search for a sequence of events in a transaction
I have a log file in which I am grouping the events using the transaction command based on session ID. Within each transaction I need to find two events (event A and event B) that occur in a sequence and the...
Chart by selected fields
Hi, I am trying to structure some data from an outside source. In the data I get a lot of fields for each event, and I want to work by selected field as below: Field 1 Count Sparkline(Value) Field 2 Count...
Variable group widths in single-column dashboard panels (using CSS?)
Hey Splunk community! I currently have a dashboard with a number of panels, and each panel has 5 groups: panel 1: | grp1 | grp2 | grp3 | grp4 | grp5 | panel 2: | grp1 | grp2 | grp3 | grp4 | grp5 | panel 3:...
Using earliest and latest variables in a form
(Using Splunk 6) Does anyone know if Splunk can do something similar to this: <fieldset autoRun="false" submitButton="true"> <input type="text" token="earliest"> <label>earliest...
Lookup cidr performance
We have a need to identify the country of origin of IPs that are hitting our firewalls, notably from "unfriendly" countries. To that end, I have collected a list of IPs in CIDR notation for each of...
Any reason for only some forwarders to show on Forwarder Management screen
On 6.0 when I view the Forwarder Management screen I see entries such as: MA123XAPPA11 deploymentClient 11.22.33.44 Delete Record windows-x64 0 deployed a few seconds ago. However there are forwarders for...
Can I point a forwarder to my Splunk Storm project on port 443?
Can a forwarder be configured to use port 443 to talk to Splunk Storm and/or can a forwarder be configured to use the REST API? I'd like to stick with port 443 as opening other ports at customer sites,...
How to display a different error message than "No results Found" when user is...
Sometimes users who get access via general role do not have access to indexes for all applications in our deployment. When such a user tries to search on an index he/she does not have access to, they...
Cisco Firewall Add-On 2.0 w/ Splunk for Cisco Security - summary indexing
I recently downloaded and installed both the Splunk for Cisco Firewalls Add-on and the Splunk for Cisco Security app. I noticed while reading the Splunk for Cisco Firewalls README that I could enable...
Configure heavy forwarder to send data periodically
Hi Guys, I set up a heavy forwarder at Machine-1 and want to send data to Machine-2. Since the network is involved in between, I want to minimize the network traffic to prevent certain types of events and...
Unable to forward only one selected index in output.conf
I'm trying to deactivate all indexes for forwarding, and only forward those on the whitelist, but it doesn't work. My output.conf: [tcpout] disabled = false indexAndForward = false defaultGroup =...
df by host,mount
I'm trying to set up a timechart of disk free by host and mountpoint and this is proving difficult, because timechart will only accept one field for a by clause. This doesn't work because the level of...
Invalid Argument in Case Expression?
Can someone see what is invalid about this? I have tried each of the following ways with the same result each time: "Error in 'eval' command: The arguments to the 'case' function are invalid." eval...
Splunk multiple monitoring stanza issue
Hi, I am adding multiple monitoring stanzas here to filter out different log files and give them a source type. But I am seeing in the indexer's search that source SystemErr.log has two different source type...
Indexers pool - two indexers, one fully loaded but the other empty
We have the S.o.S app to check the health of the indexer pool. I recently found out that one indexer is fully loaded on parsing, aggregation and queue for indexing, but the other one is almost empty. It...
Accelerated search with specific week day
I have an accelerated search which is set for a 3 months time range. The acceleration works, I can get a whole day's logs in the past in an average of 10 seconds, where it would take forever otherwise....
Find closest events in 2 indexes
Hi. We have a distributed production environment with IHS as an HTTP server (3 hosts). Access logs from those hosts are joined into index="app-prd-web". Then we have a J2EE application deployed to a cluster of...
Average line in area graph
I want to show an area graph with an average line through it. This is the search I'm using: eventtype=windows_performance object=Process | timechart span=5m count as Alerts | appendcols [search...
Help with sum time between events from other sourcetypes
Hi, I have some events that can be transferred from one crew to another, and their status also can be changed. I have 3 sourcetypes (1 sourcetype (ALL_EVENTS) is a dump and the other two are tails). The...