Those messages are reporting normal behavior.  No action is required so the messages can be ignored.  The messages cannot be suppressed except by changing the logging level.
I added the below to get what I want.

| search Country!=<country name>
The Splunkd logs are sending me the messages listed below. Three days later, the alerts reappear once Splunkd has restarted. However, I've since made some adjustments to indexes.conf and added two attributes.

maxHotBuckets = 5
minHotIdleSecsBeforeForceRoll = auto

Please advise if both settings are sufficient to permanently remove the information messages.

11-04-2023 15:40:09.545 +0100 INFO HotBucketRoller - finished moving hot to warm bid=asr~308~34353497-7F2F-41CB-B772-DAF7007EA623 idx=abs from=hot_v1_308 to=db_1698249739_1698190953_308 size=786313216 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
11-03-2023 22:07:29.511 +0100 INFO HotBucketRoller - finished moving hot to warm bid=_internal~379~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_internal from=hot_v1_379 to=db_1698211695_1698040811_379 size=1048535040 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
11-01-2023 07:31:25.596 +0100 INFO HotBucketRoller - finished moving hot to warm bid=_audit~69~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_audit from=hot_v1_69 to=db_1696240764_1695536757_69 size=786419712 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-31-2023 19:58:48.033 +0100 INFO HotBucketRoller - finished moving hot to warm bid=messagebus~140~34353497-7F2F-41CB-B772-DAF7007EA623 idx=melod from=hot_v1_140 to=db_1696974841_1696841261_140 size=786358272 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-31-2023 17:23:48.700 +0100 INFO HotBucketRoller - finished moving hot to warm bid=asr~303~34353497-7F2F-41CB-B772-DAF7007EA623 idx=adr from=hot_v1_303 to=db_1697800494_1697727845_303 size=785281024 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-29-2023 00:03:30.635 +0200 INFO HotBucketRoller - finished moving hot to warm bid=_internal~376~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_internal from=hot_v1_376 to=db_1673823600_1673823600_376 size=40960 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-27-2023 12:24:16.567 +0200 INFO HotBucketRoller - finished moving hot to warm bid=messagebus~138~34353497-7F2F-41CB-B772-DAF7007EA623 idx=melod from=hot_v1_138 to=db_1696587710_1696461161_138 size=786423808 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-25-2023 07:28:42.146 +0200 INFO HotBucketRoller - finished moving hot to warm bid=_internal~374~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_internal from=hot_v1_374 to=db_1697476202_1697263512_374 size=1048510464 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-24-2023 06:36:55.716 +0200 INFO HotBucketRoller - finished moving hot to warm bid=asr~293~34353497-7F2F-41CB-B772-DAF7007EA623 idx=adr from=hot_v1_293 to=db_1697038969_1696983723_293 size=786386944 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-20-2023 13:15:13.165 +0200 INFO HotBucketRoller - finished moving hot to warm bid=asr~286~34353497-7F2F-41CB-B772-DAF7007EA623 idx=adr from=hot_v1_286 to=db_1696492029_1696421708_286 size=785948672 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-17-2023 08:50:44.494 +0200 INFO HotBucketRoller - finished moving hot to warm bid=_internal~373~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_internal from=hot_v1_373 to=db_1697263511_1697083171_373 size=1048502272 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-16-2023 19:10:28.534 +0200 INFO HotBucketRoller - finished moving hot to warm bid=_internal~372~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_internal from=hot_v1_372 to=db_1697083169_1696908238_372 size=1048461312 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-15-2023 18:10:43.940 +0200 INFO HotBucketRoller - finished moving hot to warm bid=_introspection~230~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_introspection from=hot_v1_230 to=db_1683689783_1619379864_230 size=413696 caller=lru maxHotBuckets=3, count=3 hot buckets + 1 quar bucket,evicting_count=1 LRU hots
10-14-2023 21:26:48.653 +0200 INFO HotBucketRoller - finished moving hot to warm bid=_audit~67~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_audit from=hot_v1_67 to=db_1694945963_1694438187_67 size=786403328 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-14-2023 08:06:09.886 +0200 INFO HotBucketRoller - finished moving hot to warm bid=_internal~369~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_internal from=hot_v1_369 to=db_1696504588_1696317607_369 size=1047363584 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-14-2023 05:02:31.677 +0200 INFO HotBucketRoller - finished moving hot to warm bid=wmc~44~34353497-7F2F-41CB-B772-DAF7007EA623 idx=www from=hot_v1_44 to=db_1695949104_1695348831_44 size=786358272 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-12-2023 05:59:51.941 +0200 INFO HotBucketRoller - finished moving hot to warm bid=_internal~367~34353497-7F2F-41CB-B772-DAF7007EA623 idx=_internal from=hot_v1_367 to=db_1696102911_1695901400_367 size=1048420352 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-11-2023 17:43:09.179 +0200 INFO HotBucketRoller - finished moving hot to warm bid=asr~284~34353497-7F2F-41CB-B772-DAF7007EA623 idx=adr from=hot_v1_284 to=db_1696364124_1696299722_284 size=786280448 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
10-10-2023 23:54:56.050 +0200 INFO HotBucketRoller - finished moving hot to warm bid=messagebus~135~34353497-7F2F-41CB-B772-DAF7007EA623 idx=melod from=hot_v1_135 to=db_1696039435_1695914107_135 size=786350080 caller=lru maxHotBuckets=3, count=4 hot buckets,evicting_count=1 LRU hots
What is your search?
Splunk has documentation on this subject.  See https://docs.splunk.com/Documentation/Splunk/9.0.7/Installation/HowtoupgradeSplunk
Client is asking about Splunk Cloud backup and recovery procedure for DR. Specifically all the configuration, searches, dashboards, fields, tags, and so on. I cannot find a document outlining Splunk Cloud policies for high availability, backup and restore. Can anyone point to this info?

