As @Vijeta mentioned, you can also disable it by adding disabled = true to your indexes.conf.
In an index cluster I would add the line in the indexes.conf in your app on the Cluster Master, that is used to configure all indexes in your Cluster (in $SPLUNK_HOME/etc/master-apps/), and then push your new configuration bundle.
On a single instance you could use the CLI
You could use a Heavy Forwarder or build an App for Splunk Cloud to filter your logs. If you know what your unnecessary logs look like, you can filter them:
add in props.conf
TRANSFORMS-asa_filter_cloud = filterAsaLogs
add in transforms.conf
[filterAsaLogs]
SOURCE_KEY = _raw
DEST_KEY = queue
FORMAT = nullQueue
REGEX = (your regex to detect them)
Something like 200 0 0 140 or 403 0 0 455 is the end of every line?
-> add in props.conf in your Apache sourcetype:
EXTRACT-http_statuscode = (?<statuscode>\d+)\s\d+\s\d+\s\d+$
-> If your data is already in Splunk, you can use this in your search to test it:
<your search> | rex field=_raw "(?<statuscode>\d+)\s\d+\s\d+\s\d+$"
-> explanation:
https://regex101.com/r/ct4C7D/1
-> After extracting the field (either in props.conf or in your search) you can use
<your search and extraction> | timechart count by statuscode
or
<your search and extraction> | stats count by statuscode
-> or use Splunk's built-in extractions for default access logs
<your search> | extract access-extractions | stats count by statuscode
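As an added example (not from the answers above), a small Python script to dry-run both recipes offline before touching props.conf or transforms.conf: the status code extraction regex over constructed IIS-style lines, and a hypothetical nullQueue filter regex (standing in for "your regex to detect them") over constructed Cisco ASA lines. Python spells named groups (?P<name>...) while Splunk's PCRE uses (?<name>...); the rest of the pattern is unchanged.

```python
import re
from collections import Counter

# Splunk/PCRE syntax from the answer: (?<statuscode>\d+)\s\d+\s\d+\s\d+$
# Python's re needs (?P<name>...) for named groups; the pattern is otherwise identical.
STATUS_RE = re.compile(r"(?P<statuscode>\d+)\s\d+\s\d+\s\d+$")

# Hypothetical stand-in for "(your regex to detect them)": drop ASA connection
# teardown messages and keep everything else (adjust to your own data).
FILTER_RE = re.compile(r"%ASA-6-302014: Teardown ")

def extract_statuscode(line):
    """Mimic EXTRACT-http_statuscode: the code, or None when the line does not match."""
    m = STATUS_RE.search(line)
    return m.group("statuscode") if m else None

def status_counts(lines):
    """Mimic `| stats count by statuscode` (lines without the field are skipped)."""
    return Counter(c for c in map(extract_statuscode, lines) if c is not None)

def filter_to_nullqueue(lines):
    """Mimic the nullQueue transform: return (kept, dropped) lists."""
    kept, dropped = [], []
    for line in lines:
        (dropped if FILTER_RE.search(line) else kept).append(line)
    return kept, dropped

# Constructed IIS-style access lines ending in "sc-status sc-substatus sc-win32-status time-taken".
ACCESS_LINES = [
    "2024-01-01 10:00:00 GET /index.html - 80 - 10.0.0.5 Mozilla/5.0 200 0 0 140",
    "2024-01-01 10:00:01 GET /admin - 80 - 10.0.0.5 Mozilla/5.0 403 0 0 455",
    "2024-01-01 10:00:02 GET /index.html - 80 - 10.0.0.6 Mozilla/5.0 200 0 0 98",
    "2024-01-01 10:00:03 malformed line with no trailing counters",
]

# Constructed Cisco ASA lines: the Teardown message is noise, the Deny must survive.
ASA_LINES = [
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:198.51.100.7/443 to inside:10.0.0.5/51000 duration 0:00:01 bytes 2048 TCP FINs",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.5/22 by access-group "outside_in"',
]

if __name__ == "__main__":
    print(status_counts(ACCESS_LINES))  # Counter({'200': 2, '403': 1})
    kept, dropped = filter_to_nullqueue(ASA_LINES)
    print(len(kept), "kept,", len(dropped), "dropped to nullQueue")  # 2 kept, 1 dropped
```

Always check what the filter drops as well as what it keeps: a regex that is too broad silently discards the Deny events you need for detection.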