- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Installation
- :
- Compare puncts (logs) generated before and after u...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We had an upgrade of a system and it is definitely generating different logs. I was trying to use the following search to tell me what logs (puncts) were generated before the upgrade (late at night on 3/21) that were not generated after the upgrade. I decided to go 1 week on either side but it keeps timing out so I dropped it to 1 day and the same thing. Each subsearch works just fine as an individual (non-setted) search and gives punct data so I don't get it. This should work on any deployment so I am sure somebody out there will see what is wrong and help me out; give it a try:
| set intersect [search index=xxx earliest=3/14/2012:0:0:0 latest=3/22/2012:0:0:0 | stats count by punct | fields punct | fields - _*] [search index=xxx earliest=3/22/2012:0:0:0 latest=3/29/2012:0:0:0 | stats count by punct | fields punct | fields - _*]
Timed out waiting for status to become available on job=1334683581.8709746
Timed out waiting for status to become available on job=1334683408.8709536
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the problem really is non-backgrounded timeouts so I sent it to the background to see if I can get it to run to completion. I also slightly modified the search to what I believe will be more efficient:
|set intersect [ search index=xxx earliest=3/14/2012:0:0:0 latest=3/22/2012:0:0:0 | stats values(punct) as puncts | mvexpand puncts ] [ search index=xxx earliest=3/22/2012:0:0:0 latest=3/29/2012:0:0:0 | stats values(punct) as puncts | mvexpand puncts ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the problem really is non-backgrounded timeouts so I sent it to the background to see if I can get it to run to completion. I also slightly modified the search to what I believe will be more efficient:
|set intersect [ search index=xxx earliest=3/14/2012:0:0:0 latest=3/22/2012:0:0:0 | stats values(punct) as puncts | mvexpand puncts ] [ search index=xxx earliest=3/22/2012:0:0:0 latest=3/29/2012:0:0:0 | stats values(punct) as puncts | mvexpand puncts ]
Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!
Preparing your Splunk Environment for OpenSSL3
Incident Response: Reduce Incident Recurrence with Automated Ticket Creation
