Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About cwilmoth
cwilmoth
Path Finder
Member since:
04-17-2013
10-21-2025
Community Statistics
| Posts | 23 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 9 |
| Member Since | 04-17-2013 |
Activity Feed
- Posted Cisco Secure Endpoint events on All Apps and Add-ons. 10-21-2025 12:19 PM
- Got Karma for Why is Drilldown to new dashboard not interpreting token value with whitespace properly?. 03-20-2024 06:01 AM
- Got Karma for Reset all inputs to default in dashboard studio?. 12-19-2023 10:19 AM
- Got Karma for Reset all inputs to default in dashboard studio?. 02-02-2023 11:57 AM
- Posted Reset all inputs to default in dashboard studio? on Dashboards & Visualizations. 02-02-2023 11:38 AM
- Posted Why is Drilldown to new dashboard not interpreting token value with whitespace properly? on Dashboards & Visualizations. 01-06-2023 07:11 AM
- Got Karma for Default LINE_BREAKER broken?. 06-05-2020 12:48 AM
- Got Karma for Re: Should I use root events, root transactions, or root searches to set up my data model?. 06-05-2020 12:48 AM
- Got Karma for How to change the label for a Submit button in HTML?. 06-05-2020 12:47 AM
- Got Karma for DB Connect in a Clustered Environment: Why am I getting missing python script errors, failed configuration bundle distribution and duplicate data?. 06-05-2020 12:47 AM
- Got Karma for DB Connect in a Clustered Environment: Why am I getting missing python script errors, failed configuration bundle distribution and duplicate data?. 06-05-2020 12:47 AM
- Got Karma for How to calculate total duration for overlapping transactions. 06-05-2020 12:47 AM
- Posted Restrict searches from unowned search head in indexer cluster on Deployment Architecture. 10-22-2019 02:34 PM
- Tagged Restrict searches from unowned search head in indexer cluster on Deployment Architecture. 10-22-2019 02:34 PM
- Tagged Restrict searches from unowned search head in indexer cluster on Deployment Architecture. 10-22-2019 02:34 PM
- Posted Re: Should I use root events, root transactions, or root searches to set up my data model? on Splunk Search. 05-09-2017 01:16 PM
- Posted Re: Splunk Common Information Model (CIM): Why is data model acceleration not working for Email data model? on Splunk Enterprise Security. 04-18-2017 05:33 AM
- Posted Splunk Common Information Model (CIM): Why is data model acceleration not working for Email data model? on Splunk Enterprise Security. 04-17-2017 12:47 PM
- Tagged Splunk Common Information Model (CIM): Why is data model acceleration not working for Email data model? on Splunk Enterprise Security. 04-17-2017 12:47 PM
- Posted Re: Splunk Enterprise Security: Is it recommended to turn data model acceleration on or use correlation search for the Identity Management data model? on Splunk Enterprise Security. 03-21-2017 06:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 |
10-21-2025
12:19 PM
We have configured the Cisco Security Cloud app with a Secure Endpoint input. The input works and we are getting some data, but not all of the same data that we got through the old Cisco AMP for Endpoints add-on. In the documentation for Cisco Security Cloud, there is a (mandatory) option to select Event Types when configuring the input. And it says that you can configure multiple Event Types here. We do not see this option when setting it up on our Splunk Cloud search head. Is this a bug?
... View more
Labels
- Labels:
-
configuration
02-02-2023
11:38 AM
2 Karma
Is there a way to one-click reset all inputs back to their default values in dashboard studio? I have 7 different inputs (dropdowns and text) that are being used as filter criteria for a table. I would like a way to click "something" and have them all set back to their respective default values. I have done something similar for another dashboard that resets tokens that have been set based on clicked rows in charts/tables (just using a single value panel and setting all of the tokens), but I don't see a way to do this for inputs. Reloading the dashboard doesn't set them back to default either. It requires exiting the dashboard and relaunching.
Thanks
Craig
... View more
Labels
- Labels:
-
Dashboard Studio
-
token
01-06-2023
07:11 AM
1 Karma
I have created a dashboard in Dashboard Studio and have configured a "Link to dashboard" drilldown. It works fine when the token value does not have any whitespace in it but does not work when there are spaces. The URL that is generated from the drilldown has a format of "firstword%2Bsecondword" and when I show the token value in the second dashboard, it is translated to "firstword+secondword". This causes the search to return 0 results due to the "+" in the value. How do I configure this so that there is a space in the value instead of a "+"?
