So, the search you are using to populate the summary index has multiple values in each row for the company, as does the company field in summary index. Is this not what you expected?
Hello @ITWhisperer @PickleRick, maybe I didn't explain it clearly. I am confused about why you need to know how I constructed the search; I don't think it matters, because the summary index is derived from the same source of commands. I attached the picture below. I hope that explains. Thank you
We have configured parallelIngestionPipelines as 2 on a Splunk HF, as we were facing congestion in the TypingQueue while our CPU was underutilized (~2 cores used out of 12). However, the load across the pipelines is not balanced: pipeline 0 is still congested while pipeline 1 is barely utilized. Digging around, this seems to be because 80% of our input arrives on a single UDP port. Will splitting the UDP ports on the source itself solve this issue, i.e. having multiple UDP inputs on the HF instead of one?
The collect command (assuming that is what you are using to populate your summary index) merely puts the events from the pipeline into your index. What @PickleRick is driving at is that it is how you construct your search prior to the collect command that determines how the events look in the summary index. Perhaps you could share an anonymised version of your search SPL (preferably in a code block </>), so we can suggest changes prior to the collect command.
Perhaps you don't understand my question. I put a very specific example in my original post. I do understand the data and how it got here, because I was the one that created the summary index, but I could not post the company's data here, so everything is just imaginary fields. So, the point is that after the summary index the data does not change, but it got merged into one line. Can you provide an example of what you meant? Thanks
It seems like you've successfully integrated Meraki with Splunk. Interpreting the data is another matter and probably calls for the Meraki documentation (perhaps this will get you started: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_Event_Log). FTR, Splunk recommends NOT using a Splunk instance as a syslog server, as data will be lost when the instance restarts. Splunk recommends using a dedicated syslog server such as syslog-ng, rsyslog, or Splunk Connect for Syslog.
I am not sure if this option was available in 2015, but as of today the easier way to do this would be to use one of the text functions with the eval command.
Usage: substr(<str>,<start>,<length>)
In your case: | eval n=substr("your_string", 1, 3)
I am very new to ITSI. The operational task is to create a business service in ITSI. I have created a test service and, under the created service, I have configured KPIs and entities, but I cannot see any data in the KPI or entity; it shows N/A.
Splunk ITSI veri
Can someone please provide a solution to it?
Hello everyone, we've recently installed the Add-on for Cisco Meraki and have configured Splunk as the syslog server. I have been trying to explore failure and error events, but I can't seem to fully understand what I am seeing. I also haven't been able to find any worthy reference online. For instance, looking at eventData.reason, I don't know what these values represent. Does anyone have a clue or any successful experience with integrating Splunk for Meraki?
Hello, what do you mean I have to seek there for answers? As I mentioned in the example, the summary index does not change the data, but it merged the data into one row:
companyA
companyA
to
Company A company A
Here are my original questions:
1) How do I make the summary index put multiple values into separate lines, like on a regular index?
2) When I use the stats values command, should it return unique values?
Thank you for your help
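The following is an added example, not code from any of the posters in this thread, illustrating what the replies above mean by shaping the search before collect and answering the two questions listed in the post above. The sample events are constructed with makeresults; the host value, the company strings, and the names index=summary_company and sourcetype=company_summary are assumptions. The first search shows the difference between values() and list(): values() deduplicates and sorts, and its comparison is case-sensitive, so "Company A" and "company A" stay separate; list() keeps every occurrence in order. The second search is the shape that produces one summary row per company: collect writes each result row as one event, so a multivalue company field stays on one event unless you mvexpand it first; the lower(trim()) step is optional and only there to merge case and whitespace variants before deduplication. The third search reads the summary index back to confirm the result.

```spl
| makeresults count=4
| streamstats count AS n
| eval host="srv01", company=case(n==1, "companyA", n==2, "companyA", n==3, "Company A", n==4, "company A")
| fields - n
| stats values(company) AS company_values, list(company) AS company_list, count BY host

| makeresults count=4
| streamstats count AS n
| eval host="srv01", company=case(n==1, "companyA", n==2, "companyA", n==3, "Company A", n==4, "company A")
| fields - n
| eval company=lower(trim(company))
| stats values(company) AS company BY host
| mvexpand company
| collect index=summary_company sourcetype=company_summary

index=summary_company sourcetype=company_summary
| table _time host company
```

In the first search, company_values holds three entries (Company A, company A, companyA; the case and the internal space make them distinct), company_list holds all four, and count is 4. In the second search, after normalisation values() yields two entries (company a, companya), mvexpand turns that single row into two rows, and collect writes two events to summary_company, which is what the third search returns: one line per company, not one merged line. Without the mvexpand, the same search writes one event whose company field is multivalued, which is the "merged into one row" behaviour described in the thread.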
It's not about disabling it, because then the input is still defined, just disabled. So you'd probably need to edit the default/ files to remove the stanza altogether, which of course is a bad idea. So I'd go for fixing the spec file.
You could write a custom command to connect to the Confluence API and post an update to a page using the events in the events pipeline (I have done something similar to this before, but it is not something I can easily share).