Knowledge Management

Discussions

Thread Info

The macro delimiter is the grave accent/back tick. Is there a way to change this to another character?

On a non-US keyboard (Norway for instance) the back tick is very difficult to use. We would like to know if we can ch...

by New Member in

How do I populate a summary index with the collect command if a field value is an empty string and will become a null value?

In order to create a timestamp with a specific field, my search is like search xxx| eval _raw=FIELD_TIME.", FIELD_...

by Path Finder in

Why does realtime_schedule keep changing back to default after I make changes in GUI on Splunk 6.2?

I use Splunk 6.2. I have few scheduled searches that creates summary index. I need them to run on time (Not continued...

by Path Finder in

Best Practice for Large Directory of Files

Hi, I have some very large directorys. Here is my input.conf [monitor://\\server\folder] disabled = false host ...

by Contributor in

How to optimize search head performance?

My search head is getting very slow. How to reduce the response time of search head?

by Path Finder in

An instance of fill_summary_index is already running for app=search

I had the Admin of our Splunk Inder run a fill_summary_index.py job. The first time he ran it, it worked but quit aft...

by Explorer in

Are there any plans for data signing in splunk since this functionality was removed in 6.2?

Hi, Are there any plans for Signing data in splunk? As i can see, the last release removed this functionality R...

by Builder in

How to backfill a summary index with a restricted time for each day?

I would like to backfill my index up by 2 months. The query however, is time sensitive and requires the day span to b...

by Explorer in

Summary Index Reports

Hi, I wonder whether someone could help me please. I've put together the search below to create a Summary Index ...

by Motivator in

What percentage of time do you have to spend outside of Splunk to find the root cause?

Our organization is evaluating Splunk. When getting to the root cause, we'd like to understand examples of where your...

by New Member in

Why is summary indexing creating duplicate records in the summary index?

Hi, I am have the following definition for summary indexing: [Test_Summary_Index] action.summary_index = 1 acti...

by Builder in

Rrealtime_schedule in SavedSearches.conf, is this what I'm looking for?

I would like the savedsearch to run in real time, basically populate the saved search I have set in savedsearches.con...

by Builder in

How to use macros to set time variable

Hi, I'm trying to configure macros to use as a variable in my source. In my macro, I use strftime(relative_time(ti...

by Explorer in

Automatic Lookups on Internal Index

Is the _internal index exempt from automatic lookups? I can't get any automatic lookups working on the index even wit...

by Explorer in

Why should I continue trying to evaluate Splunk?

Hello, Monday I signed up for a cloud trial and it still isn't working for me. When a sales person called and we talk...

by New Member in

If my coldToFrozenDir is full or unavailable, do I lose my old data?

From can I see, Splunk continues to run but I would like to know what happens to the cold data which meets the criter...

by Explorer in

Collecting to a summary index not working

am unable to collect data into a summary index. Getting odd behavior. This works: index=security sourcetype=dbx...

by Path Finder in

Storing Calculated Data for Later Use

I am trying to essentially gather information of a pretty large query and count it every day, and then display this t...

by Explorer in

eventtype from an inputlookup

I am making an app and wanted to have some dummy data tagged as an example to the end user. So I have eventtypes.c...

by Builder in

Can I specify a tag that logically ANDs the field value pairs?

I'd like to setup a tag that is restrictive (AND) in its query rather than inclusive (OR). For example, if you specif...

by Explorer in

Will summarizing already-summarized data with sistats yield accurate results?

Suppose I have a summary index storing summarized minute-ly data populated from sistats. Suppose each minute contains...

by Communicator in

Is there a tsistats or something similar for summarizing accelerated data model data?

We would like to benefit from the performance benefit of an accelerated data model, however, we also need to summariz...

by Communicator in

Not result get from collect

I schedule below search, search name is "TransactionResult" sourcetype="ims*" host="chi*" ActivityId!="(null)" (Ac...

by New Member in

Do we need to enable counter in client sytem to collect in the splunk server?

Hi all, Do we need to enable counter in client sytem to collect in the splunk server? Thanks Sathish R

by Contributor in

How to disable update checking in Splunk server / where to locate app.conf?

Splunk 6.0.2 (build 196940), Ubuntu 12.04 I have seen http://answers.splunk.com/answers/28616/how-can-automatic-u...

by Path Finder in

Get Updates on the Splunk Community!

Knowledge Management

Discussions

The macro delimiter is the grave accent/back tick. Is there a way to change this to another character?

How do I populate a summary index with the collect command if a field value is an empty string and will become a null value?

Why does realtime_schedule keep changing back to default after I make changes in GUI on Splunk 6.2?

Best Practice for Large Directory of Files

How to optimize search head performance?

An instance of fill_summary_index is already running for app=search

Are there any plans for data signing in splunk since this functionality was removed in 6.2?

How to backfill a summary index with a restricted time for each day?

Summary Index Reports

What percentage of time do you have to spend outside of Splunk to find the root cause?

Why is summary indexing creating duplicate records in the summary index?

Rrealtime_schedule in SavedSearches.conf, is this what I'm looking for?

How to use macros to set time variable

Automatic Lookups on Internal Index

Why should I continue trying to evaluate Splunk?

If my coldToFrozenDir is full or unavailable, do I lose my old data?

Collecting to a summary index not working

Storing Calculated Data for Later Use

eventtype from an inputlookup

Can I specify a tag that logically ANDs the field value pairs?

Will summarizing already-summarized data with sistats yield accurate results?

Is there a tsistats or something similar for summarizing accelerated data model data?

Not result get from collect

Do we need to enable counter in client sytem to collect in the splunk server?

How to disable update checking in Splunk server / where to locate app.conf?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

New Splunk TcpOutput persistent queue

Solutions: "Splunk could not get the description f...

Restore Datasets in a Data Model from an App

After upgrade to 9.1.x and above overall increased...

Routing events on UF for sourcetypes with INDEXED_...

Knowledge Management

Are you a member of the Splunk Community?

Discussions

Can’t make it to .conf25? Join us online!