Hunk sizing
Hi, I am doing an application in Splunk that processes 200K records per second fetched from Hadoop. What is the sizing that I need to look at for the licensing? I could see in Hunk that...
How would I display the number of events on a pie chart?
I have a dashboard that displays a weekly summary of detected signatures, but I would like to be able to show the number of events per signature on the chart. Is this possible? Current simple...
UA strings not captured in lookup
I have this running but it is returning "Unknown" for these http_user_agent values: 1 "Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0)" 2...
FIELD_NAMES for Missing Headers of CSV
I have a comma-separated csv file with missing headers. From the props.conf.spec below it has the configuration setting in your props.conf file: FIELD_NAMES = [ <string>,..., <string>] *...
Plotting points on a Splunk 6 map
My data is already coming into Splunk lat/lon encoded. I don't need to do any ip geo lookup or anything like that. Each event has a latitude and longitude field. I want to plot each event onto a map. I...
How to plot number of scheduled jobs on an hourly time scale by user
Hi, how do we list out all of the saved scheduled jobs on a Splunk setup by user, by day, by search, by title of the saved search? Also, I wanted to plot in a day's view of scheduled jobs -- i.e. 0-23...
Intermediate forwarder not forwarding _internal data
I am using Universal Forwarder as an intermediate forwarder. It is forwarding the monitored data without any issues, but it is not forwarding any data to the _internal index or Splunk logs. Intermediate Forwarder...
Quoted escape characters when searching a field
"2013-12-19 11:13:23", "[INFO]", "30927", "MainProcess", "SSMITH"
My data is coming into Splunk in this format, and when I select to look at it in raw form this is an example of one of my logs. The...
Parsing multivalued field
I have two fields, say foo and bar. They both have the same format. An example of the fields could be foo="{a=3, b=4, c=11}" bar="{x=1, y=5, z=3}" I want to parse and use these multivalued fields. That...
BundleArchiver - Filtered nothing out of local.meta, but size still changed
I keep getting this message every few minutes for a specific app that I haven't changed in months. "WARN BundleArchiver - Filtered nothing out of Splunketcappsmyappmetadatalocal.meta, but size still...
What is the default port on Splunk Universal Forwarder for Deployment Server...
All configurations will be pushed by Deployment Server to Forwarder running on a linux box. What is the default port opened on Forwarder which is used by Server to push the data to forwarder? Are there any...
IIS log user count
My purpose is to count currently logged in users for a web site. Easiest way to get this is something like | stats dc(cs_username) However, that really does not reflect the true numbers that I am after as...
[indexer] Streamed search execute failed because: User 'nobody' could not act...
Can someone please tell me what this means, and where I can look to fix this? Thanks!
Splunk is adding weird strings like "_linebreaker\x00\x00" to my events, what...
Before forwarding data I checked to see if it was indexing properly and it seemed to have no problems. However, once I turned on forwarding, the data shows up like so in the primary instance of...
search query - iterations of search criteria
I'm trying to search for multiple rule event hits in my historical data: Date 1, Rule A, NumAlerts 15 Date 1, Rule B, NumAlerts 0 Date 1, Rule C, NumAlerts 15000 Date 2, Rule A, NumAlerts 16000 Date 2,...
Inconsistent Predict results
Hi, when I compare the dashboard results for these two simultaneously executed searches below: (i) malware in last 60 minutes (ii) malware in last 4 hours and view the count of occurrences for the same...
REX SED Help, need to replace namespaces from xml field
Hi, I have an xml field which holds values like below. It contains namespaces for each element which I want to remove: ...message="<h:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">...
Can I run Splunk on btrfs?
Hello, I just downloaded Splunk today to try it out on a few of our servers, but found out very quickly that it doesn't support btrfs: Filesystem type is not supported: buf.f_type = 0x9123683e Why does...
How to track a specific user login and logoff the past 30 days
Please excuse my lack of knowledge with Splunk, but I need to track a user by login/logoff for the past 30 days. I looked through some of the answers but can't seem to get this to work. Appreciate your...