Hello. Thank you for the response. I think it's 8GB. If I increase the memory, will I be charged on my AWS account? Secondly, how can we save on memory usage in my Splunk Console?
Hello @dtburrows3, I didn't know about this "useother" option, and it works, it's exactly what I was looking for: Thank you very much for your help. Sincerely, Lionel M.
You can try
| timechart span=1w useother=false limit=10 count by Service
This should limit the chart to only the top 10 and also discard any events that don't fall into the top 10.
Hello community, I am having a problem displaying a graph. I have an index that contains incidents from several monitoring tools. I need to pull up a top 10 of the most recurring alerts (that's done). However, on this top 10, I am asked for a graph to show the evolution of the number of errors in this top per week (in order to see, for example, when a fix has been deployed). And this is where I encounter a problem: in my query, I have my top 10, but I have an OTHER which brings together everything that is after the top 10. Here is the query that causes this graph:
index=oncall_prod
| search routingKey != "routingdynatrace_cluster"
| dedup incidentNumber
| rename entityDisplayName as Service
| timechart span=1w count by Service
| sort - count limit=10
I tried to use "head" or "top" to force the display of the first 10 results only, but in the case of "head", it doesn't change anything, and in the case of "top", my screen remains empty. I've searched the forum and it's often these two answers that come up, but in my case, it doesn't work. Do you know how to remove the OTHER to only have the first 10 results in my graph? Sincerely, Rajaion
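The accepted fix above is `timechart span=1w useother=false limit=10 count by Service`. The following Python is an added example, not code from the thread or from Splunk: it models what that command does on constructed incident records (a `dedup incidentNumber` step, the `routingKey` filter, weekly buckets, the `limit` picking the ten busiest series) so the difference between `useother=true` (the OTHER column the question complains about) and `useother=false` (those services simply dropped) is visible in the output. The field names mirror the question's query; the data generator and the week bucketing are my assumptions about the shape of the events.

```python
from collections import Counter
from datetime import date, timedelta

EXCLUDED_ROUTING_KEY = "routingdynatrace_cluster"  # the routingKey the question's search filters out


def build_sample_incidents():
    """Constructed data, not real oncall events: 12 services over 3 weeks.
    svc01 raises 12 incidents a week, svc02 11, ... svc12 only 1, so a top-10
    leaves two services (svc11, svc12) that timechart would fold into OTHER.
    Every incident is recorded twice (a re-notification with the same
    incidentNumber) to give `dedup incidentNumber` something to remove."""
    incidents = []
    number = 1000
    for week in range(3):
        day = date(2024, 1, 1) + timedelta(weeks=week)  # 2024-01-01 is a Monday
        for rank in range(1, 13):
            service = f"svc{rank:02d}"
            for _ in range(13 - rank):
                number += 1
                for offset in (0, 1):  # original notification + re-notification next day
                    incidents.append({"_time": day + timedelta(days=offset),
                                      "incidentNumber": number,
                                      "routingKey": "routingpagerduty",
                                      "entityDisplayName": service})
        # One event per week from the excluded routing key, which the search drops.
        number += 1
        incidents.append({"_time": day, "incidentNumber": number,
                          "routingKey": EXCLUDED_ROUTING_KEY,
                          "entityDisplayName": "dynatrace"})
    return incidents


def dedup(incidents, key="incidentNumber"):
    """`dedup incidentNumber`: keep only the first event seen for each incident number."""
    seen, kept = set(), []
    for event in incidents:
        if event[key] not in seen:
            seen.add(event[key])
            kept.append(event)
    return kept


def week_start(day):
    """`span=1w` bucket: the Monday on or before the event's date (assumed bucketing)."""
    return day - timedelta(days=day.weekday())


def timechart_count_by_service(incidents, limit=10, useother=True):
    """Model `timechart span=1w limit=N useother=... count by Service`.

    Returns (columns, rows); rows maps each week start to {column: count}.
    `limit` keeps the N series with the highest overall count. The remaining
    series are summed into an OTHER column when useother is True and are
    silently dropped when it is False, which is what the asker wanted."""
    events = [e for e in dedup(incidents) if e["routingKey"] != EXCLUDED_ROUTING_KEY]
    totals = Counter(e["entityDisplayName"] for e in events)
    top = [service for service, _ in totals.most_common(limit)]
    columns = top + (["OTHER"] if useother and len(totals) > limit else [])
    rows = {}
    for event in events:
        bucket = rows.setdefault(week_start(event["_time"]), {c: 0 for c in columns})
        service = event["entityDisplayName"]
        if service in top:
            bucket[service] += 1
        elif useother:
            bucket["OTHER"] += 1
    return columns, rows


if __name__ == "__main__":
    data = build_sample_incidents()
    for flag in (True, False):
        columns, rows = timechart_count_by_service(data, limit=10, useother=flag)
        print(f"useother={flag}: columns={columns}")
        for week in sorted(rows):
            print("  ", week, rows[week])
```

With `useother=True` every week carries an eleventh column, OTHER, holding the 3 incidents of svc11 and svc12; with `useother=False` the table has exactly the ten top series and those 3 incidents are not charted at all. Note that the `sort - count limit=10` in the original query runs after `timechart`, at which point there is no `count` field to sort on, which is why it had no effect.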
@gcusello - I was able to find the way with rename:
"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log"
| rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)"
| table app version userId date_mday
| dedup userId
| sort version
| fields "app", "date_mday", "userId", "version"
| rename "date_mday" AS "Date"
How much memory does the AWS instance have? It should have at least 12GB. It's possible your search query is too memory-intensive. Use the fields command to remove unused fields and save memory. Share the query so we can offer other suggestions to reduce memory use.
Hello @gcusello, sorry to come back, but is there any way to change the table label? Example of my search:
"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log"
| rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)"
| table app version userId date_mday
| dedup userId
| sort version
Can my table look like the below?
app version userid Date (rather than date_mday)
Hi @svodela, good for you, see you next time! Let me know if I can help you more, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
Hi @adrifesa95, it isn't so easy; you should create a lookup containing two columns (area, mail) and modify your alerts in this way:
<your_alert>
| lookup your_lookup.csv area OUTPUT mail
| sendmail to=mail
supposing that in your mail search you have the area field matching the value in the lookup. Ciao. Giuseppe
Hello, Splunk support helped me and gave me the solution. There is no feature to easily reset the password for a user. The admin needs to update it directly in the database:
su caspida
psql -d caspidadb
update accounts set password=md5('changeme') where email='admin';
Replace "admin" with your username and "changeme" with your chosen password.
Hi @adrifesa95, the question is: do you have Enterprise Security or not? Anyway, if there isn't Enterprise Security you can apply my solution. Ciao. Giuseppe
Hi @svodela, if you're sure that your applications don't have numbers in their names and that the version is always in the format "nn.nn.nn", you could use a regex like the following to extract apps and versions and run a search like the following:
<your_search>
| rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)"
| table app version
You can check the regex at https://regex101.com/r/FNieNJ/1 Ciao. Giuseppe
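The `rex` answer above, and the `| table ... | dedup userId` search that @svodela built on it earlier in the thread, can be checked offline against sample lines. The Python below is an added example, not code from the thread or from Splunk or WSO2: it applies the same regex (spelled `(?P<name>...)` because Python's `re` module names groups that way) to constructed wso2carbon.log-style lines, then models the `table app version userId | dedup userId` pipeline. The last sample line shows the caveat Giuseppe states: an application name that ends in a digit makes the regex split app and version in the wrong place. The log line layout and the `userId=` field are my assumptions.

```python
import re

# The thread's SPL pattern, with Python's (?P<name>...) syntax for named groups.
CORRELATION_RE = re.compile(r"correlation-sit=(?P<app>[A-Za-z]+)(?P<version>\d+\.\d+\.\d+)")
USER_RE = re.compile(r"userId=(?P<userId>\S+)")  # assumed field name and layout

# Constructed log lines in a wso2carbon.log-like layout; not real log data.
SAMPLE_LINES = [
    "TID: [-1234] [] [2024-01-08 10:15:02,101] INFO - correlation-sit=sgs1.0.3 userId=u100",
    "TID: [-1234] [] [2024-01-08 10:16:45,902] INFO - correlation-sit=billing2.4.0 userId=u101",
    "TID: [-1234] [] [2024-01-08 10:17:10,003] INFO - correlation-sit=sgs1.0.3 userId=u100",
    "TID: [-1234] [] [2024-01-08 10:18:33,777] INFO - no correlation field here userId=u102",
    "TID: [-1234] [] [2024-01-08 10:19:00,000] INFO - correlation-sit=app21.2.3 userId=u103",
]


def extract_correlation(line):
    """`rex "correlation-sit=..."`: the app and version groups, or None if no match."""
    match = CORRELATION_RE.search(line)
    return match.groupdict() if match else None


def rex_table(lines):
    """Model `| rex ... | table app version userId | dedup userId`.

    A line the regex does not match still produces a row (with empty app and
    version), just as the SPL table would show that event with only userId
    filled in. dedup keeps the first row for each userId."""
    rows, seen_users = [], set()
    for line in lines:
        fields = extract_correlation(line) or {"app": "", "version": ""}
        user = USER_RE.search(line)
        fields["userId"] = user.group("userId") if user else ""
        if fields["userId"] in seen_users:
            continue
        seen_users.add(fields["userId"])
        rows.append(fields)
    return rows


def rename_field(rows, old, new):
    """`| rename old AS new`, as used later in the thread for date_mday -> Date."""
    return [{(new if key == old else key): value for key, value in row.items()} for row in rows]


if __name__ == "__main__":
    for row in rename_field(rex_table(SAMPLE_LINES), "userId", "User"):
        print(row)
```

The fourth result is the one to watch: `correlation-sit=app21.2.3` yields `app=app` and `version=21.2.3`, because `[A-Za-z]+` stops at the first digit and `\d+\.\d+\.\d+` happily absorbs the rest. That is exactly the "no numbers in application names" condition the answer sets, and it is worth testing the regex against real application names before relying on the extracted version in a dashboard.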
Hello everyone, I'm attempting to run search queries in Splunk Free Edition. It worked well for some time, and then I got the error "Search has been terminated. This is most likely due to a lack of recollection." This occurs rather frequently. I created a free AWS instance using the Linux platform. Please suggest any solutions for these problems. (I've included a screenshot for reference.)
Hi @adrifesa95, are you speaking of Splunk Enterprise or Enterprise Security? If Enterprise Security, it's a very hard job to implement multitenancy because ES isn't multitenant by default. If Splunk Enterprise, you could create different alerts for each zone, working only on the indexes of that area and sending mails only to users of that area. Ciao. Giuseppe