Hi, and sorry if this question was already answered in any other thread. Thanks in advance for the help. I had an index in which the current size was over 10 GB, for deleting the data...
Hello Team, Everyone has probably seen this error. Error in 'TsidxStats': _time aggregations are not yet supported except for count/min/max/range/earliest/latest I try to understand stats c...
...UTPUTNEW <lookup-destfield1> AS <local-destfield1>, <lookup-destfield2> AS <local-destfield2>
Here's my understanding of it, and hopefully someone can fill in the gaps or c...
Hi Splunkers, today I have a problem understanding how and where Log Sources send logs to Splunk. In this particular Splunk On Prem environment, no documentation has been done, except the H...
Hello Guys,
I am getting confused about the query below. Can anyone help me understand it?
Actually, in the search query there are "AND" commands with the same field name, I am n...
...cenario I cannot explain and wanted to understand further. While testing I created this search: | makeresults
| eval value=0, category="test", _time=strftime(now(), "%H")
| a...
...vents for SEARCH-2. I suspect something about the way the 'saved search' is utilized; I don't quite understand the difference in result. Any idea why?
Trying to understand how this SEDCMD works so I can modify it for something else. It works in props.conf but I can't seem to get it to work in SPL.
Here is the event log:
Jul 1 19:58:45 f...
...
Could anyone help me understand what the "(::){0}" portion of that stanza is defining? According to the documentation for props.conf the accepted stanza formats are
...
...nput to choose appropriate index for the base search. However it looks like it picks up just prod, and not returning results for ppe.
Can someone please help me to understand what is wrong with my c...