Hi, I want to create a search to find all the events for which the last row exists but there is at least 1 row missing. Example is attached below. Splunk query: `macro_events_prod_gch_comms_esa` gch_messageType="Seev.047*" host="p*" gch_status="*" NOT "BCS" | table BO_PageNumber,BO_LastPage,gch_status | rename BO_PageNumber as PageNo, BO_LastPage as LastPage, gch_status as Status | sort by PageNo. The requirement is to find all the events for which LastPage as True exists and there is at least 1 row missing with PageNo less than the PageNo of the row with LastPage as True.
Hi @twanie, as @bowesmana said, it isn't possible because Splunk isn't a database: in the index you have, day by day, all the events, and it's not possible to delete or replace them; in this way you also have the history of your data. If you want a table that you can replace every day, you could save the results of your query in a lookup that you recreate every day. Ciao. Giuseppe
Hi @ericg57, I agree with you: I don't remember that it's possible to change the monitoring interval, but why do you want this? It's better to have the new events as soon as possible, and they are read in near real time. The solution with a script is possible, but it does the same job as the monitor command, so why? Ciao. Giuseppe
The message appeared for forwarders (search head cluster) upgraded to 9.1.2. Settings: forceTimebasedAutoLB = false, useACK = true, autoLBFrequency = 30. Upgrading doesn't change the behavior on full Enterprise Splunk, but this seems to work on Universal Forwarder.
Hello, why does Splunk drilldown open two tabs instead of one? Here's my setting: Image => Drilldown settings => On click, link to custom URL => put URL. When I clicked, it opened two tabs. I found an old post, but nobody answered. Please help. Thanks. https://community.splunk.com/t5/Dashboards-Visualizations/Why-is-Splunk-drilldown-setting-opening-two-tabs-instead-of-one/m-p/602444
@ITWhisperer @gcusello In Hadoop ResourceManager, once after "Operation=Submit Application Request", ResourceManager will "Allocate New ApplicationID". I would like to see how much time difference there is between the 2 subsearches in the Splunk query.
Hello @jamesbanday, the message "is not a known identity" is related to the Identities that are configured in Splunk Enterprise Security; probably this user is not configured in the Identities lookup. To configure Assets & Identities in Splunk Enterprise Security, use the following doc: https://docs.splunk.com/Documentation/ES/7.3.0/Admin/Addassetandidentitydata. Also, you could check in Splunk if this identity exists using the identities macro: | `identities` | search identity=<NAME_IDENTITY> Thanks.
On that same link, they have given a good search explanation. May I know if you read it? May I know what confusion you have after reading that? Thanks.
Hello @MattH665, I believe that you are looking for the setting hostname = <your_hostname> in alert_actions.conf - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Alertactionsconf#GLOBAL_SETTINGS. Examples: http://splunkserver:8000, https://splunkserver.example.com:443. Remember to restart your instance after the changes. Thanks.