Hi    trying to build a dashboard for user gateaccess, How to visualise this in a live data.   I am looking for some inbuilt visuaisations that helps for this, something like a missilemap but for user moving from one gate to other ... View more

We have two separate splunk instances with ES (standalone not clustered) . Consider it as a HO DR   when i try to move to DR instance of splunk and copy /etc/apps , After restarting DR instance all the notables are in new status . Those notables which are closed in HO splunk is also showing as new. What could be the reason?   I do know that this is managed as a kv store. If we have to migrate KV store related to this. What are the best practises in this case     ... View more

  I have logs indexed like this. How to break entries based on each lines . i need each line as a seperate entry.   I tried to do this via line breaker but didnt succeed. Any method to do it via search after indexing   ... View more

Hi Splunkers The idea is to pull any new file creations on a particular folder inside C:\users\<username>\appdata\local\somefolder i wrote a batch script to pull and index this data. its working but the issue is i cannot define a token for users. eg: In script if i mention the path as C:\users\<user1>\appdata\local the batch script will run as expected an data will be indexed to splunk but if i mention the user1 as %userprofile% or %localappdata% the batch script is not running. How to resolve this     ... View more

Hi  Is it possible to restore archive data from one single host consider we have an index=windows ,we want to restore archive data only for one host ie;index=windows host=xxx . Is it possible someway?   Thanks in advance ... View more

Hi    I have a lookup which looks like this no  name     student     rollno 1      john           yes           12 2       George     no             2345 3      jin                yes          111   How can i iterate through this lookup by the 'no' field and display each entry as a result . I only need one result at a time so when i first run the search the result should be no  name     student     rollno 1      john           yes           12   When i run the same search after a minute the result should be   no  name     student     rollno 2       George     no             2345     Please help ... View more

Hi Team I want to collect source ip from an alert triggered /search ran and then add that to a .txt file exposed on a separate server.(https://urlofserver/ipfile.txt)   What is the best way to achieve this   ... View more

Hi I have an extracted field from regex, ie Time_extract which gives hour. Now I want to get the logs between a period of time, ie time_extract>=10 AND time_extract<23 ..how to go about that? Current search: Date_extract="10/29/16" | stats count by severity | where Time_extract>=12 AND Time_extract<23 ... View more

Hi Team My Splunk Enterprise Security Incident Review is not loading...It just shows "loading" for a long time. I created a notable event and also tried copying the same code to create a separate incident review button, but no luck...please help Thanks in advance ... View more