Unknown search command 'importutil'.
Getting this error. I don't know why I am not able to use this command. Please help.
Chart monthly Top 3 by day with 20 columns/block
Hello, maybe someone has gone through this before: I need to make a monthly report per day to get the top 3 of the hos _raw having more; fortunately I get with the help of this case...
index time SED from props.conf
Are the SED commands in props.conf executed in order? In other words (note: all the following is under [default]): can I write a test to set a field so it will fail a SED test? SEDCMD-callid...
Multiple SEDCMDs
Greetz, does anyone know if multiple SEDCMDs are supported at index time in props.conf? Also, can I implement this search through a regex transform or any other way? sourcetype="vul:foresight" | rex...
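Regarding the two SEDCMD questions above (index-time ordering under [default], and whether several SEDCMDs can coexist): props.conf does accept more than one SEDCMD-<class> setting in the same stanza, each written in sed-style s/regex/replacement/flags form, and each class name must be unique within the stanza. The fragment below is an added example, not configuration from either poster; the stanza name my_app_logs, the class names and both regexes are hypothetical.

```ini
# props.conf on the indexer or heavy forwarder (added example, not from the
# original posts). The sourcetype "my_app_logs" is hypothetical; use your own.
[my_app_logs]

# Mask anything that looks like a 16-digit card number in _raw, keeping the
# last four digits. The "g" flag replaces every match on the line, not just
# the first.
SEDCMD-mask_pan = s/\b\d{12}(\d{4})\b/************\1/g

# Redact a password= parameter value up to the next whitespace or ampersand.
SEDCMD-mask_password = s/(password=)[^&\s]+/\1[REDACTED]/g

# Strip a trailing run of spaces, tabs or CR that would otherwise be indexed.
SEDCMD-trim_trailing = s/[ \t\r]+$//
```

SEDCMD rewrites _raw before the event is written to the index, so the original text is not recoverable from Splunk afterwards, and it only runs where parsing happens (an indexer or heavy forwarder), not on a universal forwarder. Check each rule against a test index before applying it to production data, and if one rule's regex depends on another rule having already fired, confirm the resulting order empirically rather than assuming it. Scoping the rules to a named sourcetype stanza rather than [default] also keeps a bad regex from rewriting every sourcetype at once.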
Creating workflows using ES App
Can I create security operations workflows using the ES app? For example, if I want a ticket to be opened in the ticketing system etc., how do I do that in the ES app?
Trouble searching for multiple values using rex
I am having trouble searching multiple patterns using rex. I have the log files containing the following pattern lines: BLAH BLAH BLAH, Processtype : <12345> BLAH BLAH BLAH. I want to get table...
How do I configure Splunk for Nagios to ingest nagios events from syslog
Duplicate events are being captured by syslog (and therefore Splunk too). For example, nagios events are being written to the following two files on the central syslog server: user.log, syslog. Splunk...
Custom summary index not showing up in "select the summary index" dropdown
Hi, I have created a new app for one of our teams. This includes a new role dma, and new indexes dma_main and dma_summary. The dma role has been set up to search the main;summary;dma_main;dma_summary...
field extractor app errors
I'm trying to use the field extractor app, but when I click on the Extract Fields workflow, it gives me an error: Stacktrace: Traceback (most recent call last): File "<string>", line 397, in...
Combine similar events into a single count
I have the search: index="weblogs" filter_result!="-" useragent=" (compatible; MSIE 10.6; )" OR useragent=" (compatible; MSIE 10.0; )" OR useragent=" (compatible; MSIE 9.0; )" OR useragent="...
testing for the occurrence of a user
Hi, I need to check to see if a list of users (150+) have logged in recently. The data comes in via syslog, and I've been able to extract the usernames from the syslog. I created a lookup file that...
How can I set host for TCP input to deploy client machine?
I'm using the configuration deployment server to manage a bunch of forwarders. One of the apps that they get has inputs.conf with a stanza like this: [tcp://12345] connection_host = dns sourcetype =...
Real time alerts
I originally posted this because our alerts weren't working, and I wanted to confirm the syntax for multiple recipients. It seems that our alerts still aren't working (not getting email notification or...
Throughput calculation over last "n" number of days
I have the following query which calculates and charts (hourly) file conversion throughput over the last 24 hours; however, I am not able to range that over "n" number of days.... an attempt to configure that...
field extractor issues
Hi, I'm trying to use the field extractor to create some fields. When I click on an event and choose "Extract fields", the search that is presented is not the search that I had run, and therefore, my...
Splunk ES App incident management for notable events
The ES App is currently configured to run a few correlation searches, and when the notable events are created those events can be assigned to an owner (Analyst 1) under the incident review dashboard for...
5.0.4 duplicate blocks of events
Specs:
5.0.4 indexer installed on three VMs: indexer1 and indexer2, and search1
5.0.4 U. forwarder installed on VM: forward1
Using Tomcat 7.0.42
Using Java applications 1.7.0_03
Using Log4j 1.2.14
Question: I...
How can a send a simple test event to my new index to test that it is...
I have spun up a new index in Production and want to quickly test that it is properly configured. I'd like to confirm this before my source starts sending data to it. What are some ways I could test...
Tabs Within Tabs
I have a number of views with Sideview tabs that work well. In these instances the view shows the same four sets of information, one for each tab. Those are very straight forward and easy to...
SavedSearch module doesn't use results from scheduled search
I'm trying to use the Sideview SavedSearch module to load results from a previous scheduled search in order to quickly populate dropdowns on my page. <module name="SavedSearch" autoRun="True">...