About redc

redc · ‎04-09-2015

As you reminded me, TRANSFORMS doesn't work for extracting the fields except when you can do index-time extractions. After some additional research, I determined that we need to do search-time extractions (using REPORT). As I stated above, I tried doing both REPORT and TRANSFORMS in the same props.conf stanza. Whichever one came second in the stanza was the only one that was actually applied to the data. If you're supposed to be able to do that, then either there's something missing in what I did or there's a bug.

redc · ‎04-09-2015

After several more hours of additional playing around...here's what I ended up with.... To change sourcetype, you need to use TRANSFORMS in your props.conf stanza. To extract fields when the data is coming from a non-heavy forwarder (e.g., a universal forwarder), you need to use REPORT in your props.conf stanza (they have to be search-time extractions, not index-time extractions). In this scenario, at least, you can't do both in the same props.conf stanza (at least, when I tried it, whichever one came second in the props.conf stanza was the only one that got results, so either I got my altered sourcetype OR my extracted fields, never both). So I left transforms.conf exactly the way it was (see original post above), set the generic sourcetype originally specified in my props.conf to use TRANSFORMS (which reassigned the sourcetype for the events), then added props.conf stanzas for each of the new sourcetypes that uses REPORT and points to the same relative transforms.conf stanzas (to minimize how many stanzas I needed to put in transforms.conf). End result of props.conf: [error-test] BREAK_ONLY_BEFORE=^ MAX_TIMESTAMP_LOOKAHEAD=150 NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true TIME_FORMAT=[%A %B %d %T %Y] TRANSFORMS-error_logs = assignDud, assignRestartStatus, assignRestartDigest, assignErrorOnly, assignSTD, assignBadScript, assignIPSPHP, assignZkError [dud] REPORT-error_logs = assignDud [restart] REPORT-error_logs = assignRestartDigest, assignRestartStatus [error_only] REPORT-error_logs = assignErrorOnly [bad_script] REPORT-error_logs = assignBadScript [standard] REPORT-error_logs = assignSTD [IPS_PHP] REPORT-error_logs = assignIPSPHP [ZkError] REPORT-error_logs = assignZkError

redc · ‎04-07-2015

For the record, I just tried that FORMAT thing I outlined in my comment above...big ba-da-boom. Definitely didn't work right, so I'm missing something in how that's supposed to work. What I got is a bunch of duplicated data inserted into each field. The fields were extracted at index time like I wanted, but instead of getting a single IP address in the error_client field, for example, I got a multi-value field with the IP address repeated 3 times... Same on most of the other fields. So probably my "FORMAT" line is in the wrong format to work properly, but I don't see any examples in the documentation of how to specify multiple fields, so I was just guessing that a comma-delimited string would work.

redc · ‎04-07-2015

Okay, I'd forgotten that difference between TRANSFORMS and REPORT (I started working on this project like 2 months ago and had to back-burner it for most of that last 2 months, so I'd forgotten why I'd written it that way). What I really want should be both things coming from TRANSFORMS rather than REPORT - I want the fields extracted at index time (not search time) and I want to set the sourcetype based on which transforms stanza matches for the extraction. Originally, I had written my props.conf stanza to use "TRANSFORMS-error_logs" because of this; when coming back to the project this morning (after 2 months of not looking at it), I switched to "REPORT-error_logs" because the fields were not being extracted. Possibly what I was missing in this case is the "FORMAT" line in the transforms stanza, but I can see where there could be some conflict there because I already have a "FORMAT" line for specifying the sourcetype. So, if I change each of the existing transforms.conf stanzas to drop the DEST_KEY and current FORMAT lines, and add a new FORMAT line like this (for the assignZkError stanza): FORMAT = error_time::$1, error_type::$2, error_client::$3, error_class::$4, error_message::$5, error_uri::$6, error_apache::$7, error_referrer::$8 That should cause the fields to be extracted at index time instead of search time, right? But then, how do I get that to assign a sourcetype of "ZkError", given that each of those fields appear in multiple transforms?

