Reduce fishbucket size
Hello folks, my forwarders monitor several thousand Oracle logs daily that rotate out at a high frequency. As such, my fishbucket index is growing at a steady pace. Currently it sits at 200MB+ on my...
Traffic getting to server, but not getting splunk'd.
I have an ASA firewall sending data to my Splunk server (syslog port 514). When I run tcpdump...

tcpdump -i eth1 host 172.28.8.234 > test.txt

I get data dumped. It looks like...

11:15:53.627144 IP...
matching multiple constraints in a transaction
I need to find hosts on which Event B occurred within three minutes of Event A. I'm trying to use transaction, but I seem to be running into the problem that a transaction is marked closed if either...
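The correlation the poster is describing, as an added example that is not part of the post and is not Splunk's own code: a plain-Python version of "Event B on the same host within three minutes after Event A", written so that a second A does not close the first one early and a B that precedes A is not counted. The log lines, host names and event labels are constructed sample data.

```python
"""Find hosts where Event B followed Event A within a time window.

Added example (not from the post above, not Splunk code). The log format
"<timestamp> host=<host> event=<A|B>" and all values below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. web01: B 90s after A (match). web02: B 5 min
# after A (too late). web03: B before A (no match). web04: two A's, then a
# B that is within 3 min of the second A only.
SAMPLE_LOG = """\
2013-05-03 11:15:00 host=web01 event=A
2013-05-03 11:16:30 host=web01 event=B
2013-05-03 11:20:00 host=web02 event=A
2013-05-03 11:25:00 host=web02 event=B
2013-05-03 11:30:00 host=web03 event=B
2013-05-03 11:31:00 host=web03 event=A
2013-05-03 11:40:00 host=web04 event=A
2013-05-03 11:41:00 host=web04 event=A
2013-05-03 11:43:30 host=web04 event=B
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, host, event)."""
    ts_str, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"), fields["host"], fields["event"]


def find_b_after_a(log_text, window=timedelta(minutes=3)):
    """Return {host: [(t_a, t_b), ...]} for every A that a B followed within `window`.

    Every A stays open until a B arrives on that host; the B then matches all
    open A's inside the window and clears the host's open list, so stale A's
    never match and the same A is not paired twice.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    open_a = defaultdict(list)
    matches = defaultdict(list)
    for ts, host, ev in events:
        if ev == "A":
            open_a[host].append(ts)
        elif ev == "B":
            for t_a in open_a[host]:
                if ts - t_a <= window:
                    matches[host].append((t_a, ts))
            open_a[host] = []  # consumed or expired either way
    return dict(matches)


def hosts_with_b_after_a(log_text, window=timedelta(minutes=3)):
    """Sorted list of hosts that had at least one A->B pair inside the window."""
    return sorted(find_b_after_a(log_text, window))


if __name__ == "__main__":
    for host, pairs in find_b_after_a(SAMPLE_LOG).items():
        for t_a, t_b in pairs:
            print(f"{host}: A at {t_a:%H:%M:%S}, B at {t_b:%H:%M:%S}")
```

Sorting by timestamp first matters when events come from several sources; the per-host open list is what a `transaction` with `startswith`/`endswith` collapses into a single open span.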
Why is my index disabled?
First I saw this banner all the time: "received event for unconfigured/disabled index=XXXX" for the indexes _internal and also for _audit. I found out that they were disabled (manager > indexes and...
Splunk for Citrix XenApp Logoff times
Is there a way in the app to modify the user reports by time to include logoff time? I am looking to find out both logon and logoff times for users. Thanks, Janet
Using searchPostProcess with input tokens
I need to drive 2 different searches from a form input. It's a very basic dashboard where I need a configurable timechart (where span and aggregation are chosen from input boxes). However, I need to also...
Add description text to Table
Hi Everyone, I have created a few dashboards and forms, but would like to add some type of text description of the different drill-down options below the table label and before the actual table data...
advanced xml title size and position
What is the syntax in Splunk Advanced XML to change the size and position of the panel label?
Splunk DB Connect not indexing
Greetings Splunk Answers, I am having an issue with the Splunk DB Connect app where database inputs are not indexing. I'm using dbmon-dump and dbmon-tail to query my DB as data sources. I can see a...
Setting useACK with CLI
Is there a way to set useACK=true with the CLI? Can it be run as a remote command? Thanks, Russ...
trim a zip code to 5 characters
This has to be an easy answer... I am just not seeing it, or it is just a warm Friday and my brain is asleep. I have a column of results with zip codes, e.g. 94101 94102 941031514 941321600. I want to cut...
Filtering Out Load Balancer Health Checks in IIS Logs
I'm in the process of evaluating the Splunk for Exchange app and am having a bit of trouble with the TA for IIS (via the vanilla Universal Forwarder install). We have a lot of noise in our logs related...
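As an added example, not from the post and not part of the Splunk for Exchange app or the IIS TA: a small W3C IIS log filter that drops load-balancer health-check requests and keeps everything else. The health-check signatures (a `LB-HealthCheck` user agent, and a `/healthcheck.htm` path requested from the balancer's own addresses) and the log lines themselves are assumptions constructed for the example; substitute the pattern your balancer actually sends.

```python
"""Drop load-balancer health checks from IIS W3C extended log lines.

Added example (not from the post, not part of any Splunk app). The field
list, the sample requests and the health-check signatures are constructed
for illustration.
"""

# Assumed health-check fingerprints; replace with what your balancer sends.
HEALTH_CHECK_AGENTS = ("LB-HealthCheck",)   # user-agent prefixes (assumed)
HEALTH_CHECK_PATHS = {"/healthcheck.htm"}   # probe URLs (assumed)
LB_SOURCES = {"10.1.1.5", "10.1.1.6"}       # balancer node IPs (assumed)

# Constructed sample: one probe by user agent, one real OWA request,
# one probe by path+source.
SAMPLE_IIS = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-05-03 11:15:53 10.1.1.10 GET /owa/ - 443 - 10.1.1.5 LB-HealthCheck/1.0 200 0 0 15
2013-05-03 11:15:54 10.1.1.10 GET /owa/ - 443 janet 192.0.2.44 Mozilla/5.0 200 0 0 312
2013-05-03 11:15:55 10.1.1.10 GET /healthcheck.htm - 80 - 10.1.1.6 Mozilla/4.0 200 0 0 2
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        yield dict(zip(fields, line.split(" ")))


def is_health_check(rec):
    """True when the record matches one of the assumed probe signatures."""
    ua = rec.get("cs(User-Agent)", "")
    by_agent = ua.startswith(HEALTH_CHECK_AGENTS)
    by_path = (rec.get("cs-uri-stem") in HEALTH_CHECK_PATHS
               and rec.get("c-ip") in LB_SOURCES)
    return by_agent or by_path


def filter_health_checks(log_text):
    """Return the parsed records that are not health checks."""
    return [r for r in parse_w3c(log_text) if not is_health_check(r)]


if __name__ == "__main__":
    for rec in filter_health_checks(SAMPLE_IIS):
        print(rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["cs(User-Agent)"])
```

Matching on path alone is risky, since an attacker can request `/healthcheck.htm` too; tying the path to the balancer's source addresses keeps those requests in the index. In Splunk the same predicate belongs in a transforms.conf stanza that routes to nullQueue, and that has to run on an indexer or heavy forwarder: the universal forwarder the poster is using does not parse events, so it cannot apply the filter.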
Internet facing REST API
We're looking to automate the process of uploading and approving files for an application whitelisting solution. For machines that are outside the network, I would like them to periodically query a...
Splunk-perfmon failing: InitQuery failed in PeriodicDataCollector::tick
Hi all, I'm pulling some logs in from Windows perfmon. All was going well, but now I am seeing the following error messages:

05-03-2013 15:47:25.462 -0500 ERROR ExecProcessor - message from...
Pulldown cascade with a sometimes missing data value
Hi all, So here's a question. I'm taking over a Splunk app from a previous developer, and they're using a whole bunch of pulldowns to display some data, and the setup appears to be working something...
Splunk for Exchange.
I have some "invalid key-value parser" warnings coming from the Exchange app. I am pretty sure these are left over from the ForeFront bits that were removed. Is this correct? I see in...
transforms.conf – supporting alternatives in REGEX and numbering the...
In the transforms.conf file, how do I support alternatives on the REGEX line with the corresponding FORMAT line group numbering? See the example attempt below: I can have either 4 groups or 6...
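The numbering problem behind this question, as an added example that is not from the post and not Splunk code: capture groups are numbered by position across the whole pattern, so in `(?:A|B)` the groups of the second alternative continue counting after all of the first alternative's groups, and the alternative that did not match leaves its groups empty. Python's `re` follows the same rule as the PCRE regexes Splunk uses for `REGEX`, which is why a `FORMAT` written as `$1::user $2::action ...` can only be right for one of the two shapes. The two log shapes (a 4-field and a 6-field key=value line) and the field names are constructed for the example.

```python
"""Group numbering with regex alternation, and a per-shape named-group fix.

Added example (not from the post, not Splunk code). Both line shapes and
all field names below are constructed.
"""
import re

# Constructed sample lines: a 4-field shape and a 6-field shape.
SAMPLE_LINES = [
    "user=alice action=login src=10.0.0.1 status=ok",
    "user=bob action=login src=10.0.0.2 status=fail reason=badpw attempts=3",
]

# One regex with two alternatives. The 6-group alternative must come first,
# otherwise the shorter one would never be tried on the longer lines either
# way; the point is that its groups are numbered 1-6 and the 4-group
# alternative's are numbered 7-10.
_LONG = r"user=(\S+) action=(\S+) src=(\S+) status=(\S+) reason=(\S+) attempts=(\d+)"
_SHORT = r"user=(\S+) action=(\S+) src=(\S+) status=(\S+)"
COMBINED = re.compile(rf"^(?:{_LONG}|{_SHORT})$")


def extract_positional(line):
    """All ten groups of the combined regex; None for the alternative that lost."""
    m = COMBINED.match(line)
    return m.groups() if m else None


def group_numbers_that_fired(line):
    """1-based group numbers that captured something, i.e. what $n in FORMAT would see."""
    g = extract_positional(line)
    return [i + 1 for i, v in enumerate(g) if v is not None] if g else []


# The fix: one regex per shape, each with the same named groups, tried in
# order. Every shape then yields the same field names with no $n bookkeeping.
NAMED_PATTERNS = [
    re.compile(r"^user=(?P<user>\S+) action=(?P<action>\S+) src=(?P<src>\S+) "
               r"status=(?P<status>\S+) reason=(?P<reason>\S+) attempts=(?P<attempts>\d+)$"),
    re.compile(r"^user=(?P<user>\S+) action=(?P<action>\S+) src=(?P<src>\S+) "
               r"status=(?P<status>\S+)$"),
]


def extract_named(line):
    """Field dict from the first shape-specific pattern that matches, else None."""
    for pat in NAMED_PATTERNS:
        m = pat.match(line)
        if m:
            return m.groupdict()
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(group_numbers_that_fired(line), extract_named(line))
```

Python's `re` refuses a group name that is defined twice in one pattern, which is why the named-group version uses two separate patterns rather than one alternation; in Splunk the equivalent is one transforms stanza per shape, listed together on the props.conf side, so that each `REGEX` has its own consistent numbering.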
Can one tell how much of the 16TB of my log data is being searched on any...
Can one tell how much of the 16TB of my log data is being searched on any regular basis?
preventing format from being called on a subsearch
Hello, I have a macro (a subsearch enclosed in square brackets) that I use to filter my initial search. I would like to do some regex magic on the search string that format creates. Unfortunately, if I...
Looking for a way to create better tables for large file

sourcetype="AAA_CDR" bob.com Total_Bytes > 0 | convert timeformat="%j" ctime(Event_Time) AS day | table User, day, Total_Bytes

My Splunk search above is pulling the data that I need, but the table is...