Are delete events misflagged?
I got quite a few events coming in, so as an example I copied two, one with action=add and one with action=delete. Interestingly enough, the add / update events are correctly classified and the sourcetype...
Corrupt MetaData?
Somehow, Splunk MetaData has become corrupt. My event counts are all off. What do I do?
FS Change keeps adding and deleting files from monitoring
I am monitoring /etc/hosts.allow and /etc/hosts.deny for change, with a poll period of 300 seconds. [fschange:/etc/hosts.allow] index = fschange_main pollPeriod = 300 [fschange:/etc/hosts.deny] index =...
Can't Set Up App for InterMapper
I can't seem to get this app set up right. It keeps telling me "Unauthorized". Any help would be appreciated.
What is migration.conf
I just created a new splunk install and I see a migration.conf with the following contents: [history] migrated_cluster_app_to_underscore_cluster What's this all about? I can't find any record of it on...
indexing, segmenting segments, pre-search
I am a splunk newbie, so some obvious explanations might need further clarification. What I have: Advanced medical imaging system of systems that produces a global output log of a specific format...
How to set a field value and leverage a lookup table?
I am attempting to use splunk to look up IP addresses that users punch in to our system. The reason for this is to find out what network they are on in correlation to our security policies. I am...
app not deploying to client
1 Serverclass.conf in ~splunk/etc/system/local using clientName attribute; placeholder app in ~splunk/etc/deployment-apps/placeholder [global] whitelist.0=* stateOnClient = enabled [serverClass:base-xyz]...
Field extraction from information in field=source
My webserver logs are sent to my indexers through a Universal Forwarder. *Snippet from inputs.conf on the Universal Forwarder [monitor:///path/to/apache/2.2/web/.../logs/*access_log] disabled =...
making a chart
hi, by running this query in the search field: index="New" "Phase * ended" | table phaseinformation , phase_ended , datetime | rename datetime as DATE , phaseinformation as Phase_Info , phase_ended as...
Dashboard Template
Hello! I've created a Dashboard with many panels. These panels are created for FebLog.log. What I need to do now is to add in MarLog.log, and use the same Dashboard and panels to display the same...
Regex in Field Transform not greedy?
Hi Base, could it be that Regexes in Field Transforms are not greedy? I am using this field transformation to extract sld.tld from hostnames: [hostname_query_sub1] CLEAN_KEYS = 1 MV_ADD = 0 SOURCE_KEY =...
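As an added illustration (not part of the question above, and not the poster's transform, which is truncated here): how greedy and lazy quantifiers differ when pulling a suffix out of a hostname. It uses Python's `re`; the regexes and sample hostnames are assumptions chosen for the demonstration. The point it shows is that a greedy `.*` followed by an anchored tail matches from the last dot, a lazy `.*?` from the first, and that extracting exactly "sld.tld" is better done by anchoring on the end and counting labels than by tuning greediness.

```python
import re

# Constructed sample hostnames (not taken from the original post).
HOSTS = [
    "www.example.com",
    "mail.corp.example.co.uk",
    "host",
]

# Greedy: '.*' consumes as much as it can and then backtracks only as far as
# needed for '\.' and the rest to match, so the dot it settles on is the LAST
# one and the group captures just the final label.
GREEDY = re.compile(r"^.*\.([^.]+)$")

# Lazy: '.*?' consumes as little as it can, so the dot it settles on is the
# FIRST one and the group captures everything after it.
LAZY = re.compile(r"^.*?\.(.+)$")

# Exactly two trailing labels ("sld.tld"): anchor on the end of the string and
# forbid dots inside each label. No quantifier-greediness choice is involved.
SLD_TLD = re.compile(r"([^.]+\.[^.]+)$")


def extract(pattern, host):
    """Return the first capture group of `pattern` on `host`, or None."""
    m = pattern.search(host)
    return m.group(1) if m else None


def compare(host):
    """Show what each of the three patterns captures for one hostname."""
    return {
        "greedy": extract(GREEDY, host),
        "lazy": extract(LAZY, host),
        "sld_tld": extract(SLD_TLD, host),
    }


if __name__ == "__main__":
    for h in HOSTS:
        print(h, compare(h))
```

Caveat: "last two labels" is not the same as "registrable domain"; for `mail.corp.example.co.uk` the two-label rule yields `co.uk`, which is a public suffix, not an organisation's domain. Getting that right needs a public suffix list, not a cleverer regex.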
updated doc on how to handle csv's with headers
Is there any recent doc on how Splunk imports csv files with headers? I see a lot of questions, and the answers are all over the place. This shouldn't be difficult...
"no_priority_stripping = true" is not working
I enabled "no_priority_stipping" in inputs.conf and restarted splunk, but UDP syslog messages still do not include the priority level at the head of the log. Does anyone know how to enable this?
Not receiving data from Windows Forwarder
I've got a Linux based server I'm using as a receiver to get information from numerous servers. One of the servers is a Windows server, but I'm not receiving any data from that server. I've installed...
Exchange Powershell cmdlets not accessible to Splunk for Exchange Powershell...
Hi, I've installed the Splunk App for Exchange and it appears that none of the powershell modules are functioning correctly. I know that they are running, but none are returning data. On further...
Some users unable to find cleared tag in Windows app
This tag in the windows app is for the windows_audit_log_cleared eventtype. Both the tag and the eventtype are set to global and the permissions are read:all write:admin. I have several users that can not...
Exchange App Distribution List Report not working
Hi there, Does anyone know where this data comes from? I can't see a sourcetype similar in my msexchange index.Cheers Andy
splunk universal forwarder max events per second
Hello, we are looking to install a splunk universal forwarder to collect a debug log from an AD domain controller, and the log can see peaks of around 5,000 eps. Will the forwarder be able to...
Scheduled searches no longer running, showing Scheduled Time in the past.
We have numerous searches that are supposed to run every minute. They have run successfully for months now, but yesterday we found that they had suddenly stopped doing the Summary Indexing they are...