redc · ‎04-07-2015

I'm not having a problem extracting the fields I want when I use the REPORT-error_logs line in props.conf. That is working exactly the way I want it to. The problem is with the assignment of the sourcetype. Are you saying I need to add WRITE_META = true to the transforms.conf stanzas in order to force it to write those values?

redc · ‎04-07-2015

Some results from additional playing around: When I add this to the props.conf stanza, all of the events get the sourcetype of the LAST transforms.conf stanza specified (in this case, "dud"): TRANSFORMS-error_logs=assignZkError, assignIPSPHP, assignSTD, assignBadScript, assignErrorOnly, assignRestartDigest, assignRestartStatus, assignDud And all of the regexes in the transforms.conf stanzas get ignored (so no fields get extracted). This is also what happens if I use "TRANSFORMS-error_logs" instead of "REPORT-error_logs".

redc · ‎04-07-2015

I have a data source where I'm applying multiple transforms (because there are multiple possible formats for the log lines in the data source...sucky, but it's what I have to work with). Here's what I've set in props.conf: [error-test] BREAK_ONLY_BEFORE=^ MAX_TIMESTAMP_LOOKAHEAD=150 NO_BINARY_CHECK=1 SHOULD_LINEMERGE=true TIME_FORMAT=[%A %B %d %T %Y] REPORT-error_logs=assignZkError, assignIPSPHP, assignSTD, assignBadScript, assignErrorOnly, assignRestartDigest, assignRestartStatus, assignDud This is working fantastically for extracting the fields defined in the regex values in each of those transforms stanzas. However, I want each transform stanza to assign a different sourcetype. That part is not working. When I use these settings, I get the stanza name from props.conf (i.e., "error-test"), not the sourcetype value specified in the transforms.conf. Here's my transforms.conf: [assignDud] REGEX = (?<error_message>.*) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::dud [assignRestartStatus] REGEX = \[(?<error_time>\w{3} \w{3} \d+ \d{2}:\d{2}:\d{2} \d{4})\] \[(?<error_type>\w+)\] (?<error_message>.*) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::restart [assignRestartDigest] REGEX = \[(?<error_time>\w{3} \w{3} \d+ \d{2}:\d{2}:\d{2} \d{4})\] \[(?<error_type>\w+)\] (?<error_class>[\w\s\d]+): (?<error_message>.*) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::restart [assignErrorOnly] REGEX = \[(?<error_time>\w{3} \w{3} \d+ \d{2}:\d{2}:\d{2} \d{4})\] \[(?<error_type>\w+)\] \[client (?<error_client>\d+\.\d+\.\d+\.\d+)\] (?<error_message>.*) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::error_only [assignBadScript] REGEX = \[(?<error_time>\w{3} \w{3} \d+ \d{2}:\d{2}:\d{2} \d{4})\] \[(?<error_type>\w+)\] \[client (?<error_client>\d+\.\d+\.\d+\.\d+)\] (?<error_message>.*)(, referer: (?<error_referrer>.*)) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::bad_script [assignSTD] REGEX = \[(?<error_time>\w{3} \w{3} \d+ \d{2}:\d{2}:\d{2} \d{4})\] \[(?<error_type>\w+)\] \[client (?<error_client>\d+\.\d+\.\d+\.\d+)\] (|$\d+$)(?<error_class>[\w\s\d]+): (?<error_message>.*)(, referer: (?<error_referrer>.*)|\n) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::standard [assignIPSPHP] REGEX = \[(?<error_time>\w{3} \w{3} \d+ \d{2}:\d{2}:\d{2} \d{4})\] \[(?<error_type>\w+)\] \[client (?<error_client>\d+\.\d+\.\d+\.\d+)\] \[\w{3} \w{3} \d+ \d{2}:\d{2}:\d{2} \d{4}\] \[(?<error_class>IPS_PHP:\S+)\] \"(?<error_message>.*)\" URI: (?<error_uri>\S+) APACHE: (?<error_apache>\S+) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::IPS_PHP [assignZkError] REGEX = \[(?<error_time>\w{3} \w{3} \d+ \d{2}:\d{2}:\d{2} \d{4})\] \[(?<error_type>\w+)\] \[client (?<error_client>\d+\.\d+\.\d+\.\d+)\] \[\w{3} \w{3} \d+ \d{2}:\d{2}:\d{2} \d{4}\] \[(?<error_class>ZkError:\S+)\] \"(?<error_message>.*)\" URI: (?<error_uri>\S+) APACHE: (?<error_apache>\S+), referer: (?<error_referrer>.*) DEST_KEY = MetaData:Sourcetype FORMAT = sourcetype::ZkError What am I doing wrong? EDIT: At present, I'm testing my configurations by importing a flat file once that contains examples of each of the types of errors that these transforms are being applied to, so this props.conf and transforms.conf exist on the Splunk server, not on the Universal Forwarder that will ultimately be sending the data.

