Splunk: Extract runtime search wildcards into key value pairs for analysis
I have a log4j server log with multiple lines formatted similar to the following: "10.1.1.1" "AUTH-USER" "22/Jul/2013:22:42:42 -0700" "GET /source1/resources/RESOURCE/ENDPOINT/1111/start HTTP/1.1" 200 4...
Search Head becomes unresponsive
Our search head becomes unresponsive after a few hours of operation. We then have to physically restart the server. Restarting the Splunk service on the machine does not alleviate the issue. Has anyone...
Why are null characters ("\x00") appearing in events assigned a sourcetype by...
I have a forwarder (4.2, build 96430) set up on one server to forward logs to two indexers (4.3, build 115073). When I wasn't doing anything but forwarding the logs, everything was working normally....
Exclude Strings in reports
I'm just starting out with Splunk and had a question about the canned reports. In the *nix app, if you go to "Log Files" -> "Errors and Warnings", there are many false positives. It seems to be...
Grouping the data and naming it as separate field
Hi, let me know how to achieve the below scenario. I have 4 alerts - a, b, c, d alerts - and in that a, b alerts are from the same issue but different timings. The other c, d alerts are for different issues. Now I...
Redirect port 80 to port 443?
Hi everyone. I just installed a custom cert this afternoon on our development search head, and after some stumbling we were able to get it to work. We ended up having to set the httpport field to 443,...
Show value for an empty record while grouping
We are trying to group by on a column A and showing the count of column B. But column A may contain null/empty string also. So after grouping, can we show another column which is grouped by all the...
Flushing and writing to Socket using javasdk
Hi, I'm using the javasdk to create a Socket connection to a splunk index for posting events in a long running process. The socket connection is kept open for the time the process is running, but I'm not...
What is the naming convention for files in the dispatch folder?
From time to time, I would need to blast the folders in the dispatch folder. Can anyone shed some light on the naming convention? Here are the name prefixes I have found... Some are obvious, some......
Dropdown help
I am trying to pass a greater than to my search, but when it gets passed to the search the search looks like this: =">3" There are two problems, (1) the "=" and (2) the "". The "=" is part of my search,...
Table creation without Unknown Users
This is my scenario: When I do a search on my event log there are 2 events for the same user. I have extracted the field as UserName1. The UserName1 field data looks like this: r3452(Unknown User)...
Splunk DB connect compatibility with Microsoft SQL Server 2012 - Parallel Data...
Documentation states that Splunk DB Connect supports SQL Server 2012 standard edition. SS2012 standard has the same connectivity drivers as PDW.
Problem with search for field=value
Hi, when I'm indexing my logs, I extract a field called "file_date" from my source. The field is of the form 2013-07-31_01-05-08. I have some problems when I want to search for a specific file_date. Say...
Exclude regex results from a search
Hello, I'm trying to run the following search in order to list all the failed connections. In our parc we have computers that start with Q immediately followed by a number. So I know the following...
Switcher ignoring labels - how can I present this correctly?
Hi everyone. I have an advanced XML dashboard using a pulldown switcher. The dash shows license burndowns for the majority of the modules, except for one which is supposed to show platform growth as a...
Why am I receiving these errors on startup of WAS Universal Forwarder
Upon startup of the universal forwarder in a WAS environment, I receive the following (many of them, this is just an example). The app does start and execute. Possible typo in stanza [WebSphere:ActivityLog] in...
Omitting zero values when calculating stats avg()?
What I want is: ... | stats avg(eval(MyValue!=0)) as Avg. It doesn't work that way (Avg is always 1.0). Of course, the workaround is: ... | stats sum(MyValue) as Sum, count(eval(MyValue!=0)) as Count |...
Stats count from different sources
Hello, I'm trying to show login stats from different sources by user. Those two sources don't show the user with the same field (Nom_de_l_utilisateur and user). This search shows "No results". If I display...
Calculate average number of calls by user
Here is our situation: we handle calls. Every call generates a record. We would like to find out, over the span of 1 month, the average number of calls every customer makes. Logically you'd figure...
Starting Splunk universal forwarder at runlevels 2 and 5 in AIX
Hi, for starting the splunk universal forwarder at runlevels 2 and 5 on AIX, would using splunk enable boot-start help, or do we need to add any other scripts in the rc.d folders?