Thanks
... View more
Labels
- Labels:
-
dashboard
-
Dashboard Studio
-
drilldown
-
token
10-22-2019
02:34 PM
We have a 3 node indexer cluster with one search head. We have allowed another team to connect their search head to our cluster so that they can pull certain statistics. Is there a way to restrict what they are allowed to search (namely disable real-time search ability)? We have control over our search head as far as what users can do, but we don't have any control over their search head configuration. We used to be able to restrict them when they connected via distributed search (needed a valid user/role on our end), but now that they are using clustering (only need the secret key to join) we don't have that option anymore.
Thanks.
... View more
05-09-2017
01:16 PM
1 Karma
Iguinn,
From the Knowledge Manager manual:
Datasets can only be accelerated if they contain at least one root event hierarchy or one **root search hierarchy that only includes streaming commands. Dataset hierarchies based on root search datasets that include nonstreaming commands and root transaction datasets are not accelerated
Doesn't that mean that root search datasets can in fact be accelerated? I am asking because it does not look like the CIM Malware Operations dataset is accelerating for us (which would agree with your previous statement), but the manual seems to imply that it should.
... View more
04-18-2017
05:33 AM
The data model is accelerated. I can go to the Data Model Audit page and see that it is enabled, but it does not build. It is always at 0. When I clone it to a new name, that model builds to completion in about 10 minutes. I can leave the Email model go for days and it never goes past 0.
The scheduler is running the searches for this every five minutes but it looks like it is coming back with zero results every time. I started digging through the acceleration searches and I think I found something. There is a warning from the StringSearchExpander that it is "Unable to find tag email". This tag is specified in the TA_cisco_esa app and has global permissions, so I'm not sure why it can't be "found".
... View more
04-17-2017
12:47 PM
We are running the latest versions of Splunk Enterprise, Splunk Enterprise Security, and Splunk Common Information Model (CIM) [SA_CIM]. I can enable acceleration for the Email data model, but it never goes past 0% built and always says "Building". I am not having issues with any other data model. If I search for tag=email like the data model constrains to, I get plenty of events (Cisco IronPort source). If I search the data model | datamodel Email search , it returns events. Yet acceleration (which drives the email dashboards) does not work. If I clone the Email model to Email_temp and accelerate the new one, it works fine. What could be the issue here?
Thanks
Craig
... View more
03-21-2017
06:47 AM
Ah. Datamodel commands do not use accelerations. That answers my question. Thanks jwelch.
... View more
03-20-2017
11:35 AM
This is not a SHC. We just have one Search Head
We are running Splunk 6.5.2 and ES 4.5.2
The correlation search is set to Start Time -5m@m, End time +5m@m Cron schedule */5 * * * *, and Scheduling is "Real-time Schedule"
I have already added the "index=xxx" to the data model and it is slightly faster but not much.
The main question is "why is the correlation search showing that it is searching through a bunch of events when the data model is essentially empty?" This is an accelerated search, so it should be searching the accelerated index. Is it due to the fact that the correlation search looks to "future" events (+5m@m) that are not in the accelerated index?
Thanks.
... View more
03-16-2017
09:00 AM
Does it make sense to turn data model acceleration on for the Incident Management data model (default summary range is "None")? Of concern in this case is the Expired Entity Activity search in Splunk Enterprise Security (ES). I enabled acceleration for this model and it took a very long time to complete the build. After showing 100% complete, the size of the model is only .5MB. One of the longest running/most skipped searches we have is the correlation search that looks for expired user activity from this model. When I run the manual | datamodel ... search, I see it iterating through thousands of events when I would expect the acceleration to be doing that in the background and my correlation search returns immediately (since there aren't any matches). Is this a case of when the data model is empty the search goes to _raw? Would acceleration on the correlation search be better than the data model?
Please advise.
Thanks.
Craig
... View more
06-14-2016
08:28 AM
Nothing has been changed in the default directory. The props.conf file is dated 5/12/2016 just like all the other default files that were put in place by the 6.4.1 upgrade. The previous default files (6.3.3) were all dated 4/28/2015 and that old props.conf file also had SHOULD_LINEMERGE set to true.
From props.conf.spec:
SHOULD_LINEMERGE = [true|false]
* When set to true, Splunk combines several lines of data into a single
multiline event, based on the following configuration attributes.
