Well... scrub can work strangely sometimes. For example, scrubbing my firewall logs shows that my firewalls do these actions: allowed, blocked, dropped, mckenzie 🤣
I'm trying to export and import alerts from one search head to a new search head. Can transfersplunkknowledgeobjects.py be used for this? I don't know what to use for "-srcApp", so I am trying "alerts" (without the quotes). Right now I'm getting 404 errors. I do have a Bearer Token, but where do I put it? I looked at "Version Control for Splunk", but that is even harder to figure out how to use.
https://github.com/mehransafari/Splunk_FrozenData_FIND_by_DATE_and_Restore is a script for finding frozen bucket files in the time range you give. It shows the folders, their size, and the start time and end time of the logs contained in each folder. It may help you.
Absolutely awesome. I was looking for a way to create a quick overview on limited space which then indicates that one should take a closer look at the real timecharts... this is basically exactly that. Thanks, Mike
Hello from the future. I have time traveled back to 2018 to see if there are still any plans to port this to Windows. Not my choice, I am in a Windows only shop.
btw, the error is listed in the software's known issues as 2014-10-02 SPL-91638, SPL-107375: "For scheduled searches in a search head cluster, empty search jobs may appear in the job inspector for a cluster member."
Hi - Just to come back - I reused this answer again for new issues, seriously great answer 🙂 - Hope to see you at .conf 2021 🙂 The two isnull commands below were needed to get it going:
| eval firstHalfCountNonZero = mvcount(mvfilter(firstHalf>0))
| eval firstHalfCountNonZero=if(isnull(firstHalfCountNonZero),0,firstHalfCountNonZero)
| eval lastHalf=mvindex(sparkdata, ceiling(mvcount/2), mvcount)
| eval lastHalfCountNonZero = mvcount(mvfilter(lastHalf>0))
@afurrowgtri How do you handle a multi-valued field? For example, if a field is enclosed in { }. Say a field called MemberOf: { CN=(cndata) (otherdata) }. The field does not populate in the export. It exports like this, MemberOf="System.Object[]", with no data. Thanks for your help.
This works to clear the form field. But the URL is not modified to reflect this fact. So, if the page gets refreshed by the user, or was left open when the browser was shut down and the user has the "start where I left off" option set, the page will rerun the dashboard. How does one clear the field and reset the URL to reflect that fact?
This link: splunk.training/certifications.html gives the steps, but the image is outdated as the site has been updated. In the top right of splunk.com (after logging in), to the left of the profile login, select the Support drop-down, then Support Portal. On the left side of the next page select My Certifications. Your certifications should be listed on the next page.
Hello Karthick, I don't personally use the ta-thehive-ce, only the create_thehive_alert from my github link, still in prod. The main page provides all the details to do the setup. It should allow you to make it work. Regards
hi @amilavsky,
Did you have a chance to check out bangalorep's answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya.
I am not sure how useful it is to put in configuration, but you could add this to your props.conf:
[your sourcetype name]
EVAL-PerDayValue = Cost/round((relative_time(_time,"+1mon@mon")-relative_time(_time,"@mon"))/86400,0)
This will create a PerDayValue field in every event that has a Cost field (Cost divided by the number of days in that event's month).
hi @jcachosousa,
Did you have a chance to try out DalJeanis's answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks for posting!
hi @zmmt,
Did you have a chance to check out WHRG's answer? If it worked, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks for posting!