How to forward WMI:WinEventLog:Security data from a Windows universal...
Hello, I am trying to set up WMI on a universal forwarder, however, I am only getting WMI:CPUTime. The WMI:WinEventLog:Security is not working though. I tried following...
Do Splunk and Elastic Map Reduce work together?
I have a few indexes which have around 2.5 billion events each. Unfortunately we don't have a lot of CPU to sort through this massive data and make it meaningful in a dashboard. We're currently in the...
Throttle alerts based on field value
Is it possible to throttle alerts by field value? For example: I want to alert when the value of field "action" is "delete" and throttle any subsequent results for 10 minutes unless the value of the...
How to format date and time in searches
In my logs that are pulled into Splunk, the time is recorded as datetime="2015-08-13 01:43:38". So when I do a search and go to the statistics tab, the date and time is displayed with the year first,...
What kind of visualization or dashboard should I use to represent my data?
The final data from Splunk I have is in the form of a CSV file with about 180 rows (product) and columns that records the change in sale. Product mean variance Apples increase no change Oranges...
How to customize the UI of an app?
Hi, I've created a sample application using Splunk Web. I would like to customize a top level navigation bar (AccountBar) "Administrator | Messages | ...". My investigations led me to the Master.html,...
After defining an automatic lookup in Splunk Web on the search head, why is...
Hi, I have separate machines for a Search Head and Indexer. In Splunk Web on the Search Head, I went through the different steps as shown in the Splunk tutorial to define automatic lookup based on a...
How to find the difference between timestamps in a number format that isn't...
Hi all, I'm trying to calculate the difference between two dates; my search regarding this looks as follows (forgive the messiness, I know it seems a bit redundant): | eval it = strptime(Load_Time,...
XML tag extraction
I have a datasource that reads in events in XML format. Could someone please help me build a props.conf that will extract all fields and show the events in treeview. Sample event below: Fri Aug 07...
Using a checkbox to add to the search
Hello, I have a working dash that searches our web logs and returns the results based off of a Category, which is chosen from a drop down. The search results should not include any URLs that end in image...
Timewrap: How to reverse results to show oldest to newest from left to right,...
Timewrap is reading oldest to newest from right to left. I want it to be the opposite: newest to oldest from left to right. The pic below shows that May 7th is the oldest but it is showing on the right...
Search Head Clustering: Why is the Deployer not deploying my email settings...
I've got an app called configuration. This app pushes authentication, outputs, and web conf files successfully to the 3 search heads. However alert_actions.conf, when deployed with the deployer in the...
How to backfill a summary index with a restricted time for each day?
I would like to backfill my index up by 2 months. The query however, is time sensitive and requires the day span to be only between 7am-9pm. Currently, my only method is to manually change the earliest...
I want to have inputs in their own separate row in a dashboard
This is my skeleton of a dashboard with a fieldset with a sample input followed by some panels with chartsdashboard namelabelNAME:label1label2label1 ... ... ... so this looks like: input row with chart...
SPLICE Preloaded feeds - config error
Hi there, I may have noticed an error / typo with one of the preloaded feeds in Splunk and in the app documentation and just wanted to check with the author. The feed is configured as...
How do I fix "Error in 'rex' command: Invalid argument: '(' The search job...
Why does this rex query work fine in a simple search, but then fail when used in both a primary and a subsearch? I need to parse fields in both places. I built an initial query that worked fine alone,...
Maps visualisation + getting started + format accepted? + adding lookups
Some sample data for creating a maps visualisation in Splunk: countries_lat_long_int_code.csv code,name,country,latitude,longitude 61,Australia,AU,-25.274398,133.775136 86,China,CN,35.86166,104.195397...
Lookups in Splunk + can you lookup a value and use the corresponding value to...
How do lookups in Splunk work? I presume it works like this: `lookupA` is the value you are looking for and `ValueToReplaceLookup` is the value that is returned. lookupA,ValueToReplaceLookup A,America...
Can I set an app to automatically install an addon?
Hi, so I have an app version1 with sourcetype definitions and eventtypes etc. Later on, in version2, I moved those definitions to a separate addon, so now, without the addon, version2 won't work. Can I do...
Why am I getting "Error connecting to...
I am getting this error: Timed out while waiting for splunkd daemon to respond (Splunkd daemon is not responding: ('Error connecting to /servicesNS/-/system/authentication/users: The read operation...