The simple answer is no - however, you could include a version number in your lookup, or a modified date as a new field, or every time you update it you save the old copy to a different lookup. Essentially, Splunk can only find information that you choose to keep.
I have OS log data coming from Windows/Linux into Splunk. I have a particular field with values unseparated. Sample log data representation:

_time parameter value
x a c b x1
x a c b x2
x a c b x3
y d e y1
y d e y2

I would want to split the parameter field's values in such a way that each parameter field will have one of the group values, in the same order. Sample output:

_time parameter value
x a x1
x c x2
x b x3
y d y1
y e y2

Can someone please help?
Hey, thank you for your answer. Unfortunately, I have forgotten what exactly this was referring to, but I think I got it sorted out, as I haven't heard anything else about it. Not sure what the fix was. Thank you nonetheless.
Hi ITWhisperer, Thank you for your message. This has worked partially. But we are unable to get the full count of those jobs with State ENDED NOTOK. Please help me out on this.
Is there currently a capability in Splunk that will allow us to search and compare the previous version of an input lookup to the current version of the input lookup to identify what has changed between the two? In search, is there a parameter we can pass to the inputlookup command to specify the version that we want to evaluate?
Hi Bowesmana, I want to say I really appreciated the level of detail you have provided; it will prove useful for future people who land here from Google searches. So I actually found the problem: I use the Splunk Cloud product, so we use a series of API calls to populate objects in the cloud, since we do not have access to the directories on their EC2 instances. I found that the Splunk App for Lookup File Editing API that our CI/CD process uses may not have supported kvStore acceleration options. On GitHub, I had the following collections.conf in our master branch, so I incorrectly assumed this was production:

[qualys_kb_kvstore]
accelerated_fields.QID_accel = {"QID": 1, "PATCHABLE": 1}
replicate = true

I tested the Splunk KVstore API against Splunk Cloud, and discovered the two lines accelerated_fields and replicate were not there. It was not getting applied. Our CI/CD process was NOT getting the acceleration options applied. I used the Splunk KVstore API instead to get the acceleration options to apply, and it worked. The lookup is now accelerated as expected. The lookup time was cut from 165 seconds to just 20 seconds.
Hello ITWhisperer, Thank you for your response. I have extracted all the mentioned fields earlier as well. But is there any possibility in the extraction that we can extract only the status of ENDED NOTOK jobs?
Hi! I tried adding this line to my inputs.conf: no_appending_timestamp = true, but I am still seeing logs come in to Splunk with the UTC time even though the log itself shows a Central timestamp.
I have an odd task I'm trying to fulfill and I'm not entirely sure how to go about it. We have a print server that forwards logs to Splunk. We also have multiple printers that are on a separate VLAN that only the print server can see. The objective is to see if we can pull the logs directly from the printer and forward them to Splunk. From what I've been reading, this should be possible by setting up the print server as a sort of intermediate forwarder? I believe the process is to have the printers redirect their logs to the print server to a specific folder, then add that folder to the list of logs being reported in the Splunk forwarder. Does that sound correct? Has anyone done this before? Any instructions that could make this easier? I'm fairly new to Splunk and I'm still learning how to set things up so as many details as possible would be helpful. Thanks.
@bhawkins1 Old post; you probably have an answer. I was looking for one and came up with this.

```Set blank_calc for same and not fields for future eval commands.```
| foreach *_same, *_not
    [| fillnull value="blank_calc" <<FIELD>>]

Worked for me. God bless, Genesius
Please don't duplicate posts - it just clutters the site - please follow the answer here https://community.splunk.com/t5/Splunk-Search/Facing-issue-while-extracting-required-fields-and-while-using/m-p/682268#M233094
It looks like you have too many backslashes (and execution_time_in_seconds does not appear in your sample):

| rex max_match=0 "\\\\\\\"jobname\\\\\\\":\s*\\\\\\\"(?<Name>[^\\\]+)"
| rex max_match=0 "\\\\\\\"status\\\\\\\":\s*\\\\\\\"(?<State>[^\\\]+)"
| rex max_match=0 "Timestamp\\\\\\\": \\\\\\\"(?<TIME>\d+\s*\d+\:\d+\:\d+)"
| rex max_match=0 "execution_time_in_seconds\\\\\\\": \\\\\\\"(?<EXECUTION_TIME>[\d\.\-]+)"