Whoever decided that field X is supposed to be INDEXED into metadata, should have done the last step which is setting up fields.conf in the Search Head where the field is supposed to be searched for. So you can do a rest call to that fields.conf and see what has been defined there:  https://docs.splunk.com/Documentation/Splunk/9.0.4/Data/Configureindex-timefieldextraction#Add_an_entry_to_fields.conf_for_the_new_field | rest /services/configs/conf-fields | where INDEXED=1 | table title You can then relate the field name with props.conf and transforms by issuing similar calls ... View more

This is an older post, but we just started using 5000+ Universal Forwarders so this is really relevant to us. After a few months we're really feeling the pain of manual whitelisting. After reading through the documentation and forum posts, here's what I found. You can specify a csv file, or a field in a csv file for the serverclass to read from.    Example: whitelist.from_pathname = clientLists/clientList1_whitelist.csv https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/Serverclassconf whitelist.from_pathname = <pathname> blacklist.from_pathname = <pathname> * As as alternative to a series of (whitelist|blacklist).<n>, the <clientName>, <IP address>, and <hostname> list can be imported from <pathname> that is either a plain text file or a comma-separated values (CSV) file. * May be used in conjunction with (whitelist|blacklist).select_field, (whitelist|blacklist).where_field, and (whitelist|blacklist).where_equals. * If used by itself, then <pathname> specifies a plain text file where one <clientName>, <IP address>, or <hostname> is given per line. * If used in conjunction with select_field, where_field, and where_equals, then <pathname> specifies a CSV file. * The <pathname> is relative to $SPLUNK_HOME. * May also be used in conjunction with (whitelist|blacklist).<n> to specify additional values, but there is no direct relation between them. * At most one from_pathname may be given per stanza.  There are a few other options with specifying fields in existing CSV's, so I'd recommend taking a look. ... View more

Hi Can you please tell us how u resolved the issue? ... View more

Run  /opt/splunk/bin/splunk btool outputs list --debug You should see that the whitelisted index list does not include _internal. It is a precedence issue.  For us the issue was because the SplunkForwarder app did not include _internal in the whitelist for indexes. Just put this in /opt/splunk/etc/system/local/outputs.conf OR /opt/splunk/etc/SplunkForwarder/local/outputs.conf [tcpout] forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)     ... View more

We have a ticket index i.e index=incident the status of the ticket is Assigned but I need to write the same data back into the incident index with new status = Orphaned Also need to changed the _time index=incident Incident_Number="XXXXXX" ticketStatus=Assigned | rex mode=sed "s/Status=\"Assigned\"/Status=\"Orphaned\"/" | rex mode=sed "s/ticketStatus=\"Assigned\"/ticketStatus=\"Orphaned\"/" | collect index=incident ... View more

Hello  sir, do you by any chance know how to set up Alerts for a few Heavy Forwarders we have to notify us when the rate of output / sending data decreases below a certain level like 15% of the daily total? Thank u in advance. ... View more

The given information works, but I would consider something that is more direct: MVCompare | Splunkbase ... View more

@bowesmana  Yes, the row is not working with a pie-chart. Can you check the below code to implement your use case? <dashboard> <label>States</label> <row> <panel> <chart> <title>States Chart</title> <search> <query>| inputlookup geo_attr_us_states | stats count by state_name</query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="charting.chart">pie</option> <option name="charting.drilldown">all</option> <option name="refresh.display">progressbar</option> <drilldown> <set token="my_token">$click.value$</set> </drilldown> </chart> </panel> </row> <row> <panel> <table depends="$my_token$"> <title>States Details</title> <search> <query>| inputlookup geo_attr_us_states where state_name="$my_token$" </query> <earliest>-15m</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="count">5</option> </table> </panel> </row> </dashboard>   If you find my solution useful, an upvote would be appreciated. ... View more

To convert a report to an alert, open the Advanced Edit, and set the filter to  alert_ Then set: alert_type alert_comparator alert_threshold   Here's a simple example:   If you are searching the rest endpoint and trying to classify your saved searches, here's a search I find helpful to start from:   | rest splunk_server=local /services/saved/searches | fields - display.* dispatch.* | search is_visible=1 AND disabled!=true AND is_scheduled=1 | eval type=if(alert_type="always", "report", "alert") | table title type disabled scheduled cron_schedule eai:acl.app eai:acl.owner actions search   ... View more

deleting /splunk/var/lib/splunk/modinputs/checkpoint_opseclea/Audit_audit then splunk restart solved the problem. ... View more

EVAL-_time = if(match(_raw,"SB"), _time+86400, _time) Fixing the formatting issues caused by the transition to Khoros, copied from the @tiagofbmm post ... View more

@mvagionakis Did you find the the root cause? ... View more

In later versions, Splunk Enterprise,->Settings->Forwarding and receiving->Configure receiving. e.g. 7.3.5. ... View more

No need to change the server. If the specs were for 6.5, you'll be fine now with 7.3 ... View more

You can definitely use the suggestion above about creating a lookup, and then using the lookup command like this: | lookup csvName.csv ID_1 OUTPUT ISSUE , and then you can run aggregations on that ISSUE field (the ID_1 is the joining field) You can use a stats command as well, but it's a bit difficult to understand what is the most ideal given the data you've given and you'd have to do a bit more fanciness with the fields. If you're just looking for instances of B, you can filter your second sourcetype to that in the base search and then run a command like this: base search filtering to only B logs | stats count(ISSUE) as issueCount, values(DESCRIPTION) as description by ID_1 Let me know if this is helpful/you have any other questions ... View more

Very big thumps up, it worked, thanks. I am testing few more scenarios and will comment later today. ... View more

Hi @lmvmandadi , The answer to your question of whether it's safe to delete is, "it depends". If you're in a SHC environment you might be able to remove items from that folder without some major impacts. However, given the questions and the responses in the thread you've posted, I would probably look at re-building that particular search head. 1. Stop the problem search head 2. Back up the /opt/splunk (or whatever $SPLUNK_HOME is associated to) folder 3. Move or delete the /opt/splunk folder 4. Install a clean copy of Splunk the same version as your other members 5. Add the clean install member to the SHC and let the SHC captain re-sync all the files The downside to the above is that you will lose any changes that you made on that particular server (not lose permanently because we backed up all the config files, but the changes will need to be re-done on the clean copy). I think this might be a better solution, given that you'll probably spend more time troubleshooting SHC issues, trying to resolve them and potentially introduce other problems into the SHC. Hope this helps. ... View more

i have to display count of hosnames, that have last_seen >30 days, in first day of week: for 08.07.19 count number of hostnames that have last_seen >30 days for 01.07.19 count number of hostnames that have last_seen >30 days for 24.06.19 count number of hostnames that have last_seen >30 days for 17.06.19 count number of hostnames that have last_seen >30 days the output will be: week1 count week2 count week3 count week4 count all this i need to do in one search ... View more

tried it and worked, thanks ... View more

If only Splunk does ... View more

I don't get where is that lookup coming from. It is not in the most up to date app for win infra or in the Windows TA. The eventtype you had a problem before is in the TA for windows https://splunkbase.splunk.com/app/742/ Make sure you install that in your search head so you can get search enrichments you want. Besides that, I'd check on your splunk env where that lookup is referred cause I really can't find it ... View more

Fundamentals 2 is free for registered and eligible partners. If you are a eligible partner, contact the partner team to resolve. ... View more

Is that > supposed to be there? Why? ... View more

Thanks tiagofbmm, this solved my question. ... View more