All Posts

Hello @ITWhisperer @PickleRick, maybe I didn't explain it clearly. I am confused about why you need to know how I constructed the search; I don't think it matters, because the summary index is derived from the same source of commands. I attached the picture below. I hope that explains. Thank you
We have configured parallelIngestionPipelines as 2 in Splunk HF, as we were facing congestion in the TypingQueue while our CPU was underutilized (~2 cores used out of 12). However, the load in the pipelines is not balanced: Pipeline 0 is still congested while Pipeline 1 is barely utilized. Digging around, this seems to be because 80% of our input is on a single UDP port. Will splitting the UDP ports on the source itself solve this issue? i.e. having multiple UDP inputs on the HF instead of one?
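Before changing inputs, it is worth measuring the imbalance per pipeline rather than eyeballing it in the monitoring console. The search below is an added example (not code from the post above); it reads the forwarder's own metrics.log, where each queue metric carries an ingest_pipe field once parallelIngestionPipelines is greater than 1, and charts the fill percentage of the four main ingestion queues per pipeline. The host name your_hf and the 5-minute span are assumptions; replace them with your own.

```spl
index=_internal host=your_hf source=*metrics.log* group=queue
    (name=parsingqueue OR name=aggqueue OR name=typingqueue OR name=indexqueue)
| eval fill_pct=round(100*current_size_kb/max_size_kb, 1)
| eval pipe_queue=name."/pipe".ingest_pipe
| timechart span=5m max(fill_pct) AS max_fill_pct BY pipe_queue
```

If typingqueue/pipe0 sits near 100% while typingqueue/pipe1 stays near 0%, the traffic is indeed pinned to one pipeline; a single input is serviced by a single pipeline, so only adding more inputs (more UDP ports on the source and on the HF) or moving syslog reception to a dedicated syslog server in front of Splunk can spread it.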
The collect command (assuming that is what you are using to populate your summary index) merely puts the events from the pipeline into your index. What @PickleRick is driving at is that it is how you construct your search prior to the collect command that determines how the events look in the summary index. Perhaps you could share an anonymised version of your search SPL (preferably in a code block </>), so we can suggest changes prior to the collect command.
Perhaps you don't understand my question. I put a very specific example in my original post. I do understand the data and how it got there, because I was the one who created the summary index, but I could not post the company's data here, so everything is just imaginary fields. So, the point is that after the summary index, the data does not change, but it got merged into one line. Can you provide an example of what you meant? Thanks
I cannot do that.  That's a job for Splunk Professional Services.
It seems like you've successfully integrated Meraki with Splunk. Interpreting the data is another matter and probably calls for Meraki documentation (perhaps this will get you started: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_Event_Log). FTR, Splunk recommends NOT using a Splunk instance as a syslog server, as data will be lost when the instance restarts. Splunk recommends using a dedicated syslog server such as syslog-ng, rsyslog, or Splunk Connect for Syslog.
I am not sure if this option was available in 2015, but as of today the easier way to do this would be with one of the text functions of the EVAL command.

Usage: substr(<str>,<start>,<length>)

In your case:

| eval n=substr("your_string", 1, 3)
I am very new to ITSI. The operational task is to create a business service in ITSI. I have created a test service and, under the created service, I have configured a KPI and entities, but I cannot see any data in the KPI or entity; it shows N/A. Splunk ITSI veri Can someone please provide a solution to it?
Hi @PickleRick, I'll try tomorrow morning to remove the full default stanza. thank You. Ciao. Giuseppe
Hello everyone, we've recently installed the Add-On for Cisco Meraki and have configured Splunk as the syslog server. I have been trying to explore failure and error events, but I can't seem to fully understand what I am seeing. I also haven't been able to find any worthy reference online. For instance, looking at eventData.reason, I don't know what these values represent. Does anyone have a clue or any successful experience with integrating Splunk for Meraki?
The first one still threw an error but the second worked fine, thanks
Are you going to tell us what "threshold" means in your mock data?
A summary index is not something that materializes out of thin air. Something is putting data there. Find out what and how.
Hello, what do you mean I have to seek there for answers? As I mentioned in the example, the summary index does not change the data, but it merged data into one row:

companyA
companyA

to

Company A
company A

Here are my original questions:

1) How do I make the summary index put multiple values into separate lines, like on a regular index?
2) When I use the stats values command, should it return unique values?

Thank you for your help
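Both questions come down to what the search feeding collect produces, as the collect explanation earlier in this thread says. The search below is an added example, not part of the original posts; it builds four imaginary events inline (constructed data, not the poster's), aggregates them the way a summary-populating search typically does, and shows the two fixes. The index name summary_demo is an assumption; testmode=true makes collect display what it would write without actually writing it.

```spl
| makeresults
| eval raw="companyA,10;companyA,20;Company A,30;company A,40"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<company>[^,]+),(?<threshold>\d+)$"
| fields - raw
| stats values(threshold) AS threshold BY company
| mvexpand threshold
| collect index=summary_demo testmode=true
```

Run as written, this yields four rows, one per company/threshold pair. Delete the `| mvexpand threshold` line and companyA's two thresholds are carried as a single multivalue field, so collect writes them as one summary event: that is the "merged into one line" effect, and mvexpand before collect is the answer to question 1. For question 2: stats values() does return only distinct values, but the comparison is case-sensitive, which is why "Company A" and "company A" stay separate rows; add `| eval company=lower(company)` before the stats if they should be treated as one.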
Hi Would you be able to set up an app or custom parser for me.  Thanks...
It's not about disabling it, because then the input is still defined, just disabled. So you'd probably need to edit the default/ files to remove the stanza altogether, which of course is a bad idea. So I'd go for fixing the spec file.
Thank you, but could you share an example of it please.
You could write a custom command to connect to the Confluence API to post an update to a page using the events in the events pipeline (I have done something similar to this before, but it is not something I can easily share).
Which version of Splunk are you running? The format and data options to makeresults were introduced in version 9.
Hi @Anusree, I'm a Community Moderator in the Splunk Community. This question was posted 2 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post. Thank you!