All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Hi @Hod152, why you did this? if you have tstats BY _time, you already have the timechart:   | tstats count WHERE case=test responseCode=200 requestStatus!=legal BY clientIp _t... See more...
Hi @Hod152, why you did this? if you have tstats BY _time, you already have the timechart:   | tstats count WHERE case=test responseCode=200 requestStatus!=legal BY clientIp _time span=1h   Anyway, it's always better to indicate the indexes to use in the search, to have more performant searces  and avoid default search path issues. Ciao. Giuseppe
Hi @Cloud001, what are the Replication Factor and the Search Factor? anyway, usually logs are plicated between the indexers of each site anche between the sites, in this way, you have at least one ... See more...
Hi @Cloud001, what are the Replication Factor and the Search Factor? anyway, usually logs are plicated between the indexers of each site anche between the sites, in this way, you have at least one searcheabel copy (or more) in each site. e.g. to have two copies of data in each site, you should have: site_replication_factor = origin:2, site1:2, total:4 for more details see at https://docs.splunk.com/Documentation/Splunk/9.2.2/Indexer/Multisitearchitecture Ciao. Giuseppe
We did the same thing you did.  DS and HF on the same internet facing server.  We disabled the web interface and manage the deployment server with .conf files only. All of the deployment clients for... See more...
We did the same thing you did.  DS and HF on the same internet facing server.  We disabled the web interface and manage the deployment server with .conf files only. All of the deployment clients for the DS/HF show up on in the Settings > Forwarder Management page as you describe.  All of the deployment clients in another deployment server show up too.  My guess is that the logs in the new _dsappevent, _dsphonehome, and  _dsclient indexes that are created in 9.2 is where that page gets its information.  It's very confusing.  There should be a column for the splunk_server in the display, so that we can tell which server is serving apps to which clients.
Hey, Iv'e noticed some wierd behviour that is making me suspect the relaibility of my queries so I'm really looking for an explanation, I was making some searches and displaying them on a timechart,... See more...
Hey, Iv'e noticed some wierd behviour that is making me suspect the relaibility of my queries so I'm really looking for an explanation, I was making some searches and displaying them on a timechart, for some reason the timechart looks completly different when I sort the fields befor. this is the basic search and it's results:     |tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| timechart sum(count) span=1h     After sorting clientIp field this is how the graph looks like:     |tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort -clientIp |timechart sum(count) span=1h         |tstats count WHERE case=test responseCode=200 requestStatus!=legal by clientIp _time span=1h| sort +clientIp |timechart sum(count) span=1h     Note that the count is decreased on the sorted search.     What can explain that behaviour? Which chart should I relay on? Is that a feature of sorting? Thanks  
2024-07-16T10:59:41.259Z eff08259-3379-5637-b5fe-dd4967aee355 ERROR Invoke Error {"errorType":"Error","errorMessage":"Required Message Attribute [EventTimestamp] is missing","errorCode":_ERROR","na... See more...
2024-07-16T10:59:41.259Z eff08259-3379-5637-b5fe-dd4967aee355 ERROR Invoke Error {"errorType":"Error","errorMessage":"Required Message Attribute [EventTimestamp] is missing","errorCode":_ERROR","name":"Error","stack":["Error: Required Message Attribute [EventTimestamp] is missing"," at throwRequiredParameterError  In the above log i need to extract errorMessage which was highlighted....Can anyone of you please help me in writing regex for the same.
Again - what in this event should tell Splunk that it's a new event?
Tried to use "_raw =errortrace" in fields alias section...it did not pick up this field alias.
Why is data from other sites retrieved?  1. splunk version  9.2.1   2. server.conf : manager-node      [general]      serverName = site01_master      pass4SymmKey = $7$50dW7T6+mDkef5xS4o2BemFWDA... See more...
