SplunkForNagios - Live status dashboards empty
Hi, I've just installed SplunkForNagios and set it up to work with Livestatus. The Livestatus network health dashboard works great but none of the other dashboards seem to work. They all either come up...
Extracting fields
Hi, I have the following log statements: 1. Connected to [el2me@star-mf.grgk.com:22] 2. Connected to [ftpsergr.gregn.com:41]. UserID [egwergrwe] From the above statements I have to extract userid in...
Joining events by common fields in very big data volumes
Hello, I'm having performance and result-limit issues when trying to merge big data volumes from different sources with common key (foreign key) fields. The scenario is as follows: We have 3 database...
sendemail turns dates into 0NaN-NaN-NaN NaN:NaN:NaN
If I enter "*|timechart count by host", my search returns _times like this: "2014-01-14 09:00:00". If I enter "*|timechart count by host|sendemail ...", all the _times become "0NaN-NaN-NaN...
Replication factor significance
Hi, As we're moving to clustering for our indexing needs, I'm a bit unsure of what settings I should use. Basically, I'm setting up three peers for indexing and am going to retain two old indexers. At...
How to modify the return value of stats count by search using eval
I am running a search query like this: index=w3c host=web-a OR host=web-b ASP_NET_SessionId=* c_ip=x.x.x.* | eval cur=if(_time>relative_time(now(),"-15m"),1,0) | stats dc(ASP_NET_SessionId) by cur |...
Stopping Indexing Limit approaching error
Hi, I am using a free installation of Splunk and I see the Indexing limit approaching error now and then. Is there any way I can limit the alerts to one per day? Thanks in advance
Old searches still in jobs list - causing "maximum number of historical...
I'm getting the message "maximum number of historical concurrent system-wide searches has been reached current=10 maximum=8", and searches go to paused without running. When I navigate to...
UniversalForwarder does not filter data
Hello. I would like to sort the data from the Windows Security log, but for some reason all the data is still passed to the Splunk server. In directory /splunk/etc/system/local/ I have created two...
WinEventLog:Security HeavyForwarder (filter and send to indexer)
Hello, I'm trying to retrieve all login/off/fail events on my indexer from UniversalForwarder filtered by Heavy forwarder: UF v5.0.5 (All Security logs) > HF v5.0.5 (Filtering only 4642/4625/4634 events)...
Refresh cache/rerun reports for dashboard
Hi, sometimes the scheduled reports fail and the dashboards tell me that no data is available. Is there an easy way to refresh the cache or to rerun the scheduled search? At the moment I change the...
IPLocation: is there a state field?
Hello, The iplocation command has the City and Country fields, for example: sourcetype="IPS" | iplocation src_ip | table src_ip, City, Country Is there a way or a field to add the State (or province?) to...
Does universalforwarder support SEDCMD?
The timeformat is not as desired, so I tried SEDCMD to correct it (12-hour format with 'am', 'pm'). props.conf of INDEXER: SEDCMD-timechar=s/XXXXX/AM/g s/YYYYY/PM/g TIME_FORMAT=%d-%m-%y %I.%M.%S.%9N %p but '%p' is...
Filter by App when reporting on searches users are running
Our CTO is concerned about allowing ad hoc querying in Splunk through dbconnect due to some of the security commitments we've made to clients. He wants individual users' database queries logged, so he...
Upgrading from Splunk 6.0 to 6.0.1 in custom home directory
I have Splunk v6.0 installed under a custom directory "/splunk6". So my directory structure is something like this below: splunk6/bin splunk6/etc splunk6/include splunk6/lib splunk6/openssl... I understand...
Getting an Error setting up Clustering
I am attempting to create a cluster but I am receiving an error when I attempt to add a peer (any peer for that matter). My setup looks like this: 1 VM serving as the MasterNode and 2 physical indexers....
Routing to 3rd party
Hi, I need to route specific messages that come into Splunk to another destination via syslog. I have the props/transforms, but need help with the REGEX. I need to send any event that has "Session...
splunkd can't find libjemalloc.so.1
Hi All, I installed Splunk Enterprise on Red Hat Enterprise Linux x86_64 with rpm successfully. But when I run splunkd, there is the below error: bin/splunkd: error while loading shared libraries:...
GeoIP works in Search but not in Enterprise Security?
Hello, I'm having a strange problem where geoip works fine in Splunk search but not within the Enterprise Security app. In ES, I get the error "unknown search command 'geoip'". I can't figure out why it...
Enterprise Security 3.0 and Datamodels / Splunk_SA_CIM accelerations
I'm just trying to grok out how the Splunk_SA_CIM overlaps with the ES app in terms of data model accelerations. Out of the box it looks like it's set to accelerate a set of datamodels from the...