How does role composition work?
http://docs.splunk.com/Documentation/Splunk/6.0/Security/Aboutusersandroles#How_users_inherit_search_filter_restrictions
I read the blurb above, but still find myself with questions. Not using...
Splunk for Snort app installation in 5.0.6 clustered environment?
Has anyone installed the Splunk for Snort app in a 5.0.6 clustered environment? I am curious if there are any caveats for running the app in a clustered environment. Is the app installed only on the...
Configure Splunk for Active Directory
I am attempting to follow the online documentation/PDF for configuring my AD forwarder, but am having some trouble. When customizing the index names in the .conf files, where in my Splunk install can I...
Chronological Eventcount Per User
Hi, is it possible to add a field to each event and add a value to this field that shows the chronological count of the specific event per user? Let's call this field "eventserial". So that the first...
Transaction Duration Duplicated due to multiple same event
Hello, I'm trying to get the duration of a transaction starting with "green" and stopping with "red". The problem is that when I have data like this:
time_001 Green
time_002 Green
time_003 Red
time_004...
Splunk and Shibboleth log analysis
Has anyone configured Splunk to read the audit logs from Shibboleth to try to summarize the source of the incoming authentication request? The log format seems unique to Shibboleth.
FAILED_LOAD_DEPLOYMENT_SERVER__TENANT_default - keep seeing on restart
I keep seeing this on Splunk restarts in the GUI: FAILED_LOAD_DEPLOYMENT_SERVER__TENANT_default. Anyone know what it is or why I am seeing it? I did upgrade from Splunk 5.0 to 6.0 a few weeks back, so...
Comparing two fields from different sources
Dear all, I would like to compare two fields in a sequential way coming from different sourcetypes already indexed in Splunk. For instance, sourcetype 1 has the queries done by clients to the DNS....
Splunk doesn't show fields after parsing. Why?
Sample Log File
2013-10-31|2013-10-31 00:00:00|serv1|ws1|Mozilla|p1=1,p2=2,p3=3|hash1||method1|id||2.01
2013-11-01|2013-10-31...
Span index over multiple indexers
Hi, question: can I span one index over multiple indexers without using clustering? If so, how? :) TY!
New Field From a Current Field Up to a Certain Character (In a Search)
I have a field named FieldA. It looks like this: 10.10.10.10->10.11.11.11. I want to create a new field (FieldB) that is everything left of the "->". I tried using LTRIM, among others, but I can't...
Strange error with subsearch
I have a query with a subquery that I am using to identify a set of transactions that contain a string - from those transactions I am extracting a unique identifier that will find all other...
Inhibiting alerts from saved searches that had search errors
Is there a way to inhibit alerts from saved searches that had errors? Saved searches will sometimes fail with errors like the one below:
-- Search generated the following messages -- Message Level: WARN...
Sideview Redirector from a chart
Hi. I got a static select:
<module name="StaticSelect" layoutPanel="mainSearchControls">
  <param name="settingToCreate">group_setting2</param>
  <param name="label">Summarized by:...
Passing search result as token
How can I pass the simple search query result value as a token to a second search query, which is in turn used by one chart in SimpleXML? Please help me.
Splunkweb reporting splunkd timeout
Hello, I am currently running into problems with my Search Heads. Users are experiencing intermittent timeouts of splunkd, which is stated by Splunkweb during search, log in, etc. When Splunk is...
Splunk 6 with Splunk for Unix Add-on: Setup Dashboard goes 404 not found
New to Splunk... getting to know my way around. Installed the Splunk for Unix Add-on App, but the Dashboard doesn't work. Navigating to the Dashboard Setup gets you a 404 error. The app is collecting...
Line breaks within a CSV field
I have a .csv file with several fields. There are many date fields and text fields, but fields are long blobs of text (such as the body of an e-mail); let's call such a field "longtext". The problem is...
Real-time Alerts stopped working
We have a number of RT searches that we alert on. All were working fine for several months. I cannot pinpoint the time that they stopped working, but they all have stopped working. I have disabled...
erex not working in Splunk 6
In previous versions of Splunk, I've been able to use erex at search time to define a regular expression based on search-time data, which is especially helpful in very large events or very spread out...