Splunk for Palo Alto Networks causing disk io congestion on search head
We have a Splunk setup that has two indexers and a search head running Splunk 5.0.4 and SplunkforPaloAltoNetworks 3.3.1 (upgrades to both are planned "soon"). There is another machine configured as a...
View ArticleCreating a lookup from comma separated data...
I'm trying to do some work with qualys data. There are events that describe "asset groups", with a bunch of fields, one of which is "scanips", which is a comma separated list of IP addresses. something...
View ArticleSplunk V 6 error Search query is not fully resolved.
Good Afternoon, I am new to Splunk and have a query that is working fine in the search but once saved in the Dashboard it errors out with "Search Query is not Fully Resolved." Anyone have any ideas on...
View ArticleDBX DB Connect Issue - Duplication, Non-Historical Function, Overwrite...
All,Forgive the lengthy post, I'm trying to be thorough. I believe our issue is with the fundamental feature or intended use of this application. It appears that DBX follows Splunk in the mindset that...
View ArticleWhat is required to use Forwarder Management?
I have a Splunk 6 instance running on Windows. I have no file system access, only access via Splunk Web. The instance was installed using the installer, no extra configuration done.We have a bunch of...
View ArticleExamples: How do I edit the resulting value in search query?
I have dates that look like "01/09/2014 00:00:00" that I want to chart. The dates take up too much real estate so I want to edit them so they are just:01/09, 01/08, 01/07, etc.
View ArticleLicense usage previous 30 days doesn't work
Hello,i have an alert because of the limitation of 500 mb per day, i want to know which host is spamming me to shut it but the licence previous 30 days doesn't work, but licence usage today is working...
View ArticleHalp! My data is being rolled to frozen and I don't know why!
I need to know why my data is being rolled to frozen - is it because of time or disk space?
View ArticleREST service endpoint for licenser used in a period time
I used the REST endpoint /services/licenser/pools to get current usage data for licenser, however I need to report the usage in 1 month or 1 week, does Splunk has any endpoints that support that?
View ArticleNo data in License Usage report
We are having an issue viewing the License Usage report in Splunk 6.0 - no data is being displayed when trying to view the "License Usage" graphs when going to Activity -> System Activity ->...
View ArticleWhy is my log quota being eaten up by "invisible" files?
Using the following search, I find that in the hour after midnight there is a spike in indexing activity:index="_internal" source="*license_usage.log" | eval...
View ArticleLicense Usage past 30 days don't work
There is no results found when i use this dashboard in splunk 6.0 but the first one (today) is working.How can i fix that ?Thanks you.
View ArticleTransaction using timestamp
I have the following query. index="someindex" | sort +evnt_ts | transaction dcn,evnt_ts keepevicted="t"| table dcn,_time,evnt_tsThere are 15 events for each dcn. When I do 'transaction dcn', I get the...
View ArticleFiltering events from Hadoop unstructured data
I am trying to read log files from Hadoop cluster. These are unstructured files which otherwise can be filtered after indexing using Regex searches. But my input data is huge and the throughput...
View ArticleCluster manager says an index is unsearchable and not replicated, but...
We've just deployed a new Splunk 5 cluster. The cluster master claims that the netflow, _audit, and _internal indexes have problems. It says they aren't searchable and there aren't any replicated...
View Articlesubsearch help
i have a two tables one is rating user_id=xxxx movie_id = zzzz rating = yyyy second is movie movie_id = kkkk name = ppppusing this field i want to find the 20 top rated moive name
View ArticleIssue with REST API Modular Input and Streaming Twitter API
I have recently been playing around with the REST API application and the streaming twitter feed and have come across an odd issue. After a lot of troubleshooting, it appears that everything works...
View ArticleSplunk Single Sign-On With F5 Big-IP
I am curious if anyone has attempted to or is currently using an F5 Big-IP LTM as a reverse proxy for Splunk web. I've consulted Google U, but haven't been successful.
View Articlewhat does an empty line represent in a regular expression?
I am looking to find a character (regular expression) in Splunk that searches for and returns values (from a file) starting with a word (ex.Total) and ending with a new empty line (representing a new...
View ArticleIndex only the first line and ignore the rest.
HelloI have few files for which I want to index just the first line and ignore everything else as its purely being used for information. All of them have the same pattern so I guess I cannot use the...
View Article