redc · ‎03-12-2015

Alright, finally getting back to this (went to Splunk Live! yesterday, so...was a wee bit distracted). None of the other data sources seem to be populating. 😞 Found "No results returned handler=" for icmp, ip, tcp, and udp in the hydra_worker_ta_ontap_collection_worker_beta.log and the hydra_worker_ta_ontap_collection_worker_gamma.log. I have the following sourcetypes in the raw data: ontap:lun ontap:nfsexports ontap:options ontap:perf ontap:system ontap:vfiler Only the "lun" and "nfsexports" seem to have anything that is recognizable as a volume name (although it's not labeled as a volume name, it's "path" or "pathname", respectively). The dashboards all have text inputs for things like "LUN Name" and "Volume Name" (which none of this data seems to have), so I'm not entirely certain what's supposed to go in those. When I take a guess at what they're supposed to have, I get "no results" for everything. I haven't literally checked every single report in the Reports tab, but all the ones I've checked so far come back with no results.

redc · ‎03-10-2015

Okay, so I just installed v2...so far, reasonably good. The problem I'm currently running into has to do with the assignment of credentials on our NetApp. There are seven "groups" available that we can assign a user to: Administrators, Backup Operators, Compliance Administrators, Guests, Power Users, Replicators, and Users. (Apparently, we can't create our own custom groups.) When we assign the user to the "Users" group, the "Connection Validation" section says "Valid," but the "Credential Validation" section says "Invalid." Using the "Administrators" group, both sections say "Valid." All of the other groups say "Invalid" for both sections. For obvious security reasons, we don't want to put the user in the "Administrators" group. Any troubleshooting tips? P.S. Just to see if this was going to work with version 7.3.6, I went ahead and used the "Administrators" group and fired up the scheduler. I'm getting lots of perf data, but none of the other reports or dashboards seem to be getting data at this point. Only been running for about 7 minutes right now, though, so I'll give it a little more time before passing judgement. 🙂

redc · ‎03-05-2015

We currently have ONTAP version 7.3.6. Upgrading is not trivial at this time. But we would really, REALLY love to have this app! I noticed that version 2.x is only compatible with ONTAP 8.x and up, and I was hoping that maybe 1.x would be compatible with ONTAP 7.x. So, three questions: Is the Splunk App for ONTAP version 1.x compatible with ONTAP 7.x? Is version 1.x compatible with Splunk 6? If the answer to both #1 and #2 is "yes," is version 1.x still obtainable and where would I find it? (I was only able to find version 2.x on the app page here.)

redc · ‎03-03-2015

Ran across this need again and figured out what the problem with your answer is: You should not add the <param name="default"></param> param to the TextField module. Then it will use the upstream value as the default (otherwise it'll use "" instead of "Random text"). Could you update that in your answer for anyone else who stumbles across this post? Thanks!

