Turning a search into a new field
The following search removes usernames, host names, all time information, any digits, and turns all strings of white space into a single "_" for the _raw message. .... |rex mode=sed "s/[a-z]+\d{1,4}//"...
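As an added example that is not part of the original post, the same normalization idea in Python, so each step can be checked offline: an event is reduced to a signature by stripping time information, user/host tokens and digits and collapsing whitespace to "_", so events that differ only in those fields group together. The timestamp layouts, the user= and host= key names and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Assumed timestamp layouts present in the constructed sample lines below
TIMESTAMP_RES = [
    re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?"),
    re.compile(r"\b\d{2}:\d{2}:\d{2}\b"),
]
# Assumed key=value names that carry user and host information
IDENTITY_RE = re.compile(r"\b(?:user|host)=\S+")
DIGITS_RE = re.compile(r"\d+")
WHITESPACE_RE = re.compile(r"\s+")


def normalize_raw(raw: str) -> str:
    """Reduce a raw event to a signature: drop time information,
    user/host key-value pairs and all digits, then collapse runs of
    whitespace to a single underscore."""
    s = raw
    for pat in TIMESTAMP_RES:
        s = pat.sub("", s)
    s = IDENTITY_RE.sub("", s)
    s = DIGITS_RE.sub("", s)
    return WHITESPACE_RE.sub("_", s.strip())


def signature_counts(lines):
    """Group events by signature, as 'stats count by signature' would."""
    return Counter(normalize_raw(line) for line in lines)


# Constructed sample events (not real log data)
SAMPLE_LINES = [
    "2013-08-20 00:01:00 host=web01 user=alice sshd[1234]: Accepted publickey from 10.0.0.5 port 51234",
    "2013-08-21 13:42:07 host=web02 user=bob sshd[987]: Accepted publickey from 10.0.0.9 port 4040",
    "2013-08-21 13:42:09 host=web02 user=bob sshd[987]: Failed password from 10.0.0.9 port 4041",
]

if __name__ == "__main__":
    for sig, n in signature_counts(SAMPLE_LINES).items():
        print(n, sig)
```

One caveat when porting this back to SPL: a sed-style substitution such as s/…// without the trailing g flag replaces only the first match in each event, so the Python re.sub calls above (which replace every match) correspond to rex mode=sed expressions that carry the g flag.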
PostProcess search filters seem to be missing results (sideview)
Hi, I'm building a dashboard using the awesome Sideview Utils, but in my view I seem to be missing data. My view has the following structure: <search> <postprocess> <postprocess>...
Need help with nullQueue (specifics included)
Hi everyone, for a few days now I've been tweaking my props.conf, transforms.conf, and rebooting Splunk trying to exclude certain events from being indexed (nullQueue). I have included the stanzas in my...
In the scheduler.log, what does status=continued mean?
I see a number of events in my scheduler.log that have the string "status=continued" in them. Further, these entries lack the run_time (and other fields) that would seem to indicate a successful saved...
Macro calling a saved search...
We are using a hidden search module that calls a macro with one parameter. The macro basically just calls a saved search. The saved search has earliest time set to -30d@d and latest time set to @d. The...
Pulldown Module Multiple Select
Hello, I have the following dropdown module code but I cannot seem to get it to populate the data from a search and be multi-select. Do I have the correct syntax for the population? ` <module...
How to add based on 4-hour time periods
Hello, I am trying to create a solution which compares the 4-hour counts of a day with the average of the same 4-hour period across the last 60 days.
_time Org Count
8/19/13 12:00:00 AM A 5
8/19/13 4:00:00...
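As an added example that is not from the original post, the comparison described above carried out in Python on constructed events, so the bucketing and baseline logic can be checked offline. The Org field name comes from the question; the event layout, the fixed 60-day denominator (a day with no events in a bucket counts as zero) and the spike placed on the target day are assumptions made for this example.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

BUCKET_HOURS = 4
TARGET_DAY = date(2013, 8, 19)  # assumed target day for the constructed sample


def bucket_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 4-hour bucket (like bin span=4h)."""
    return ts.replace(hour=(ts.hour // BUCKET_HOURS) * BUCKET_HOURS,
                      minute=0, second=0, microsecond=0)


def bucket_counts(events):
    """events: iterable of (datetime, org). Returns {(day, bucket_hour, org): count}."""
    counts = defaultdict(int)
    for ts, org in events:
        b = bucket_start(ts)
        counts[(b.date(), b.hour, org)] += 1
    return counts


def compare_to_baseline(counts, target_day: date, lookback_days: int = 60):
    """For every (bucket_hour, org) on target_day return
    (today's count, mean count of that bucket over the previous lookback_days, ratio).
    Assumption: a day with no events in the bucket contributes 0 to the mean."""
    result = {}
    orgs = sorted({org for (_, _, org) in counts})
    for org in orgs:
        for hour in range(0, 24, BUCKET_HOURS):
            today = counts.get((target_day, hour, org), 0)
            history = [counts.get((target_day - timedelta(days=d), hour, org), 0)
                       for d in range(1, lookback_days + 1)]
            baseline = sum(history) / len(history)
            ratio = today / baseline if baseline else None
            result[(hour, org)] = (today, baseline, ratio)
    return result


def constructed_events(target_day: date = TARGET_DAY, lookback_days: int = 60):
    """Constructed sample: org A logs 5 events per 4-hour bucket every day,
    except a spike of 15 in the 00:00-04:00 bucket on target_day."""
    events = []
    for d in range(lookback_days, -1, -1):
        day = datetime.combine(target_day - timedelta(days=d), datetime.min.time())
        for hour in range(0, 24, BUCKET_HOURS):
            n = 15 if d == 0 and hour == 0 else 5
            for i in range(n):
                events.append((day + timedelta(hours=hour, minutes=i), "A"))
    return events


def run_report(target_day: date = TARGET_DAY):
    """Bucket the constructed events and compare target_day against its baseline."""
    return compare_to_baseline(bucket_counts(constructed_events(target_day)), target_day)


if __name__ == "__main__":
    for (hour, org), (today, baseline, ratio) in sorted(run_report().items()):
        print(f"{TARGET_DAY} {hour:02d}:00 org={org} count={today} avg60={baseline:.1f} ratio={ratio}")
```

The ratio column is the part a detection rule would threshold on; dividing by a fixed 60-day window rather than by the number of days that happened to have events keeps a quiet org from looking anomalous the first day it logs anything.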
One event, one field, multi-value
Hello, I have my log in the form of multiple lines broken with an empty line. Thanks to ziegfried, I have divided each event successfully with his help. Now I want to extract a field in each event, which may cover...
How does the transaction command work?
I am still confused after reading the reference. For example, I fabricated some data and searched with "*|transaction host tag". Splunk gave me 2 sets of events: 1 » 13-8-20 12:01:00.000 AM 20130820 00:01:00...
How to obtain the highest daily traffic flow data for that hour
Hi! I want to get the highest daily traffic by day, so I tried this as below... | convert timeformat="%Y/%m/%d" ctime(_time) as Date | stats count as c by Date,date_hour | sort 1 - c But the number of sort...
How does the CustomBehavior module work?
Why does my application.js not seem to work as intended? I had my application.js look like this: Sideview.utils.declareCustomBehavior("NullModule", function(module) { module.onContextChange = function()...
Can multiple sourcetypes be monitored from the same path?
I know that this question has been asked quite a few times, but I have not been able to resolve this. Can I monitor multiple sourcetypes from the same path? The answer seems to be yes, but this just...
Mass emailing custom user reports?
Hello Splunkers! A question I was asked recently was whether Splunk could be used to generate potentially thousands of custom emailed reports of things such as an individual's data/phone usage over any...
Ironport Web WSA Splunk Dashboard Problems
Hi all. I am new to Splunk and am using the Cisco Security Suite to set up the IronPort web logs. I am currently using UDP 514 and pushing the access.log from my web appliance to my Splunk instance....
Splunk and QRadar integration
Hello, I am interested in examples of integrating Splunk as a data source for QRadar. Maybe somebody has some? What kind of data, in what format, and in what way have you sent to QRadar? Is it a...
Unable to connect to Splunk using JavaScript SDK examples
Hi, I downloaded the JavaScript SDK version and tried to run the client-side examples, but without success. The connection to Splunk fails; the ProxyHttp("/proxy") method returns local path:...
IBM QRadar and Splunk Integration?
Does anyone have any recommendations or best practices for forwarding Splunk app events to IBM QRadar? Thanks in advance.
Help with a regular expression extraction
I have a text that contains anything followed by a word that starts with either XPOS, POS or HF and ends with "-". Example: ABC XPOS2024 - DEF POS340903 - GHI HF3948329 - ... How to extract XPOS2024, ...
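The extraction asked for above, as an added example that is not part of the original post: a Python regex with one capture group that returns every token starting with XPOS, POS or HF and followed by a dash, run over the example string from the question. Treating the rest of the token as \w* (letters, digits, underscore) is an assumption made here.

```python
import re

# A word starting with XPOS, POS or HF (the leading \b keeps "POS" from
# matching inside "XPOS"), followed by optional whitespace and the dash.
# Token body as \w* is an assumption; tighten it to \d+ if the codes are always numeric.
TOKEN_RE = re.compile(r"\b((?:XPOS|POS|HF)\w*)\s*-")


def extract_codes(text: str) -> list:
    """Return all matching codes in order of appearance (like rex max_match=0)."""
    return TOKEN_RE.findall(text)


# Constructed from the example given in the question
SAMPLE = "ABC XPOS2024 - DEF POS340903 - GHI HF3948329 -"

if __name__ == "__main__":
    print(extract_codes(SAMPLE))
```

The same pattern carries over to SPL as a named group, and max_match=0 collects every hit into one multivalue field: rex max_match=0 "\b(?<code>(?:XPOS|POS|HF)\w*)\s*-". Without max_match=0, rex stops after the first code in each event.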
Cluster Master unable to send bundles to slave-apps directory on cluster peers
The cluster master and cluster peers are fully set up and were successfully communicating. After upgrading all instances to 5.0.4, the cluster master is no longer able to successfully move...