Have you tried it this way: | tstats count where index=_internal OR index=* [ search index=db_cloud sourcetype="azure:compute:vm:instanceView" | stats count by host | table host ] NOT [search index="_internal" source="*metrics.log*" group=tcpin_connections | stats count by hostname | rename hostname as host | table host] BY host
Thanks! I tried different ways but am unable to get this. If I want to add a line to check if the device is an Azure VM, how would I do this? | tstats count where index=_internal OR index=* NOT [search index="_internal" source="*metrics.log*" group=tcpin_connections | stats count by hostname | rename hostname as host | table host] BY host AND [ search index=db_cloud sourcetype="azure:compute:vm:instanceView" | rename host as host_changed | table host_changed] BY host I tried this but it does not work.
Hi All, has anyone managed to solve this issue without reinstalling the UF? We have this problem only on certain Windows Server 2022 machines. Other Windows versions are not affected. Also, not all Win2022 machines are affected, only certain ones. The command "Get-counter -ListSet *" returns the following error: Could not find any performance counter sets on the computer: error c0000bc8. Verify that the computer exists, that it is discoverable, and that you have sufficient privileges to view performance counter data on that computer. Perfmon counters are available for other users on this machine, so there is a problem for the SplunkForwarder user. I've used the "lodctr /R" command but the issue still persists. The issue occurred immediately after the upgrade to version 9.1.5, so it's definitely a Splunk problem.
Can you do the same but scroll the view to the right to show the fields beginning with "p"
It's showing most of the values but there is no path and responsetime.
Try this index="aws-apigateway" source1="rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl/prod" | spath input=event | table *
HFs typically run with the forwarder license. It doesn't allow local indexing and I suppose it might be time-unlimited. For DS there can be that funky "no ingest volume" license meant for running such on-prem components when you're flying Cloud. And they indeed might not have anything to do with the Cloud license in terms of expiration date.
 
The default (trial) Splunk license expires after 60 days so would not have a 2038 expiration date. The free license, which is what the trial license becomes after the trial ends, has a 2038 expiration date, but also has a number of limitations, including preventing an instance from functioning as a heavy forwarder or deployment server.  Also, the Settings->Licensing screen should clearly say "Free license". Again, your Splunk account team is your best source of answers about your licenses.
Probably not, but I'm not sure what you mean by "license duplication problems".  An LM will store only one copy of a license.
What about when you do this? index="aws-apigateway" source1="rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl/prod" | spath input=event
 
What do you get if you do this index="aws-apigateway" source1="rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl/prod" | table event
Absolutely great, because it is also expandable to more than two datasets to be compared. Here's what I did for a "triff": index=a | stats count by PSP_Element | rename * as a_* | rename a_PSP_Element as PSP_Element | eval a=1 | append [ | inputlookup koop_aws_spitz_zahlen PSP_Element=* | rename * as b_* | rename b_PSP_Element as PSP_Element | eval b=1 ] | selfjoin max=0 keepsingle=yes PSP_Element | append [ | makeresults format=csv data="PSP_Element F-330751 F-330755 F-330758 " | rename * as c_* | rename c_PSP_Element as PSP_Element | eval c=1 ] | selfjoin max=0 keepsingle=yes PSP_Element | where isnull(a) OR isnull(b) OR isnull(c) | eval x = coalesce(b_PLAN,a_Preis) | sort - x | fields - x | fields PSP_Element c a b *
 
Thanks once again @ITWhisperer. It works as expected.
Ahhh... so you see. Splunk tries to find events which have your "1" as an indexed field of the name you've given (which of course it will not have because it's a search-time lookup) or at least a verbatim "1" indexed value. So you would probably find some events with both your lookup matching properly as well as having the value of "1" _somewhere else_ in the raw event. (These are probably the 5 results you're getting.) It's just how Splunk parses your search; I'm not 100% sure if you can call it a bug. (There are other similar issues with Splunk searching data with "wrong" conditions.) EDIT: Is it a whole lispy search? I don't think so. EDIT2: Also - before Splunk constructs the lispy search, it creates an expanded SPL search, and before that it includes the knowledge-object processing which led to this search. You can dig there a bit more to see why it does what it does.
What is this that you have just shown? Please provide a screenshot
Yes, it seems Splunk has some more internal rules on how many buckets it creates so I think a doc feedback is called for.
No. If you remove it, Splunk will be trying to guess and that's performance-intensive. I don't know your data and don't know whether you have more border cases, but you can use a regex with alternative branches to match either form: TIME_PREFIX = (</ReceiverFmInstanceName><eqtext:EventTime>|</State><eqtext:EventTime>) (I'm not sure whether some of those characters require escaping, so take it with a pinch of salt.)