regex fu (if contains : do this)
Hey guys, this is one for any regex grand masters. I have a field (snort_dst) which contains addresses in both these formats: 1.2.3.4 5.6.7.8:910 where :910 denotes the port number. I have the following...
average count of events over days of the week
I wonder if it is possible to compute the average number of events over the days of the week, i.e. Monday, Tuesday... for the whole month. The following code will compute over dates of the month, which I...
Field extraction
Hi, I want to extract a particular word and add it to a calculated field from a message field. I have a SharePoint server log; sample entries are: 04/02/2013 00:41:51.82 w3wp.exe (0x2324) 0x1D5C SharePoint...
Realtime search in dashboard slow compared to realtime in flashtimeline
Hi All, I have a realtime search to find TPS in a dashboard. But the search in the dashboard runs ten times slower than the same search run in the search window. Couldn't figure out why. Also sometimes the...
Backfill not working for a realtime dashboard
Hi All, My realtime dashboard using Advanced XML (1 hour window) is not doing the backfill. The backfill in limits.conf is set to true. What else could prevent the dashboard from doing the backfill? Thanks in...
1 orphaned indexer reported by 1 indexer
What made this warning appear? "1 orphaned indexer reported by 1 indexer". How to correct by midnight to avoid violation. Tried finding out the issue, but can't get any clue yet. Any help is much...
Install another instance with a lower version on Windows Platform?
Good Day, I have installed the latest Splunk on my test machine (WINDOWS), and I want to install another instance having a much lower version of it. I know it sounds crazy, but is it possible without...
Summarising the values of each perfmon counter into 1 event per host...
I have a collection of perfmon events, each one is basically the host, counter, value for each of the counters that are collected for the perfmon. I have been asked to provide a table that contains a...
Charting types in JS chart
This is my code, I want the pie chart to be displayed first and then the table to be displayed below. I am getting the table first and then the pie chart. <module name="SimpleResultsHeader"> <param...
Is there a limit on JSON arrays?
Hi, I import a JSON file with a JSON object that contains an array with another 50 JSON objects. It looks like the (multiline) event is not read in to the end, but my truncate and max_events...
How to filter the index by using multiple stanzas with different sources in...
Hi, I would like to filter out some event logs coming from different forwarders. I have been able to filter out some specific winevents coming from the security log. Now I would like to optimize my...
Colorize SimpleResultsTable rows based on dynamic field values
I have a simple table on a dashboard which has various bits of info. In particular, there is a "dest" column. I'd like to colorize each row according to the dest value. Values of the "dest" column are...
How to add timeline in dashboard
Hi All, I want to show the timeline in my dashboard. How can I do that? Please help me! Thanks in advance!
Colorize SimpleResultsTable rows based on field values
I have a simple table on a dashboard which has various bits of info. In particular, there is a "severity" column. I'd like to colorize each row according to the severity value.
pass $foo$ value to textfield default
I have a URLLoader, and I'm unable to pass the $foo$ value to the default value of a text field (I don't want a pulldown, because the user must be able to enter a value if nothing is coming...
How to set count of displayed events in Dashboard event view / simple XML?
I'm trying to add an event view to a dashboard, but Splunk seems to ignore the options set in the XML: <event> <searchName>Global AAA - Failed: bad password</searchName>...
Unable to set autoRun on nested search
I have: URLLoader, Search autoRun=true, Pulldown, Pulldown, Pulldown, Button, Search. The first search is populating the pulldown with a |metadata search; the second one is supposed to launch a real search, but...
REST API oneshot blocking search
I'd like to query Splunk via a single REST call, mostly because I'm trying to get data from Excel via Data > Import External Data > Web Query. I've tried the following URLs from my browser without...
Sideview-utils postprocess slow speed, SearchHead or indexer load?
I had a view on my Test server. After installing Sideview on my PROD machine, the postprocess that was displaying my XML flat, with an spath, became very slow. Is it because my searchHead and Indexer...
How to go to other panel on pressing view results in dashboard
Hi, In my dashboard one of my dashboard panels will show countries; if I click on "view results" of that dashboard panel it should take me to the states dashboard panel and so on. How to do this? If I press...