Client ask - "Could you please check and let me know how and where the following items are backed up and what is the process to recover them for DR purposes?

Audit logs
Use cases
Reports, alerts, lookup tables, KV etc
Config data
Source type config
Parsing
API, TI
Fields config
Data model, macros
Apps and app config
ES config
Threat intel config"
You are right - default overwrites initial. So, the missing tokens may be somewhere else in your filters.
OK, I found the problem. One of the panels that updates the table is trellis_pie, and this token is the one that breaks everything, so I guess I configured it wrong. What is the right way to configure the trellis_pie token? This is the source:

<panel>
  <chart id="trellis_pie">
    <option name="charting.axisTitleX.visibility">collapsed</option>
    <option name="charting.axisTitleY.visibility">collapsed</option>
    <option name="charting.axisTitleY2.visibility">collapsed</option>
    <option name="charting.chart">pie</option>
    <option name="charting.chart.sliceCollapsingThreshold">0</option>
    <option name="charting.drilldown">all</option>
    <option name="charting.legend.placement">none</option>
    <option name="refresh.display">progressbar</option>
    <option name="trellis.enabled">1</option>
    <drilldown>
      <set token="host_exposure_level">$row.category$</set>
    </drilldown>
  </chart>
</panel>
Well... thanks
Hello, I've tried to add * as the initial value, but it's not working: the initial value is ignored once a default value is configured.
Hi @gcusello,

The SPL is actually a report, so the data has not even been sent to the function that has been invoked. I tried to add just the one line to the report and noticed that the report just disappears. I am also attaching the code below.

| mstats sum("mx.process.logs") as count WHERE "index"="mx_metrics" mx.env=$mx.env$ log.type=log span=10s BY pid service.name replica.name service.type module.names severity host cmd mx.env
| rename module.names as Module
| rename host as Hostname
| rename severity as lvl
| rename pid as PID
| eval Module=if(Module!="",Module,"UNDEFINED")
| eval temp=split(Module,",")
| mvexpand temp
| eval recipient=("MX_MONITORING_".temp . "@mx.com")
| fields - temp
| rename _time as timestamp
| mvcombine delim="," recipient
| rename timestamp as _time
| fields _time count PID service.name replica.name service.type Module lvl Hostname cmd mx.env recipient
| sort 0 - _time
| stats values(service.name) as Services values(replica.name) as Replicas values(PID) as PIDs values(Hostname) as Hosts sum(count) as Count_Of_Errors earliest_time(replica.name) as Earliest_Error_Time latest_time(replica.name) as Latest_Error_Time values(lvl) as Severities values(recipient) as Owners by Module mx.env
| eval Earliest_Error_Time=strftime(Earliest_Error_Time,"%d/%m/%y %H:%M:%S")
| eval Latest_Error_Time=strftime(Latest_Error_Time,"%d/%m/%y %H:%M:%S")
| table Module Services Replicas PIDs Hosts Count_Of_Errors Earliest_Error_Time Latest_Error_Time Severities mx.env

I tried using the line in another report, and the other report also disappears in the report filter. Now I feel that this is more of a bug than a code functionality issue. Please let me know what you feel about this.

Regards,
Pravin
You are a genius. Thank you so much @ITWhisperer . Much appreciated!  
yes, trying to create a search based input in Glass table input.dropdown, but for input.dropdown in glass table we are not having the search configuration.
You are missing an underscore!

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20 | streamstats count AS count | eval field_names="test_".count | stats list(field_names) AS field_names | nomv field_names | eval field_names=replace(field_names," ",", ") | return $field_names])
I have some data where I want to write the values of "test_n" (n in 1,2,...20) into a multivalue field and keep the numeric order. My attempt is to create the fields in a subsearch and pass them to "mvappend()". This does not work.

| makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20 | streamstats count AS count | eval field_names="test".count | stats list(field_names) AS field_names | nomv field_names | eval field_names=replace(field_names," ",", ") | return $field_names])

Is there any alternative to spelling out:

| eval x=mvappend(test_1,...test_20)

by hand?
Understood. So, it sounds like your filter isn't working effectively. Here is a run-anywhere example showing the filter working on the sample data, with Workbook and testbook being excluded from the results.

| makeresults count=10
| eval _raw="/api/cvraman/book
/api/apj/book
/api/nehru/book
/api/nehru/Workbook
/api/nehru/testbook
/api/cvraman/collections
/api/apj/collections
/api/indira/collections
/api/rahul/notes
/api/rajiv/notes
/api/modi/notes"
| multikv noheader=t
| eval duration=random()%10
| rename _raw as URI
| search (URI = /api/*/book OR URI = /api/*/collections OR URI = /api/*/notes)
| rex mode=sed field=URI "s/(?<root>\/\w+\/)[^\/]+(?<api>.*)/\1*\2/g"
| eval responseTime="response time"
| chart avg(duration) as avg_time by responseTime URI

I am sure you can also understand that there is nothing wrong with the rex and the remainder of the search given the data examples you have given to work on, and that the issue is with your filter, which only you can sort out, given that it is production data that you cannot share.
That's the production data, so I couldn't share it here. But from the results I can see that it is giving the results of /api/*/Workbook and /api/*/testbooks responses also, which I don't need. Actually, I renamed the prod APIs and just added workbook, testbooks, notes like that. Hope you understand.
So what is the time of your earliest event?
90 days