary index, a few other to exportcsv to feed it into another tool regularly. if there is an outage of the search head (even with two search heads or SH pooling) some jobs might be skipped or missed as they won't rerun. This will result in a not complete dataset. In the first step, i'll would need a Report which shows me, based on the actual schedule which search was skipped. index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | search savedsearch_name="Project Honey Pot - Threatscore AVG Last 4 Hours" NOT continued | table sched status savedsearch_name Report Like: User Activity Search - Last RUN | scheduled every 5 Minutes | STATUS=Completed - Last RUN - 5 minutes | STATUS=Completed - Last RUN -10 Minutes | STATUS=Completed - Last RUN -15 Minutes | Status=Not Executed - Last RUN -20 Minutes | Status-Completed and this for each scheduled search dynamically with the scheduled every 5 minutes. The above example would show a potential Restart of the SH 15 minutes ago. And then i can manually investigate and re-run the export for this specific timeframe to add the data again... or it can review the last 10 successfull runs - subtract the times and then automatically detect that it is running all 5 minutes. Thanks a lot Matthias ... View more

Hello, i want to allow my people to mail an event in a custom format to other people out of splunk manually. so i'm looking for a way to involve the workflow action for event types. i tried to use like: mailto:test@test.com?subject="ALARM-Stufe_Rot_$host$?body=Hello_that_is_body_test_with_clientip_$clientip$ this does not work. the workflow does only appear if a URL is included... does someone know how i can work around this? copy into clipboard would also work, but i think with the MailTo it might be easier. br matthias ... View more

Hello, i have a scripted lookup which is working fine. i configured in the lookups that the field name is called clientip for lookups. now i want to make it more dynamic so that the lookup can also be used for other fields containing an ip address. those fields might be clientip, src_ip, source_ip, dst_ip, dest_ip and so on. currently i found only that i need to configure one lookup command for each field name or rename the field in a pre command. i want to make my app ip reputation more generic. so that someone can type ... | lookup threatscore src_ip as well as ... | lookup threatscore clientip or other field names depending what's required. Thanks a lot Matthias ... View more