All Posts

@Markfill - Please describe what you mean by index rolling (I assume you mean bucket rolling and not index rolling):
* Warm bucket to cold bucket? OR
* Cold bucket to frozen bucket or being deleted?
I am using the below query (server names replaced) to find when there is a greater than 50% difference in volume between 2 call routers (servers). For some reason I'm getting no timechart results, even when setting the difference to 1%, which should always return results.

index=OMITTED source=OMITTED host="SERVER1" OR host="SERVER2"
| stats max(Value) as Value by host
| eventstats max(if(host='SERVER1', Value, null)) as server1_value max(if(host='SERVER2', Value, null)) as server2_value
| eval value_difference = abs(server1_value - server2_value)
| eval value_percentage_difference = if(coalesce(server1_value, server2_value) != 0, (value_difference / coalesce(server1_value, server2_value) * 100), 0)
| where value_percentage_difference > 1
| timechart avg(value_percentage_difference)
Do we have a Splunk attribute to fetch the index? We are passing the index in the Splunk query. With only the log file, do we have any Splunk attribute to fetch the index (index=aaa, index=bbb), like we have for host?

index=aaa source="/var/log/tes1.log" | stats count by host
In QA and PROD I have 3 servers:
test - testhost
qa - qahost1, qahost2, qahost3
prod - prodhost1, prodhost2, prodhost3

and my query would be, for qa, if I choose qa from the dropdown list:

index=aaa source="/var/log/tes1.log" ((host=qahost1) OR (host=qahost2) OR (host=qahost3))

Can you please help me integrate the above with the query below?

index=aaa source="/var/log/test1.log" | stats count by host | eval category=case(match(host, "t"), "Test", match(host, "q"), "QA", match(host, "p"), "Prod", true(), "Unknown")
These were dummy numbers, apologies. Percent change of the average. This is what I am looking for:

Date                    S0100D       S0400D
Friday    2024-04-11    200 (50%)    250 (25%)
Saturday  2024-04-11    600 (50%)    1750 (75%)
AVG                     400          1000
Still facing the same issue. It is intermittent: sometimes it is working and sometimes not. I should get Total_GB1 and the total of all columns, but instead I am getting 18 in place of Total_GB1, and the penultimate value is getting printed in 18.
Right now! What is the best visualization to plot such multi data sources? It should illustrate the response codes from each back-end service as the time changes. 
Hi, you said “due to a recent release”. What is this? A new Splunk version, a new software release of your business app, or something else?
r. Ismo
index keeps rolling of data due to size even after size has been increased. Is there another way to resolve this issue?
Hi, something like

TIME_PREFIX=^\d+:\d+:\d+:\d+:
TIME_FORMAT=%Y/%m/%d %H:%M:%S.%2Q

r. Ismo
I have a cloud-based server sending events to the Indexer over my WAN link via HTTP Event Collector (HEC). We have limited bandwidth on the WAN link. I want to limit (blacklist) a number of event codes and reduce the transfer of log data over the WAN.
Q: Does a blacklist in inputs.conf for the HEC filter the events at the indexer, or does it stop those events from being transferred at the source?
Q: If I install a Universal Forwarder, am I able to stop the blacklisted events from being sent across the WAN?
Not really,  4880961 (75%) means what?  4880961 isn't 75% of any of your other figures.
Splunk does not have an out-of-the-box REST input.  You have to install an app for that.  There are a number of apps on splunkbase that support REST so perhaps you can use one of them as a model for building your own app to the API in question.
This is what I am looking for, well maybe:

Date                  S0100D            S0400D
Friday 2024-04-11     4880961 (75%)     5247555 (35%)
AVG                   34509759          4750349554

If that makes sense.
Try without the penultimate search, |search MOP=*. It isn't necessary, as stats by MOP effectively does the same thing, i.e. you will only get stats for non-null values of MOP, which is what the search is doing as well.
Can you please let me know the TIME_PREFIX & TIME_FORMAT for the below log type.

00:0009:00000:00000:2024/04/12 12:14:02.34 kernel extended error information
00:0009:00000:00000:2024/04/12 12:14:02.34 kernel  read returning -1 state 1
00:0009:00000:00000:2024/04/12 12:14:02.34 kernel nrpacket: recv, Connection timed out, spid: 501, suid: 84
I mean to say I am not getting the required result. You can find the same in the attached snippet.
It isn't clear what you mean here, % of the total average? Do you mean the percentage of the total for that host that the count represents, or the percentage of the grand total for that host? Since you have also used timechart, I guess you could also mean the percentage of the total for the time bin that the count for the host represents. It is probably best if you work out what it is that you are trying to show in your table/chart to clarify what the required calculation is.
Your makeresults isn't valid SPL, so it is still a little unclear what you are working with. Having said that, if your makeresults has two fields, a key field and an expected results field, you could append your makeresults to your actual results and then use stats to combine the events by their key values; then you can compare whether they are different.
That is amazing, thank you. I am new to the Splunk world as you can see. How about a field next to each host that calculates the % of the total average per count?