Add a field that includes the length of the field values
I am using eval foo = mvcount(split(field,"")) to count the number of characters in a field at search time. Is there a place to put such a statement so that the field foo gets created for all events...
Timestamp different than log time
I have a strange situation where the timestamp does not match the IIS time. But only in a certain time range. My clients are all set to UTC while my forwarder, search head and indexer are in CDT. The...
Field in field
I have the following message format.
2013-06-17 15:33:01+0200 appid="myapplication" responsetimems="155" message="Calling method="calculate" class="math" data="size="98123" rows="9811"...
Windows Security Log Formatting
I'm looking to create a view of the number of user accounts that have been created in the domain in the past 24 hours. Here is my query, and my timeframe is last 24hrs.
sourcetype="WinEventLog:Security"...
Select Statements
I want to run 2 select statements in one search, something like
select * from my_table; select * from your_table;
When I use the ; it gives me an error: A database error occurred: ORA-00911: invalid...
Real-time windowed search doesn't work correctly
I am having an issue querying with real time search with sliding window. Using the query:
index=main source="Perfmon:CPU Load"
With the real time window view (1 minute window), I get a number of events...
How to search for which user has access to what index?
Does anyone know how to:
1) search for which user has what access to the index?
2) see who has accessed what index within, like, the last 24 hours?
Splunk 5.0 Error - An error occurred while rendering the page template. See...
I keep getting this error "An error occurred while rendering the page template. See web_service.log for more details" appear when I try to click on a saved search in manager in Splunk Web. After I...
Using join statement with count and dedup
I have the current statement using append:
search_term1 | stats count by ip_address | table ip_address count | append [search search_term1 | dedup ip_address | table ipaddress _raw]
which makes a table...
Rolling Distinct Counts
We have a table with the following columns:
SESSION_ID  USER_ID  CONNECT_TS
----------  -------  -------------------
1           99       2013-01-01 2:23:33
2           101      2013-01-01 2:23:55
3           104      2013-01-01 2:24:41
4           101...
How to filter events grouped by the transaction command by a keyword in the...
I can group the correct events into a transaction using the transaction command, but now I need to be able to narrow the result by a keyword in the group, and I cannot get that right. Example:
host=***...
Multiple searches in one panel
I have 3 simple table-type panels that just show one number, a count, in the panel. I would like to combine all three of these count searches into one panel. I can't seem to find the documentation...
Pulldown and static select in view
Hello all, I need to create a view with multiple forms (pulldowns, SearchSelectLister, StaticSelectListers, etc.). The search consists of 2 indexes and a join command; in the first index I select department and...
Upgrading to new cluster
We currently have a single Splunk server with a large storage array. We're in the process of building out a new Splunk 5 cluster. What's the best process for getting my old data into the new cluster?...
Complex search overlaying with different time frames
Hey all, I'm working on two saved searches. The first counts the total firewall denies per hour for the last month, then averages them by weekday/hour. The second search is just the count of firewall...
Lookups in a distributed search environment
I have configured a field lookup on our test server to return a readable name for event codes in our logs. Doing so with a TA app, so I have a folder with the proper subfolders containing my confs, the...
Date Format
I have a field called DATE and it is returning values yyyy-mm-dd HH:MM:SS. I am trying to chop off the hours, min, seconds so I only have yyyy-mm-dd. I have tried to use the convert command but I would...
TCP Cooked connection?
Why is this happening?
11-13-2012 16:40:04.778 +0000 WARN TcpOutputProc - Cooked connection to ip=IPADDRESS timed out
11-13-2012 16:40:12.778 +0000 WARN TcpOutputProc - Cooked connection to ip=IPADDRESS...
Exclusion Not Working In transforms.conf File
I have four Windows 2008 R2 servers each running a Splunk Universal Forwarder. On the Splunk server, in the transforms.conf file which resides in C:\Program Files\Splunk\etc\system\local, I have the...
Correlation between 3 sources with 2 IDs
I have 3 sourcetypes, and am trying to correlate them based off of 2 IDs. Here is an oversimplified example of the data and what I am trying to achieve:
index=books sourcetype=titles fields: title...