redc · ‎02-11-2015

You might be onto something here... The data I'm working with IRL is a LOT more complex than the example I presented (and the use-case for the data has some dictates that I'm not presenting), so I can't just do index="datasetA" OR index="datasetB" , but I can grab one and then append the other...so I did that. In the append for datasetB, I created a new column called "Count" and set it equal to "1", then after the append, set a fillnull to "0" (zero) for that column (which made all the datasetA data have "0"). That allowed me to throw a "sum(Count) as Count" in the stats command. I'm still trying to figure out how to make the "Domain" type events from datasetB match the events from datasetA... Right now, the "Domain" datasetB entries never match any entries from datasetA because datasetA ALWAYS has a non-"-" value for user and for SystemMessageID (datasetB doesn't). I think with the start/end times, I should be able to do something like, "if datasetA event's timestamp falls within datasetB's events start/end, then match." Still working on that part... Just a side note: there's a typo in your foreach; should be: if(isnotnull(<<FIELD>>), <<FIELD>>, "-") I'm also not sure where you intended for the "count" column to be originally created in the stats command, but the search the way it's currently written it causes "count" to always be 0.

redc · ‎02-10-2015

The problem isn't with using different sourcetypes (95% of what I do uses multiple sourcetypes). The problem is that the two sourcetypes don't have a consistent/reliable related field (or a consistent/reliable way of generating one). I'm actually probably going to be stuck dropping the "Domain" type messsages because I'm starting to find there's a lot of complications in relating that data to the data in data set A. Without going directly to the originating database (which is a path I'm not eager to go down), it may simply not be possible to match "Domain" messages with their corresponding messages in data set A.

redc · ‎02-10-2015

There can be, but it's not reliable (I'd say in maybe 10-20% of lines from data set B, the timestamps are within a few seconds of each other, but the rest of the time, they could be minutes, hours, or even days apart). I guess I didn't show that very well in the sample data...

redc · ‎02-09-2015

I have two sets of data that I'm trying to join. Both data sets have a field for SystemMessageId value, but in the second data set, that value may be empty (when the value of another field is set to "Domain" instead of "Message"). Is it possible to do a join on the SystemMessageId or another field, as opposed to SystemMessageId and another field? Sample data set A: _time SystemMessageId User 2015-01-28 08:49:31 6e00000018fb1d user@domain3.com 2015-01-28 08:15:47 6e0000001263cf user@domain2.com 2015-01-28 07:50:07 6e000000117402 user@domain1.com Sample data set B: _time Message_or_Domain SystemMessageId User_or_Domain Message 2015-01-28 15:48:05 Message 6e000000117402 user@domain1.com Try+again+later 2015-01-28 08:15:47 Domain - domain2.com DNS+fail 2015-01-28 07:50:07 Message 6e000000117402 user@domain1.com Try+again+later Desired result of join: _time SystemMessageId User Message_or_Domain User_or_Domain Message Count 2015-01-28 08:49:31 6e00000018fb1d user@domain3.com - - - - 2015-01-28 08:15:47 6e0000001263cf user@domain2.com Domain domain2.com DNS+fail 1 2015-01-28 07:50:07 6e000000117402 user@domain1.com Message user@domain1.com Try+again+later 2 For event 2 in data set A, I would want to join on the SystemMessageId, but for event 3 in data set A, I'd want to do an eval to extract the domain from data set A, then join on that to data set B to User_or_Domain (and I don't want to drop event 1 in data set A, I just want to populate "-" in the empty fields for it). Because SystemMessageId may be empty, I can't join on both SystemMessageId and User_or_Domain. The search I'm imagining would look something like this... index="datasetA" | eval User_or_Domain=mvindex(split(User, "@"), 1) | join (SystemMessageId OR User_or_Domain) type=outer [search index="datasetB" | stats values(Message_or_Domain) as Message_or_Domain, values(Message) as Message, count as Count by SystemMessageId, User_or_Domain] | table _time, SystemMessageId, User, Message_or_Domain, User_or_Domain, Message, Count | fillnull value="-" Message_or_Domain, User_or_Domain, Message, Count I could, of course, do two joins, once to match on SystemMessageId, then eval the User_or_Domain field in data set A, and if that's not empty, join again to data set B...but that seems like a lot of extra overhead. Example search with two joins: index="datasetA" | join SystemMessageId type=outer [search index="datasetB" | stats values(Message_or_Domain) as Message_or_Domain, values(Message) as Message, values(User_or_Domain) as UOD, count as Count by SystemMessageId] | eval User_or_Domain=if(isnull(UOD), mvindex(split(User), "@"), 1), "") | join User_or_Domain type=outer [search index="datasetB" | stats values(Message_or_Domain) as Message_or_Domain, values(Message) as Message, count as Count by User_or_Domain] table _time, SystemMessageId, User, Message_or_Domain, User_or_Domain, Message, Count | fillnull value="-" Message_or_Domain, User_or_Domain, Message, Count

