cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
paulbannister
Communicator
Member since: ‎09-30-2016
‎03-30-2021
Community Statistics
Posts 76
Solutions 8
Karma Given 22
Karma Received 16
Member Since ‎09-30-2016
Activity Feed
View All

Re: Syndication Input (RSS/ATOM/RDF) Add-On

by in All Apps and Add-ons
‎01-05-2022 10:44 AM
‎01-05-2022 10:44 AM
@Mark_D61 can you clarify what you did to get the add-on to appear again? It seems to disappear whenever I attempt to modify syndication.py and restart Splunk. ... View more

Re: Configuring Splunk TA for microsoft teams

by in All Apps and Add-ons
‎06-03-2021 11:41 AM
‎06-03-2021 11:41 AM
Having the same issue.  Anyone able to get this to work? ... View more

Re: Crowdstrike Stream Stops Woking

by in Getting Data In
‎05-20-2021 09:47 AM
‎05-20-2021 09:47 AM
Any updates? Where can I get this beta version 2.0.8?  ... View more

Re: Dropped events with Splunk Add-on for ServiceN...

by in Getting Data In
‎01-18-2021 03:57 AM
‎01-18-2021 03:57 AM
Just as an FYI for anyone with the same issue, the latest version of the TA has been released and contains the fix for the issue. ... View more

Re: Large JSONs are truncated at 4KB

by in All Apps and Add-ons
‎11-29-2020 09:23 PM
‎11-29-2020 09:23 PM
No, we changed our input to use HEC directly. ... View more

Re: Microsoft Teams Add-on for Splunk on a Cloud I...

by in All Apps and Add-ons
‎11-25-2020 12:39 AM
‎11-25-2020 12:39 AM
Hi @thambisetty  I've had it installed on our IDM already and Splunk Support have stated there is no reason it shouldn't work so we have been looking to configure with no luck so far However I've got a feeling that the issue may lie on our Teams admin side trying to configure the credentials, tokens and certs correctly for "public" access, just trying to ascertain if anyone had any success so far with this setup and what pitfalls were encountered ... View more

Re: Hi team, i need to extract the locale field in...

by in Splunk Search
‎11-17-2020 07:58 AM
‎11-17-2020 07:58 AM
Hi There, \/(?P<locale>[^\/]+)\/klarna Or within the Splunk search itself:   |rex field= ##INSERT RELEVANT FIELDNAME## "\/(?P<locale>[^\/]+)\/klarna" ... View more

Re: Subtract time from time picker token response

by SplunkTrust in Dashboards & Visualizations
‎02-07-2020 12:20 PM
‎02-07-2020 12:20 PM
I believe you're looking for this. https://answers.splunk.com/answers/558071/how-to-subtract-date-for-a-timechart-panel-from-th.html#answer-558579 ... View more

Re: Scheduled Searches delayed by one hour

by in Splunk Search
‎02-07-2020 08:41 AM
‎02-07-2020 08:41 AM
Thank you, guys. The mail idea brought me on the right track. The email apparently sometimes gets quarantined because of its attachment and then released automatically an hour later. ... View more

Re: I just created this account to study for the C...

by in Training + Certification Discussions
‎02-07-2020 07:44 AM
‎02-07-2020 07:44 AM
Ok, then yes you'll need to login with the admin account and it should prompt you to change the license type, if not then head to Settings > Licensing and you'll be able to change the details from there ... View more

Re: Can we create DB Connect inputs in separate ap...

by in All Apps and Add-ons
‎09-13-2019 06:48 AM
‎09-13-2019 06:48 AM
Hi There, What version of DB Connect and Splunk were the original inputs created under, also why is there a requirement to create said inputs under a separate app? But as quick fix, as I've experienced a db migration issue before, just re-create the db input as a new input and all should work fine ... View more

Re: DB Connect 3.1.4 Data Duplication & Rising Col...

by in All Apps and Add-ons
‎07-19-2019 03:37 AM
1 Karma
‎07-19-2019 03:37 AM
1 Karma
UPDATE Currently we are exploring the fact that in might be a limit issue on the size of messages that HEC can handle, to resolve this we've updated our HF to 7.0.6 so that we are able to set the maxEventSize in the inputs.conf for [HTTP] So far all feeds concerned seem stable and are continuing to ingest data, but we have had periods of stability like this before so we're going to let it sit for a week or so to confirm FIXED So doing the above seemed to have fixed the issue, updating to 7.0.6 which allowed us to use the maxEventSize config setting, an obscure issue but hopefully this will prove helpful to someone down the line. Under $SPLUNK_HOME$/etc/apps/splunk_httpinput/local/inputs.conf we merely added the stansa: [http] maxEventSize=15728640 ... View more

