Knowledge Management

Start a Conversation

Discussions

Start a Conversation

Thread Info

Why can't you use a wildcard when searching for tags (tag=*)?

I've always known that you can't search tag=* but I never knew why. Maybe the old-time splunkers can elighten me?

by Splunk Employee in

Double backslash in a field value becomes single backslash in accelerated data model. How to retain the original field data with two backslashes?

One of our fields stores the name of a Windows UNC path, e.g.: \\server\share (two backslashes followed by ser...

by Builder in

How to update events with new key/value pairs on a per event basis?

Hi Splunkers, I was wondering if someone could shed some insight on whether this is even possible with Splunk, if ...

by Path Finder in

How to and where can I add the timeformat string to a saved macro?

Splunk version: 6.4 Localization specifier in the URL : en_US search 1: earliest="01/08/2016:00:00:01" late...

by Builder in

Solve the scenario by creating a macro or through macros.conf?

when any splunk search runs with the word "getABCsWin"(in any dashboard or alert etc etc). I want the string timeform...

by Builder in

What is the purpose of macros.conf, and what is the path for it?

What is macros.conf and what is its use? What could be the path for macros.conf?

by Builder in

Can I have multiple searches collecting (using the collect command) to the same index?

Can I have multiple searches collecting (using the collect command) to the same index? The number of searches can be ...

by Splunk Employee in

Too complex for tags?

I want to create a tag that involves two extracted fields and a combination of AND/OR statements, see example below. ...

by Builder in

How can I periodically update KV store collection programmatically from TA input?

Up till now, I am using csv file lookup. An input runs every day, and updates this CSV file. This must happen in orde...

by Communicator in

doing a summary index - getting started - my first time

I have a search ...|timechart span=d sum(kpi1) sum(kpi2) max(kpi3) max(kpi4) | foreach * [eval <<FIELD>>=round('...

by Motivator in

Eventtype style color only displays while in current session

I created 3 eventtypes, at creation I chose a different color for each one. Everything worked fine, colors were displ...

by Explorer in

Routing summary indexes to specific indexer based on summary index name

Hi, Could anyone help me with configuration for the following? summary indexes created on search head laye...

by Motivator in

Is there any way to do calculated fields before search time?

I was using calculated fields, but then I started reading the documentation and saw that calculated fields are done d...

by Engager in

Data Model Query

Dear Experts, Kindly help to modify Query on Data Model, I have built the query. | tstats summariesonly dc(All...

by Explorer in

Schedule automatic summary backfill?

I'd like to have summary backfill run on a scheduled basis to fill in the gaps automatically. I'd probably run this d...

by Champion in

Can a search that populates a summary index add a field to the raw data?

Hello, I am populating a summary index with a search: index=index1 | addinfo | collect index=summary I want to ...

by Engager in

Scaling kv store performance

I am encountering an issue with the kvstore (6.4.1/6.4.2) where i am hitting a relative performance limit with update...

by Motivator in

How to collect Slack logs

Hi, I created an app with an inputs.conf file to collect syslog data (udp 514) from a particular host and send it to...

by Engager in

What is your best practice for search slicing by host environment/role?

Hey there! I did not find an optimal solution for myself yet. But I guess many of you have similar use cases, so m...

by Explorer in

Is it possible to connect directly to MongoDB?

I want to maintain a lot of data in my KV Store, but in order to do so I have to keep it clean; but aging out old dat...

by Path Finder in

Knowledge Management

Discussions

Why can't you use a wildcard when searching for tags (tag=*)?

Double backslash in a field value becomes single backslash in accelerated data model. How to retain the original field data with two backslashes?

How to update events with new key/value pairs on a per event basis?

How to and where can I add the timeformat string to a saved macro?

Solve the scenario by creating a macro or through macros.conf?

What is the purpose of macros.conf, and what is the path for it?

Can I have multiple searches collecting (using the collect command) to the same index?

Too complex for tags?

How can I periodically update KV store collection programmatically from TA input?

doing a summary index - getting started - my first time

Eventtype style color only displays while in current session

Routing summary indexes to specific indexer based on summary index name

Is there any way to do calculated fields before search time?

Data Model Query

Schedule automatic summary backfill?

Can a search that populates a summary index add a field to the raw data?

Scaling kv store performance

How to collect Slack logs

What is your best practice for search slicing by host environment/role?

Is it possible to connect directly to MongoDB?

Distsearch.conf and other config files overridden ...

Data model 'Cloud_Infrastructure' was not found

Advice on adapting the Ticket Management data mode...

How to nail it down The number of search artifacts...

Splunk for ISeries - AS400