Hi @Day, they are both ways to accelerate searches when you have to use structured fields (searches using fields, not full text searches). They both use scheduled searches to take events from the raw logs. Data Models use DB tables, instead Summary indexes are standard Splunk indexes containing the extracted fields. You can accelerate Data Models. For more info see https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutsummaryindexing https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutdatamodels Ciao. Giuseppe
It depends on your data and what you are trying to get from it. It also depends on what sort of optimisation you are trying to achieve, e.g. speed, length of SPL, size of configuration data, maintenance overhead, etc.
Which kind of environment do you have (single node, distributed)? Have all nodes been updated to the same Splunk + OS version, and are all nodes using the same OS?
Hi, are you sure that you have access to the _internal index? You could check it by
| rest /services/authentication/users splunk_server=local f=roles
| search title="<YOUR SPLUNK ACCOUNT NAME>"
| fields title roles
| join roles
[| rest /services/authorization/roles
| fields title srchIndexesAllowed srchIndexesDefault srchIndexesDisallowed
| dedup title
| rename title as roles
]
| transpose
Just look at what you have on the allowed and disallowed rows. r. Ismo
Hi, I'm new here and I still don't understand the difference between summary indexing and data modeling. When should I use each? Or which is the best option for optimizing searches?
Hi, not sure why it's so difficult to convert the time format from AM/PM to 24-hour format using timechart. Our command is timechart span=10m dc(src_sg_info) by src_sg_info. The X-axis uses 12-hour format. I have googled a lot without finding any answer on it. Hope someone can give me some hints on it. Thanks Geir
With the same query, if I try to view the events from verbose mode, I get something like blank events. Please refer to the attached screenshot. But this was not occurring earlier. We used to see the respective log events for the host and sourcetype which are mentioned in the query (though index is not included).
I am not too surprised by that, head can discard events quicker than stats. You could try removing the table command from the appended searches and just have it at the end to see if that speeds things up.
Hello Splunkers!! I am not getting any data in the internal index for the last 24 hours. Please let me know what the cause behind it could be & what I need to check.
Hi, I think that's just like you said. There must be a user in the group to see it. IMHO: with LDAP / AD authentication it's much better to create your own app where you have done those mappings and then install it as a normal app. That way you could always add new role - group mappings there even if there are no users yet in those groups. Also put that app in git and you know what you have. BUT after that don't use the GUI anymore for user management (mappings etc.). If you continue with both ways you will get real "spaghetti" sooner or later ;-( r. Ismo
index=os source="/var/log/bitbucket" host=servera* Failed and evaluate them as failed packages to install. Failed: python-urllib3.noarch 0:1.10.2-3.el7 python-urllib3.noarch 0:1.10.2-7.el7 php subscription-manager-rhsm-1.24.51-1.el7_9.x86_64 subscription-manager-rhsm-1.24.52-2.el7_9.x86_64 python-syspurpose-1.24.52-2.el7_9.x86_64
Yes - this works the same! BUT it yields the exact performance as "| dedup" for my real data example while the "| head 1" approach is roughly 15x faster.
Hi, you should write your own modular input and add those libraries under that app. See more at https://dev.splunk.com/enterprise/docs/devtools/python/sdk-python/howtousesplunkpython/howtocreatemodpy/ r. Ismo
Hi, usually you should always add index=xyz to your query to avoid this situation. This is the best practice! The reason for that behaviour is that every role has the attribute srchIndexesDefault which is used if you don't add index=xyz to your query.
srchIndexesDefault = <semicolon-separated list>
* A list of indexes to search when no index is specified.
* These indexes can be wild-carded ("*"), with the exception that "*" does not
match internal indexes.
* To match internal indexes, start with an underscore ("_"). All internal indexes are
represented by "_*".
* The wildcard character "*" is limited to match either all the non-internal
indexes or all the internal indexes, but not both at once.
* No default.
As users usually have different roles, they have different combinations of srchIndexesDefault and for that reason the real searches give you different results. https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf r. Ismo
Hi @Praz_123, as @ITWhisperer asked: did you change something in your configurations? I repeat my questions: are you using a custom sourcetype and add-on? If not, which one? Ciao. Giuseppe
We have recently upgraded to Splunk Enterprise 9.0. When I try to run a search query without adding the index field to it, the event count is showing wrong. Also, if I try to see the respective event logs from Verbose mode, they are weird and this is not the usual format of logs. In the other case, if the index is mentioned in the query, everything is working fine and as usual. This issue occurs only when the search query has stats or chart commands to visualise the data. Below is the sample search query which I used: host=abc sourcetype=xyz | stats count. I am not sure whether it is a bug in Splunk 9.0 or some other issue from the config side (like limitations in the search head). Could anyone please help me on this.
Hi, one comment here. You must remember that "depends" and "rejects" look at whether the value has been set or not (null vs. non-null; also false is non-null). Basically this means that e.g.
<eval token="foobar">match(str,"foo")</eval>
<eval token="foobar">if(match(str,"foo"),"foo",null())</eval>
<eval token="foobar">mvfind(str,"foo")</eval>
The 1st one sets token foobar even if foo wasn't found in str, as it returns "false". The 2nd one works as expected. The 3rd one also works as mvfind returns a string or NULL. Also depends uses AND between those tokens and rejects uses OR. r. Ismo