Why is data from other sites retrieved?  1. splunk version  9.2.1   2. server.conf : manager-node      [general]      serverName = site01_master      pass4SymmKey = $7$50dW7T6+mDkef5xS4o2BemFWDAur04JWlGHTwFKCNHAXuGtkZkOaEg==      site = site1      [clustering]      available_sites = site1,site2      mode = manager      multisite = true      pass4SymmKey = $7$lBUz3IZR3TZJeUAdYDUZR4tesE3AL0ttpupYUywS3UrG7PdwqHZ01g==      site_replication_factor = origin:3,site1:3,total:6      site_search_factor = origin:2,total:2 3. server.conf : site1-SH      [general]      serverName = site01_sh01      pass4SymmKey = $7$lX74ABK5XURidryB9htlMI9hsjjZZSq0PulPOi3bCbCziiWrBBnN5g==      site = site1      [clustering]      manager_uri = https://192.168.79.141:8089      mode = searchhead      multisite = true      pass4SymmKey = $7$JZddW4jKx48TGUx03PmTHexz76aYtTwK/aW7cQ9AGFsnZaA++xv1lA==       3. server.conf : site2-SH      [general]      serverName = site02_sh01      pass4SymmKey = $7$zFcBrd6VgPug9rgiJvI+mvRI5H7PRWwuaGgg0HBY0UKp4hTMN1CBmQ==      site = site2      [clustering]      manager_uri = https://192.168.79.141:8089      mode = searchhead      multisite = true      pass4SymmKey = $7$3u+CM93kvNCnGZolsv6K9EdD6fyYpalpNDyfL/+Bq0D0Vuzd5u3kuQ==    
Thanks for Update    04/06/2024;09:55:33;Operator;Operator level: 0 -> 6 EP78543 line break Before and after  regex query
I just checked out my number formatting on the table and changed the precision to 0 exactly
This query is working fine with the given example But when I am running given query in index it not producing any result.  index = cba_hcck8s_UHGWM110-013948 host=prod_poc source=poc | fields ... See more...
This query is working fine with the given example But when I am running given query in index it not producing any result.  index = cba_hcck8s_UHGWM110-013948 host=prod_poc source=poc | fields - {}.* ``` optional ``` | spath path={} | mvexpand {} | fields - _* ``` optional ``` | spath input={} | eval totalCount = SKIPPED + PROCESSED | chart sum(SKIPPED) as SKIPPED,sum(PROCESSED) as Processed sum(totalCount) as TotalClaims by DAYHOUR DATE I am getting no result with this query. You know my data reside in message under event field. Might be this query not reaching message  field where rest of the data stored in array.    Also adding my row text    {"id":"0","severity":"Information","message":"[{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00343\",\"TOTAL\":0,\"PROCESSED\":11,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":15,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00598H\",\"TOTAL\":0,\"PROCESSED\":4,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02141\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":9,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00447\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":5,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":7,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00031AdjPro\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":30,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00343\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":43,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00031\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":9,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_HOSPICE_CLM\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00283\",\"TOTAL\":0,\"PROCESSED\":16,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02107\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00283\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":104,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02141\",\"TOTAL\":0,\"PROCESSED\":8,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00674\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":17,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253\",\"TOTAL\":0,\"PROCESSED\":40,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00758H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":6,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02076H\",\"TOTAL\":0,\"PROCESSED\":27,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00283H\",\"TOTAL\":0,\"PROCESSED\":9,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00120H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":14,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00721H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":105,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00479\",\"TOTAL\":0,\"PROCESSED\":7,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_05009H\",\"TOTAL\":0,\"PROCESSED\":13,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00243\",\"TOTAL\":0,\"PROCESSED\":47,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02061\",\"TOTAL\":0,\"PROCESSED\":1,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00119\",\"TOTAL\":0,\"PROCESSED\":9,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00035\",\"TOTAL\":0,\"PROCESSED\":101,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02093\",\"TOTAL\":0,\"PROCESSED\":188,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00680\",\"TOTAL\":0,\"PROCESSED\":5,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00394\",\"TOTAL\":0,\"PROCESSED\":198,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_01902\",\"TOTAL\":0,\"PROCESSED\":4,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00363\",\"TOTAL\":0,\"PROCESSED\":12,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00072H\",\"TOTAL\":0,\"PROCESSED\":2,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00035\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":25,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00660\",\"TOTAL\":0,\"PROCESSED\":19,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02093\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02117\",\"TOTAL\":0,\"PROCESSED\":58,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00035Med