All Posts

I am also looking for a solution that supports parquet format
It is an Outlook question whether you can enable it to send email using your credentials from Splunk or any other external service. As far as I remember, you can't just use user/password to authenticate to Outlook's SMTP, and Splunk doesn't support (at least not using the built-in sendemail.py) alternative modes of authentication.
Are you sure that Splunk is running on your host? You could check it with the "splunk status" command on the command line.
Hi all! I would like to create a no_msg_wait_time column here. This is my existing Splunk search query:

index=index source="D:\\Temp\\logs\\Logpath\\examplelog.log"
| rex field=_raw "^(?<date>\d{4}-\d{2}-\d{2})\s+(?<timestamp>\d{2}:\d{2}:\d{2},\d{3})"
| rex field=_raw "Done Bulk saving messages, Count=(?<count>\d+), used (?<db_bulk_write_time>\d+) ms"
| where isnotnull(count)
| eval event_time=strptime(date . " " . timestamp, "%Y-%m-%d %H:%M:%S,%3N")
| sort 0 event_time
| streamstats current=f last(event_time) as prev_event_time
| eval processing_time=if(isnull(prev_event_time), 0, event_time - prev_event_time)
| fields date, timestamp, processing_time, count, db_bulk_write_time
| eval processing_time = processing_time * 1000
| table date, timestamp, processing_time, count, db_bulk_write_time, _raw

This is an example of the log lines. I would like to create a no_msg_wait_time column with the following results: it would count how many "No message to handle (noMessageHandleCounter=*), retry in 1000 ms" lines there are between each "Done Bulk saving messages". So if there are 4 in between, then no_msg_wait_time will be 4000ms; if there are none in between, then no_msg_wait_time will be 0ms.

So using my current example here:

2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=7), retry in 1000 ms
2024-08-07 21:13:11,007 [15] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4504
2024-08-07 21:13:11,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:11,257 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:11,382 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:11,507 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:11,632 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:11,757 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:11,882 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:11,882 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms
2024-08-07 21:13:12,007 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:12,054 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:12,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:12,179 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:12,257 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,398 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,528 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:12,778 [33] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:4668
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:12,809 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms
2024-08-07 21:13:12,841 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:12,934 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:12,966 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:13,059 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:13,059 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,184 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:13,200 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,325 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:13,341 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,466 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:13,591 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:13,716 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:13,841 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:13,966 [33] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:15,731 [20] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:7648
2024-08-07 21:13:15,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:15,981 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:16,106 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:16,231 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:16,356 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:16,481 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:16,606 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:16,606 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms
2024-08-07 21:13:16,637 [39] INFO DistributorCommon.WMQClient [(null)] - Saved messages to DB, Q Manager to Commit (Remove messages from Queue)
2024-08-07 21:13:16,731 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=8), retry in 10 ms.
2024-08-07 21:13:16,762 [39] INFO DistributorCommon.WMQClient [(null)] - Clear Write Buffer
2024-08-07 21:13:16,856 [20] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:16,856 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:16,997 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:17,137 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:17,278 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:18,294 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:19,309 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:19,544 [28] INFO DistributorCommon.WMQClient [(null)] - Message Read from Queue, Message Length:13568
2024-08-07 21:13:19,669 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:19,794 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=2), retry in 10 ms.
2024-08-07 21:13:19,919 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=3), retry in 10 ms.
2024-08-07 21:13:20,044 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=4), retry in 10 ms.
2024-08-07 21:13:20,169 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=5), retry in 10 ms.
2024-08-07 21:13:20,294 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=6), retry in 10 ms.
2024-08-07 21:13:20,419 [28] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=7), retry in 10 ms.
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 1
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Processing messages, Count=1
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.WMQClient [(null)] - Done Processing messages, Count=1, IsBufferedEvent=True
2024-08-07 21:13:20,419 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Bulk saving messages, Count=1
2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms

And my current results are as follows (I manually added the expected no_msg_wait_time):

date | timestamp | processing_time | count | db_bulk_write_time | no_msg_wait_time | _raw
2024-08-07 | 21:13:07,070 | 0.00 ms | 1 | 13.00 ms | this one should be zero as I don't have a log line before it to calculate from (assume this is the start of the log) | 2024-08-07 21:13:07,070 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 13 ms
 | 21:13:12,007 | 4,937.00 ms | 1 | 113.00 ms | 4000ms (as there are 4 no message to handle, ... 1000ms) | 2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms
 | 21:13:12,825 | 818.00 ms | 1 | 24.00 ms | 3000ms | 2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms
 | 21:13:16,622 | 3,797.00 ms | 1 | 11.00 ms | 10,000ms | 2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms
 | 21:13:20,434 | 3,812.00 ms | 1 | 12.00 ms | and so on and so forth | 2024-08-07 21:13:20,434 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 12 ms
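As an added illustration, not the poster's code and not SPL: the Python below reproduces the intended no_msg_wait_time logic over a subset of the log lines quoted in the question, so the expected values can be checked outside Splunk before the search is written. It assumes that the "No message to handle" lines seen before the first "Done Bulk saving messages" event are counted from the start of the input, that processing_time of the first row is 0 as in the search above, and that the wait is the sum of each matching line's "retry in N ms" value rather than a hard-coded 1000. The function and constant names are my own.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the log lines quoted in the question above,
# kept in file order. The 10 ms "No msg in the queue" lines are included as
# distractors that must NOT be counted.
SAMPLE_LOG = """\
2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - All Read threads finished flush the messages, total messages: 0
2024-08-07 21:13:07,710 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:08,742 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:09,757 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:10,773 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=7), retry in 1000 ms
2024-08-07 21:13:11,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=1), retry in 10 ms.
2024-08-07 21:13:12,007 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 113 ms
2024-08-07 21:13:12,132 [15] INFO DistributorCommon.WMQClient [(null)] - No msg in the queue (NoMessageCounter=9), retry in 10 ms.
2024-08-07 21:13:12,825 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 24 ms
2024-08-07 21:13:13,466 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=4), retry in 1000 ms
2024-08-07 21:13:14,481 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=5), retry in 1000 ms
2024-08-07 21:13:15,497 [39] INFO DistributorCommon.WMQClient [(null)] - No message to handle (noMessageHandleCounter=6), retry in 1000 ms
2024-08-07 21:13:16,622 [39] INFO DistributorCommon.DBHandlerBase [(null)] - Done Bulk saving messages, Count=1, used 11 ms
"""

# Same patterns as the two rex commands in the search, plus one for the wait lines.
TS_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<timestamp>\d{2}:\d{2}:\d{2},\d{3})")
DONE_RE = re.compile(r"Done Bulk saving messages, Count=(?P<count>\d+), used (?P<db_bulk_write_time>\d+) ms")
# Requires the literal "noMessageHandleCounter", so "No msg in the queue
# (NoMessageCounter=...)" lines from the 10 ms poll loop are ignored.
WAIT_RE = re.compile(r"No message to handle \(noMessageHandleCounter=\d+\), retry in (?P<retry_ms>\d+) ms")


def parse_events(text):
    """Return (event_time, kind, fields) for Done and wait lines, sorted by time."""
    events = []
    for line in text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue
        when = datetime.strptime(f"{ts['date']} {ts['timestamp']}", "%Y-%m-%d %H:%M:%S,%f")
        done = DONE_RE.search(line)
        if done:
            events.append((when, "done", {
                "date": ts["date"],
                "timestamp": ts["timestamp"],
                "count": int(done["count"]),
                "db_bulk_write_time": int(done["db_bulk_write_time"]),
            }))
            continue
        wait = WAIT_RE.search(line)
        if wait:
            events.append((when, "wait", {"retry_ms": int(wait["retry_ms"])}))
    events.sort(key=lambda e: e[0])  # stable sort, mirrors `sort 0 event_time`
    return events


def no_msg_wait_table(text):
    """One row per 'Done Bulk saving' event; processing_time and no_msg_wait_time in ms."""
    rows = []
    pending_wait_ms = 0   # accumulated retry time since the previous Done event
    prev_done = None
    for when, kind, fields in parse_events(text):
        if kind == "wait":
            pending_wait_ms += fields["retry_ms"]
            continue
        # Assumption: first row gets 0, as the search's isnull(prev_event_time) branch does.
        processing_ms = 0 if prev_done is None else round((when - prev_done).total_seconds() * 1000)
        rows.append({
            "date": fields["date"],
            "timestamp": fields["timestamp"],
            "processing_time": processing_ms,
            "count": fields["count"],
            "db_bulk_write_time": fields["db_bulk_write_time"],
            "no_msg_wait_time": pending_wait_ms,
        })
        pending_wait_ms = 0  # reset so the next Done only sees waits after this one
        prev_done = when
    return rows


if __name__ == "__main__":
    for row in no_msg_wait_table(SAMPLE_LOG):
        print(row)
```

On the sample this yields 4000, 0 and 3000 ms for the three Done events, with processing_time 0, 818 and 3797 ms, matching the 818.00 ms and 3,797.00 ms already produced by the search. The accumulate-then-reset-on-Done logic is the part a Splunk search has to express; the regex anchored on noMessageHandleCounter is what keeps the 10 ms queue-poll lines out of the count.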
Was it done by Splunk support or someone else? @richgalloway is correct, you should never uninstall the previous version (unless there is some compatibility issue or something else) before an update. From time to time you should step through several UF versions rather than installing directly over many versions. There could be some work, e.g. for the fishbucket etc., which the UF must do to convert those from the old version to the new one. If/when you uninstall the previous version, it also means that you will reindex all events from that host, as it no longer has any information about what it has previously indexed! With big nodes this could even be terabytes of duplicate events! r. Ismo
I am encountering an issue with sending emails from Splunk. After some investigation, I discovered that my Outlook email address is not authorized to send emails as splunk@splunkubuntu.

Details: I have configured Splunk to use my Outlook email address for sending alert notifications. The SMTP server settings in Splunk are correctly configured to use my Outlook credentials. However, when an alert is triggered, the emails are not sent. The error message indicates that my Outlook email address is not authorized to send emails as splunk@splunkubuntu.

Steps Taken: Verified the SMTP server settings in Splunk (Settings -> Server settings -> Email settings). Tested sending emails directly from Outlook, which works fine. Checked the Splunk logs (splunkd.log) for any related errors and found the authorization issue.

Questions: How can I configure my Outlook email address to be authorized to send emails from Splunk? Are there specific settings or permissions needed within Outlook or Splunk to resolve this issue? Has anyone faced a similar issue and found a solution? Thank you in advance for your assistance!
There are some limits on how many fields and how many characters events can have for automatic indexing extraction to work. I cannot recall the length, but those are not as big as one might expect. Probably those are defined in limits.conf or some other conf file. If I recall right, you can also find some discussions on Answers about this issue. Also this .conf presentation can help you with unindexed fields. https://conf.splunk.com/files/2023/slides/PLA1258C.pdf r. Ismo
Good morning! I am receiving the error "Could not load lookup=LOOKUP-reply_code" on multiple boxes. Any similar situations? Thanks in advance for any feedback.
Hi, it depends on whether those fields are defined in your raw data or not. If they are there, then you could try what they have presented in this .conf talk. There are some other presentations on how to use TERM and PREFIX in your searches. https://conf.splunk.com/files/2023/slides/PLA1258C.pdf Another option is to create a Data Model and use it. But whether that is a reasonable solution or not depends on your real use case. r. Ismo
I actually don't have the list of devices to create a lookup file. I am taking the reported list of devices from Splunk for the compliance report.
We pull change, incident and security incident tickets from ServiceNow into Splunk using the add-on app for ServiceNow. Since we have upgraded the ServiceNow add-on app to 7.8.0, we are unable to pull security incidents. The other data sets related to changes, incidents etc. are coming through. We see the below error:

2024-08-06 19:22:13,103 ERROR pid=663322 tid=MainThread _data:274 | Failure occurred while getting records for the input: securityincident from the table: sn_si_incident of the servicenow host: xxxx The reason for failure= {'message': 'Insufficient rights to query records', 'detail': 'Field(s) present in the query do not have permission to be read'}. Contact Splunk administrator for further information.

Anyone had this issue?
Hi, you can use a virtual server as a CM. Just allocate enough CPU + memory for it. There are still some parts of the Splunk CM code which have single-thread restrictions. For that reason it's more important to have a fast enough CPU and also enough memory to run it. Also you should take care that you don't allocate too many resources to the VM vs. what you have in your real virtualization host. Over-allocating memory or CPU is also not good for Splunk. Also all your indexers must (should) be identical, otherwise there will be some issues later or you will not use all of their resources. When you take an indexer cluster into use you can also take indexer discovery into use. This handles which indexers the UFs send their events to. I propose that you look at least at the next docs:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Aboutclusters
https://lantern.splunk.com/Splunk_Success_Framework/Platform_Management/Indexing_and_search_architecture
https://docs.splunk.com/Documentation/SVA/current/Architectures/About?
Personally I prefer Linux over Windows for Splunk, especially when you have more than one Splunk server. Also if you have any doubt that you will need to scale this over two sites, then you could/should create a multisite cluster within one site. This will make it easier to expand to another site if/when you need that kind of HA / disaster recovery capability. r. Ismo
Hi @haleyh44, yes, you can use a VM as Cluster Manager; you should give it the minimal CPU and RAM requirements, and it's preferable if you can give them; if you can't, you could also try with a smaller configuration (8 CPUs and 8 GB RAM). Old data cannot be replicated between Indexers, even if you have a cluster, only new data. If you want to have two copies of the old data, you must manually copy them to both Indexers, into a different, non-replicated index. For new data, remember that you have to add to each stanza of your indexes.conf the option
repFactor = auto
otherwise indexes aren't replicated. You must update all your Forwarders to send data with autoLoadBalancing to all your Indexers; you could also configure indexer discovery (https://docs.splunk.com/Documentation/Splunk/9.3.0/Indexer/indexerdiscovery). Ciao. Giuseppe
You could create a lookup file to map the host name to the device and then use the lookup command to get the device name.
Check the _internal index for events related to sendemail.py:
index=_internal sendemail.py
Hi, thanks for your response. devicename is the hostname. E.g. I have configured a list of Linux servers to send logs to Splunk. The server name is shown in the field "host", which is actually the device name (server name). Similarly for Windows servers, firewalls, etc.
Linux servers: ab, dd, xy (configuring those devices under the index called 'linux')
Windows servers: wndw1, wndw2, wndw3 (configuring those devices under the index called 'windows')
Fortinet devices: frt1, frt2, frt3 (configuring those devices under the index called 'fortinet')
Now, I am using this tstats query:
|tstats count where index=* by host,index
The result will be:
host | index | count
ab | linux | 10
dd | linux | 20
xy | linux | 30
wndw1 | windows | 10
wndw2 | windows | 20
wndw3 | windows | 30
frt1 | fortinet | 10
frt2 | fortinet | 20
frt3 | fortinet | 30
Now, I have another set of devices (e.g. network devices: ntwk1, ntwk2, ntwk3), but the name of the device is under the field called 'asset'. My tstats query won't pick up these network devices. So I need your suggestion on how to include those.
Hey Giuseppe, thanks for your response; this is exactly what I was looking for. Can a virtual machine suffice for a cluster manager? I was wanting to cluster my environment for HA. If I enable clustering, do I still need to copy all of my data from the original indexer onto my new indexer? Or if I enable clustering, what do I need to do to replicate my data from my original indexer to my new indexer? Another question: if I am deploying a new indexer, should I update all my forwarders to send to both indexers, or should I leave it where it's sending its data to the original indexer?
That's how case works - it returns the value for the first matching condition. If you want to evaluate all conditions, you have to do three separate evals and assign values to three separate fields.
True, you can't use tstats with search-time extracted fields. There are other techniques to accelerate working with data. Which one will be appropriate for you depends on your data and use case.
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad