All Posts
Sorry, I don't understand what you are talking about re splitting your data - what is being split with the dbxquery?
If the data is in an index, it must be placed there with a timestamp, so if an app was updated 45 days ago, that info was ingested to Splunk and the Splunk _time timestamp is 45 days ago, the only way you can find that data is to search with a time range that encompasses that time. But of course you don't know when it was updated. I have used a technique in the past where I roll forward existing index data by running a search at say 1am that searches for data from yesterday (earliest=-d@d and latest=@d) and does a stats latest(*) as * by X Y Z, then uses collect to write that data to the index with the current timestamp (1am), so effectively all rolled-forward items from the previous day PLUS any new items that are added in the same day are collected to the same index. Naturally you would need to massage the data so that any updates would then shift previous->discard, current->previous, new->current. That means your previous day's data is always the latest view of all versions. Not sure if this helps. Have you tried using the KV store for the lookup? That's another story, and you can use some accelerated keys for that data that may make it perform faster than a standard lookup.
I'm currently working on optimizing our Splunk deployment and would like to gather some insights on the performance metrics of Splunk forwarders. Transfer Time for Data Transmission: I'm interested in understanding the typical time it takes for a Splunk forwarder to send a significant volume of data, say 10 GB, to the indexer. Are there any benchmarks or best practices for estimating this transfer time? Are there any factors or configurations that can significantly affect this transfer time? Expected EPS (Events Per Second): Additionally, I'm curious about the achievable Events Per Second (EPS) rates with Splunk forwarders. What are the typical EPS rates that organizations achieve in real-world scenarios? Are there any strategies or optimizations that can help improve EPS rates while maintaining stability and reliability? Any insights, experiences, or recommendations regarding these performance metrics would be greatly appreciated. Thank you!
Hi, Thanks for your help. No, I do not care about the order. I am afraid that if I split the data and re-combine it, it will return duplicate/missing data, as it doesn't have a unique identifier. Also, I don't know how to split the data while keeping the same _time. Please help answer this. Thanks. How do I split my query from DBXquery (e.g. 200k rows) and push it into a Summary Index at the same time?
Hello, Thank you again for your help. Just to clarify, I cannot set _time to the exact time every time I query the data, correct? So, I need to filter the data by last update if I want to get the most recent copy. I am currently using a CSV as a lookup, but the limitation is the size, like you mentioned. I am trying to replace the CSV lookup by doing the following. Please let me know what you think. https://community.splunk.com/t5/Splunk-Search/How-to-perform-lookup-from-index-search-with-dbxquery/m-p/650654

index=vulnerability_index
| table ip_address, vulnerability, score
| append [| dbxquery query="select * from tableCompany"]
| stats values(*) as * by ip_address
Hello @bowesmana  Your solution hit the spot! Thank you so much
Without knowing a bit more about your data and extracted fields, you could do something like this:

| eval BROWSER=if(BROWSER="Chrome" AND match(_raw, " Edg\/"), "Edge", BROWSER)
Hi Dear Malaysian Splunkers, As part of the SplunkTrust tasks, I have created a Splunk User Group for Kuala Lumpur, Malaysia. https://usergroups.splunk.com/kuala-lumpur-splunk-user-group/ Please join and let's discuss monthly about Splunk and getting more value from the data. See you there. Thanks. Best Regards, Sekar
Hello, I have this search for tabular format.

index="webbff" "SUCCESS: REQUEST" | table _time verificationId code BROWSER BROWSER_VERSION OS OS_VERSION USER_AGENT status | rename verificationId as "Verification ID", code as "HRC" | sort -_time

The issue is in the BROWSER column: even when a user accesses our app via Edge it still shows as Chrome. I found a dissimilarity between the two logs. The one that is accessed via Edge contains "Edg" in the logs.

Edge logs:

metadata={BROWSER=Chrome, LOCALE=, OS=Windows, USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/124.0.0.0 Safari/xxx.xx Edg/124.0.0.0, BROWSER_VERSION=124, LONGITUDE=, OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})

Chrome logs:

metadata={BROWSER=Chrome, LOCALE=, OS=Mac OS X, USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/xxx.xx (KHTML, like Gecko) Chrome/124.0.0.0 Safari/xxx.xx, BROWSER_VERSION=124, LONGITUDE=, OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})

My question is, how do I create a conditional search for BROWSER like: if it contains Edg then Edge, else BROWSER?
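An added example, not from the question or its answer: a small Python parser for the metadata={...} lines quoted above, applying the same " Edg/" test as the SPL eval to re-label Edge. It goes one step beyond the question by also recognising Opera's " OPR/" token, which the same Chrome-based user agent pattern hides; the two log lines are copied from the question, the BROWSER_TOKENS table is an assumption.

```python
import re

# Values may contain commas (e.g. "KHTML, like Gecko"), so a pair ends only
# where ", KEY=" begins or the body ends; keys are upper-case identifiers.
PAIR_RE = re.compile(r"([A-Z_]+)=(.*?)(?=, [A-Z_]+=|$)")

# Chromium-based browsers that still report "Chrome" in the UA string.
# Assumed table: the token is matched with a leading space, as in the SPL answer.
BROWSER_TOKENS = [(" Edg/", "Edge"), (" OPR/", "Opera")]


def parse_metadata(line):
    """Return the KEY=value pairs inside metadata={...} as a dict."""
    start = line.find("metadata={")
    if start < 0:
        return {}
    body = line[start + len("metadata={"):]
    end = body.rfind("}")
    if end >= 0:
        body = body[:end]
    return {key: value for key, value in PAIR_RE.findall(body)}


def normalize_browser(fields):
    """Apply the Edg/ rule (and the assumed OPR/ rule) to the BROWSER field."""
    browser = fields.get("BROWSER", "")
    user_agent = fields.get("USER_AGENT", "")
    if browser == "Chrome":
        for token, name in BROWSER_TOKENS:
            if token in user_agent:
                return name
    return browser


def browser_for_line(line):
    return normalize_browser(parse_metadata(line))


# Log lines copied from the question above.
EDGE_LINE = ("metadata={BROWSER=Chrome, LOCALE=, OS=Windows, USER_AGENT=Mozilla/5.0 "
             "(Windows NT 10.0; Win64; x64) AppleWebKit/xxx.xx (KHTML, like Gecko) "
             "Chrome/124.0.0.0 Safari/xxx.xx Edg/124.0.0.0, BROWSER_VERSION=124, "
             "LONGITUDE=, OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})")
CHROME_LINE = ("metadata={BROWSER=Chrome, LOCALE=, OS=Mac OS X, USER_AGENT=Mozilla/5.0 "
               "(Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/xxx.xx (KHTML, like Gecko) "
               "Chrome/124.0.0.0 Safari/xxx.xx, BROWSER_VERSION=124, LONGITUDE=, "
               "OS_VERSION=10, IP_ADDRESS=, APP_VERSION=, LATITUDE=})")

if __name__ == "__main__":
    for line in (EDGE_LINE, CHROME_LINE):
        print(browser_for_line(line))  # Edge, then Chrome
```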
hey guys, with data retention being set, is there a way to whitelist a specific container to prevent it from being deleted?
Thank you @bowesmana,   I was looking for  | where (Check_Feature_Availability="false") AND ("a" IN ("a"))   Thank you.
I'm looking for a particular string in the list of strings. The "a" in the first part is not from a field, it's just a string that I'm trying to compare against. I'm trying to implement the following logic in Python: "word1" in ['word1', 'word2', ..., 'word_x', ]
OK, so I assume the list of strings is a, b and c, but what is the FIRST "a" in your statement "a" in ("a","b","c")? As I said in my first reply, the search statement is comparing FIELD "a" with the string values of the IN part. Is your field "a" something that has those values? For you to get all results simply by adding that AND statement would imply field "a" has "a" in all your events.
| search (Check_Feature_Availability=false) AND NOT ("Choice1" IN ("Choice1", "Choice2", "Choice3")) OR (Check_Feature_Availability=true) AND ("Choice1" IN ("Choice1", "Choice2", "Choice3"))

The list is really all the options from a multi-valued dropdown menu. The values are all different.
I am trying to dynamically alter my searched data by combining a value from my data source (Check_Feature_Availability, boolean data) with a selected value from a multi-dropdown in the dashboard (list of strings).
So what is "a" in the first part of the statement? Your statement is saying: does field "a" (NOT) have a value of a, b or c? What is field "a" in your context, and do they all have the value "a"?
What I'm trying to achieve from this is to implement an "exclusive or" logic.

| search (Check_Feature_Availability=false) AND NOT ("a" IN ("a", "b", "c")) OR (Check_Feature_Availability=true) AND ("a" IN ("a", "b", "c"))

TIA
| search (Check_Feature_Availability=false) AND ("a" in ("a"))

is saying "does field "a" have a value of "a""; it is not comparing text "a" with text "a". Compare that with

| where (Check_Feature_Availability="false") AND ("a" IN ("a"))

Note the added quotes around "false". That is comparing text "a" with text "a" and will match. What is the purpose of that constraint?
It does work. See this example row/panel that creates some pseudo data and simulates what you're trying to do:

<row>
  <panel>
    <input type="dropdown" token="func_option">
      <label>Func</label>
      <choice value="Func1">Func1</choice>
      <choice value="Func2">Func2</choice>
      <choice value="Func3">Func3</choice>
    </input>
    <chart>
      <search>
        <query>| makeresults count=1000 | eval _time=_time-random() % 3600 | eval Func=mvindex(split("Func1,Func2,Func3",","), random() % 3) | eval duration=random() % 1000000 / 1000 | timechart fixedrange=t count avg(duration) by Func | fields _time avg*$func_option$ count*</query>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
        <sampleRatio>1</sampleRatio>
      </search>
      <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
      <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisTitleY2.visibility">visible</option>
      <option name="charting.axisX.abbreviation">none</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.abbreviation">none</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.axisY2.abbreviation">none</option>
      <option name="charting.axisY2.enabled">1</option>
      <option name="charting.axisY2.scale">inherit</option>
      <option name="charting.chart">column</option>
      <option name="charting.chart.bubbleMaximumSize">50</option>
      <option name="charting.chart.bubbleMinimumSize">10</option>
      <option name="charting.chart.bubbleSizeBy">area</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.overlayFields">"avg(duration): $func_option$"</option>
      <option name="charting.chart.showDataLabels">none</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">none</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.mode">standard</option>
      <option name="charting.legend.placement">right</option>
      <option name="charting.lineWidth">2</option>
      <option name="refresh.display">progressbar</option>
      <option name="trellis.enabled">0</option>
      <option name="trellis.scales.shared">1</option>
      <option name="trellis.size">medium</option>
    </chart>
  </panel>
</row>

I can choose the Func dropdown and it will make that particular Func the chart overlay using the token.
I apologize if the following question might be a bit basic, but I'm confused with the results. When I append the following code into the "search" line, it returns a shortened list of results (from 47 to 3):

AND ("a" in ("a"))

Original code:

index=main_service ABC_DATASET Arguments.email="my_email@company_X.com"
| rename device_model as hardware, device_build as builds, device_train as trains, ABC_DATASET.Check_For_Feature_Availability as Check_Feature_Availability
| search (Check_Feature_Availability=false) AND ("a" in ("a"))
| table builds, trains, Check_Feature_Availability

I was expecting to see the same number of results. Am I wrong about my expectations, or am I missing something here? TIA