Configuring Time Zone of Source
Hello, I am indexing data from an MS SQL database using the DB Connect App. The time format is in Unix epoch and is being entered in the database wrong (instead of UTC, it is in UTC + 5:00). Splunk...
Sum an unknown number of fields (with wildcards)
I have events like: _time host1=1 host2=10 host3=20 and _time host1=2 host3=12 host3=30. The number of fields is not defined; I only know they begin with host*. Is there a way to make an | eval sum=sum(host*)? In...
Splunk monitor only single file not working
Hi experts, I have a problem in monitoring only a file, for example /var/log/messages. I added a monitor: $ ./splunk add monitor /var/log/messages -index testindex -sourcetype linux_log But results are not...
Splunk6 DB Connect 1.1.1 No handlers could be found for logger "spp.java"
Hi, I am having a similar issue to that described here: http://answers.splunk.com/answers/105605/the-java-bridge-server-is-not-running-dbx-110 I am running Splunk6 and DB Connect 1.1.1 on a Linux VM. When I...
local limits.conf not working for the specified span would result in too many...
I have created a view for max transactions/second. I have a timechart with a 1 second span which counts transactions/second per day for a given time range. host="*" | transaction "TxId"...
Parse error: must be terminated by the matching end-tag
Hi, I downloaded the Splunk SDK and played with its examples. I am trying the "info" example. I got the error "must be terminated by the matching end-tag" during Service.connect. And when I look at the...
Reading RAW SQL
Hello, I have 1000 stored procedures that I need to extract table names and column names from. Keep in mind that the SQL in the SPs is manually written, so I can't expect much consistency. I would care...
Universal Forwarder on Windows 2012 R2 Server Core
Can the forwarder be installed on the Server Core edition of Windows? Are there any issues?
Summarising Data for Reporting
I am wanting to summarise data so that it can be reported on by our management using a search form. This will tell us how often a particular service is being used, and what "options" are used with it....
Modifying the All Indexed Data dashboard for custom indices
I have customized the Windows App to send perfmon and windows events to separate indices (named perfmon and winevents, respectively). As such, the "All Indexed Data" dashboard at the bottom of the...
Access Control for Clustered Deployments
Can someone direct me to a good resource that explains how role-based access control functions for clustered or distributed deployments and what the best practices are? All the documentation seems to...
Detection of stealthy events
On security issues, there are high intensity events - scanning - and low-intensity (or stealthy) events - periodic or not - that take place say once every few days. The high intensity can be detected...
Sorting a list
Hi Splunkers! My data looks like this - it may be familiar from a recent high-profile data leak :) phone number, username, location 21209864XX, user001, london My hypothesis is to test whether a...
RT Searches and the Dispatch Directory
Hello everyone, I'm having issues keeping my dispatch directory down to a manageable level. What I mean by that is, for the past week, every two days I log in to do a manual search and I cannot because...
"Viewstate object not found" error while cloning a search
This is Splunk 5.0.1. Fresh install, i.e. not an upgrade from a previous version. Sometimes, when trying to clone a search, I get an error like: "[HTTP 404] Viewstate object not found; view=*...
Move indexed file!
How do I move files indexed by Splunk? [monitor:///var/log/teste/teste.log]
Cisco IPS addon, Splunk 6 and ssl errors
Have recently installed Splunk 6 Enterprise and realize that the Cisco IPS addon only states 5.0 support, not 6.0, but was hoping I could get it to pull the SDEE data from my Cisco IPS. Running:...
How can I change the logging level for something I am trying to debug?
I am trying to figure out why a saved search does not seem to be running on a very busy Splunk server. Is it possible to change the logging level only around saved searches to debug so I can get more...
Splunk and SCOM 2012 integration
Hi all, I found an integration method for forwarding SCOM data into Splunk: http://splunk-base.splunk.com/apps/22380/scom-system-center-operations-manager-integration Unfortunately this is still the SCOM...
Realtime Cached Charts In Web Framework
I have caching turned on for my searches within a dashboard using Django and Web Framework and when I switched my time picker to realtime within an amount less than the cache time, it appears to...