How to check the list of Universal Forwarders in the CLI of the Deployment Server? (Splunk versions 6/7) ... View more

Have you ever asked a question and then wanted to kick yourself when someone gives you the answer? IT was exactly as you described and makes perfect sense, thanks. ... View more

Anyone? How do you show more than the 10 indexes? ... View more

Thanks gfuente, I tried that with the same results. The dashboard still displays sorted by event time, not by total_run_time. ... View more

You should be able to do this in the GUI, by dragging around the panels as well. ... View more

Check the dashboards permissions (apps -> your_app -> View Objects). Just found out that if sharing is set to private, it's not placed in the app local directory, but hidden somewhere else. Changing the sharing to App places the dashboard into the apps local/data/ui/views folder. This was with Splunk 7.1.2 so it might not be entirely accurate for Splunk 5. ... View more

Okay, is your CSS correctly loaded in the browser? ... View more

It really depends what you consider to be an "expensive" search! Is a search that uses several gigabytes of physical memory expensive? If yes, you might want to check the "Top 20 memory-consuming searches" panel in the "CPU/Memory Resource Usage" view to identify such searches. Is a search that runs for several hours expensive? If yes, you should probably take a look at the "Search Usage Patterns" view. Finally, for a higher-level view of your search workload, I would recommend to start with the "Search Activity" view. ... View more

Start with this: | rest /servicesNS/user/app/saved/searches That'll give you literally everything there is to know about a saved search saved in that app for that user. Replace the user with a dash - to get searches shared to that app. See http://docs.splunk.com/Documentation/Splunk/6.1.3/RESTAPI/RESTsearch#GET_saved.2Fsearches for reference. ... View more

Hello there... First, regarding the sourcetype: In order for a sourcetype to show up in the dropdown list in the inputs form the sourcetype definition must have a line like this: pulldown_type = true the [modsec_audit] definition that comes with the app does not. So you could have selected "manual" and just typed it in. however, as it explains in the documentation, it's perfectly legitimate to use another name. However, from what you've described, you now have a stanza that is called [modsec_audit2] be sure it contains the same entries as the [modsec_audit] definition found in $SPLUNK_HOME/etc/apps/modsecurity/default/props.conf as there are some essential field extractions in there... As for the dashboards not populating even though the index is populated... Best thing to do is to take a look at the searches that the dashboards are running. One of my customers had the same problem, and it turned out that he simply wasn't logging any of the fields that the app author thought were interesting. So the dashboards had nothing to show... The dashboards are written with Advanced XML but the searches are all Saved Searches. So you can run them independently. You can see the code for the Dashboards here: $SPLUNK_HOME/etc/apps/modsecurity/default/data/ui/views/ modsecurity_dashboard.xml for instance runs the following saved searches that look like this: <savedSearch>Modsec denied by ip</savedSearch> modsec_index modsec_src |stats dc(msg) as Messages by clientip |sort - Messages |head 10 check out savedsearches.conf and run them... see what you can see. ... View more

What I mean is, I need to have all operations from xyz.log displayed, not just MOVE operations, but should only need to grab data from abc.log if the operation is MOVE. Also, forgive my ignorance, but I get an error when using the syntax you provided. |earliest=my_timestamp_var tells me it doesn't know what earliest is, same with latest. ... View more