Hey Splunkers, I am trying to fine tune usage of our Splunk Cloud instance to reduce instances of concurrent searches and I am looking to turn off acceleration for unused data models to assist in this effort. How do I use search to find data model usage by users for a specific app? I'd assume index=_internal and sourcetype=splunkd would be a good place to start but I'm having trouble finding the standard Splunk fields for "data_model". Are there any? Thanks! ... View more

Hi Splunkers, I'm having issues with the Box App for Splunk where it seems to be missing a place to enter the URL for the API. The instructions seem to indicate that there is an "Endpoint URL" but I don't seem to be able to enter one in anywhere. Does anyone know what the format might be for the URL inclusion in the inputs.conf for the API input? Thanks! ... View more

Hello, I am trying to see if the Cisco Security Suite will provide benefit in using the following logging levels or if they can be disabled: logging buffered informational logging trap informational logging history informational logging asdm informational Ultimately, we are trying to tailor our logging to fit Splunk and I am trying to see what the best logging configuration is for the ASA's in our environment to be set at to provide the best visibility. It sounds like not necessarily everything needs to be enabled though. Where do I find this information? Thank you! ... View more

Hello Splunkers, Just checking to see if this is possible or If I'm running into a limitation I didn't know about... I have a very simple "source of truth" .csv file used as a lookup file. It has a single field with about 70 unique values. I am trying to compare that against a single field with about 60 of the same unique values in an index. I need remove the 60 values in the index from the 70 values in the lookup table so that only the 10 values that are not in the index remain. I had tried by using a simple |inputlookup NOT index field value NOT index field value NOT index field value etc, but I am getting the error: Error in 'inputlookup' command: Invalid argument: 'NOT'. I'm guessing you can't NOT a lookup table. Is there some other equivalent command we can use for a lookup table? Alternately, is there a way for me to accomplish this outside of a simple NOT statement? Thanks! ... View more

Hello Splunkers, I am running two separate searches, both of which are running fine. The results of these two searches are two lists of host names that match partially, which is expected. There are more in list A than in list B. I am trying to mash them together in a way that tells me which are missing in list B. |inputlookup DNS.csv | eval hostname=upper(hostname) | join hostname type=inner[|search index=dns |stats count by host | rename host AS hostname | fields + hostname] I also tried an outer on the join, but that's not quite doing it either. Any suggestions on how I show which are missing from column B? Thanks, Lindsay ... View more

Hello, Just checking to see if it is okay to upgrade my Linux universal forwarders directly from 6.0.3 to 6.3.0 or if I need to make an intermediary jump. Thanks. ... View more

Hello Splunkers, I am trying to find a way to determine the rate of events of a single index compared to all non-internal indexes. There are numerous indexes, and so I am going to have to use a base search of index=* NOT index=D | timechart span=1h count but then I need to overlay index=D | timechart span=1h count over the top of it for the timechart. I'm guessing I need to do an appendcols with the index=D data, but am unsure of syntax. Any suggestions? Thanks! ... View more

I am new to this particular Splunk environment and need to familiarize myself with its content and layout. The majority of logs are being parsed by syslog servers and universal forwarders, but not all reference a deployment server. What is the best search to find out what devices are currently reporting into Splunk by network? I currently have the following search. Does this look about right? index=_internal sourcetype=splunkd (111.111.111.* OR 222.222.222.* OR 333.333.333.*) | dedup sourceIp I am returning entries that look like the following: 08-17-2015 12:01:23.745 -0700 INFO StatusMgr - destPort=9998, eventType=connect_done, sourceHost=111.111.111.3, sourceIp=111.111.111.3, sourcePort=30703, statusee=TcpInputProcessor What is this search returning for me exactly? Is there a better way for me to determine what endpoints are reporting into Splunk by subnet? I don't have direct access to the forwarders at the moment and can't check the rlog server directories. Thanks. ... View more

Hello Splunkers, I am working to build an LDAP search to list out all machines within a basedn. The problem is that the machines are spread out within multiple basedn=paths and not necessarily in a hierarchical order. I am finding that I need to specify exact statements to locate the systems. I am able to query successfully within one DN but I am not yet able to specify multiple paths to look in for hostnames. | ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_ET_UnblockAllowed,OU=Winx,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn The search above returns results, but when I try and add another basedn, the search just stalls out. | ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" AND basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn What am I missing? Thanks, Lindsay ... View more

Hello Splunkers, ES was recently deployed in our environment and some incidents were created as part of testing functionality. I now have a bunch of erroneous incidents that are messing with my data. How do I delete them and clean the slate? Thanks. ... View more

Hello Splunkers, I am trying to find a way to e-mail a report I have already setup to e-mail a .csv of the report. Currently I have a .pdf output mailing successfully but I'm having trouble locating where I can send this in .csv. What am I missing/where is that option? Thanks, Lindsay ... View more

Hello Splunkers, I am at the very end of installing the Splunk App for Windows Infrastructure and everything is working great except the LDAP Search feature of the Splunk Supporting Add-on for Active Directory (SSAOAD...or SAD for short) 🙂 . Everything else seems to be functioning properly, but the LDAP functions support a large number of dashboards so we can't 'go live' yet. An example of one not working would be the all users macro query: ldapsearch domain="$domain$" search="(&(objectclass=user)(!(objectClass=computer)))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl Or any other macro that has ldapsearch in it works until the point in the pipeline where ldapsearch is introduced. When I go to the "SAD" configuration page and do a test on my domain, the test connection passes. I have rebuilt the LDAP lookup and backed it out to the top level and it passes again. I have run the |ldaptestconnection domain=mydomainname and it populates with the expected single event signifying success. When I run the |ldapsearch command directly from SAD on the search head, I get the following: Script output = " ERROR Missing required value for alternatedomain in ldap/default. " I'm guessing it means ldap.conf. Oddly there is a local directory, which I don't believe should require a default directory but it's looking there anyways. Everything is #'d out. Against my better judgement, I added the contents to from the LOCAL ldap.conf at the top of and restarted Splunk services on the search head and things are still not populating. What am I missing? Thanks! ... View more