redc · ‎01-30-2015

I'd be satisfied (for the short-term, at least) with the props.conf / transforms.conf solution if I can figure out the inheritance/order of execution so that the sourcetypes are assigned correctly. Is it assigned by the order of the stanzas in transforms.conf , or by the order that the stanzas are called in the props.conf TRANSFORMS parameter?

redc · ‎01-29-2015

I've confirmed that the checksum error is completely unrelated to the duplication problem.

redc · ‎01-29-2015

I just updated the original post with additional detail...hope you guys will take another look.

redc · ‎01-29-2015

I'm only getting the checksum error on one file, and none of its data has been indexed at all (that file is generating some other errors later on), so I don't think that error is at all related to the duplicate data.

redc · ‎01-29-2015

Yes, the file is only appended to. I was thinking about it some this morning. Given the "Resetting fd to re-extract header" message, I believe the problem is that the header is at the top of the file and the file is being appended to (at the end of the file) - that it's causing the forwarder to have to go back to the top of the file to retrieve the header for the field extraction that is occurring, which then causes it to re-read the entire file. I'm going add the FIELD_NAMES parameter to the props.conf entry, see if that does it. EDIT: I've messed around with the props.conf quite a bit now and I'm having no luck. I'm still getting the "Resetting fd to re-extract header" message. New props.conf edited into original message...

redc · ‎01-28-2015

Drat. We're using the Universal Forwarder, not the heavy forwarder.

redc · ‎01-28-2015

If I understand you correctly, putting these props.conf and transforms.conf settings on the forwarder (rather than the indexer) will do what I'm looking for, then? From my experience as a sysadmin, "throw more hardware at it" is never an appropriate answer to performance problems. That's the answer for capacity problems. 🙂 The server that I was experiencing that pain on had 32GB of memory, and it would take in excess of 11,000ms to extract fields when searching more than 1,000,000 events (and we generate about 350,000 of those events per hour). We've since switched to index-time extractions and can search 50,000,000 of those events without any significant performance degradation, using about 10% of the memory that was required to search 1,000,000 events before.

