| stats max(avg_io_wait_time) as avg_io_wait_time by host | sort avg_io_wait_time | streamstats c as severity | eval host = printf("%*s", len(host) + severity, host) | stats max(avg_io_wait_time) as avg_io_wait_time by host ... View more

@hsynli wrote: Has there been an update and/or resolution to this issue? Or do we know the root of the issue? I have a similar, most probably the same issue. It seems to me Splunk forwarder stops sending logs when the defender platform or engine is updated (event codes 2002 and 2014, but not limited to). Logs start being sent to Splunk as soon as the splunkforwarder is restarted. That matches the issue. Fixed in 8.2.7 and above, and also in 9.0.0 and abovehttps://docs.splunk.com/Documentation/Splunk/8.2.7/ReleaseNotes/Fixedissues#Universal_forwarder_issues   ... View more

Just check, it was your case actually ... View more

For anyone finding this, as this came up on Slack: [default] doesn't apply to modular inputs, most notably wineventlog. You'll need to add it to the top level stanza for that input type: [WinEventLog] _meta = hf_proxy::meta_test https://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorWindowseventlogdata#Specify_global_settings_for_Windows_Event_Log_inputs ... View more

It is accurate. Martin Mueller has verified it too. ... View more

Worked a similar issue with support, but couldn't use the "where" option due to the way my search was formed. You can also make a change to limits.conf to use the old behavior. Documenting here in case anyone else finds this article looking for a similar solution. Workaround: limits.conf: [search] use_search_evaluator_v2=false Tracked as Splunk Issues: SPL-179357, SPL-179700 Reference: https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/Knownissues ... View more

The subsearch one was reported as SPL-176990 is fixed in 7.3.3 for where tstats where, reported as SPL-179746, fix planned for 7.3.4 at the moment ... View more

Great! You can mark my answer as accepted, the remaining part of the solution (fixing the regex) are comments under that same answer 🙂 https://answers.splunk.com/answering/735899/view.html ... View more

The answer from @mhoogcarspel_splunk is correct. If it isn't working, try also adding: INDEXED_VALUE = true If that doesn't work, then open a support case with splunk. ... View more

New Error "Error in 'SearchProcessor': Found circular dependency when expanding from.Network_Traffic.All_Traffic" ... View more

Hi, can you take a look at this post again? I am having some issues with the code. Thanks, Steve ... View more

Great its working for me ... View more

Thanks for the update, thats what i feel but just thought of double check ... View more

This reads like SPL-154973 actually, fixed in 7.1.3+ http://docs.splunk.com/Documentation/Splunk/7.1.3/ReleaseNotes/Fixedissues Upgrade SH and IDX to 7.1.4+ (can't recommend to upgrade to 7.1.3 for other issues). ... View more

Maarten from support here, I found this after the case you raised with me. I provided something similar to the answer here: https://answers.splunk.com/answers/386482/how-to-configure-splunk-to-index-netapp-cifs-logs.html [netapp-audit] SHOULD_LINEMERGE=false LINE_BREAKER=()() TIME_PREFIX=TimeCreated KV_MODE=xml ... View more

The eval at the end gives you the responseTime field that has that information, should just be there if you're not filtering fields after the eval, sounds like you might be filtering it out somewhere though? Add this to the end for a bit of formatting/filtering: | table transactionId responseTime request response ... View more

This worked - thx ... View more

By looking at the CIM doc http://docs.splunk.com/Documentation/CIM/4.9.1/User/Malware you want to use "dest_nt_domain" field to extract the domain separately from the username. ... View more

Depending on your version of splunk, you have to have fields.conf in your indexer (6.5 or below) From 6.6 this is taken from the search head: http://docs.splunk.com/Documentation/Splunk/6.6.0/Installation/Aboutupgradingto6.6READTHISFIRST#Indexers_in_a_distributed_Splunk_environment_now_respect_the_INDEXED_setting_in_fields.conf_on_search_heads_only Also, make sure that if you're using a seperate app to deploy your fields.conf, that it's shared outside the app using the metadata files. ./app/metadata/default.meta: [fields] export = system ... View more

Gorgeous ; - ) ... View more

Maybe try an eval based field with replace() I checked it using: | makeresults | head 1| eval _raw="field = 1;like&" | eval testfield=replace(_raw, "[^0-9&',-.\\/a-z\n]", "") testfield comes out as: "field1like&" ... View more

lol, I see just now that your problem is not my problem. I should go into the weekend 😄 My problem is, that I use the searchmanager to execute a search which writes data from the dashboard (basically the dashboards sole reason is collecting user input which can't be automatically collected) into a summary index. There it occurs sometimes that one search results in two events added to the index. In other words the search is executed twice, but not the js code. Any idea anyway? ... View more

Not only if you deploy the fields.conf in an app but /etc/system/local as well. The field would show up in a search but as soon as you try to search for a specific field value it would return no results. I had to add the export = system if I was deploying it to /etc/system/local ... View more