extract a field from event source filename
How can I configure Splunk to extract some fields from the source filename? I already specify a host_regex and that works great. Also I understand that if there is a date in the filename, Splunk will...
Using fieldformat and rename
Hey there, I'm trying to do two things and it looks like I can't. I have some fields with ugly names like "Current_SuccessPercent" that I want to rename. I also want to format the data in the field to...
View ArticleOrder of fields in json java
For the Java SDK, with output mode as JSON, I am getting the fields sent from Splunk and their values as JSON. But however is the order of fields in the table statement | table field1, field2 or | table field2,...
Created search with tags but does not work for other users
I have created several tags (on source), and use them in searches. The saved searches do not work for other users... is there a permission setting somewhere that I need to enable the saved search...
No Time Stamp for Event in Search Results
I am indexing some Windows performance events. These are being indexed at a 60s interval. When I perform a historical search I see the events that I want, e.g. if I perform a search over the last 15m I see...
Getting no events with Real Time searching vs getting events with Historical...
I have some Windows perfmon events being indexed every 60s. When I perform a 15min historical search I see all the events that I expect to see (15 events in total). However, if I perform a 15m Real...
splunk java agent
I have downloaded SplunkJavaAgent and set it to run in Eclipse by giving arguments for javaagent during Tomcat startup, and am getting events in Splunk through TCP but not what I want. Following are the...
How do we specify same day last week
Hi, I want to compare the traffic from today to the traffic from the same day a week back. In the time range I have -7d@h in the "from" field and left the "to" field empty. Also my query is like this...
How to check the current number of my Scheduled Searches having queued up?
Hi, I posted this new thread to be dealt with separately from my previous post titled as follows: "Running Saved Searches with Default Index _internal." (Click on the following link:...
Running Saved Searches with Default Index _internal
Hi, I did a search query as follows: index=_internal sourcetype=scheduler And I get to see things in the resulting log that certain fields appear such as "run_time", "dispatch_time", and...
Comparing data from two log files and displaying results which are different.
Hi, my need is to compare two log files of the same pattern. Sometimes the log files will be entirely different because they can be the files of two different instances or they can be from the same instance at...
how to set multiple path in existing forwarder
Is it possible to set multiple paths in a forwarder? If so, please help. Our client is using a Splunk 5.2 server with 3 forwarder servers. He wants to include multiple paths for similar kinds of data...
Cisco Firewall Add-on - empty results
In Security Suite under Firewall > Overview, the search shows no results; viewing the Inspect shows the search eventtype="cisco_firewall" | bin _time span=5m | stats count by eventtype, src_ip, dest_ip,...
Create New Informix Database Type
I keep getting an error while trying to validate my custom Informix database connection in Splunk. I have the ifxjdbc.jar in /apps/dbx/bin/lib/. I know I must be making an initial connection because I...
error starting universal forwarder
I am getting the following error starting up a UF on a Windows 2008 64-bit server: 4-16-2013 15:57:26.770 -0400 FATAL loader - Timed out waiting for config lock; see splunkd_stderr.log for details. I...
Comma-separated data and multikv
I have multiline comma-separated data in the following format: 2012-11-24 01:17:32.061 +0100...
Question about timechart with odd earliest and latest values
Assuming my search string includes the "earliest=04/12/2013:07:45:00 latest=04/13/2013:09:45:00" values and I am using "timechart span=60m", the search results will be returned in three buckets (actual...
Knowledge Bundle Cache?
I had two large apps causing my knowledge bundle to time out. I deleted both app folders in etc apps and in etc user admin. The knowledge bundle has not shrunk and the warnings and errors...
Can't run a floor on a timechart column
I'm trying to run a floor command on a column in a timechart in order to get a whole number. ... | timechart span=10m eval(floor(count(LINE)/5)) as logins by USERNAME The search fails with Error in...
eventtype definition in a search
So I have a search that is searching for IP address information from 4 eventtypes. I am now trying to label these eventtypes, or define them, so upon searching the user will be able to see "Connected...