Ratio using src_bytes instead of count for two fields
How can I do a ratio search not based on count, but based on src_bytes (inbound traffic) to get a ratio for two fields. For example, I want to do a ratio of two categories Shopping sites to Search...
Inline REX extraction not working once I move it to Field Extraction
The following gives me exactly what I want: host=****** Failed_Reason minutesago=15 | rex "\>(?<Failed_Reason>.*?)\<" but when I use the regex to build a field extraction I cannot get a...
How to Generate Bar Chart to Include Hosts with No Events?
I have a dashboard panel that displays the number of user sessions on a web server in a column chart. The user wants to know if we can display each of the hosts dedicated to his application even if...
What is the difference between display view in a search?
Hello Splunk Expert, I came across several searches that I have already developed with 4 options: 1-None 2-Flashtimeline 3-report_builder_display 4-charting 5- etc... I have used the first 3 values and...
Lookup Source IP or Destination IP value
Greetings, My journey continues. Now I would like to have a lookup match either the source or destination IP to an internal department. This works for src_ip: transforms.conf [ipam] filename = ipam.csv...
Search for logs before and after given timestamp
I would like to be able to provide a timestamp and have Splunk return the log nearest/before the timestamp and nearest/after the timestamp, essentially bookending the provided timestamp. The use case is...
Is it possible to populate a specific summary index using sitimechart?
I've created a new summary index that I'd like to populate with historical data. I cannot seem to find any documentation that indicates how to specify the name of a summary index when populating the...
Prior day Report on Monday
I have a report that shows me the items installed on my systems for the prior day. The only problem is Monday: as no one works on Sunday, the report is always blank, but it should show for all day Friday and...
Data forwarded as syslog gets always indexed
I filtered some of our Windows events before indexing. This worked perfectly. We had the idea to send the filtered data to a remote system for archiving via syslog. UPDATE 3 Clarification: This is what...
ERROR TailingProcessor - File will not be read
Hi, I am having a problem with the configuration of the inputs.conf file. I'm monitoring a remote computer with a universal forwarder. Remote host (monitoring): Directory E:SQLAuditLog...
Can I offset the polling interval for scripts per source server
I am looking at using the Unix/Linux app for monitoring a large number of servers and it occurs to me that it can't be good for all the servers to send events all at the same time to the same indexer....
Date AND Time Range
I'm pretty new to Splunk, so hopefully this is an easy question. I've looked all over the community questions and I have no problems finding out how to search for ranges of dates OR times, but for the...
DBConnect output to distributed indexers
I am struggling getting the output of my dbx application to send to distributed/load-balanced indexers. I can get output to go to a locally defined index fine, but am unable to get it output to...
Date_Hour Question
Hi All, I have a search in which I am adding date_hour to a table: ...| stats count as 1week_ago_count by qos, date_hour When the data is on the table, the date and time show as the following: 09/10/2013...
Cluster's hot bucket behavior
I have a 5.0.4 cluster environment with search factor (SF) and replication factor (RF) set as 2. Since SF=2, both peers should have searchable copies of the hot bucket, therefore I was expecting to get...
Converting MIB to Python module and creating the EGG.
Can anyone provide more detailed steps? I have a plain text MIB file, PowerNet-MIB.mib. I converted it to PowerNet-MIB.py, using the command: build-pysnmp-mib -o PowerNet-MIB.py PowerNet-MIB.mib. Then...
Streamstats multiple moving averages
My current Splunk search looks like this: sourcetype="ContributionWebApiUat" DbResponseTime=* | chart values(DbResponseTime) by _time, DbQuery This produces a bar chart with 3 types of DbQuery and their...
Exchange App While searching message store A get users from message store B
I am running two distinct and separate Exchange servers: ABC.com and XYZ.org. The drop down box in the Mail Store Overview context of the Exchange app shows both. However, when I run the Mail Store...
Routing TCP data
Hi, How would I route raw data via TCP to an external system (based upon sourcetype or host), but also index that data (and all other data being processed by that Splunk forwarder)? I don't see any...
SavedSplunker - Max alive instance count=1 reached for saved search_id
Splunk Version: 4.3.4. OS: Redhat. Message: SavedSplunker - Max alive instance count=1 reached for saved search_id=... What does this message mean?