Knowledge Management

Discussions

Thread Info

How to delete data older than 90 days except summary index

We have multiple indexes to separate the access / role limit due to data privacy/security (like index1, index2, index...

by Builder in

Is it possible to generate a "Data Summary" for indexes other than the default index?

Splunk's default search screen features a convenient "Data Summary" button which users can click to show a summary fo...

by New Member in

Is it usual to have multiple tags that appear the same

Forgive me if this is a naive question. We seem to have multiple tags that have the same name. They contain dif...

by Path Finder in

eventtype with Russian text causes "| stats count by tag" to return no results

If I run the search: tag=S100 | stats count it returns the correct results. So the tag can be searched, but the...

by Splunk Employee in

Any good knowledge object/dependency management techiques out there?

So.. With a lot of reports that are dependent on lookup tables.. Dashboards dependent on saved reports, and so on, it...

by Builder in

Splunk_TA_nix 5.0.2 Eventtype does not exist or is disabled

I am getting the following when using the following search: index=juniperfirewall tag=* |search tag=ids The tag=* ...

by Motivator in

fill_summary_index.py error backfilling 5-minute CPU utilization summary index

Here is the search (name = CPU-Summery-WMI): sourcetype="WMI:CPUTime" earliest=-5m@m | stats avg(PercentProcessor...

by Contributor in

How to reindex a folder with a FTP log

For some reason I did get a hang or something while I added a folder of FTP log to the Splunk server. This made th...

by Builder in

macro with DBquery

Hi I used macro and its return some results, I want to run dbquery to passing parameter using the macro results How...

by Engager in

Error when creating database lookup

Each time I try to create a new or save and existing database lookup I get the following error: {"msg": "Encounter...

by Engager in

What capabilities and permissions get applied to the nobody user?

I'm seeing searches running with user 'nobody' what quota will be applied? I can't seem to apply any role to nobody?

by Splunk Employee in

How save the extracted fields into another Index

Hi From the complex log, I have extracted all the fields, which is about 60+ fields. I want to save these fields i...

by Path Finder in

Duplicate entries produced by saved search in summary index

I have 28 saved searches and each one of the searches is executed in 5 mins gaps. Even though I have dispersed the sc...

by Explorer in

Does the summary index data expire?

Do we have an expiration on summary indexed data, if yes how long we can keep that data and where can we find this de...

by Engager in

How do I specify a time resolution?

Normally, the time resolution adjusts itself, seemingly trying to keep the number of bars shown below some "reasonabl...

by Engager in

international site best practices

WE have two small international sites. What's the best practice for getting that data into our main SPlunk here in th...

by Engager in

Free up space on the index

I have quite a few hot db and warm in one of my index - sharp. Can I delete the files under the rawdata directory lik...

by New Member in

bulletin message path

Where is the path of the file created when creating a bulletin message? Manager->User interface->Bulletin Messages

by Builder in

How to compare index usage for specific day within last 4 weeks?

Hello this search query is very neat and I want to know how I can compare it with last 4 weeks based on the day of we...

by Explorer in

Summary Index -nolocal

Hello! I've got a distributed Splunk setup where the indexers and search heads live on separate hosts. (The indexe...

by Motivator in

Ideas on how to handle event flood/storm

We occasionally receive hundreds of thousands of events (sometimes millions) from one or two hosts and if not acted q...

by Explorer in

XMLでAttributeを指定して検索する方法について

props.confに以下の設定をして、XMLを取り込んでいます。　KV_MODE = xml 　pulldown_type = 1 　NO_BINARY_CHECK = 1 　SHOULD_LINEMERGE = true このと...

by New Member in

How to subtract outcome of count

I have two saved searches, saved them as macros. 1: [search sourcetype="brem" sanl31 eham Successfully completed (...

by Explorer in

How to extend the Event Options Menu

I want to extend the Event Options Menu which is located beside the result records. The idea is to add a link contain...

by Path Finder in

How can I forward Windows events without the Splunk forwarder software?

Anyone here got some recommendations for forwarding Windows event logs to Splunk without installing the Splunk forwar...

by Path Finder in

Get Updates on the Splunk Community!

Knowledge Management

Discussions

How to delete data older than 90 days except summary index

Is it possible to generate a "Data Summary" for indexes other than the default index?

Is it usual to have multiple tags that appear the same

eventtype with Russian text causes "| stats count by tag" to return no results

Any good knowledge object/dependency management techiques out there?

Splunk_TA_nix 5.0.2 Eventtype does not exist or is disabled

fill_summary_index.py error backfilling 5-minute CPU utilization summary index

How to reindex a folder with a FTP log

macro with DBquery

Error when creating database lookup

What capabilities and permissions get applied to the nobody user?

How save the extracted fields into another Index

Duplicate entries produced by saved search in summary index

Does the summary index data expire?

How do I specify a time resolution?

international site best practices

Free up space on the index

bulletin message path

How to compare index usage for specific day within last 4 weeks?

Summary Index -nolocal

Ideas on how to handle event flood/storm

XMLでAttributeを指定して検索する方法について

How to subtract outcome of count

How to extend the Event Options Menu

How can I forward Windows events without the Splunk forwarder software?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

New Splunk TcpOutput persistent queue

Solutions: "Splunk could not get the description f...

Restore Datasets in a Data Model from an App

After upgrade to 9.1.x and above overall increased...

Routing events on UF for sourcetypes with INDEXED_...

Knowledge Management

Are you a member of the Splunk Community?

Discussions