Activity Feed
- Got Karma for Re: Add newline into table cell?. 01-24-2025 07:55 AM
- Karma Re: add field to Selected Fields permanently (bar on left side of search results) for woodcock. 11-08-2023 11:54 AM
- Karma Re: add field to Selected Fields permanently (bar on left side of search results) for woodcock. 11-08-2023 11:54 AM
- Posted Selected Fields - Open in new tab (or window) - Value does not carry over. on Splunk Search. 08-07-2023 11:43 AM
- Karma Re: How to enable a new tab opening from within a dashboard? for Michael. 08-07-2023 11:20 AM
- Got Karma for Re: Monitoring file is not indexing anymore - WatchedFile - File too small to check seekcrc, probably truncated. 04-06-2022 11:33 AM
- Posted How to Recursive monitor all *.log files (in X directory) (via UF on Windows)? on Getting Data In. 04-02-2022 12:16 PM
- Posted Re: splunk list monitor does not show directories on Monitoring Splunk. 03-31-2022 12:07 AM
- Tagged Re: splunk list monitor does not show directories on Monitoring Splunk. 03-31-2022 12:07 AM
- Karma Re: Daily License Usage by Index across all Indexers? for hexx. 10-29-2021 10:54 AM
- Karma Increase 'Top 10' field values in Search App, increase limits of counted variations >100 for Thomas_Gresch. 10-29-2021 09:42 AM
- Karma Re: In Splunk Dashboard examples, how do I disable a report that is embedded? for burwell. 10-25-2021 03:09 PM
- Got Karma for Re: How to use the REST API to just run a search and stream the results back?. 08-09-2021 02:19 AM
- Posted Re: How to use the REST API to just run a search and stream the results back? on Splunk Search. 05-27-2021 10:57 AM
- Karma Re: How to use the REST API to just run a search and stream the results back? for kutzi. 05-27-2021 10:45 AM
- Posted Forwarder- seekptr checksum error and logs not being sent on Getting Data In. 08-24-2020 12:21 PM
- Tagged Forwarder- seekptr checksum error and logs not being sent on Getting Data In. 08-24-2020 12:21 PM
- Karma splunk why must XML sources be so complicated? for zenSplunk. 08-15-2020 10:17 PM
- Posted Re: Add newline into table cell? on Dashboards & Visualizations. 08-15-2020 11:13 AM
- Karma Re: Add newline into table cell? for nagendra008. 08-15-2020 11:11 AM
01-24-2024
11:28 PM
In your search, you need to escape your quotes, like this:
search="search index=list-service source=\"eventhub://sams-jupiter-prod-scus-logs-premium-1.servicebus.windows.net/list-service;\" \"kubernetes.namespace_name\"=\"list-service\" | stats dc(kubernetes.pod_name) as pod_count"
or use single quotes around the search contents:
search='search index=list-service source="eventhub://sams-jupiter-prod-scus-logs-premium-1.servicebus.windows.net/list-service;" "kubernetes.namespace_name"="list-service" | stats dc(kubernetes.pod_name) as pod_count'
08-07-2023
09:19 PM
Hi @spunk311z ... this right-click on the URL and opening it in a new tab is controlled by the Chrome browser (this may be a Splunk issue, I think; the right-clicked URL is not passing the extra fields, I think). One simple workaround is: on the interesting fields list, instead of opening it in a new tab, just click that interesting field directly, so the clicked interesting field will be added to the current SPL query and the logs will be filtered as per the interesting field you clicked. One issue: this will just run in the current tab itself. As you wanted it to open in a new tab, just do this: duplicate the current tab and click the interesting field. (On the Chrome browser, to create a duplicate tab, you can right-click the tab and duplicate it, OR you can use a combination of two keyboard shortcuts to duplicate a Chrome tab. Step 1 – Press ALT + D. This selects the current tab. Step 2 – While the URL is selected in the address bar, press ALT + ENTER.)
04-03-2022
09:06 AM
This inputs.conf should work:

[monitor://C:\Users\pc\Documents\vMixStorage]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
whitelist = \.log
blacklist = stream

[monitor://C:\ProgramData\vMix]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
whitelist = \.log
blacklist = stream

If this input stanza does not work, please check the following things:
- Whether index "pcs" is created or not.
- Are you searching the data from the search head? (In case you are forwarding the logs to a Splunk distributed or clustered environment.) -> Verify outputs.conf on your machine.
- Look for any warnings and errors in Splunk _internal logs. -> index=_internal (CASE("WARN*") OR CASE("ERROR"))
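The stanza above relies on `whitelist` and `blacklist` regexes to decide which files under the monitored directory get read. The following is an added example, not code from the original post or from Splunk: a simplified Python model of that selection, reusing the first stanza as parser input over a constructed list of file paths. It assumes (as this model's rule) that both patterns are unanchored regex searches applied to the full path and that a blacklist match wins over a whitelist match.

```python
import re
from dataclasses import dataclass, field

# The first stanza from the post above, reused as parser input.
INPUTS_CONF = r"""
[monitor://C:\Users\pc\Documents\vMixStorage]
disabled = 0
index = pcs
recursive = true
sourcetype = vMIX
whitelist = \.log
blacklist = stream
"""

# Constructed list of files that might exist under the monitored directory.
SAMPLE_FILES = [
    r"C:\Users\pc\Documents\vMixStorage\vmix.log",
    r"C:\Users\pc\Documents\vMixStorage\archive\vmix.log.1",
    r"C:\Users\pc\Documents\vMixStorage\user.login",
    r"C:\Users\pc\Documents\vMixStorage\stream\output.log",
    r"C:\Users\pc\Documents\vMixStorage\catalog.txt",
    r"C:\Users\pc\Documents\vMixStorage\settings.xml",
]


@dataclass
class Stanza:
    name: str
    settings: dict = field(default_factory=dict)


def parse_inputs_conf(text):
    """Minimal .conf reader: a line that is exactly [name] opens a stanza,
    and key = value lines belong to the most recently opened stanza."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = Stanza(name=line[1:-1])
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.settings[key.strip()] = value.strip()
    return stanzas


def is_selected(stanza, file_path):
    """Apply blacklist then whitelist to the full path as unanchored regex
    searches (model assumption: a blacklist hit always excludes the file)."""
    if stanza.settings.get("disabled", "0").lower() in ("1", "true"):
        return False
    blacklist = stanza.settings.get("blacklist")
    whitelist = stanza.settings.get("whitelist")
    if blacklist and re.search(blacklist, file_path):
        return False
    if whitelist and not re.search(whitelist, file_path):
        return False
    return True


def monitored_files(conf_text, files):
    """Return the files under some monitor:// root that pass that stanza's filters."""
    monitors = [s for s in parse_inputs_conf(conf_text) if s.name.startswith("monitor://")]
    selected = []
    for path in files:
        for stanza in monitors:
            root = stanza.name[len("monitor://"):]
            if path.startswith(root) and is_selected(stanza, path):
                selected.append(path)
                break
    return selected


if __name__ == "__main__":
    picked = monitored_files(INPUTS_CONF, SAMPLE_FILES)
    for path in SAMPLE_FILES:
        print(("monitored " if path in picked else "skipped   ") + path)
```

Running it shows the two caveats worth checking before trusting a stanza: `\.log` is unanchored, so the rotated `vmix.log.1` and the unrelated `user.login` are both picked up (anchor with `\.log$` if only current log files are wanted), and `blacklist = stream` excludes anything whose full path contains that word, including `stream\output.log`.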
03-31-2022
12:07 AM
same question here unfortunately...
07-27-2021
08:39 AM
This worked for me: [host::(10.3.4.2|10.12.3.4|IP3|IP4|and_so_on)]
12-08-2020
12:46 AM
I was having the same issue: moving the "index" field to the selected field list for all users. I was testing various config files and settings. This is the one which solved the issue for me: /opt/splunk/etc/apps/myapp/default/ui-prefs.conf

[default]
display.events.fields = ["host","index","source","sourcetype"]

(system/local/ui-prefs.conf should work as well.) Now it is important to note that if a user had already changed his selected fields prior to this change, then the user preferences (/opt/splunk/etc/users/your_user/search/local/ui-prefs.conf) will override the global setting above and thus the "index" field might not display under selected fields. Regardless, it will work for newly created users and users who haven't changed their selected fields yet.
11-22-2020
11:34 PM
Are you guys sure of this method with tstats?
| tstats count where (index=test* earliest="2/1/2020:00:00:00" latest="3/1/2020:00:00:00") BY _time span=1d | inputlookup append=true testlookup.csv | outputlookup testlookup.csv
08-24-2020
01:11 PM
Moved question to Splunk Administration, "Getting Data In", where you will get better answers than in "Search".
08-15-2020
11:13 AM
1 Karma
Thanks! This worked great for me as well (nagendra008's split method, not the CSS way; I didn't want to mess with CSS nor make a new app for a quick table). If this helps others, I used the blank space as the linebreak / replace char:
| eval dateonly=strftime(_time, "%m-%d %A %I:%M%P") | eval dateonly=split(dateonly," ")
So I ended up with exactly what I wanted 🙂 vs. this before 😐 (Unrelated: what is up with the login process for the forums here? It's now login on page 1, password on page 2, which breaks Chrome and FF password save/remember. Maybe they are doing this to fight off brute force/bots? Either way it's pretty annoying as I now have to look up + type both 😞)
07-19-2020
01:04 PM
Lots of great info and search queries in this thread (thanks), Splunk really is amazing! One thing I can contribute is this search (below) that I often use to show all of my scheduled reports (it pairs nicely with some of the resource usage searches in this thread to help ID and modify your scheduled reports or their cron entry). Also it's nice to review this from time to time as it's easy to lose track of cron-scheduled reports you may no longer need to run (or run as frequently):
| rest /servicesNS/-/-/saved/searches | search is_scheduled=1 | table author cron_schedule is_scheduled schedule_window title updated embed.enabled
thanks
07-19-2020
11:06 AM
I frequently use my 400+ Splunk saved reports. Thus I'm constantly accessing this URL: http://splunkServer.com:8000/en-US/app/search/reports and then typing into the search box in the middle (which filters the reports displayed in real time). Is there any direct URL which can search/list my saved reports? (i.e. a URL that can give me the same output as typing into the search box in the URL above), e.g. something like http://splunkServer.com:8000/app/search/saved-reports/reports?q=Cisco (and then I'll see any of my saved reports where the report title matches "Cisco").

I'm trying to add my Splunk saved searches as a "My Search Engines" entry in the Chrome browser, such that I can just type into the Chrome URL bar: spr <tab> blah (and it will bring me to a page showing any saved reports matching "blah"). The closest I've been able to pull out is a long Splunk URL which I can add a search query to, but it returns my saved-report matches as raw JSON. thanks

-----------

BTW: A super useful, related tip for others: I'm already doing this for Splunk searches (this = Chrome URL bar -> Splunk search results) via this URL below (note the %s at the end; Chrome uses %s to fill in what you have typed into the Chrome URL bar): http://splunkServer.com:8000/en-US/app/search/search?earliest=-4h%40m&latest=now&q=search%20%s (the Chrome setting for this is located in: Settings -> Search Engine -> Manage Search engines -> "Other Search Engines" (Add)). So using the Chrome keyword "sp" I'm able to type into the Chrome URL bar: sp <tab> blah and I get the Splunk search results for "blah" for the past 4 hours. (Of course I can also do: " sp <tab> index=network blah ", and so on.) thanks
06-18-2020
10:12 AM
2 Karma
Awesome, thanks so much for this reply (and that you came back and posted the post-fixed solution). I was having this exact same issue with the Splunk UF monitoring some log files (and to debug I was searching the last 4 hours on my indexer to see when/if I had fixed inputs.conf on the UF; I was also monitoring splunkd.log on the UF, but I couldn't fix it!). This was the issue: the Splunk UF couldn't read the timestamp of the log files it was monitoring properly, so the files were being sent, but in the past! (So my fix was the same as yours, in that I made a custom sourcetype with timestamp="current time" on the main Splunk indexer (web GUI), and then in the UF inputs.conf set the stanza for monitor://c:/blah/file.log.* to use that custom sourcetype.) Thanks again!
03-22-2020
09:43 PM
You can use the bin command to group your data into your desired time-span and then do a distinct count on the ip.
Something like
index=_internal | bin _time span=5s | stats dc(clientip)
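The reply above is SPL only. As an added example (not code from the original reply or from Splunk), here is the same computation in Python over a few constructed access-log lines: timestamps are floored to 5-second bins the way `bin _time span=5s` does, distinct `clientip` values are counted overall (what the literal query returns) and per bin (the grouping the reply describes), and a threshold on the per-bin count shows how the same numbers become a simple burst detection. The log format and the `LINE_RE` pattern are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines shaped like a web access log (not real data).
SAMPLE_LOG = """\
2024-01-24 07:55:00 GET /en-US/app/search clientip=10.0.0.1
2024-01-24 07:55:01 GET /en-US/app/search clientip=10.0.0.2
2024-01-24 07:55:04 GET /en-US/app/search clientip=10.0.0.1
2024-01-24 07:55:05 GET /en-US/app/search clientip=10.0.0.3
2024-01-24 07:55:09 GET /en-US/app/search clientip=10.0.0.3
2024-01-24 07:55:12 GET /en-US/app/search clientip=10.0.0.4
"""

# Assumed line shape: leading "YYYY-MM-DD HH:MM:SS", a clientip=... field somewhere after it.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*\bclientip=(\S+)")


def parse_events(text):
    """Return (epoch_seconds, clientip) pairs; timestamps are read as UTC."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines without a timestamp or a clientip field
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((int(ts.timestamp()), m.group(2)))
    return events


def bin_time(epoch, span_seconds):
    """Floor a timestamp to the start of its span, like `bin _time span=Ns`."""
    return epoch - (epoch % span_seconds)


def total_distinct_clients(events):
    """Equivalent of `stats dc(clientip)` with no grouping: one number."""
    return len({clientip for _, clientip in events})


def distinct_clients_per_bin(events, span_seconds=5):
    """Equivalent of `bin _time span=5s | stats dc(clientip) by _time`."""
    buckets = defaultdict(set)
    for epoch, clientip in events:
        buckets[bin_time(epoch, span_seconds)].add(clientip)
    return {start: len(ips) for start, ips in sorted(buckets.items())}


def bins_over_threshold(events, span_seconds=5, threshold=1):
    """Bin start times whose distinct-client count exceeds the threshold:
    a minimal way to flag a burst of different clients in a short window."""
    counts = distinct_clients_per_bin(events, span_seconds)
    return [start for start, dc in counts.items() if dc > threshold]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("distinct clients overall:", total_distinct_clients(events))
    for start, dc in distinct_clients_per_bin(events).items():
        print(datetime.fromtimestamp(start, tz=timezone.utc).isoformat(), dc)
```

Note the difference between the two `stats` forms: without `by _time` the `bin` step changes nothing visible and you get a single distinct count, so the per-bin grouping the reply is after needs the `by _time` clause.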
02-14-2020
08:32 AM
I'm a bit new to deploying forwarders on endpoints I manage (I'm not new to Splunk).
Many guides I see (including the install instructions for this Sysmon TA) state that you should deploy this TA onto your forwarders.
To do this, the user will need to manually create an outputs.conf file (with indexer IP/DNS) and place it in: \TA-microsoft-sysmon\default\
So why is there not a default/blank outputs.conf file located in \TA-microsoft-sysmon\default\ from the start?
(Or even a blank file, with just a #nothing line? I get that the devs don't know the IP / DNS of our indexers.)
(I'm not complaining about this; I'm asking in case I'm missing something and so that I can better understand, as it would seem to me a majority of users of this TA will be deploying it on forwarders as well as their indexer, so I'm wondering why there is not an outputs.conf "placeholder".)
thanks!
02-13-2020
11:58 PM
Hi @spunk311z,
are you sure that "WinRegMon://default" is the sourcetype of the events to delete? See them in Splunk.
It's correct to install Universal Forwarders on Endpoints, but have you any intermediate Heavy Forwarder between UFs and Indexers?
Ciao.
Giuseppe
03-03-2020
07:50 AM
This might help you!
https://docs.splunk.com/Documentation/Splunk/8.0.2/Forwarding/Routeandfilterdatad
01-01-2020
03:19 PM
Awesome! Thanks so much, that did work!
For any others in the future, all I had to do was upload the CSV file and create a lookup definition (after which you should then see the Supported fields column update with the header from your CSV file, in my case just 1 header/column). Then you can use richgalloway's [ | inputlookup LIST.csv | fields asn | format ] to pull queries from that CSV file, which makes for easy updating in the future!
12-29-2019
10:01 PM
@spunk311z once you convert Dashboard to HTML you use the advantages of Simple XML Framework and you will have to use Splunk Web Framework to create Panels, Viz and Searches. Refer to documentation for conversion from Simple XML to HTML and understanding the HTML Dashboard components: https://dev.splunk.com/enterprise/docs/developapps/webframework/usewebframework/convertsimplexml
However, could you please explain the specific reason for HTML dashboards as to what can not be done in Simple XML dashboard (with JS and CSS extensions if required)?
03-05-2020
12:04 AM
1 Karma
If you found this advice helpful, please accept the answer as it benefits the entire community, which is the goal.
02-15-2020
10:24 PM
I was able to resolve this by editing this file:
C:\Program Files\Splunk\etc\apps\splunk_app_windows_infrastructure\default\eventtypes.conf
(and doing find -> "wineventlog-dns") and then commenting out that one stanza (it was a stanza not relevant to me, especially since it wasn't working anyway). I did the same thing for "wineventlog-ds" as I was getting an error on that as well. tks
02-11-2020
12:43 PM
To be more clear, I want to add that in a deployed app (on a universal forwarder), to make this work in an inputs.conf I had to add it like this:
[default]
index=xyz
Note the line break in my code block above, as in inputs.conf adding it all as ONE LINE like this below:
[default] index=xyz
did not work / had no effect. This was on a 6.6.x Splunk setup / UF
tks