splunk behind an apache proxy login issue
My splunk instance is behind an apache proxy. Everything works correctly except for login. When I log into splunk, the return_to param is being url quoted twice, but only url unquoted once it seems....
XenApp 5 - no data
I have installed the Splunk App for XenApp and I am getting data from the 6.5 version systems in my environment, but no data is coming from my version 5. I am getting Windows Event data, but none of...
Exclude a known IP from results
I am returning query results that give a list of IPs on which an event has occurred. I want to create an alert to fire historically on the data if criteria is met HOWEVER I have a known IP address that...
Field Definitions Not Applied from Transforms.conf
I migrated my indexes to a new Splunk Server. I moved the transforms.conf and props.conf files to the new search heads and the props.conf to the new indexers. This was the same set up that I used for the...
how many jobs is an acceptable number
I am getting the warning about the jobs in my screen "Too many search jobs found in the dispatch directory" and I was getting rid of them with the clean-dispatch command, starting with the oldest ones,...
How to add Custom email alert content.
Hi. Where can you configure the content of an Email sent? For instance currently the alert looks like this: Saved search results. Name: 'Service unavailable Test' Query Terms:...
Passing parent data into subsearch
I have a parent search which returns _time, key, value1 value2. Now I want to join it with a CSV file with the following format: key, startDate, endDate, internalValue. I want the subsearch to join based on...
db connect doesn't see table
Hi, I have a database input issue. I set up the database connection, and run a tail command, but it keeps telling me that the table or view doesn't exist. It does exist, and I do have permissions to see...
Inputs.conf whitelist syntax assistance
I have several virtual hosts under /opt/log/ /opt/log/webA /opt/log/webB /opt/log/webC They all have denied.log that I need to index, would this be correct inputs.conf? [monitor:///opt/log/www*]...
Cumulative time based (temporal) lookups possible?
I have some data in Splunk that I would like to link to some external CSV files. Splunk events have this format: _time, data, link1. The first CSV will be a time based lookup based on link1 dd/mm/yyyy,...
troubleshooting a customer monitor config line
Synopsis: I need to monitor all DHCP and DNS logs on a server. In the DHCP directory I want to view both DhcpSrvLog-DAY.log and DhcpV6SrvLog-DAY.log files as they rotate weekly. In the DNS directory I am...
How to add delete update tags using | rest command?
How to add delete update tags using | rest command? I do see examples using curl in doc, but I would like to know the syntax using | rest command in ui | rest splunk_server=local /servicesNS/-/-/Anand
/opt/splunkforwarder Default?
Hi, please can you advise how do I install Splunk universal forwarder manually to /opt/splunkforwarder? It says: /opt/splunkforwarder is default on page:...
Report Dedup
Is there a way to eliminate duplicates by reports? Specifically what I'm looking to do is run a report every 24hrs for X range | stat count by shost. I don't want the report to show any hosts that...
multiple outputlookup in one search
Hello! It is possible to use multiple outputlookup in one search? For example, | table Field1, Field2, Field3, Field4 | outputlookup Lookup1 | outputlookup Lookup2 I would like to put in Lookup1 Field1...
Splunk for Nagios Configuration
Hi, I am currently trying to get the app SplunkForNagios to send alerts to Nagios. I think that most of my configuration is correct but I can't find what should be put in "WWW=splunk (ie. url of splunk...
Application level Admin access...
Hi, I was wondering if there is a way to provide admin access @ application level (all its objects) to a specific role instead of global admin access (admin_all_objects). Thanks
Install another instance with a lower version on Windows Platform?
Good Day, I have installed the latest Splunk on my test machine (WINDOWS), and I want to install another instance having a much lower version of it. I know it sounds crazy but is it possible without...
Can't find the right source type
Hello, I got a problem in defining source type to get logs from a windows host on my lan. I receive the logs over tcp on port 30000. I get the logs but they aren't parsed well. Which source type should I...