* *Defaults to true.*
... View more
06-14-2016
06:39 AM
With:
F:\Splunk\etc\apps\Dso_deploy_hvy_fwdrs\default\props.conf [deepsecurity-system_events]
F:\Splunk\etc\system\default\props.conf ANNOTATE_PUNCT = True
F:\Splunk\etc\system\default\props.conf AUTO_KV_JSON = true
F:\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE =
F:\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE_DATE = True
F:\Splunk\etc\system\default\props.conf CHARSET = AUTO
F:\Splunk\etc\system\default\props.conf DATETIME_CONFIG = \etc\datetime.xml
F:\Splunk\etc\system\default\props.conf HEADER_MODE =
F:\Splunk\etc\system\default\props.conf LEARN_SOURCETYPE = true
F:\Splunk\etc\apps\Dso_deploy_hvy_fwdrs\default\props.conf LINE_BREAKER = ([\r\n]+)
F:\Splunk\etc\system\default\props.conf LINE_BREAKER_LOOKBEHIND = 100
F:\Splunk\etc\system\local\props.conf MAX_DAYS_AGO = 90
F:\Splunk\etc\system\default\props.conf MAX_DAYS_HENCE = 2
F:\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_AGO = 3600
F:\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_HENCE = 604800
F:\Splunk\etc\system\default\props.conf MAX_EVENTS = 256
F:\Splunk\etc\system\default\props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
F:\Splunk\etc\system\default\props.conf MUST_BREAK_AFTER =
F:\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_AFTER =
F:\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_BEFORE =
F:\Splunk\etc\system\default\props.conf SEGMENTATION = indexing
F:\Splunk\etc\system\default\props.conf SEGMENTATION-all = full
F:\Splunk\etc\system\default\props.conf SEGMENTATION-inner = inner
F:\Splunk\etc\system\default\props.conf SEGMENTATION-outer = outer
F:\Splunk\etc\system\default\props.conf SEGMENTATION-raw = none
F:\Splunk\etc\system\default\props.conf SEGMENTATION-standard = standard
F:\Splunk\etc\apps\Dso_deploy_hvy_fwdrs\default\props.conf SHOULD_LINEMERGE = false
F:\Splunk\etc\system\default\props.conf TRANSFORMS =
F:\Splunk\etc\apps\rb_steelhead_ta\default\props.conf TRANSFORMS-riverbed_src = riverbed_src
F:\Splunk\etc\apps\Dso_deploy_hvy_fwdrs\default\props.conf TRANSFORMS-t3 = set-tm-fw-sourcetype,set-tm-log-sourcetype,set-tm-im-sourcetype,set-tm-ip-sourcetype,set-tm-ipsevents
F:\Splunk\etc\system\default\props.conf TRUNCATE = 10000
F:\Splunk\etc\system\default\props.conf detect_trailing_nulls = auto
F:\Splunk\etc\system\default\props.conf maxDist = 100
F:\Splunk\etc\system\default\props.conf priority =
F:\Splunk\etc\system\default\props.conf sourcetype =
Without:
F:\Splunk\etc\apps\Dso_deploy_hvy_fwdrs\default\props.conf [deepsecurity-system_events]
F:\Splunk\etc\system\default\props.conf ANNOTATE_PUNCT = True
F:\Splunk\etc\system\default\props.conf AUTO_KV_JSON = true
F:\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE =
F:\Splunk\etc\system\default\props.conf BREAK_ONLY_BEFORE_DATE = True
F:\Splunk\etc\system\default\props.conf CHARSET = AUTO
F:\Splunk\etc\system\default\props.conf DATETIME_CONFIG = \etc\datetime.xml
F:\Splunk\etc\system\default\props.conf HEADER_MODE =
F:\Splunk\etc\system\default\props.conf LEARN_SOURCETYPE = true
F:\Splunk\etc\system\default\props.conf LINE_BREAKER_LOOKBEHIND = 100
F:\Splunk\etc\system\local\props.conf MAX_DAYS_AGO = 90
F:\Splunk\etc\system\default\props.conf MAX_DAYS_HENCE = 2
F:\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_AGO = 3600
F:\Splunk\etc\system\default\props.conf MAX_DIFF_SECS_HENCE = 604800
F:\Splunk\etc\system\default\props.conf MAX_EVENTS = 256
F:\Splunk\etc\system\default\props.conf MAX_TIMESTAMP_LOOKAHEAD = 128
F:\Splunk\etc\system\default\props.conf MUST_BREAK_AFTER =
F:\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_AFTER =
F:\Splunk\etc\system\default\props.conf MUST_NOT_BREAK_BEFORE =
F:\Splunk\etc\system\default\props.conf SEGMENTATION = indexing
F:\Splunk\etc\system\default\props.conf SEGMENTATION-all = full
F:\Splunk\etc\system\default\props.conf SEGMENTATION-inner = inner
F:\Splunk\etc\system\default\props.conf SEGMENTATION-outer = outer
F:\Splunk\etc\system\default\props.conf SEGMENTATION-raw = none
