DNS lookup for IP address in Log Message
Hello :) I need help in DNS resolution of the IP addresses in the logs: *Oct 9 21:31:47.095: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 172.30.0.20 (Tunnel10) is up: new adjacency I've this log...
search correction with NOT
I have an alert setup. It is like "ABC-* NOT ("ABC-1" OR "ABC-2")"; "ABC-1", "ABC-2" being stuff I have taken care of. My result is like: ABC- ABC-3 ABC-4 ABC-5 I want to remove that "ABC-". The problem is,...
Can I specify a regex in a lookup table to group similar requests into the...
Hi, We would like to create a lookup table based on some user agents. Mozilla/5.0 (compatible; Traverse/0.1; ABC 22175) Mozilla/5.0 (compatible; Traverse/0.1; ABC 23457) Mozilla/5.0 (compatible;...
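A plain CSV lookup in Splunk matches exact values, but a lookup stanza in transforms.conf can set `match_type = WILDCARD(user_agent)` so that a `*` in the table's user_agent column absorbs the varying client ID, which is the usual way to group requests like the three above. The Python below is an added example, not code from this thread or from Splunk: it reproduces that wildcard match over a constructed table, and also shows the alternative of normalising the variable part with a regex before an exact-match lookup. The group names, the extra user agents and the `ABC <number>` client-ID format are assumptions.

```python
import fnmatch
import re

# Constructed lookup table (not from the thread). The first column uses the
# same glob semantics as Splunk's match_type = WILDCARD(user_agent): '*' matches
# any run of characters, so one row covers every Traverse/ABC client ID.
UA_GROUPS = [
    ("Mozilla/5.0 (compatible; Traverse/0.1; ABC *)", "traverse_abc"),
    ("curl/*", "curl"),
    ("python-requests/*", "python_requests"),
]

# Regex for the alternative approach: collapse the varying client ID so that a
# default exact-match CSV lookup works. The 'ABC <digits>' shape is assumed
# from the strings in the question.
_ABC_ID_RE = re.compile(r"(; ABC )\d+\)")


def wildcard_lookup(user_agent, table=UA_GROUPS, default="other"):
    """Return the group of the first pattern that matches (first match wins).

    fnmatchcase is used on purpose: the wildcard match should be exact apart
    from '*', and fnmatch() case-folds on case-insensitive platforms.
    """
    for pattern, group in table:
        if fnmatch.fnmatchcase(user_agent, pattern):
            return group
    return default


def normalise_ua(user_agent):
    """Replace the per-client number with a placeholder before an exact lookup."""
    return _ABC_ID_RE.sub(r"\g<1><id>)", user_agent)


def group_requests(user_agents):
    """Count requests per group, the equivalent of
    `| lookup ua_groups user_agent OUTPUT ua_group | stats count by ua_group`."""
    counts = {}
    for ua in user_agents:
        group = wildcard_lookup(ua)
        counts[group] = counts.get(group, 0) + 1
    return counts


# Constructed sample user agents; the client IDs and versions are made up.
SAMPLE_UAS = [
    "Mozilla/5.0 (compatible; Traverse/0.1; ABC 22175)",
    "Mozilla/5.0 (compatible; Traverse/0.1; ABC 23457)",
    "curl/7.81.0",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0",
]

if __name__ == "__main__":
    print(group_requests(SAMPLE_UAS))
```

Two caveats: the User-Agent header is chosen by the client, so a grouping like this is fine for reporting but must not drive allow/deny decisions; and a WILDCARD lookup is scanned row by row, so keep the table short and put the most common patterns first.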
BucketMover moving to cold on UNC
I get the following error: ERROR BucketMover - aborting move because recursive copy from src='C:Program FilesSplunkvarlibsplunkf5testwarmdbdb_1380909713_1380904989_18' to...
What are all the extra fields in summary data
I am looking for indexing latency for firewall logging. Here is my search: index=Firewall | eval diff_sec=(_indextime - _time) | where diff_sec > 0 | sistats avg(diff_sec) as latency Here are the fields...
Regex help
Hi, I am new to Splunk and regex, sorry for poor knowledge. I am trying to extract hostname from /var/log/syslog/2013/11/14/hostname_messages.log So far I came up with [a-zA-Z]*([^]+).log$ but this...
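For a path of the shape shown, the capture should start after the last `/` and stop at `_messages.log`, so a negated class `[^/]+` does the work and the `.` before `log` needs escaping (unescaped it matches any character). In Splunk that is `| rex field=source "/(?<hostname>[^/]+)_messages\.log$"`; Splunk's PCRE names groups as `(?<name>...)` while Python needs `(?P<name>...)`. The block below is an added example, not from the thread, that checks the same pattern offline against constructed paths; the host names in the samples are made up.

```python
import re

# Assumed path layout from the question: .../YYYY/MM/DD/<hostname>_messages.log
# [^/]+ cannot run back past the last '/', so the date directories are never
# captured, and the '$' keeps rotated copies such as '.log.1' out of the match.
HOSTNAME_RE = re.compile(r"/(?P<hostname>[^/]+)_messages\.log$")


def extract_hostname(source):
    """Return the host name embedded in a syslog file path, or None."""
    m = HOSTNAME_RE.search(source)
    return m.group("hostname") if m else None


def hostnames_by_source(sources):
    """Map each source path to its host name (None where the path does not fit)."""
    return {s: extract_hostname(s) for s in sources}


# Constructed sample sources, not from the question.
SAMPLE_SOURCES = [
    "/var/log/syslog/2013/11/14/web01_messages.log",
    "/var/log/syslog/2013/11/14/fw_edge_messages.log",   # underscore inside the host name
    "/var/log/syslog/2013/11/14/messages.log",           # no host name at all
    "/var/log/syslog/2013/11/14/web01_messages.log.1",   # rotated file, excluded by '$'
]

if __name__ == "__main__":
    for source, host in hostnames_by_source(SAMPLE_SOURCES).items():
        print(f"{source} -> {host}")
```

Because `[^/]+` is greedy and the engine backtracks only as far as needed to match `_messages.log`, a host name that itself contains underscores (`fw_edge`) is returned whole; the extraction does not depend on the host name's character set, which matters when the files are named by whatever the sending host reports.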
Can I specify a name server for DNS
Hi, We are having some DNS issues in our infrastructure. Apparently the name servers our Splunk hosts are using are not able to resolve some PTR queries, because of our network topology. Unfortunately,...
DNS Resolution in a search
Is it possible to have IP addresses in a search resolved to a host name and displayed in the results rather than the IP address? My search is: source="udp:514" "dst=192.168." | stats count by dst | sort...
Splunk app for Unix and Linux change in functional design.
I'm not really sure where to put this as there really isn't any publicly viewable feedback on apps anymore (is a public discussion about a Splunk supported inappropriate for answers.spk?). We've been...
DNS lookup failing
Hi, I read http://www.splunk.com/base/Documentation/4.2.2/Knowledge/Addfieldsfromexternaldatasources and see my default transforms.conf has # Example external lookup [dnslookup] external_cmd =...
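The `[dnslookup]` stanza quoted above is the stock external lookup that answers the earlier "DNS Resolution in a search" question: its script takes the fields `clientip` and `clienthost`, so `... | stats count by dst | lookup dnslookup clientip AS dst OUTPUT clienthost AS dst_host` resolves each distinct destination after the aggregation rather than once per event. The script uses the search head's system resolver, which is why the "Can I specify a name server" problem surfaces here. The Python below is an added example that is not from either thread or from Splunk: it shows the resolve-after-stats pattern with a per-address cache and a fallback that keeps the IP when there is no PTR record, and takes an injectable resolver so it runs offline. The addresses, host names and row shape are constructed.

```python
import socket

# Constructed reverse-DNS table used by the offline resolver; made up.
FAKE_PTR = {
    "192.168.1.10": "fileserver.corp.example",
    "192.168.1.20": "printer-2f.corp.example",
}


def fake_resolver(ip):
    """Stand-in for socket.gethostbyaddr that answers from FAKE_PTR."""
    if ip in FAKE_PTR:
        return (FAKE_PTR[ip], [], [ip])
    raise OSError("no PTR record")  # socket.herror is an OSError subclass


def reverse_lookup(ip, resolver=socket.gethostbyaddr):
    """Resolve one IP to a host name, or None when the lookup fails."""
    try:
        return resolver(ip)[0]
    except OSError:
        return None


def resolve_counts(rows, resolver=socket.gethostbyaddr):
    """Add dst_host to rows shaped like the output of `stats count by dst`.

    Resolving after the stats means one query per distinct address instead of
    one per event, and the cache covers any repeats. An address without a PTR
    keeps its IP in dst_host so the row is not dropped from the report.
    """
    cache = {}
    out = []
    for row in rows:
        ip = row["dst"]
        if ip not in cache:
            cache[ip] = reverse_lookup(ip, resolver)
        out.append({**row, "dst_host": cache[ip] or ip})
    return out


# Constructed rows as `source="udp:514" "dst=192.168." | stats count by dst` might emit.
SAMPLE_ROWS = [
    {"dst": "192.168.1.10", "count": 7},
    {"dst": "192.168.1.99", "count": 2},
    {"dst": "192.168.1.20", "count": 1},
]

if __name__ == "__main__":
    # Pass fake_resolver to stay offline; omit it to use the real system resolver.
    for row in resolve_counts(SAMPLE_ROWS, fake_resolver):
        print(row)
```

Two practitioner notes: a PTR record is set by whoever controls the reverse zone for that address, so the returned name is a label for the report and not an identity to authorise against; and every lookup sends the addresses under investigation to the resolver in the clear, so for sensitive investigations keep the search head's resolver inside the environment or resolve from a local lookup table instead.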
feeding fields to an external script
I've written a little Python one-liner that basically calls showmount -a with an argv array at the end and my goal is to be able to feed it a list of hosts and get the showmount output for each host. if...
Inputs.conf and special characters
I have an inputs.conf file that had a monitor statement like: [monitor:///*_ECM/A/doc/abc.log] Files are NOT being picked up. If I get rid of the * and put a file name...
DB Connect: How to create a trigger to synthesize rising column values?
In that Database Input view: Splunk > Manager >> Data >> Data Inputs >> new, under the Tail Input - Rising Column field, there is a brief explanation: "Choose a column with an increasing...
Distributed Search and Roles
I have a Search Head with three indexers set up in distributed search. There is another team in our enterprise that has logs in their own indexer and our team has access to their search head using AD. So...
Restrict user to view only specified dashboards in one app only
I am trying to create a user account that can access one and only one app and only view some dashboards within that app. Nothing else. What I have done so far: 1. Created a custom app called myapps...
how can I upload code to Answers without MarkDown mangling it?
Not technically a question, but pretty sure will be helpful to many. If not helpful to you, please don't upvote. MarkDown (the Wiki engine used on this site) respects internal (between tokens on a line)...
How to extract numeric data from a String name-value pair?
Hello, I am new to Splunk and have gone through the tutorials about searching for data and have managed to find some basic things I am looking for. However this is my situation: I have an App that...
Multiple Splunk Instances on Single Server
We have five 16-core 2.67 GHz/48 GB RAM and three 8-core 2.39 GHz/32 GB RAM physicals. Two of the 16-core boxes are search heads, the other three are indexers. Two of the 8-core boxes are search heads (1 Job Server for...
Regex not matching in multiline events with XML
Hi all, I have a log format with plain text followed by XML payload spread over multiple lines. CREATION_TS=15-11-13 09:00:05| SomeText <?xml version="1.0" encoding="UTF-8"?> <newline>...
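The usual cause when a regex stops working on an event like this is that `.` does not match a newline by default, so a `.*` in the pattern is stuck on the first line and never reaches the XML. The fix is the inline `(?s)` (DOTALL) flag at the start of the pattern, which Splunk's `rex` and a props.conf `EXTRACT` accept just like Python does (remember that Splunk names groups `(?<name>...)` and Python `(?P<name>...)`). The block below is an added example, not from the thread, that runs the broken and the fixed pattern over a constructed event of the same shape; the XML element names and values are assumptions.

```python
import re

# Constructed event shaped like the one in the question: a text prefix, then an
# XML payload that continues over several lines. Element names are made up.
EVENT = (
    "CREATION_TS=15-11-13 09:00:05| SomeText "
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<order>\n"
    "  <id>42</id>\n"
    "  <status>shipped</status>\n"
    "</order>\n"
)

# Without DOTALL '.' does not match '\n', so '.*' cannot cross the first line
# break and the pattern never reaches <status>: this is the failure reported.
NAIVE_RE = re.compile(
    r"CREATION_TS=(?P<ts>[^|]+)\|.*<status>(?P<status>[^<]+)</status>"
)

# (?s) makes '.' match newlines. '.*?' is lazy so the match stops at the first
# <status>, and the negated classes keep each capture bounded so the pattern
# cannot run away over a large payload.
MULTILINE_RE = re.compile(
    r"(?s)CREATION_TS=(?P<ts>[^|]+)\|.*?<status>(?P<status>[^<]+)</status>"
)


def extract_naive(event):
    """The pattern as typically written first; returns None on multiline events."""
    m = NAIVE_RE.search(event)
    return m.groupdict() if m else None


def extract_fields(event):
    """Same captures with (?s); returns {'ts': ..., 'status': ...} or None."""
    m = MULTILINE_RE.search(event)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("naive:   ", extract_naive(EVENT))
    print("dotall:  ", extract_fields(EVENT))
```

A regex is fine for pulling a couple of fields out for search-time extraction; if the values are going to be acted on, parse the payload with an XML parser instead, since a regex does not see CDATA sections, comments or entity encoding, all of which an attacker who controls the XML can use to slip a different value past the extraction.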
Why are there decommissioned instances listed in the S.o.S. pulldown for...
Why am I seeing decommissioned instances (i.e. search peers, forwarders) in the S.o.S. pulldowns and deployment topology view?