About hbacbs

hbacbs · ‎10-17-2018

Hi Darren, thanks for your quick response. The subsearch basically works as expected. Unfortunately it fails if a transaction is not closed because there is a "Start exclude messages" event without matching "End exclude messages" event or vice versa. Also I could not get the proposed combination of main search and subsearch working. If I directly apply the syntax as I receive an error: Search Factory: Unknown search command 'index'. However when I add the search keyword to the subsearch index=IndexWhereTheDataIs sourcetype=SourcetypeWhereTheDataIs [ search index= ... the search result is empty and I could not figure out why since when I execute the searches separately and add the result of the subsearch manually to the main search, it works like a charm.

markusspitzli · ‎02-22-2019

I'm not sure but I think you have a / to much in your stanza. It should look like this: [monitor:///var/log/nginx/server-access.log*] If this still not works I would make two stanzas: [monitor:///var/log/nginx/server-access.log] [monitor:///var/log/nginx/server-access.log-*]

lakromani · ‎10-16-2018

This is an ugly hack. You modify the original Splunk application. This should be done using an app, or even better there should be a built in setting to configure this.

hbacbs · ‎10-11-2019

CSS is made for styling not for security. It's like putting the key under the mat.

Posts	6
Solutions	0
Karma Given	0
Karma Received	2
Member Since	‎08-17-2012

Online Status	Offline
Date Last Visited	‎10-11-2022 06:54 AM

How to exclude multiple time ranges in a search?

Stanza to select Nginx log files

Re: How to exclude multiple time ranges in a searc...

Re: Stanza to select Nginx log files

Re: Is there a way to hide or disable "Manage Apps...

Re: SPLUNK 6.1.1 - Customzing Splunk logo and Mess...

Join the Conversation