F:\Splunk\etc\system\default\props.conf SEGMENTATION-standard = standard
F:\Splunk\etc\system\default\props.conf SHOULD_LINEMERGE = True
F:\Splunk\etc\system\default\props.conf TRANSFORMS =
F:\Splunk\etc\apps\rb_steelhead_ta\default\props.conf TRANSFORMS-riverbed_src = riverbed_src
F:\Splunk\etc\apps\Dso_deploy_hvy_fwdrs\default\props.conf TRANSFORMS-t3 = set-tm-fw-sourcetype,set-tm-log-sourcetype,set-tm-im-sourcetype,set-tm-ip-sourcetype,set-tm-ipsevents
F:\Splunk\etc\system\default\props.conf TRUNCATE = 10000
F:\Splunk\etc\system\default\props.conf detect_trailing_nulls = auto
F:\Splunk\etc\system\default\props.conf maxDist = 100
F:\Splunk\etc\system\default\props.conf priority =
F:\Splunk\etc\system\default\props.conf sourcetype =
... View more
06-13-2016
02:43 PM
1 Karma
We recently upgraded from 6.3.3 to 6.4.1 in an attempt to fix some performance issues. After upgrading, there were a ton of "Changing breaking behavior for event stream because MAX_EVENTS (256) was exceeded without a single event break..." for multiple data sources on our heavy forwarders. I struggled to figure out why and eventually just created a [default] stanza in the props.conf file that gets deployed to both of our heavy forwarders and put the default LINE_BREAKER = ([\r\n]+) in there. After deployment, events are breaking just fine (like they were before).
Is this a known issue? I did not see anything in the release notes.
Thanks.
... View more
- Tags:
- line_breaker
05-18-2016
08:59 AM
Well, that's kind of my point - the warning did not go away after 14 days. I would like this to go away so that other admins do not think that there is something wrong...
... View more
05-17-2016
10:25 AM
BTW, we are running a 3 node indexer cluster here which is why there are 3 warnings - they all came in at the same time.
... View more
05-17-2016
10:23 AM
We exceeded our license one day only a couple of months ago and I still see the warning showing up in the Licensing window of our Master license server. Aren't these supposed to go away after 14 days with no other violations?
"3 license window warnings reported by 3 indexers 2 months ago"
Thanks.
... View more
- Tags:
- license-violation
05-17-2016
10:18 AM
According to Splunk support, this will be fixed in the 6.3.5 release which is not out yet...
... View more
03-15-2016
07:08 AM
We have recently switched our Splunk environment over to larger physical servers running 2 - Intel Xeon E5-2695 v3 processors each. These are 14 core processors, so each machine should be showing 28 cores. However, when I query the server info REST endpoint, it only shows 14 cores each. So I'm sure this is causing issues with performance since Splunk sets parameters based on number of cores. Also, our Enterprise Security app is complaining that the search head doesn't meet the minimum required specifications for hardware.
Please advise.
Thanks.
... View more
01-27-2016
03:47 PM
1 Karma
I have been trolling the community and have found a lot of information regarding usage of transactions, however I am not finding a solution for what I need to do. I need to calculate the total duration for a users Citrix sessions for a particular day. This is pretty easy if:
user ICA_START=08:00 id=1111
user ICA_END=12:00 id=1111
user ICA_START=13:00 id=2222
user ICA_END=17:00 id=2222
I can just use "transaction user id startswith="ICA_START" endswith="ICA_END" | stats sum(duration) by user" (simplified from my actual search, but this is the core of it) to get a total duration of 08:00:00.
This works fine if the transactions do not overlap, but how do I go about this when a user decides to open up multiple Citrix sessions? i.e.
user ICA_START=08:00 id=1111
user ICA_START=08:10 id=2222
user ICA_END=17:00 id=(1111 OR 2222 - depending on which one they shut down first)
user ICA_END=17:10 id=(1111 OR 2222 - depending on which one they shut down last)
If I use the above search, I get a duration of 18:00:00 when really what I want to show is 09:10:00. I have no way of knowing how many sessions will be opened during a day or how many will be concurrent.
