Incorrect Results from Search on Named Value Pair?
I've got logs in a Named Value Pair format. When the user runs a search on Status=PR, events like below are returned. This particular log did not have Status returned in the log, but it looks like...

Bottom 10 Results?
Trying to run a query for the bottom 10 results. I don't see a | bottom option. Anyone have a creative way to do this?

Field Extraction help required
I want to create a field extraction for the below sample events:
CIP9,05/12/13,0:15,S780,1,0.0011,1,0,0,0,0,0
CIP9,05/12/13,0:15,S780,1,0.0011,1,0,0,0,0,0
Could anyone please help?

Splunk On Splunk version: Splunk (build )
Using the S.O.S app to view the versions of my Splunk installation, I noticed that one of my indexers is listed as version: Splunk (build ), which is not how the other 11 Splunk servers are listed. How can I...

save statistic
For example, I've extracted some large amount of useful information from my data. And I want to save it, because it's too expensive to perform it again and again. How can I do it in Splunk?

Unknown source sending logs
Hi, I am in a weird situation. I have recently joined a new company. The guy who set up Splunk left the company after upgrading Splunk and the PCI app "Splunk App for PCI Compliance" to the latest...

How to cut timestamp from raw data
Hi, my timestamps come to Splunk within raw data like t=1035445567757 (UNIX timestamp). At indexing time, I set in props.conf: TIME_PREFIX = t= Great, the timestamp is taken as metadata; now I don't need it...

Forwarder Data Input recommendations for Windows servers - different roles
Best recommended practices - Data Input config for Windows servers with the following roles: IIS, SQL, Domain Controllers, SharePoint, Exchange

Unknown search command 'dboutput'
After installing DB Connect 1.0.10 I now get the message "Unknown search command 'dboutput'" when I pipe my search results to dboutput. I reinstalled DB Connect 1.0.9, but still get the same response...

Application Icon did not appear
Hi everyone. I am in the midst of creating an app and I have been wanting to upload an App Icon (logo) so that it could appear on my Home page. However, it does not work. The method I used is as...

return command - exit (or return known value) if no results found
I have a search that is basically (there are actually 2 subsearches, but this makes it easier to understand): index="weblogs" [ SEARCH index="custcomplaintlogs" earliest=-1d | return 50 $custsession ]...

VMware App adding custom dashboard
What is the best way to add a custom dashboard to the VMware App? Should I just edit $SPLUNK_HOME/etc/apps/vmware/local/data/ui/nav ?

WMI for Splunk won't query servers.
When I go to inputs, try to add a host/IP address & hit "Find Logs", I get "This host may not be reachable or WMI may be misconfigured". If I run the command: splunk cmd splunk-wmi -wql "select * from...

How can I receive Splunk security announcements via email?
I see that Splunk 5.0.3 was released a few days ago to resolve some security issues. I was unaware of this security update until my security team informed me of a security notice passed on via...

Database Lookups with Splunk DB Connect
Hi all, I am having some issues getting a lookup (or maybe I just can't wrap my head around lookups) to work properly with DB Connect. My indexed data in Splunk has a field called NETWORK which is a...

Copying "Searches and reports" to the new search head? Some of them are missing!
Hi all, so here is my scenario: I had a standalone search/indexer Splunk server (physical box). I built a VM as a search head and am trying to convert the standalone server to a dedicated indexer and add it...

earliest / latest not working with simple curl/Python query
Hi, the request below returns data from today while I specifically set it to return data from the 27th of May to the 29th: curl -k -u user:pass...

Is there a yum/rpm repo for Splunk?
I'm installing Splunk on an Enterprise Linux 6.1 machine. The Install on Linux instructions talk about an RPM, but don't explain where the RPM is. A Yum/RPM repository would be helpful in terms of...

Scripting Question
I am looking for some assistance to be able to script this lookup for Windows systems:
tasklist /fo csv /v
Any input would be appreciated.

Help Combining 2 regex searches
Hi, I have been trying to combine these two searches together. Can someone please help combine them? First search: index=pci_hpd_index device_id=FGT* | regex log_id="4454[4-7]" Second search:...