Fraud detection - how to compare last week's average count with today's count...
Basically I need to construct a search that compares last week's average count for "successful authorizations" with today's count and shows that in a chart. I also need to measure the gap between these to...
Search and Alert produce different results
When I type this search in the normal Splunk search app, I get normal expected results: "usb" | transaction host startswith="New USB device found" endswith="USB disconnect" | search NOT keyboard NOT...
Role "restrict search terms" Performance Issue
Hi Everyone, I am looking for a few best practices or suggestions. I have installed search term restrictions based on a user's role. All my dashboards and views are being produced by summary indexes. But even...
wlsCollectJmxDataMinute.py Error in log
I used Splunk for WebLogic monitoring. When I tested wlsCollectJmxDataMinute.py, I got some errors. 1. env cannot be found. Then I solved it: add --sys.registry.setProperty( "python.os", "nt" )-- in the .py...
Running jobs from Javascript SDK returns null values
I'm running customizable oneshot searches through the Splunk Javascript SDK, and sometimes I get back this - { preview: false, init_offset: 0, messages: [], fields: [], rows: [] } The same query other...
JavaScript SDK Normal Search
Hello all, I am trying to create a JavaScript SDK search. I am getting the data I want through the row and field like so: Async.chain([ function(done) { service.login(done); }, // Perform the search...
How to create a report with counts per column for one specific field?
I have a search that breaks down what files were accessed, how much data was retrieved and how many total requests for one particular field. Example search query below: index="my_index"...
Can I get a count of distinct values in multivalue field?
What I'm looking for is a hybrid of the stats list() and values() functions. First, I'd like the list of unique values for a multivalue field, then alongside each unique value, I'd like the count of...
Intentions in drilldown module
I am trying to append the click value to the drilldown search. It is appending the value to the first search clause, but I want it to append to the subsearch. Is there any way to append the click value to...
Search is queued: The maximum number of historical concurrent system-wide...
I'm in search of tips on how to solve the above?
Alerts related question
Hello there, is there a way to extract host (not the indexer) information from the generated alerts using search? I have tried the below: index=_audit action=alert_fired which gives me the sid, and then I used the below...
Redirect port 80 to port 443?
Hi everyone. I just installed a custom cert this afternoon on our development search head, and after some stumbling we were able to get it to work. We ended up having to set the httpport field to 443,...
SPL-64308 workaround?
Has anyone figured out a workaround for this bug? I have changed permissions of scripted inputs in the peers themselves but no success. Also permissions change every time a bundle is applied.
How to have eval use results of accum
I have a chicken and egg issue here which I am having trouble resolving. I have a search which returns data for each month. [base_search] | eval monthlyCost = ((annualCost - totalPaid)/days_left_in_year)...
Configuring Alerts
Hello, I have been using Splunk as a syslog server for a while now and have around 8-10 alerts that I have created. I have recently had issues with creating any additional alerts and have pretty much...
Metadata results from this peer are incomplete: the peer has over 100000 entries
When I go to the dashboard_live I get the following warning: Metadata results from this peer are incomplete: the peer has over 100000 entries (see parameter maxcount under the [metadata] stanza in...
_time resolution in Summary Index
The following query construct populates a summary index: source=1.log OR source=2.log | eval _time = case(source == "1.log", _time) | stats first(_time) as _time ….other fields…. dc(source) as dc by...
Grouping the data and naming it as separate field
Hi, let me know how to achieve the below scenario. I have 4 alerts (a, b, c, d); the a and b alerts are from the same issue but at different times, while the c and d alerts are for different issues. Now I...
WebSphere logs and timezone set as EST for Australian user?
I am trying to index a WebSphere WAS log, where the time zone format is like this: [24/11/11 10:49:57:538 EST] 0000004a ServletWrapper I SRVE0242I: [custom-webapp] [/app] The EST used here I think means...
[solved] Splunk for *nix, configuration differences between two machines
I am trying to set up Splunk to effectively monitor changes to the filesystem, in particular the /etc/ directory. My goal is to have a search view that catches all these changes without many repeats or...