redc · ‎01-28-2015

I just set up a new forwarder on a new Linux server and set it to monitor some files. For some reason, it is sending the data to the indexer twice; I haven't been able to figure out why. Here's my inputs.conf : [monitor:/mnt/swift/accounts/*/logfiles/*Queued.log] ignoreOlderThan = 1d index = mta-logs_queued sourcetype = mta-logs_queued disabled = 0 [monitor:/mnt/swift/accounts/*/logfiles/*Deferred.log] ignoreOlderThan = 1d sourcetype = mta-logs_deferred index = mta-logs_deferred disabled = 0 [monitor:/mnt/swift/accounts/*/logfiles/*Processed.log] ignoreOlderThan = 1d sourcetype = mta-logs_processed index = mta-logs_processed disabled = 0 And my props.conf : [mta-logs_queued] INDEXED_EXTRACTIONS=csv NO_BINARY_CHECK=1 SHOULD_LINEMERGE=false KV_MODE=none PREAMBLE_REGEX=# HEADER_FIELD_DELIMITER=, FIELD_NAMES=Date,Time,EventType,SystemMessageId,CustomMessageId,MailingID,To,From,Size TIMESTAMP_FIELDS=Date,Time TIME_FORMAT=%m/%d/%Y %H:%M:%S TZ=America/Chicago FIELD_DELIMITER=space [mta-logs_processed] INDEXED_EXTRACTIONS=csv NO_BINARY_CHECK=1 SHOULD_LINEMERGE=false KV_MODE=none PREAMBLE_REGEX=# HEADER_FIELD_DELIMITER=, FIELD_NAMES=Date,Time,EventType,SystemMessageId,CustomMessageId,MailingID,To,From,Size,ConnectionId,Reason,Message,LocalIp,FailureCode TIMESTAMP_FIELDS=Date,Time TIME_FORMAT=%m/%d/%Y %H:%M:%S TZ=America/Chicago FIELD_DELIMITER=space [mta-logs_deferred] INDEXED_EXTRACTIONS=csv NO_BINARY_CHECK=1 SHOULD_LINEMERGE=false KV_MODE=none PREAMBLE_REGEX=# HEADER_FIELD_DELIMITER=, FIELD_NAMES=Date,Time,EventType,SystemMessageId,CustomMessageId,MailingID,To/Domain,From,Size/Count,ConnectionId,Reason,LocalIP TIMESTAMP_FIELDS=Date,Time TIME_FORMAT=%m/%d/%Y %H:%M:%S TZ=America/Chicago FIELD_DELIMITER=space Sample raw data: #Software: SocketLabs, Inc. Hurricane Server. #Version: 1.0.0.917 #Date: 1/28/2015 00:00:08 #Account: 1000 #Fields: Date Time EventType SystemMessageId CustomMessageId MailingID To From Size 1/28/2015 15:08:02 Queued 6e000000199d02 - - recipient@domain.com sender@domain.com 464 #Software: SocketLabs, Inc. Hurricane Server. #Version: 1.0.0.917 #Date: 1/28/2015 00:00:09 #Account: 1000 #Fields: Date Time EventType SystemMessageId CustomMessageId MailingID To From Size ConnectionId Reason Message LocalIp FailureCode 1/28/2015 15:08:03 Sent 6e000000199d02 - - recipient@domain.com sender@domain.com 464 6e000000088f08 250+2.5.0+Ok - 10.110.76.77 - Sample expected event group: 1/28/2015 15:08:02 Queued 6e000000199d02 - - recipient@domain.com sender@domain.com 464 1/28/2015 15:08:03 Sent 6e000000199d02 - - recipient@domain.com sender@domain.com 464 6e000000088f08 250+2.5.0+Ok - 10.110.76.77 - Sample actual event group: 1/28/2015 15:08:02 Queued 6e000000199d02 - - recipient@domain.com sender@domain.com 464 1/28/2015 15:08:02 Queued 6e000000199d02 - - recipient@domain.com sender@domain.com 464 1/28/2015 15:08:03 Sent 6e000000199d02 - - recipient@domain.com sender@domain.com 464 6e000000088f08 250+2.5.0+Ok - 10.110.76.77 - 1/28/2015 15:08:03 Sent 6e000000199d02 - - recipient@domain.com sender@domain.com 464 6e000000088f08 250+2.5.0+Ok - 10.110.76.77 - From the splunkd.log : 01-28-2015 14:11:53.156 -0600 INFO TailingProcessor - Parsing configuration stanza: monitor:/mnt/swift/accounts/*/logfiles/*Deferred.log. 01-28-2015 14:11:53.156 -0600 INFO TailingProcessor - Parsing configuration stanza: monitor:/mnt/swift/accounts/*/logfiles/*Processed.log. 01-28-2015 14:11:53.156 -0600 INFO TailingProcessor - Parsing configuration stanza: monitor:/mnt/swift/accounts/*/logfiles/*Queued.log. 01-28-2015 14:11:53.156 -0600 INFO TailingProcessor - Adding watch on path: /mnt/swift/accounts. 01-28-2015 15:08:07.229 -0600 INFO WatchedFile - Resetting fd to re-extract header. 01-28-2015 15:08:07.233 -0600 INFO WatchedFile - Resetting fd to re-extract header. I also see some lines in this log, Checksum for seekptr didn't match, will re-read entire file='/mnt/swift/accounts/1034/logfiles/20150128Deferred.log'. (but the timestamps don't seem to line up the way the "Resetting fd" ones above do). This is 100% unrelated to the duplicated data. Something's wrong with that particular file. The inputs are not duplicated anywhere, they live ONLY in /opt/splunkforwarder/etc/system/local/inputs.conf on the forwarder. Ditto with props.conf . The duplication isn't instantaneous: the first copy of the events comes in, and a couple minutes later, the duplicates show up. This is the first time I've used the w3c extraction type, so maybe I've configured something wrong? I'm running Splunk 6.1.2, the forwarder is 6.0.

