Chart/Report Only Showing 500 Events
Hi, here is my search: | dbquery "MYDB" "SELECT lastuseraction FROM user" | eval lastuseraction=strftime(lastuseraction,"%Y-%m-%d") | stats count by lastuseraction | rename lastuseraction as "Date",...
With search-head pooling my jobs get canceled or expired
I have search-head pooling and shared storage. Sometimes things get crazy and the clocks are completely drifting. This causes my searches to fail immediately with "cancelled or expired", see...
Using eventtype in props.conf to extract fields in Windows event log to flip...
The Windows Technology Add-on uses a transform file to extract the source domain and destination domain based on the SOURCE_KEY Account_Domain. In the props.conf file, it has a REPORT line for both the...
HTML sideview module with nested search modules
Now I have about 30 searches with single value results that I would like to include in one sideview HTML panel. Is there a way to have nested searches and one HTML panel which can pull data from each...
Cisco IPS Issue
Hello, I've installed the Cisco Security Suite 2.0, Cisco IPS 2.0.0 and Cisco MARS 1.0.0 apps. MARS works fine. The IPS app however won't pull any data. Running the search: index="_internal"...
Splunk repeatedly re-indexes data after system time change
It is a problem we observed with Splunk. Steps:
1. Install and start Splunk
2. Let it index some data
3. Stop Splunk
4. Move the system time back by, say, 12 hours.
5. Restart Splunk
6. Splunk will...
Splunk for Symantec - Dashboard is Blank
Hi: I've got Splunk for Symantec App installed, and the input.conf files pushed to the SEPM server with the Splunk Universal Forwarder forwarding the SEPM logs to Splunk with the default input.conf. I...
Which search is faster, reusing a calculation in an if clause or using the...
This is more of a question of curiosity -- we have a search that collects data and calculates the mean and the "mrbar" (a statistical value) then uses these values to calculate the upper and lower...
Problem Blacklisting Log File
I have a directory in which there are several log files I do not wish to monitor. I have set up a blacklist for them in the inputs.conf file and deployed it to the relevant Forwarders. One of these...
DNS Perfmon
I'm trying to get all the Active Directory stuff working, and almost everything is (thanks to the nice folks on here). The only part that isn't working so far is the DNS performance monitoring. For...
Equivalent of "cut -d"," -f1,3" in Splunk
Hi, I'm trying to extract the unique values for specific fields. You would use the following command in unix: cut -d"," -f1 <file> | sort -u How would you do it in the Splunk search bar? Thanks!
syslog is not working
I configured syslog on my Cisco router and switch, and I am not receiving any data into my Splunk server. Yes, I enabled syslog on my devices and I enabled port 514 on the Splunk server. Thanks
Active Directory - how to map user to role?
Hi Gurus, I have connected the Splunk server to my Active Directory server. I see LDAP groups and everything seems to be fine... but I can't log in as a user from the selected Active Directory group. In the...
Search to view day by day count of events by host name
New to Splunk and am working with the search tool. I can pull the total counts by host no problem but am trying to figure out the most efficient way to accomplish the following: I want to compare the...
Splunk Java SDK -> com.splunk.ResultsReaderJson -> Is this a Bug in the SDK...
I have the following function that fails when there are no results returned from the saved search: Saved search results: Stats: { "preview": false, "init_offset": 0, "messages": [], "fields": [],...
Convert string to decimal number
Hello, I have a field extraction where I have values that look like 21,3. Splunk recognizes them as strings, but they are temperature data and I would like to have them as decimal numbers so I can calculate...
Resolve IP to Host
I am creating a failed login report from WMI security log entries. My temporary search command looks like: sourcetype="WMI*Security" Type="Audit Failure" Account_Name=* | stats values(Account_Name)...
How does Splunk PCI Compliance Suite Compare to QRadar?
I am curious if anyone has done a comparison of Splunk PCI Compliance Suite to QRadar for PCI compliance and intrusion detection. If so, what was your experience? Did you do this comparison to choose...
How do I set up the S.o.S app to monitor Splunk's system resource consumption?
I would like to set up the Splunk on Splunk app to monitor the resource usage (CPU and memory) of Splunk on my search-head and on my search peers. How would I go about doing that?
Convert to PST Time
Hello: My system log files are in GMT, as are the Splunk forwarder and Splunk server. They are all in GMT (or UTC). However, my Splunk users are in the PST time zone. So, I would like the Splunk searches,...