Extract fields from Python Dictionary text file
How do I create an extract that handles variable numbers of fields? I am generating events that are time-stamped Python dictionaries. The list of items is emitted to the event using Python logging...

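As an added illustration (not code from the original question or from any answer on the page), the following Python shows one way to pull a variable set of fields out of log lines whose message is the `repr()` of a Python dict, which is what `logging.info("%s", some_dict)` produces. It uses `ast.literal_eval` rather than `eval()` so a crafted log line cannot execute code in the parser. The line layout (`<timestamp> <LEVEL> <dict>`), the sample events and the function names are assumptions constructed for this example.

```python
import ast
import re
from typing import Any, Dict, List

# Constructed sample events (not from the original post): a timestamp, a level,
# then the repr() of a dict as emitted by logging.info("%s", d). Each line
# carries a different number of keys; the last line is not a dict at all.
SAMPLE_EVENTS = """\
2013-07-19 08:10:34,117 INFO {'event': 'login', 'user': 'alice', 'src_ip': '10.1.2.3'}
2013-07-19 08:10:35,004 INFO {'event': 'upload', 'user': 'bob', 'bytes': 4096, 'ok': True}
2013-07-19 08:10:36,250 WARNING {'event': 'login', 'user': 'carol', 'src_ip': '10.1.2.9', 'mfa': False, 'reason': 'bad password'}
2013-07-19 08:10:37,001 INFO not a dict at all
"""

# Assumed line layout: "<date> <time> <LEVEL> <dict repr>". The dict part is
# captured greedily so braces inside values still end up in one group.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>[A-Z]+) (?P<body>\{.*\})$")


def extract_fields(line: str) -> Dict[str, Any]:
    """Return a flat field map for one event, or {} if the line is not a dict event.

    ast.literal_eval only accepts Python literals (strings, numbers, dicts, ...),
    so unlike eval() a hostile log line cannot run code inside the parser.
    """
    m = LINE_RE.match(line)
    if not m:
        return {}
    try:
        payload = ast.literal_eval(m.group("body"))
    except (ValueError, SyntaxError):
        return {}
    if not isinstance(payload, dict):
        return {}
    fields: Dict[str, Any] = {"_time": m.group("ts"), "level": m.group("level")}
    # Variable number of fields: every key present in the dict becomes a field,
    # so no fixed list of expected names is needed.
    for key, value in payload.items():
        fields[str(key)] = value
    return fields


def extract_all(text: str) -> List[Dict[str, Any]]:
    """Parse every line of text, dropping lines that carry no dict payload."""
    return [f for f in (extract_fields(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for event in extract_all(SAMPLE_EVENTS):
        print(" ".join(f"{k}={v!r}" for k, v in event.items()))
```

Running the block prints one `key=value` line per parsed event; the non-dict line is skipped rather than producing a partial or garbage field set.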
Appending fields to events using Splunk SDK Receiver, instead of writing to...
Hi. I have a huge number of requests getting logged, and as part of our index queries we need to do an external script lookup, basically from IP to geo info or others. Since the lookup script is...

Certificate Authentication for C# Splunk SDK?
In the C# Splunk SDK, is there any other option to connect to the Splunk service without passing the username and password (explicitly as text), like using certificates? If so, how to create a certificate for the SDK...

Running Splunk on a VM - CPU contention
Let me preface this question by stating that we currently do not have any major performance issues at this time. Our Splunk environment is running on a VM with 8 cores and 16 GB of RAM, using iSCSI...

Get list of session IDs that did not get a response from web service.
We are having a problem where requests are being sent to web services but never return. I want to get a list of session numbers that sent a request to the web service (XML Sent to Service) but did not...

Forwarder Using 100%
All, is there a way to tune down the Splunk for AD app? It seems to use WAY too much CPU. I have tried it on a few different DCs, all Windows 2008 R2, and once installed CPU usage goes from 10-20% to...

Timeout error in ResultsReaderXML C# SDK example search program
When I invoke the C# SDK example search() program to retrieve the same test data I submitted, I get some of my results printed to the command window, but then an exception is thrown: Unhandled...

props.conf fixed value using EXTRACT
I would like to take the following lines in my props.conf file and, at search time, use these field extractions to set a fixed value for a new field depending on the rule that it...

How to perform nested if conditions in Splunk
Example 1: uatoken0=Linux uatoken1=U uatoken2=Android uatoken3=en-us
Example 2: uatoken0=Linux uatoken1=Android 4.2.2 uatoken2=en-us
Example 3: uatoken0=iPad uatoken1=CPU OS 6_1_3 like Mac OS X...

Regex for source AND Type
Hi everyone, I've been trying to get regex syntax to behave. What I have below works. It only shows events that are from the source "EMET".
props.conf
[WMI:WinEventLog:Application]...

Distributed Deployment Environment all UNIX forwarders missing
We are trying to replace our current indexer with two new indexers. We made updates in outputs.conf to reflect the new servers. We ran a deployment to initiate the change and after the deployment all...

Splunk App for Active Directory and CSV Files
Hi Folks, after reviewing all of the AD App for Splunk setup using the Splunk Blogs (http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/) and the AD online manual...

Splunk Apache %T %D
Hi, I have a Splunk server and it reads the logs from our web servers. We've recently added the %T %D time flags on the end. Splunk just shows this as other. I've tried a few things to add it to the...

Splunkd fails after applying enterprise license
Since adding the enterprise license, Splunk periodically crashes with the following information from the kernel log:
Jul 19 08:10:34 syslog-xgm kernel: [1554243.968186] splunkd[27276] general protection...

Version 3.3 of Splunk for Palo Alto Network app not progressing past setup
When setting up a new 3.3 instance of the application I get the following error:
Encountered the following error while trying to update: In handler 'localapps': Password cannot contain all * characters
I...

Data in /opt/splunk/var/spool/splunk filling up disk
I'm seeing a number of very large files building up in /opt/splunk/var/spool/splunk:
drwx------ 2 root root 4096 Feb 27 02:08 .
drwx--x--x 4 root root 4096 Feb 7 23:12 ..
-rw------- 1 root root...

Timechart "yesterday" forced to display full 24 hours
I have a feeling there is a simple solution to this, I am just not seeing it. Possibly appending null data at the start and end of the time range. GOAL: I want to create a dashboard showing...

[Help] Renaming field of a specific source
Hi, I am using multiple sources in a single search command and I want to rename the _raw field of one of the source types. My current search:
sourcetype="blacklisted ip" OR sourcetype="log" | rename _raw...

xpath command splits the result string into single-character fields
Hi,
xpath outfield=SOAPMSG "local-name(//*[local-name() = 'Body' and namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/']/*)"
Result: SOAPMSG=r | SOAPMSG=e | SOAPMSG=g | SOAPMSG=i | SOAPMSG=s |...

dedup only 1 hr possible?
I have a query that has an interval of a few minutes, and there are some duplicated results during that hour. When I use dedup it deletes all the previous results and displays the latest. Has anyone met this problem?...