Rolling time duration between events
Hello, we are trying to calculate the realtime elapsed time since the last event in Splunk and set up an alert if this duration exceeds a threshold, but are having issues. We currently have this search...

Look up table question
Hi, I have individual IPs and then CIDR blocks that I want to look up and group using a lookup table. I am assuming I cannot have both in the same .csv file, as I have to add match_type =...

btool app name length limit
It looks as if btool, when run with --debug, only shows the first 10 characters of the app name. Unfortunately the first 10 characters of our app names are often the same. Is there any way around...

Can I use frozenTimePeriodInSecs in a volume config?
Subject says it all; I want to have all of the contents of my home volume (hot / warm) expire after 45 days and the cold expire after 180 days. Can I put frozenTimePeriodInSecs in a volume config?

Currently logged on username in search
Hi there, I'd like to build individual dashboards per Splunk user (LDAP mapped). As there is a huge number of employees, I'd like to build a dynamic dashboard which allows a user to see reports regarding...

Does maxVolumeDataSizeMB apply to all indexes in the volume's path?
Is Splunk smart enough to recognize that main and others are included under the primary volume even when main's path doesn't reference the volume name? In other words, is it necessary to re-define the...

Mod_proxy SSO Slow After a Week
Greetz, We have: Apache 2.2.3, CentOS 5.5 x86_64, Splunk 5.0.2. I only know the basics, but Apache has been serving us very well with the below config, and only after about a week did pages refresh very...

Splunk REST Modular Input - POST requests?
Hi, The new Splunk REST modular input (which is still beta) is very nice and useful. I'm using it to poll JMX via the Jolokia webapp, and it works great. But there are some cases where you want to poll the REST...

Index Size varies between master dashboard and peers
Hello, facing some issues with index sizes: I have a Factor 2 Splunk cluster configured, and I'm facing this issue. Master node dashboard: RepFactor SearchFactor Size index 2 2 282 56.05 GB. Index peer...

multiple Y axis results in same graph
Hello to you all, I need your help. I'm performing a MySQL query and getting the following results:
TIME || RESULTS || URL
2013-06-23 || 22 || www.youtube.com
2013-06-23 || 22 || www.youtube.com
2013-06-23 || ...

Delta on several fields, separate by id
I have multiple events like: field1; otherTimestamp; field2; field3; field4 test;1371481920.000000,value2,valeu3... test,1371481980.000000,value4,value5... otherttest,1371481920.000000,value... I want to...

Field extraction using regex from CSV with optional quotes
I have a .csv file that could look like this:
field 1,field 2,field 3,field 4
value,"value",,"val,ue"
"value","","val,ue",value
As you probably understand, I want to ignore the commas inside the quotes,...
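Splitting CSV fields that are sometimes quoted and may contain commas is a classic place where a naive split on `,` gives the wrong field count. The following is an added example, not code from the original post or from Splunk: it uses a single alternation regex (a quoted field `"..."` or a run of non-comma characters) anchored at the start of the line or at a separating comma, parses the exact sample lines from the question (embedded here as constructed input), and cross-checks the result against Python's standard `csv` module. The function names `split_csv_line` and `parse_csv` are this example's own.

```python
import csv
import io
import re

# One field per match: either a double-quoted run (group 1, commas allowed
# inside) or an unquoted run with no commas (group 2). Each field must sit
# at the start of the line or directly after a separating comma, so commas
# inside quotes are never treated as separators. Doubled quotes ("") inside
# a quoted field are not handled; the sample in the question has none.
FIELD_RE = re.compile(r'(?:^|,)(?:"([^"]*)"|([^,]*))')

# Constructed sample, copied from the question (header plus two data rows).
SAMPLE = (
    'field 1,field 2,field 3,field 4\n'
    'value,"value",,"val,ue"\n'
    '"value","","val,ue",value\n'
)


def split_csv_line(line: str) -> list[str]:
    """Split one CSV line into fields, honouring optional double quotes."""
    fields = []
    for quoted, bare in FIELD_RE.findall(line):
        # Exactly one of the two groups is populated for a quoted field;
        # an empty unquoted field ("a,,b") yields two empty groups.
        fields.append(quoted if quoted else bare)
    return fields


def parse_csv(text: str) -> list[dict[str, str]]:
    """Parse header + rows into a list of dicts keyed by header name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = split_csv_line(lines[0])
    rows = []
    for ln in lines[1:]:
        values = split_csv_line(ln)
        if len(values) != len(header):
            # Field-count mismatch means a quoting case the regex does not
            # cover (e.g. escaped quotes); fail loudly rather than misalign.
            raise ValueError(f"expected {len(header)} fields, got {len(values)}: {ln!r}")
        rows.append(dict(zip(header, values)))
    return rows


def matches_stdlib(text: str) -> bool:
    """Sanity check: the regex parser agrees with csv.DictReader on the sample."""
    expected = list(csv.DictReader(io.StringIO(text)))
    return parse_csv(text) == expected


if __name__ == "__main__":
    for row in parse_csv(SAMPLE):
        print(row)
    print("agrees with csv module:", matches_stdlib(SAMPLE))
```

The same alternation, `"([^"]*)"|([^,]*)`, is the shape to reuse in a Splunk `rex` extraction for a given column position; the point of the example is that each separator must be consumed by the pattern so a comma inside quotes never starts a new field.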

Ldapsearch / Active Directory app issue
I am having an issue with the ldapsearch functionality under the Active Directory app in Splunk. I have been trying to get it to enumerate groups correctly. In certain circumstances I can get it to...

Index time based retention - based on indexed time or event time?
This information is probably located in one of the docs, but I didn't find it in anything I've read just now. Under normal circumstances current data rolls in and rolls out based on any number of...

Forwarder Output Compression Ratio
Hello, I can activate compression on the universal forwarder to the indexer. As I understand from the documentation and some Answers entries, the compression is different between SSL encryption and...

maxTotalDataSizeMB max value or 0
Can you set maxTotalDataSizeMB to 0, or optionally set it to an incredibly high number (90000000, or 90TB) in order to hopefully make the cold-to-frozen process only happen based on...

Symantec Endpoint version
Hi, is anyone here collecting Symantec Endpoint (SEP) logs? I've been trying out the Symantec App, but I don't find any of the logs showing me the version of the SEP agent on a certain device. Any tweaking...

Can you uninstall the universal forwarder from a script?
Sorry for the noob question, but I am a Linux guy only recently forced back into the world of Windows. What options are there for uninstalling the universal forwarder on Windows? I know you can do it...

How to capture all entries in Windows Security Logs at first run
Hi all, I've set up a heavy forwarder on Server B and forward the entries in the Windows Security log to Server A (indexer). I configured the inputs.conf on Server B; let's say at 9 AM in the morning, the...

http://splunk-base.splunk.com/ask/
I am working on enabling SSO on Splunk using SiteMinder. I have worked with the SiteMinder folks in my company and got Apache and the SiteMinder web agent installed and configured. Apache is installed on the...