Could you please share the sample raw logs and how they look in Splunk once they are ingested? Are the issues with line breaking, timestamp assignment, or field extraction?
You can disable those integrity checks as well if your Splunk environment is working fine after the upgrade. To disable the file integrity check, edit the installed_files_integrity setting in the limits.conf file.
@Alan_Chan I have upgraded Splunk from version 9.3.1 to 9.4.0 on a Linux platform and observed this warning. However, Splunk is functioning properly, and no issues have been noticed post-upgrade. I believe the warning can be safely removed. I hope this helps; if any reply helps you, you could add your upvote/karma points to that reply. Thanks.
Not without combining them into a single event. This is usually done with some sort of stats command, e.g. stats, eventstats, streamstats, etc. Depending on what you are trying to do and how the data is represented in your events, there could be a number of ways to do this.
Hi @RSS_STT, in [Settings > Lookups > Lookup Definitions] open "Advanced Options" and configure CIDR as match_type, as described at https://docs.splunk.com/Documentation/Splunk/9.4.0/Knowledge/Addfieldmatchingrulestoyourlookupconfiguration
Ciao.
Giuseppe
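An added example, not code from the thread or from Splunk itself: a Python model of how an exact, a CIDR and a wildcard match type behave over a constructed ip.csv with the two entries from the question, to show why the default exact match returns one host while CIDR matching returns both. The lookup rows, host names and helper names are assumptions made for the illustration.

```python
import csv
import fnmatch
import io
import ipaddress

# Constructed stand-in for the ip.csv lookup in the question (hypothetical
# content, not a file from the thread). The third and fourth rows are added
# to show a canonical CIDR entry and a wildcard entry side by side.
IP_CSV = """ip,host
192.168.101.10,db01
192.168.101.10/24,lan-a
10.0.0.0/8,corp
192.168.*,lan-any
"""

def load_lookup(text):
    """Read the lookup table the way Splunk reads a CSV lookup: one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))

def exact_match(value, pattern):
    """Default match type: the event value must equal the lookup cell."""
    return value == pattern

def cidr_match(value, pattern):
    """CIDR match type: the lookup cell is a network (or a bare address, treated
    as /32) and the event value matches when it falls inside it. strict=False
    accepts non-canonical entries such as 192.168.101.10/24 by masking host bits."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:  # cell is not a network, or value is not an address
        return False

def wildcard_match(value, pattern):
    """WILDCARD match type: '*' in the lookup cell matches any run of characters."""
    return fnmatch.fnmatchcase(value, pattern)

def lookup(rows, field, value, output, match=exact_match):
    """Return every output value whose row matches the event value, mirroring
    `| lookup ip.csv ip OUTPUT host` under the given match type. More than one
    hit becomes a multivalue field in the search results."""
    return [row[output] for row in rows if match(value, row[field])]
```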
Can I do wildcard matching in a lookup?
| makeresults | eval ip="192.168.101.10" | lookup ip.csv ip OUTPUT host
In my lookup I have two entries, ip=192.168.101.10 & ip=192.168.101.10/24. How can I add a wildcard (*) for the match so that I get two entries?
That's it! I hadn't even considered that. Thank you so much! But given Where only works one event at a time, does that mean it can't be used to compare fields in two different sourcetypes?
NO, they are not quoted strings separated by a comma. I think I didn't put the example in the right way. Let me try the example below:
field_a: rohan, rahul, raj
field_b: rohan, rahul
Now I need to have the difference of the above two fields:
field_c: raj
The where command (as with most commands) works on one event at a time - since your events are coming from different sourcetypes, they will be different events so the where command doesn't find any matches.