transaction startswith match not exact
I noticed that the "startswith" expression does not match exactly.

startswith="Sophos Anti-Virus service entered the stopped"

The statement above created transactions containing this string: Message=The...
FSChange question
I am just getting this started and trying to figure out why it is not bringing in events. I have the inputs.conf file on the local box that Splunk is running on, just for a test. In that file I have...
Forwarding Splunk'd logs to third-party SIEM - McAfee ESM
I am told it is very simple to take already indexed events from splunk and send them over to a 3rd party SIEM appliance like McAfee ESM. Has anyone done this successfully? How hard was it to implement?...
Calculated field in DB Connect
I have been testing the calculated fields for Splunk DB Connect on my local machine. Basically I added a props.conf file to the following folder: %SPLUNK_HOME%\etc\apps\dbx\local. In the file, I have something...
How to see all discovered fields
Hi, I have added a Cisco syslog as a syslog type. I have field discovery on. It shows 59 fields. When I select "pick fields" in the UI, only 20 fields are available. How do I see all fields? Thanks!
How to delete an alert
Hi, I created an alert to test an error, but I want to delete this alert. I looked in the Alert manager but I can't see it. How can I delete it? My inbox is increasing...
DBConnect indexing
Greetings, pure and simple question: how can I get DBConnect to index data? I followed the Deploy and Use DBConnect line by line but nothing I do seems to index the data. I guess the ideal would be to...
Create View with REST?
Version 5.0.2. Looking through the documentation, but nothing is jumping out at me as to how to create a View for an app dynamically via REST or the C# SDK. I'll be creating the XML on the fly and would like...
Transforms.conf SOURCE_KEY Questions
I run HAProxy and grab it via a universal forwarder and send it to our receiver/indexer (all on the same host). I modified my props.conf as follows.

props.conf
[source::/var/log/*haproxy.log]...
rawdata restore possible?
I am attempting to recover from a hard crash, through no fault of Splunk's. Is it possible to unzip /rawdata/journal.gz and import that raw data back into a new index? I had multiple indexes, so there...
JavaScript: savedsearch - Display some properties
var searchName = "test_s1";
var mySavedSearches = service.savedSearches();
mySavedSearches.fetch(function(err, mySavedSearches) {
    // Retrieve a specific saved search
    var mySavedSearch = ...
SMI error converting MIB to Python egg
Hello, new to Splunk here. Having some issues converting a SonicWall MIB to the Python egg format. Here was my input: "#build-pysnmp-mib -o SONICWALL-FIREWALL-TRAP-MIB.py...
Is it possible to call Java (JVM) in a batch script for an alert action?
I want to build a batch script which can call the java command to start a JVM process to process the search result. I have tried that in "echo.bat" but nothing happened after the batch was invoked. Anyone know...
Multi-series graph split by group clause
I have a question regarding graphs generated by stats/chart/timechart/etc. When the output has more than a single results set, the graphing options include separating each set to its own graph. I was...
Query for times
Hi, I would like to count how many URIs have response times greater than the 90th percentile for response times greater than x secs, say 30 secs, and list them out. I tried this. But it is not...
What sourcetypes or sources aren't being searched
Is there a way to determine what sources and/or sourcetypes AREN'T being searched? If data is coming into Splunk and nobody is really looking at that data then I don't need to keep bringing it in. I...
How to back up hot buckets?
Hi Splunkers, I'm now considering backing up Splunk indexes to prepare for recovery. I know that any buckets other than hot can be backed up by copying. Hot buckets cannot be copied because it's...
Regex expression help!
I used the regex (?i)Area>(?P<Message>[^<]+) to extract the whole field below. Originally <d:Message>(22/7)17:53 Accident on AYE (towards Tuas) after Jurong Port Rd Exit. Avoid lanes 2...
[Help] Splunk Field Colors
Hi, I wanted to display the fields of a column chart in different colors according to their occurrence; however, the colors are not being displayed.

My search: source="source.log" INBOUND | fields SRC |...
Splunk Deployment Monitor Reporting Excessive GB Values for Licence Usage
I have installed the Splunk deployment monitor app to attempt to pull some stats on what our license usage patterns are. One issue I see right off the bat is that in 'Licence Report' -> 'Daily...