Unable to perform the following search provided by Splunk to check forwarder certificate package version:
index=_internal source=*metrics.log group=tcpout_connections
name=splunkcloud*
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"
| eval fwd_config=if(isnotnull(output_group),"new","legacy")
| stats count by _time host output_group fwd_config
| reltime
| fields _time reltime host output_group fwd_config
| sort 0 fwd_config
No errors are displayed after running the search, yet I receive no returned results.
Hi
You are running this against a Splunk Cloud environment (UFs send data to SC), and you haven't changed the output_group names from what they provided with the UF configuration packages?
One change you can make is
index=_internal source=*metrics.log group=tcpout_connections name=splunkcloud*
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)\_"
| eval fwd_config=if(isnotnull(output_group),"new","legacy")
| fillnull value="N/A" output_group
| stats count by _time host output_group fwd_config
| reltime
| fields _time reltime host output_group fwd_config
| sort 0 fwd_config
So this updates the output_group name to "N/A" if it's null (it shouldn't be) after fwd_config has been set.
Have you gotten any events when you run only the 1st line?
r. Ismo
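To make the classification in the search above concrete, here is an added example (not from the original post or from Splunk) that replays the same pipeline in Python over a handful of constructed events: the name=splunkcloud* filter from the first line, latest() per host, the rex with the 202[23456789] date prefix, the eval to "new"/"legacy", and the fillnull to "N/A". The host names, IPs, timestamps and the exact shape of the name values are invented for illustration; the only thing taken from the page is the regex. It shows which names count as "new", why an older event for the same host is ignored, and that a forwarder whose output group was renamed never reaches the stats at all, which is one way the search can return nothing.

```python
import re
from typing import Dict, List

# Constructed sample events standing in for index=_internal metrics.log
# group=tcpout_connections records. Only the fields the search uses are
# modelled (_time, host, name); the values are invented, not real output.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # new-style UF package: group name carries a splunkcloud_<YYYYMMDD>_ prefix
    {"_time": 1700000000, "host": "uf-new-01",
     "name": "splunkcloud_20230815_examplestack:203.0.113.10:9997:0"},
    # older record for the same host from before the package upgrade;
    # latest(_time)/latest(name) must pick the newer event above instead
    {"_time": 1690000000, "host": "uf-new-01",
     "name": "splunkcloud_examplestack:203.0.113.10:9997:0"},
    # legacy package: no date token after splunkcloud_
    {"_time": 1700000100, "host": "uf-legacy-01",
     "name": "splunkcloud_examplestack:203.0.113.11:9997:0"},
    # output group renamed by an admin: the name=splunkcloud* filter drops it,
    # so this host never shows up in the results
    {"_time": 1700000200, "host": "uf-renamed-01",
     "name": "prod_outputs:203.0.113.12:9997:0"},
]

# Same pattern as the rex in the search: splunkcloud_ followed by a
# 2022-2029 date token, then an underscore.
OUTPUT_GROUP_RE = re.compile(r"(?P<output_group>splunkcloud_202[23456789]\d+)_")


def filter_tcpout_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """First line of the search: keep events whose name matches splunkcloud*.

    Splunk field-value matching is case-insensitive, so compare lower-cased.
    If this returns nothing, the rest of the pipeline has nothing to work on.
    """
    return [e for e in events if str(e["name"]).lower().startswith("splunkcloud")]


def classify_forwarders(events: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Replay stats latest() by host, rex, eval fwd_config and fillnull."""
    # stats latest(_time) AS _time latest(name) AS name by host:
    # iterate in time order so the last write per host is the newest event.
    latest: Dict[str, Dict[str, object]] = {}
    for e in sorted(filter_tcpout_events(events), key=lambda e: e["_time"]):
        latest[str(e["host"])] = e

    result: Dict[str, Dict[str, object]] = {}
    for host, e in latest.items():
        # rex field=name "(?<output_group>splunkcloud_202[23456789]\d+)_"
        m = OUTPUT_GROUP_RE.search(str(e["name"]))
        output_group = m.group("output_group") if m else None
        result[host] = {
            "_time": e["_time"],
            "name": e["name"],
            # eval fwd_config=if(isnotnull(output_group),"new","legacy")
            "fwd_config": "new" if output_group is not None else "legacy",
            # fillnull value="N/A" output_group
            "output_group": output_group if output_group is not None else "N/A",
        }
    return result


if __name__ == "__main__":
    print(f"{len(filter_tcpout_events(SAMPLE_EVENTS))} of {len(SAMPLE_EVENTS)} "
          "events pass the name=splunkcloud* filter")
    for host, row in sorted(classify_forwarders(SAMPLE_EVENTS).items(),
                            key=lambda kv: kv[1]["fwd_config"]):
        print(f"{host:14} {row['fwd_config']:7} {row['output_group']:22} {row['name']}")
```

Running it prints one row per surviving host: uf-new-01 as "new" with output_group splunkcloud_20230815, uf-legacy-01 as "legacy" with "N/A", and no row for uf-renamed-01. The same three outcomes are what to look for in the real search: if every forwarder was renamed away from the splunkcloud* prefix, the first line alone already returns zero events, which is exactly the check Ismo suggests.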