summary_forwarders and summary_indexers no longer have data
I noticed that when doing a search on index=summary* I am no longer getting any data returned. This was working up until about a week ago and I'm not entirely sure why it stopped working. The...
Splunk with S3 add-on - monitor an S3 directory
Hi, I have installed Splunk with the S3 add-on. I can add data for an S3 bucket, but I can't add data for an S3 bucket/directory. I will get the error saying no objects found under the directory, whereas the...
How to see all sources and sourcetypes
Hi, in the Splunk UI I am seeing only the top 10 sources and sourcetypes in the list, but I want to see all of them. Please advise me on this.
multi_threaded_setup parameter in limits.conf
We are currently looking at improving CPU optimization on the Splunk environment. We have found that limits.conf contains the following option: multi_threaded_setup = [0|1] Flag indicating whether...
Function to fetch a part of a field value
A field called username has values. INPUT: kesia@abc.bgf.hf:123 gefuf@ef.eff.gre:872. I want to take only the string before the @ symbol, like OUTPUT: kesis gefuf. How can this be done in Splunk, and which...
Firewall Indexing Latency
I have my firewall sending UDP to a syslog-ng folder, and Splunk is watching the file in the folder. I can see the latency like this: | eval diff_sec=(_indextime - _time) | where diff_sec >...
Hadoop connection question
Hi, I'm testing out Hadoop Connect (and, hopefully, Shuttl). In Hadoop Connect, I get an error when attempting to add an HDFS cluster. It says "Invalid HADOOP_HOME. Cannot find Hadoop command under bin...
Subsearch with stats first not working as expected
My dataset has multiple events for a single _time. Batches get loaded whenever they are sent by a 3rd party. I have 25 unique sites that get data sent. I have a query which finds the most recent _time for...
How can I index the log file from a Windows SMTP service?
Hi, after a lot of searching, trying and bashing my head, I will drop my problem here. I would like to index the log files of a Windows SMTP service. I thought this would be easy, however I can't get it...
Chaining events together
I am trying to figure out the query that would allow me to chain a series of events together. The issue here is that it's an order system where the modification generates a new_id and puts the original...
Savedsearch IDs and stash file IDs. Is there a direct link between the two...
Does anyone know how to track a summary index job using the sid from scheduler.log down to the actual stash batchreader file deletion event in splunkd.log? Example: scheduler.log 01-29-2014...
How to delete a huge number of old events from test data that has slipped in
Unfortunately our production Splunk was connected to a test system splunkforwarder by mistake, and according to the Summary 9.5 million test events were uploaded into our main index. Unfortunately every...
How to remove duplicate events in search results without using DEDUP
I'm using the *NIX app 4.6, and for auditd logs I have a problem with duplicated events. I also checked the raw logs and they are unique. Is it possible to remove this problem at the source (i.e. with a...
Splunk and Cisco ASA No Event Data
Hello, I have downloaded and installed the following: Splunk App for Cisco ASA ver 1.0, Splunk for Cisco ASA Technology Add-on ver 1.1, Google Maps, Sideview Utils. My Splunk server is receiving SYSLOG from my ASA...
Custom alert condition
I want to compare the results from the latest 4 hrs today with the results from the same time yesterday, and want to set an alert if today's result drops by 20 percent. My search string is: index="abcd"...
Splunk arbitrarily deletes index on restart
I have one particular index whose data gets deleted any time Splunk is restarted. I see this in splunkd.log: idx=my_index Removing; IP::deleteIndex idx=my_index Removing; wait for in-flights...
No indexers have reported into this pool today
On Monday, I applied a reset license, as the indexing got out of hand last week and seemed to be indexing duplicate log files. Now today, when I check the pool, it says this: No indexers have reported...
How can I plot bounce rate over time?
Hi :) I have a search that calculates the Bounce Rate for a web site: source="web" configuration.client.company=foo event.type=page_view | stats dc(event.id) as eid_dc, c(event.id) as eid_c by session.id...
appendpipe
I have the following in my query: index=_internal source=license_usage.log | eval sizemb=b/1024/1024 | timechart span=1d sum(sizemb) by host limit=10 | appendpipe [stats avg() as *] The last bit as we...
Hosting Dashboard on a website
Is there a way to host a dashboard on a website so that users can see it without logging in?