Hello Splunkers!   Here is the case.  We already have clustered indexers on-premise and thinking to get an additional indexer server on our cloud system and adding to the index cluster on-premise.   What would be the considerations and cons?    Thank you in advance

I have some sources which can have significant (up to several hours) delay from the time of the event itself to the time the source transmits the event to my collector/forwarder/whatever there is. After my splunk infrastructure receives the event, there is no significant delay (up to 30 seconds usually) from the receive time to indexing time so we won't get into that too deeply. The problem is that I can either have the ingest time/index time parsed out as _time (which of course completely messes up with any analytics regarding the "real life" events) or the event's internal time field, which prevents me from doing any stats on the actual transmission performance. I can of course "dig" the _indextime from the events (it's fascinating though that I can't display the _indextime directly but have to do some magic like evaluating other field to the _indextime value) but with dozens of millions events it's quite heavy on the system. I can of course do very light summary calculations against _time using tstats. But the problem is that tstats works with span only against _time field.  

Hi, Need one field to be extracted or need a calculated field I have two fields that are auto-extracted (action and Severity) Values of action field = read, debug, modify Values of Severity field = SUCCESS and FAILURE Out of 100 logs 50 logs are having action field All logs are having Severity field Wherever action field is available in the logs, I want the same value, when there is no action field, I want the value of Severity to be disabled under action field NOTE: For all the logs Index/Sourcetype and source are same  

Hi    I'm trying to add a chart by using the below query, in chart lines Date is coming. But in x-axis shows only the Date field instead of Dates.       index=_internal FIELD1=* FIELD2=* | eval Date=(_time, "%d/%m/%y") | sort Date | eval Date=(_time, "%d/%m/%y") | table Date FIELD1 FIELD2      

I have two sets of IIS data (two sourcetypes) in a single index. One sourcetype logs web service requests, the other is a once-daily dump of the available services and their base URIs (app pools and apps). I have two working queries as shown below, and I'm trying to figure out how to combine them -- or if that is even possible. (Trouble is, I'm new to Splunk but I've been a programmer for decades -- trying to wrap my head around "the Splunk way"...) Returning servers and services with 25+ errors:     index=iis sourcetype=requests sc_status=503 | rex field=cs_uri_stem "(?i>(?<ServiceURI>^\S*\.svc\/)" | stats count by host,ServiceURI | where count > 25 | eval ErrCount=count,ErrHost=host | table ErrCount,ErrHost,ServiceURI     Results look like this: ErrCount ErrHost ServiceURI 106 server123 /app1/route1/filename1.svc/ 203 server456 /app2/filename2.svc/   Querying the once-daily service data is a bit more tricky -- each server can host multiple services, and each service can expose multiple base URIs which are stored as a comma-delimited list. So retrieving the service data for a specific server looks like this:     index=iis sourcetype=services earliest=-24h host=server456 | makemv delim="," RootURIs | mvexpand RootURIs | table AppName,RootURIs | where RootURIs != ""      Results look like this: AppName RootURIs pool2 /app2 pool2 /alsoapp2 pool2 /stillapp2/with/routes pool3 /app3 pool4 /app4   Both searches produce relatively low row-counts. I've seen the first produce maybe 15 or 20 hits max on a really bad 15 minute period (these will become alerts). The app info for a really large server might produce a maximum of maybe 200 root URIs. Both execute very quickly (a few seconds, tops). So my goals are: 1. feed the server names from the first search (503 errors) into the second search, 2. match the start of the first search's ServiceURIs to specific AppNames and RootURIs from the second search, 3. output the fields listed in the table statements in both searches Is this even remotely possible or realistic? I tried to do this via subsearches, but I think the subsearch has to produce just one result. With my developer and SQL backgrounds, a join was the obvious solution but I couldn't figure out how to get other fields (like the ServiceURI) into the joined search -- I thought I could use $ServiceURI$ but it didn't seem to work. I saw an intriguing comment that the splunk-way is to "collect all the events in one pass and then sort it out in later pipes with eval/stats and friends" but even if that's a good approach, I suspect the volume of data makes this a bad idea (millions of requests logged during a 15 minute window). Help an old code-monkey discover The Splunk Way!

Hi , Is there a way to create an alert for license consumption, without going to the license page on the controller can I just create an alert or query an API to send me an email when license consumption is about to hit the limit? Thanks!

Hello ! I have a SAP Java system that it is already monitored via Wily Instroscope. In the "configtool" there is "-javaagent" parameter that it refers to the "Agent.jar" file (path to the Wily agent file). I cannot remove the Wily Instroscope configuration. What do I need to do to start Appdynamics Java Agent if it is not possible to set another "-javaagent" in the "configtool" ? Thanks Eugenio

お世話になります。 アラートのSPL内でcaseを使っており、その戻り値（AもしくはB）をフィールド「C」に代入し、フィールド「C」の値をアラートメールの件名に記載する設定を行っています。 ）例 　SPL（一部抜粋）：| eval C=case(action == "allow" OR action == "alert", "A", action != "allow" AND action != "alert", "B") 　件名+$result.C$ SPLの検索結果が1イベントであるときは問題ないのですが、複数のイベントが検知されて イベント毎に戻り値が異なる場合に想定通りの挙動にならず困っています。 ）例 　・1つ目のイベント戻り値：B 　・2つ目のイベント戻り値：A 　⇒件名には「件名+B」が挿入される 以下のようにしたいのですが実現可否および方法についてご教示いただけますでしょうか。 ・SPLで検索されたイベント内で1件以上戻り値「A」が含まれている場合は「件名+A」にする ・SPLで検索されたイベント内に戻り値「A」が含まれていない場合は「件名+B」にする 以上、よろしくお願いいたします。

We have some firewall devices sending data to one index previously. Now I have to create new index for some of the devices to send data through TCP port. I'm unable to find old index and I'm not sure how to configure data to send to TCP port through splunk main server. Index is created in master node and i have provided bucket sizes but what should be done next? Please guide steps to configure as it is very important task for me.

Faced with the problem of consuming windows paging file by splunk universal forwarder. I didn't find a similar problem in the documentation and in the questions. What could be the reason? How to optimize? splunkforwarder v 8.0.4 OS: windows server 2008, 4 GB RAM, paging file dynamic

Hi Community. I need help and advise. Trying to Build a Dashboard with GeoStats to point locations on the Map. We have Rapid 7 data and I would like to build dashboard with MAP Visualization. My problem is that the Rapid7 data I am ingestion does not have latfield or longfield values. The only value is Site_Name with different sites across the globe. Is there a way to build GeoStats with only Site_Name value? Appreciate any help Regards