So basically what I (think I) need is a way to fill time buckets per user per day for each session they use
...
07:55 - 0
08:00 - 1
08:05 - 1
08:10 - 2
...
11:55 - 2
12:00 - 0
...
13:00 - 0
13:05 - 1
13:10 - 2
...
17:00 - 2
17:05 - 0
And then count the number of buckets that are > 0 and multiply by 5? I would do this on a more granular basis, but set it to 5 minute buckets for brevity.
If anyone has done this or has suggestions, I would really appreciate it.
Thanks
Craig
... View more
07-16-2015
08:08 AM
We have installed the eStreamer app on a Linux forwarder feeding up to our Windows indexers. It will work fine for a number of days and then all of a sudden we stop indexing data from it. We look in the logs on the forwarder and do not see any errors. The estreamer_client.pl script is still running but apparently doing nothing. If we kill the process, another one starts up after a short while and we start receiving defense center data again. However, it does not pick back up from the last point that we received data - so we have a gap that corresponds to how long it took us to realize that the data stopped coming in. The client check utility is no help here. Anyone else seen this? I hate to schedule a recurring restart of the process, but that is the path we are heading down right now.
Thanks.
... View more
04-14-2015
02:12 PM
I have seen a few other questions about huge data volumes surrounding Windows Event log processing, but I haven't seen a clear answer as to the cause.
We have a group of servers that have the System and Security event log monitors active. I am watching 10-15MB of license usage being consumed per minute with these servers. If I search based on indextime > xxx and look at the _time values, they are in fact older events. However, when I talk to the Windows admin and have him look at the System log on the server he reports a count of around 75,000. I have close to 30 million events and still counting for this one server (average of 500 events per second). Where can it be pulling this data from? It doesn't look like it is duplicate data.
We need to get a handle on this prior to deploying to the rest of our production Windows hosts. I appreciate any help in targeting the problem here.
Thanks.
... View more
09-23-2014
01:57 PM
2 Karma
We have a master cluster, 2 search heads and 2 indexers in our setup. We have done development on a standalone server and are now moving the configuration to the cluster. I put the dbx app out in the /opt/splunk/etc/master-apps directory so that it gets distributed to both indexers, but we are seeing some issues:
- Configuration bundle distribution fails from the UI on the master cluster server. It complains about invalid stanzas and spec files. If I do a distribution from the command line with the --skip-validation option, everything goes out and the db connections gather data like they are supposed to. Why is this complaining when performing validation?
- Unable to list the database inputs on the indexers. When I click on Settings->Data Inputs, I see that there are 2 Database INputs listed which is correct. When I click on the database inputs link to list them, I get "An error occurred completing this request: In handler 'dbx-monitors': Cannot call handler 'dbx-monitors' due to missing script 'rest_handler_dbmon.py'". I verified that this file exists under the /opt/splunk/etc/slave-apps/dbx directory, so not sure why this is erroring out.
- Unable to list the external databases on the indexers. When I click on Settings->External Databases, I get "An error occurred completing this request: In handler 'databases': Cannot call handler 'databases' due to missing script 'rest_handler_dbs.py'". I also verified that this file exists under slave-apps.
- Lastly, I was under the impression that if you had two peer servers in a cluster synchronizing the same indexes that there would be no duplicates. We are querying data from the same source db tables and putting them into the same indexes on both peers and we are seeing two of every row. Is there a setting we need to set to deduplicate?
Thanks.
... View more
09-10-2014
12:46 PM
1 Karma
I have a form that contains a submit button and it has been converted to HTML so that I can change the label from "Search" to "Submit". However, this does not work. Here is the code that Splunk created for me when I chose to "Convert to HTML":
<div class="input form-submit" id="search_btn">
<button class="btn btn-primary submit">Search</button>
</div>
I should just have to change the description, right? To this?:
<div class="input form-submit" id="search_btn">
<button class="btn btn-primary submit">Submit</button>
</div>
It still shows "Search" as the label for the button on the form when using the second example. If I change or remove the id tag (id="submit_btn"), then the label changes to whatever I put right before the tag, but then the submit functionality does not work. Does anyone know what is going on here? Splunk version 6.0.2.
Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-21-2025
12:13 PM
|
