hi I have created a tag for the field "counter" called "a" But when I run a search with tag=a or with tag::counter="a", there is no results what is the problem please? ... View more

Hello I have great difficulties to understand where to begin for using the CIM datamodel Is anybody can clearly summarize the different ways to apply a CIM datamodel in my own apps? Thanks in advance ... View more

hello I need to display 2 curves in my line chart from two different index so i am doing this : index="disk" sourcetype="Perfmon:disk" | bin span=10m _time | eval time=strftime(_time, "%H:%M:%S") | stats avg(Value) as Disque by time | eval Disque=round(Disque, 2) | append [ search index="mem" sourcetype="Perfmon:mem" | bin span=10m _time | eval time=strftime(_time, "%H:%M:%S") | stats avg(Value) as Mémoire by time | eval Mémoire=round(Mémoire, 2)] the problem I have is that on the x axis my curves are not aligned on the same time slot what is wrong please? thanks ... View more

Hi I have to create correlation searches in Splunk ES My cron schedule will be */60**** Is it better to use a real-time schedule or a continuous schedule? Is it necessary to fill the time range (start time and end time)? Last question : if an alert event exists, does it means that this event will be created many times in the incident review dashboard? I need to creat just an incident for the same alert. How to do this? Thanks in advance   ... View more

hello   I have a admin role when I create a field alias, I can see it in the props.conf file but when I run the search the field names are unchanged [sourcetype="Perfmon:mem"] FIELDALIAS-Value = Value AS titi counter AS tutu   what is wrong please? ... View more

Hello As far I understand, the Splunk datamodel has two main goals 1)  Data models enable users of Pivot to create compelling reports and dashboards without designing the searches that generate them.  So, the Pivot tool lets to report on a specific data set without the Splunk Search Processing Language  2) It's possible to refer to the CIM data models to normalize different name of data having the same function In this case, we need to normalize data by using tags, alias, eventtypes, etc... Alerts Application State Authentication Certificates Databases Data Loss Prevention Email Interprocess Messaging Intrusion Detection Inventory Java Virtual Machines Malware Network Resolution (DNS) Network Sessions Network Traffic Performance Ticket Management Updates Vulnerabilities Web Is it correct? Thanks ... View more

Hi In the example below, I clearly understand that the "hello world" will be updated in a Splunk event { "time": 1426279439, // epoch time "host": "localhost", "source": "random-data-generator", "sourcetype": "my_sample_data", "index": "main", "event": "Hello world!" } curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":"hello world"}' Now imagine that my json file contains many items like below { "time": 1426279439, // epoch time "host": "localhost", "source": "random-data-generator", "sourcetype": "my_sample_data", "index": "main", "event": "Hello world!" } { "time": 1426279538, // epoch time "host": "localhost", "source": "random-data-generator", "sourcetype": "my_sample_data", "index": "main", "event": "Hello eveybody!" } Is the curl command to use should be like this? curl -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://localhost:8088/services/collector/event -d '{"event":}'  Last question : instead using a prompt command to send the json logs in Splunk, is it possible to use a json script to do that? Or something else Is anybody has good examples of that? thanks ... View more