redc · ‎01-28-2015

Maybe I'm not following this correctly, but this sounds like it'll apply the field extractions (from props.conf/transforms.conf) at search time rather than at index time. I'd much rather have the fields extracted at index time because search-time extractions are SLOW. Am I reading this wrong? P.S. Sorry it took so long to reply...other projects came up.

redc · ‎01-27-2015

Pfff. I was afraid that was going to be the case. I could swear I read somewhere that you could use PHP scripts instead of Python, though. Different mechanism, maybe?

Posts	172
Solutions	11
Karma Given	10
Karma Received	38
Member Since	‎03-02-2012

Online Status	Offline
Date Last Visited	‎06-30-2021 05:43 PM

Marginal histogram visualization?

Why are subsearches and joins hard-stopped at 50k?

Wildcard field names for "search" or "where"

Sideview Utils: How to use the Switcher module to ...

Is there a setting for the maximum number of resul...

Sideview Utils: Why doesn't "export" work correctl...

How to get "splunk" user to read "root" user-owned...

Why is my transforms.conf configuration with multi...

Looking for Splunk App for NetApp ONTAP version 1

Is it possible to join on one OR another field wit...

Re: Why is my transforms.conf configuration with m...

Re: Why is my transforms.conf configuration with m...

Re: Why is my transforms.conf configuration with m...

Re: Why is my transforms.conf configuration with m...

Re: Why is my transforms.conf configuration with m...

Re: Why is my transforms.conf configuration with m...

Why is my transforms.conf configuration with multi...

Re: Looking for Splunk App for NetApp ONTAP versio...

Re: Looking for Splunk App for NetApp ONTAP versio...

Looking for Splunk App for NetApp ONTAP version 1

Re: Use $foo$ token as TextField default value

Re: Is it possible to join on one OR another field...

Re: Is it possible to join on one OR another field...

Re: Is it possible to join on one OR another field...

Is it possible to join on one OR another field wit...

Re: How to index a single data source and apply mu...

Re: Why is my forwarder sending data from monitore...

Re: How to index a single data source and apply mu...

Re: Why is my forwarder sending data from monitore...

Re: Why is my forwarder sending data from monitore...

Re: How to index a single data source and apply mu...

Re: How to index a single data source and apply mu...

Why is my forwarder sending data from monitored fi...

Re: How to index a single data source and apply mu...

Re: Why am I receiving "error code 1" trying to ru...

Join the Conversation