From the splunk docs i have observed server.conf ciphersuite is different from inputs.conf and outputs.conf. Check your cipheresuite. https://docs.splunk.com/Documentation/Splunk/7.1.3/Security/Ciphersuites ... View more

Hi, I tried temperature sourcetype=kaa | rex field=_raw "\"endpointKeyHash\":{\"string\":\"(? [^\"])\".\"Event\": (? {.*})}$"| spath input=mydata | table _time, endpoint, temperature | eval threshold = 50 | where temperature > threshold | sendemail to="abc@mail.com" sendresults=true but python.log still show the same msg 2017-06-20 23:07:05,436 +0800 ERROR sendemail:137 - Sending email. subject="Splunk Alert: Temperature Threshold Exceeded!", results_link="http://HS:8000/app/search/search?q=%7Cloadjob%20rt_scheduler__admin__search__RMD565cc5b97a7fcf839_at_1497971133_358.2%20%7C%20head%201%20%7C%20tail%201&earliest=0&latest=now", recipients="[u'abc@mail.com']", server="localhost" 2017-06-20 23:07:05,437 +0800 ERROR sendemail:443 - [Errno 10061] No connection could be made because the target machine actively refused it while sending mail to: abc@mail.com May I know how do I verify that the email exchange is setup/configured properly on Splunk Server? ... View more

Change from batch to monitor so that the original source file is preserved (this step is not necessary if you have access to the original file through some other means) and then check the source field for the event that contains the header. Once you know the name of the offending file, go back to it and examine it. I believe you will find something in that file that is different from all the other files. There might be a blank line as the first line or some other unexpected characters or formatting. Eliminate the source of this and that will fix your problem. ... View more

Like this: index=MyIndex (sourctype=sourcetype1 OR sourcetype=sourcetype2) | stats dc(sourcetype) AS numSourcetypes values(*) AS * by CID | search numSourcetypes=2 | table CN Application ... View more

And if you want to index the epoch timestamp field (dt) then remove/comment out DATETIME_CONFIG and add the following lines instead #DATETIME_CONFIG = CURRENT MAX_TIMESTAMP_LOOKAHEAD=230 TIME_FORMAT=%s TIME_PREFIX=dt.:\s ... View more

Way to go @alacercogitatus! If your theory is correct, then the OP can get example code by downloading the Splunk v6 Dashboard Examples app here: https://splunkbase.splunk.com/app/1603/ Inside, there is a very clear run-anywhere example of a Django-based Sankey diagram that does exactly this but with a much simpler visual abstraction (not quite a fancy as your picture). The only real downside is that I have heard from a Splunk employee (actually written in this very forum) that Splunk will be moving away from and probably eventually deprecating Django. ... View more

here: firstTime is the timestamp for the first time that the indexer saw an event from this host. lastTime is the timestamp for the last time that the indexer saw an event from this host. recentTime is the indextime for the most recent time that the index saw an event from this host. In other words, this is the time of the last update. 691 and 2012 are the hrs ... View more

Hi Ishangajera, In regards to 10k data limitation for post-search, my understanding (from reading the documentation) is that transforming commands do not remove this limitation; it's simply a way to reduce the amount of _raw data to hopefully less than 10k. I've not actually tested this, so I could be wrong. Maybe I'll give it a go if I get some time. ... View more

even i am getting same issue plz suggest me ... View more

It Is working perfectly with single value. If i want to apply the same thing to other value in the same dashboard. suppose if i added below code to the .XML file how to change the background of this value based on resulting value . <searchString>index=$index$ OR index=_$index$|stats count</searchString> <earliestTime>$time.earliest$</earliestTime> <latestTime>$time.latest$</latestTime> <option name="field">count</option> <option name="beforeLabel">There is</option> <option name="afterLabel">Total Events</option> <option name="underLabel">All events</option> </single> please let me know how i have to do? Thx in Advance. ... View more

Has there been any updates to this issue using DB Connect 1 or 2? ... View more