I was looking to figure out how to do this too and searched all through the inputs.conf documentation and couldn't find what I was looking for. Would be cool and useful.
Sure, and thanks for asking. The data file is called "tutorialdata.zip", and was downloaded from the Splunk site here: https://docs.splunk.com/Documentation/Splunk/9.3.1/SearchTutorial/Systemrequirements#Download_the_tutorial_data_files Thanks again. Avery
Hello, I am confused about the "Expires" thing when setting an alert. I have my alert scheduled every day and the expires = 24 hours. Does that mean after 24 hours the alert will NOT run any more? Thank you.
Thanks for the advice. Well, after working with Splunk for 10+ years I frankly don't agree with the "simple string-based manipulation that Splunk can in the ingestion pipe"; I'd say I've seen amazing (to the extent of crazy) things done with props and transforms. That said, Splunk might not be able to do exactly what I'm after here, but I'm willing to spend time trying anyway, as this will have a major impact on the performance at search time. Yes, there is some metadata that needs to stay with each event to be able to find them again. I have some ideas in my head on how to twist this, but right now I'm on vacation and can't test them for the next week or so, so I'm just "warming up" and looking for / listening in to others' crazy ideas of what they have achieved in Splunk.
Is there a native way to run scripts in a pwsh.exe-managed environment? It's not mentioned in the docs, so I believe not: https://docs.splunk.com/Documentation/Splunk/9.3.1/Admin/Inputsconf We all know there is [powershell://<name>] in inputs.conf to run "classic" PowerShell scripts. Actually, it runs the script in the "classic" PowerShell environment. Depending on which Windows version/build the Universal Forwarder is installed on, it will be a PS version up to 5.1 (which is managed by the powershell.exe binary, btw). But now we have a brand-new PowerShell Core (managed by a different binary: pwsh.exe). PowerShell Core has new features not available in "classic" PowerShell, and they're not 100% compatible. Additionally, PowerShell Core is platform agnostic, so we can install it on Linux and run PowerShell Core based scripts there (don't ask me why anyone would do that, but it's possible). Currently I'm running PowerShell Core scripts by starting a batch script in the cmd environment; then cmd starts pwsh.exe with a defined parameter to run my PowerShell Core based script. Not elegant at all.
Hi @sainag_splunk I have reconfigured HEC and I am able to send data to the HEC indexer via Postman. I had configured the OTEL collector according to HEC, but I am not able to see data from the OTEL collector. Can you please suggest where it went wrong? Thank you in advance. Regards, Eshwar
Eventstats should work as well (streamstats obviously relies on the order of results, which is why I'm sorting on index so that the "payload" events are before the "joining" events; if your indexes are named differently, you need to adjust this sort). Both commands have their own limitations, and which approach is more effective will probably depend on the particular use case.
Nice work @PickleRick ! Imaginative approach!! I tried out your solution and it appears to work if you replace streamstats with eventstats. Feels like that should work to me and eventstats feels more efficient than streamstats. Any thoughts?
Hello, Friends! So, I tried to change the height of the gap between these components, but in the Edit Dashboard I didn't find anything to change this. Thank you, guys.
I recognize PPS logs. But seriously, mvindex does not assign anything within a multivalued field. It picks one (or more) of the values from an mvfield. As a general remark, multivalued fields are really tricky to work with, and if you need to correlate between separate multivalued fields (and I suspect you're aiming at something like that)... this is not going to end well. What is the business case and the actual data? Maybe it can be dealt with differently? EDIT: But yes, mvindex can be indexed with dynamically assigned values. A run-anywhere example:
| makeresults | eval mv=mvappend("a1","a2","a3") | eval index=mvfind(mv,"a2") | eval value=mvindex(mv,index)
@yuanliu Thank you for your response. I tried the query below but it doesn't seem to be working. When I further cut down the query for testing, it looks like "|where index!=B" is not working. Everything before this part of the query is working, but when I add this condition, I get 0 results. Also, the query seems to be very aggressive. My index A has close to 70k events and index B has around 10k events. Splunk crashed a few times when I tried to run the query. Any suggestions on how to address this?
So, I didn't find how to use a base search, and then I just decided to proceed with a simple query in the Search Page as well. P.S. The stuff between ` characters are macros; you can check here: https://itsi-*.splunkcloud.com/en-GB/manager/itsi/data/macros . It's interesting stuff but is not helpful for me right now. Thank you, friend! Maximiliano Lopes
Hi gcusello, thank you for the reply and support. You were right, there were 2 versions of the app deployed in different directories. How should I proceed to safely remove the unwanted application from Splunk deployed on cloud? Thank you. BR