I'm trying to convert this search to use accelerated data from a data model.
index=dns | chart sparkline AS Activity count AS "Number Transaction" by host | sort 10 -"Number Transaction" | rename host AS "Server IP" This is what I have come up with so far... | tstats...
Splunk App for Enterprise Security: Is it possible to tag Contributing Events...
Hello all, Does anyone know if it is possible to somehow tag or otherwise flag the raw events of a Notable Event (the raw events from clicking on the "Contributing Events" drilldown) for usage in a...
Palo Alto Networks app data model is extremely large. Why?
The Splunk UI reports that the data model is many terabytes in size. Why is it so large? The size is such that I am concerned about the space allocated for my actual data is being consumed.
Common information model
Hi, I developed a Splunk app and add-on to monitor one infrastructure. While filling out the app certification template, I found the term common information model. Can anyone tell me what it is? How I should...
Datamodel with spaces in field names?
I created a datamodel from a source which had spaces in the field names, but fields were automatically created with the same names, just omitting the spaces. Both were shown when at the Add...
Where and when do we use summariesonly=t with datamodel?
I am using the Splunk App for Web Analytics where each app searches using data models with summariesonly=t by default. However, it's not working as it is. However, when I remove summariesonly=t from...
Splunk App for Enterprise Security: Is it possible to restrict a tstats...
I would like to restrict the tstats search below to a specific index. The search uses the IDS_Attacks datamodel in ES. Is this possible? |`tstats` count from datamodel=Intrusion_Detection where *...
Splunk App for Enterprise Security: Is it possible to limit my search of the...
I want to create a single value chart to illustrate total intrusion detection events, however, I want to limit the results to our IPS threat events and exclude our firewall threat events. Is this...
Is it possible to use dedup or "|" commands in the base search of a data model?
I have an instance using ServiceNow data where I want to dedup the data based on sys_updated_on to get the last update and status of the incident. sourcetype="snow:pm_project" | dedup number sortby...
Is data model acceleration available for Hunk 6.2.4?
I'm having trouble setting up datamodel acceleration on our Hunk 6.2.4 instance. All I could find was a Hunk 6.0 mention about datamodel acceleration not being available for virtual indexes. Is this...
Splunk App for Web Analytics: Why can't I enable acceleration for the data...
I simply can't enable acceleration for the data model "Web" while setting up the Splunk App for Web Analytics? I'm clearly missing something because all documentation points to either a list box with...
Splunk App for Enterprise Security: Network Resolution (DNS) datamodel not...
The dns datamodel is not populating because out of the box neither ES nor the Windows Infrastructure app have the tag constraints defined. The datamodel is looking for the following three tags...
Is there a way to override existing fields in a data model?
Hi, Is there a way to override existing fields in a data model? In a regular search I can do | rex field=_raw ".*something:\s+(?<foo>.*)\s+.*" | eval foo=upper(foo) Doing so I can apply multiple commands to...
Is there a bug in Splunk 6 with adding an attribute of an object in data...
I'm trying to create an object and add some auto-extracted attributes. Some field names contain curly braces because our JSON data contains array structures. As the screenshot shows, the field name is...
Splunk ES Datamodel Constantly Rebuilding
Hi All, I have a problem that has been giving me a bit of grief with ES. Essentially my larger datamodels (Authentication / Network) never seem to get over 10% before restarting at 0%. I am running 2...