Re: Monitoring private shared drive on a remote se...

by in Monitoring Splunk
‎07-03-2019 05:42 AM
‎07-03-2019 05:42 AM
Thanks for the answer. I found that the file logs are not being captured by the event viewer. So first I will need to get the logs to the event viewer then send to the platform. Any idea on getting this done? Thanks ... View more

Re: sql query not working after upgrading db conne...

by in All Apps and Add-ons
‎07-03-2019 06:58 AM
‎07-03-2019 06:58 AM
No problem, its always the little things that trip us up! ... View more

Re: how to make sparkline and barchart in 1 dashbo...

by in Dashboards & Visualizations
‎07-02-2019 08:34 AM
‎07-02-2019 08:34 AM
Please paste your xml code so that people here can help you better. ... View more

Re: Can we track changes to a file

by in Monitoring Splunk
‎06-20-2019 06:54 AM
1 Karma
‎06-20-2019 06:54 AM
1 Karma
Hi There, There is a deprecated input method called "fschange" that monitors for file system changes which may provide what you are looking for, as I said it is being deprecated but still currently works for us, example inputs below: [fschange:\YOUR_FILE_PATH] fullEvent=true pollPeriod=3600 recurse=true sendEventMaxSize=100000 signedaudit=false disabled=0 ... View more

Re: Could you help me with the syntax for an "IF/T...

by SplunkTrust in Splunk Search
‎10-05-2018 10:25 AM
‎10-05-2018 10:25 AM
@Mohsin123 Can you please replace your value in my sample search and execute? |makeresults | eval Response_time=<<REPLACE_YOU_VALUE>> | eval Response_time=case(Response_time<1000,"lt1Sec",Response_time>=1000 AND Response_time<=3000,"bet1-3Sec",Response_time=3000,"gt3SEC") OR Can you please share the sample output of your search? So I can work on it. YOUR_SEARCH | table Response_time | head 5 ... View more

Re: From a Heavy Forwarder to an Indexer, how can ...

by in Getting Data In
‎09-21-2018 10:10 AM
‎09-21-2018 10:10 AM
Thanks for the response! Adding the index= directly to the universal forwarder instead of only on the indexer worked for me. ... View more

Re: change column name with specified new column v...

by in Splunk Search
‎06-27-2018 11:11 AM
1 Karma
‎06-27-2018 11:11 AM
1 Karma
Hi, Perhaps I am not getting your use case or I am not able to explain. At any rate I have written a query on the default _audit index , so that you can run the query as it is (select last 24 hours) index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-27-2018 Now, the 06-27-2018 needs to be replaced by current day -1, so if you run this on 30th June you would write something like - index="_audit" | eval current = strftime(_time,"%m-%d-%Y") | eval A = if(action="search","search","no search") | eval {current} = A |table 06-29-2018 Is this something like what you need? ... View more

Re: How to search in the subquery for join?

by in Splunk Search
‎06-05-2018 07:39 AM
‎06-05-2018 07:39 AM
Oops, error on my part, I had an invalid serial number ... View more

Re: How to use an index for a lookup

by in Splunk Search
‎03-21-2018 10:29 AM
‎03-21-2018 10:29 AM
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that ... View more

Re: how to initially setup a summary index ?

by in Splunk Dev
‎04-25-2018 10:21 PM
‎04-25-2018 10:21 PM
gratzi - accelerated the report and it gave me exactly what i was looking for. ... View more

Re: search to find Bush's stolen watch

by in Splunk Search
‎03-07-2018 05:00 PM
1 Karma
‎03-07-2018 05:00 PM
1 Karma
SInce there are so many presidents and watches in the index, you'd want to be in the habit of checking identity of the president first, rather than wasting all those mips counting up the other couple of hundred records. Also, since typists may get confused between the various George Bush presidents, and because the name can appear in various forms, you might be better off testing for something like... | search (first_name="George" AND last_name="Bush") OR president_number = 43 ... View more

Re: Cannot update Qualys API credentials

by SplunkTrust in All Apps and Add-ons
‎02-01-2018 03:15 PM
3 Karma
‎02-01-2018 03:15 PM
3 Karma
Here's the response I got from Qualys support: In order to update the changes successfully into the Qualys TA for Splunk, please follow the below steps: 1)From Settings> Data Inputs disable the TA Inputs 2)Delete passwords.conf file. 3)Reboot the splunk instance. 4)Go to TA config in Splunk UI and give the credentials again. 5)Check if the passwords.conf file created 6)Enable TA inputs from data Inputs Perpetual workaround, it seems 😞 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-30-2021 01:11 PM
Karma from