Avg Counts in the Last Month
Hey all, I'm working on a network overview dashboard. What I currently have is a saved search showing the last 7 days (per hour) of firewall denies, but that information is useless without a baseline. So...
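One way to build the baseline the post is asking for, as an added example that is not part of the original post or of any Splunk app: compare each of the last 7 days' hourly deny counts against the mean and standard deviation of the same hour-of-day over the preceding 23 days. The index name, the `action=blocked` filter and the z-score threshold of 3 are assumptions; substitute whatever your firewall sourcetype actually uses.

```spl
index=firewall action=blocked earliest=-30d@d latest=now
| bin _time span=1h
| stats count AS denies BY _time
| eval hour_of_day=strftime(_time, "%H")
| eval period=if(_time < relative_time(now(), "-7d@d"), "baseline", "recent")
| eventstats avg(eval(if(period="baseline", denies, null()))) AS base_avg,
             stdev(eval(if(period="baseline", denies, null()))) AS base_sd
             BY hour_of_day
| where period="recent"
| eval zscore=round((denies - base_avg) / base_sd, 2)
| eval anomalous=if(zscore > 3, "yes", "no")
| table _time denies base_avg base_sd zscore anomalous
```

The `eventstats` computes per-hour-of-day statistics from the baseline rows only (the `eval(if(...))` wrapper feeds `null()` for recent rows, which `avg` and `stdev` ignore) and attaches them to every row, so the recent rows can be scored against them. Two caveats for a dashboard: an hour-of-day with zero variance in the baseline yields a null `zscore` (division by zero), so treat nulls as "no baseline" rather than "normal"; and hours with no denies at all produce no row from `stats count`, so a sudden silence from the firewall will not show up here unless you fill gaps with `timechart` or `makecontinuous` first.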
Implementing an Incident management system
We are planning to implement INCIDENT MANAGEMENT system in Splunk. For that we need to integrate a ticketing tool with Splunk. I have seen the Splunk Enterprise Security app which is similar to what we...
Sideview if statement to assign a new token
So here's my problem: I have timecharts of failed authentications for the past hour. I drill down off of that with a Sideview Pulldown list to show either users or hosts at the selected time window. At...
Missing forwarders alert format
I've set up alerting for missing forwarders in Deployment Monitor. It works fine, but I've noticed that the "Last connected" field is not formatted; I just get the raw seconds value in the e-mail alert...
Unused VMs/PCs
Hello, if I wanted to find certain machines (virtual or not) that have not been logged into BY ANYONE in, let's say, the past 30 days, could you assist with a query/statement? Or the easiest method to use...
How to correlate two different sourcetypes.
I have two sourcetypes: src_type_data and src_type_scale. src_type_data contains two fields:
User_Type | amount spent
0 | 30
0 | 12
0 | 32
0 |...
Find earliest events by category
I'd like to select the earliest events broken down by category, i.e. I would like to see something like this: error | stats earliest(_raw) as earliest_raw by error_category | ... That pretty much gives...
SoS and clusters
The forwarder points to the peer in the cluster per the instructions. How does the SoS technology add-on point itself to the search head?
Not getting universal forwarder to load up correctly
I'm completely confused. After reading through the many Q/A on the universal forwarder and installing on WAS, which didn't help, I want the Universal forwarder on a WAS box to send to an Indexer on a UNIX box. I loaded...
Different Windows add-on and universal forwarder
Hi expert: The Universal forwarder on Windows can collect data from a Windows Server. The Technology Add-on for Windows runs on the universal forwarder. Both can collect data from the system. What is the difference...
How to Blacklist Hosts at the Indexer
Let's say I have 5 forwarders. 4 of them are allowed to forward events to the indexer but one of them is not. How can I blacklist this host at the indexer, not at the forwarder or network (e.g.,...
Universal forwarder not forwarding
I have a problem with a universal forwarder that I configured on a domain controller to use with the Splunk App for Active Directory. The forwarder is not forwarding anything. What I have done so far: 1....
iOS Crash logs - Indexing
Hi, I'm a newbie to Splunk and trying to use Splunk to arrive at a trend of the iOS crashes which have been collected for the app. My crashes have been symbolicated and I would like to understand how I can set...
How to assign/tag severity to an eventtype without using lookup tables
Is it possible to define a severity level for an eventtype without using a lookup table? The purpose would be so that, when I run a single, generic search that provides the ability to report/alert on...
Field extraction help
I'm fairly new to Splunk so forgive me if I'm asking the obvious. I'm creating an app for my RabbitMQ server and I'm having a few issues with one of my field extractions. I've got a script...
Can Splunk search client machines' System log that has Event ID 7?
Hello, can Splunk search client machines' System log that has Event ID 7? We need to scan and retrieve hostnames that have this event ID, which is a disk error. Thanks,
Active Directory Security Events
Guys, apologies if this has already been asked before and there is a KB article for this. We are looking to archive Logon/Logoff events that occur in our Windows domain controller security log. Is this...
Windows Event logs in syslog format
All our Windows servers are sending security event logs to a central syslog server; they are not in Windows event log format, they are converted to syslog (by Corelog). Our central syslog server...
How can I filter the top / head values by a summed field (e.g. day)?
I have a search that returns the number of 'views' of a product by day using a 'search xyz | bucket _time span=1d | stats sum(product_views) by _time,product_name' search. I'd like to limit the search to...
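An added example (not from the original post) of limiting a summed result to the top N rows per day, which is the reading of the truncated question this assumes. It keeps the post's own `bucket`/`stats` pipeline and adds a per-day ranking; the `search xyz` base search and the cutoff of 5 are placeholders.

```spl
search xyz
| bucket _time span=1d
| stats sum(product_views) AS views BY _time, product_name
| sort 0 _time -views
| streamstats count AS rank BY _time
| where rank <= 5
```

`sort 0` removes the default 10,000-row limit so no day is silently dropped before ranking, and `streamstats count BY _time` restarts the counter each time `_time` changes, which is why the sort must order by `_time` first and `views` descending second. The shorter `| sort 0 _time -views | dedup 5 _time` gives the same top-5-per-day result without the explicit `rank` field; use `streamstats` when you want to display or filter on the rank itself. For a single overall top N rather than per day, drop the `BY _time` and the `_time` sort key and use `head 5`.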
Displaying count as label in pie graph
Hi, I have a pie graph which shows slices based on the count in each category. In the Splunk interface, I can see the actual count on each slice using the tooltip. But when I export to a PDF, the tooltip option...