Splunk Enterprise

walklex: what is it telling me?

charlesmeo
Explorer

Given this search:

| walklex index=web prefix=host

what is the value contained in 'source'?

source = web~22~F3E2588C-834C-4B2A-B12B-3845A69B5304

I thought this might be a bucket id but it doesn't seem to be. First bit is the index name--what's the rest of it?

walklex documentation doesn't explain what is actually returned by this command, or how to use it.

Charles

Labels (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @charlesmeo,

It is the bucket name, a string composed of <index>~<id>~<guId>, where the delimiters are tilde characters. 

index = index name

id = bucket local id number

guid = guid of the indexer that host that index

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

charlesmeo
Explorer

Thanks @scelikok answer accepted. Still leaves the larger issue--documentation in this area (walklex, lispy) is pretty sketchy or non-existent.

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @charlesmeo,

It is the bucket name, a string composed of <index>~<id>~<guId>, where the delimiters are tilde characters. 

index = index name

id = bucket local id number

guid = guid of the indexer that host that index

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...