How to selectively not forward based on index?
I have a full Splunk instance that indexes and forwards (indexAndForward = true). I also installed the *NIX app on the forwarder instance. Now the forwarder is trying to send all of the *NIX app inputs...

Are Job Inspector 'duration's a total or an average across the invocations?
In the Job Inspector, each line gives a duration, a component, and a number of invocations, e.g.: Execution costs Duration (seconds) Component Invocations Input count Output count 1.408 command.dedup 43...

Help with Sideview Utils Dashboard, ValueSetter, ArrayValueSetter and running...
I didn't really know how to phrase this question so I just included the SideView modules I'm using. I have a set of events that have a unique identifier field. Let's call it 'refid'. Then, sometimes,...

forwarder inputs.conf to watch multiple paths
I've tried a bunch of different things on my Forwarder to get it to watch 2 different paths, and blacklist one folder within the second path, and nothing is working. What is the recommended solution...

customizing fields in incident review tickets
Can I customize the fields that I see for an incident ticket for the notable event in the incident review dashboard? For example, if I want to assign the compliance field that shows it's for...
Multi Subnets in a Macro
How would you structure a macro to list dozens of IP subnets? For example: if you want a macro to list the following, what is the correct macro syntax? 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

How long until posted REST API data is available?
I'm testing out the Splunk Storm RESTful API. I've posted some data and received a 200 OK response from the server. It's been about 20 minutes and I'm still not seeing any signs of data in the "Explore...

Extract Fields opens wrong log
Within the Search function, if I click on the blue down arrow and select "Extract Fields", for log source=/Library/Logs/AppleFileService/AppleFileServiceAccess.log, it opens the Extract Fields window...

Need to understand the following expression.
I recently came across a Splunk expression, as rex "(?i)".*? (?P<fieldname>/\w+/((\w+\.\d+)|(\w+\d+))/((\w+/)|(\w+/\w+/)|((\w+/\w+/\w+/)))\D+((\?)|(\s)))\w+" and due to the usage of too many...

Extracting fields from imported Windows Event Logs (text format)
Hi Splunkers & Splunkettes, I have a Splunk Indexer/Search Head running on a Windows platform and I'm trying to import a text file containing archived Windows Event Log (Application) events as you...
The app doesn't work 99% of the time
The lea-loggrabber app doesn't work most of the time, wherein it lets the connection be created, but on the final step the submit button doesn't seem to work, i.e. sometimes the final submit button...

Splunk Free v.5.0.4 Static Lookups Not Working
Hello, I have set up a Splunk Free instance with DHCP, DNS (squid), and firewall logs going into it. I am trying to configure a lookup table to assist with resolving DNS names. I have tried and tried,...

checkpoint lea-loggrabber app not working most of the time
The lea-loggrabber app doesn't work most of the time, wherein it lets the connection be created, but on the final step the submit button doesn't seem to work, i.e. sometimes the final submit button...

Creating workflows using ES App
Can I create security operations workflows using the ES app? For example, if I want a ticket to be opened in the ticketing system etc., how do I do that in the ES app?

Correlation search generating "Max alive instance_count=1 reached" errors.
In Splunk + ES there is a canned correlation search called "Network - Substantial Increase in Port Activity". I configured the search to run every 4 hours since it's an expensive search (takes approx....
How to generate a timestamp from the contents of the data
I am using the SplunkForwarder to forward text files that are generated in a specific folder to Splunk. The contents of the text file look like the following: No. : 3990 Time: 1960936063 Type: sysenter SNo.: a0 (NtQueryKey) Cid : 62c.640 Name: explorer.exe Note: key_handle:...

SOS app - no data in CPU/Memory dashboard?
Hello, I installed the SOS app today to troubleshoot some performance issues with my Splunk 5.0.4 + ES installation. For the SOS app installation, I have: SOS 3.0.1, TA SOS for Splunk - Linux/Unix 2.0.4...

How to display saved search in dashboard panel
Hi, I created a Splunk app. Everything is fine, but I can't see my saved search in any menu of the app. How do I provide this functionality in the app so users can save their search and at the same time see it in...

MySQL slow query log parsing
I have a MySQL slow.log being piped into Splunk and it works great. Splunk also seems to do a good job of separating the queries out. The only issue I have is I want to have Splunk parse out the fields...

Only 100 Results return with python API query
Hello there, I'm still new to Splunk (and Python, which doesn't help). I used the code from the search and poll results code on the SDK page. I can't seem to figure out how to get more than 100...