issue at time of changing deployment server information
Hi,I am facing issue at time of changing deployment server from A to B.e.g. At time of installation of forwarders I added deployment.conf in system/default folder to point server A. Now I am planning...
View ArticleExtract date from source path with a varying name
Hi Guys,My log files has events with the time stamp on it, just the time not the date but luckily the source name has the date in it and splunk automatically identifies date from the source name and...
View ArticlePorting ArcSight content to Splunk - compare between two fields of the same...
Hi, I need to port ArcSight content to Splunk and I'm afraid I stumbled upon a fundamental difference on how to implement filters in ArcSight vs. saved searches in Splunk. How to filter out events by...
View ArticleClik here to view.
Retro Old Single Value module
Is there a way to use the old single value:Instead of:In simple or advanced (still in 5.0.x)
View ArticleLine chart comparing yesterday's result with today's result in dashboard
I was intrigued by a chart that I saw the other day in an App. The App had a dashboard that compared last weeks results vs this weeks results on the same chart. Unfortunately, I did not see the search...
View ArticleProblems comparing 2 Weeks, timeranges get lost
Hy all, here a well known question i a new context.I am comparing Data over weeks, but it seems that im shifting in a little bit wrong bay old timerange to new range.Querying over 14 Days shows me a...
View ArticleCompare set of data from different times
I have the following query to capture the application response time, and put it in summary index source=iislog app="abc" | sistats avg(time_taken) count by source index=summary search_name="capture app...
View ArticleHow do we specify same day last week
Hi,i want to compare the traffic from today to the traffic from the same day a week back. in the time range i have -7d@h in the from filed and left empty in the to field. Also my query is like this...
View ArticleFraud detection - how to compare last weeks average count with todays count...
Basically I need to construct a search that compare last weeks average count for "successful authorizations" with today count and shows that in a chart. I also need to measure the gap between these to...
View ArticleCompare today to yesterday's results
Hi how should I modify my search to make it work?host="javaserver1" source="/var/log/javastuff.log" earliest=-1d@d latest=-0d@d Sending failed | multikv | eval ReportKey="yesterday" | append [search...
View ArticleCompare two timerange in one report
Hello,I did a chart where compare two timeranges. This is my search:source="tcp:5543" Service_Type="*" earliest=-0d@d latest=now | multikv | eval ReportKey="today" | append [search source="tcp:5543"...
View Articleaverage count of events over days of the week
I wonder if it is possible to compute average number of events over the days of the weeks, i.e. Monday, Tuesday... for the whole month. The following code will compute over dates of the month, which I...
View ArticleHow do I compare a Saturday to another Saturday
I want to compare the results from one Saturday to 3-4 prior Saturdays. The query I am using is created from the postings here and returns the # of events/second that were logged for a particular...
View ArticleComparing time ranges one report
I'm trying to get Thursday of this week compared with Thursday of last week and have the values overlay in a stack graph.Using the following search, based off this link, I'm not able to get the data to...
View ArticleEventstats Question/Bug
I notice that sometimes eventstats loads more data than the event results produce. For example lets say I have a search on field id that produces 5 results which I then pass to eventstats.id=1 |...
View ArticleHow do I extract a semicolon separated field during search?
Hi I have a Log string event like this, between a different defined log format. How could is separate the fields during the search time?It is possible, to add the additional field definition into my...
View Articledata being sent to _internal index not specified index
I have a deployment server that has within the index.conf file a line that states[default] index = lab_dmzYet all of my data is being dumped into the _internal index. I have run "splunk cmd btool...
View ArticleQuery is not fully resolved in dashboard
I have a Simple XML dashboard which does<form> <label>Admin Dashboard</label> <description/> <fieldset> <input type="dropdown" token="company"...
View ArticleDashboard help
Hi I'm trying to create a custom dashboard which list the companies and products we have running on our servers. To define the term company i setup a field extraction -> transform to look at a...
View ArticleSearch & rex to munge log data for execution of "sudo" commands
I'm looking to create a custom search for dashboard I'm working on related to security. The idea is to detect the execution or attempted execution of sudo commands, and to be alerted or notified when...
View Article