\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":5,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_CSTATUS\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":16,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00363\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":24,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_01902\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02149\",\"TOTAL\":0,\"PROCESSED\":3,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00072H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":28,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00380\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":8,\"FAILED\":8,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00367\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00200\",\"TOTAL\":0,\"PROCESSED\":28,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00479\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":23,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00663\",\"TOTAL\":0,\"PROCESSED\":3,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00119\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":1,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00243\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":25,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00598H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":482,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00031Medica\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":6,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00108\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":2,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":2,\"FAILED\":2,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_02131H\",\"TOTAL\":0,\"PROCESSED\":71,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_01000H\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":18,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00367\",\"TOTAL\":0,\"PROCESSED\":1,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00674\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":1,\"FAILED\":1,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00680\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":7,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00313\",\"TOTAL\":0,\"PROCESSED\":1,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_01010\",\"TOTAL\":0,\"PROCESSED\":1,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00674\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":141,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00660\",\"TOTAL\":0,\"PROCESSED\":0,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":94,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3},{\"TARGETSYSTEM\":\"CPW\",\"ARUNAME\":\"CPW_00253H\",\"TOTAL\":0,\"PROCESSED\":12,\"REMAINING\":0,\"ERROR\":0,\"FAILED\":0,\"SKIPPED\":0,\"PROCESSING\":0,\"DATE\":\"7/16/2024\",\"DAYHOUR\":3}]"}  
how do i get the values in days_to_eol to just show without the .00 decimal. I even rounded the result to the nearest whole number with my query
 any solution to this issue, i am also having same problem after upgrading to Splunk 9.2.2
We have approximately a year's worth of data in our Splunk Cloud instance. Due to certain reasons, we need to export all the indexed data from Splunk Cloud into readable files. What are the possible ... See more...
We have approximately a year's worth of data in our Splunk Cloud instance. Due to certain reasons, we need to export all the indexed data from Splunk Cloud into readable files. What are the possible ways to achieve this?
It would help if you post the data as text instead of a photo of it.
Hi     <search> <query>index=* EventCode=25753 | stats count(EventCode) as toto | append [| search index=* EventCode=* | stats count(EventCode) as toto2]</query> <earliest>-... See more...
Hi     <search> <query>index=* EventCode=25753 | stats count(EventCode) as toto | append [| search index=* EventCode=* | stats count(EventCode) as toto2]</query> <earliest>-7d@h</earliest> <latest>now</latest> <done> <condition> <set token="NbHost">$result.toto$</set> <set token="NbHost2">$result.toto2$</set> </condition> </done> </search> <option name="drilldown">none</option> <option name="underLabel">$NbHost$ / $NbHost2$</option>   I dont succeed to display the NbHost2 value under my single panel what is wrong please?    
And your props for this sourcetype are...?
i'm facing problem with the storage of splunk i tried multiple way to minimize the heavy data stored at hot/warm DB but nothing went ok since the cold data won't accept and migartions from the hot/wa... See more...
i'm facing problem with the storage of splunk i tried multiple way to minimize the heavy data stored at hot/warm DB but nothing went ok since the cold data won't accept and migartions from the hot/warm data       any suggestions?
Honestly (yes, I know it is not helping in the immediate problem at hand but might save you some time in the future), this is a very ugly data format. I suspect that someone just receives data with a... See more...
Honestly (yes, I know it is not helping in the immediate problem at hand but might save you some time in the future), this is a very ugly data format. I suspect that someone just receives data with a third-party solution which adds its own headers and forwards it to Splunk. The result is that you have some structure which Splunk is able to parse (the "outer json") and within that you have completely unparsed message field. And this field is "kinda like a json but not quite" so it doesn't parse properly (and I suspect there can be other types of events in that message field so no single parsing schema would work here). In the long run it would be best if you could force admins of your source solution to provide data in a more sane format.
dont post wrong answers to delete all the data