If the value is numeric, it behaves like a sample. This error is simply because the sub search result is 0. ... View more

It is described in the manual. https://docs.splunk.com/Documentation/Splunk/7.1.1/Search/Changetheformatofsubsearchresults Only the first one index = * [inputlookup xxx.csv | fields col_a | rename col_a as search] -> index = * "AA" In case of all cases index = * [inputlookup xxx.csv | fields col_a | rename col_a as query] -> index = * ("AA" OR "CC") ... View more

こんにちは。 CHECK_METHOD=modtimeを設定した場合はファイルの更新時刻が更新されれば取得します。ただし、ファイル全件取得で、差分だけ取得するわけではありません。 ＞crcSaltの場合、ファイルの中身が同じであれば、timestampだけ変更した場合、ファイルの取得できない認識です。 ⇒crcSaltは目的が違うので認識が少し違います。ファイルの中身が同じでもファイルパスが違えば取得します。同じヘッダファイルを持つログ等、本来は違うファイルなのにchecksumが同じになってしまうような場合にファイルパスをchecksumに含むことで両方のログを取得できるようにcrcSaltは使うものです。 ※平日の業務時間内であればSPSSで質問して頂いたほうが回答は早いと思います。 ... View more

Unfortunately I'm dealing with a large distributed network of a few thousand hosts across dozens of subnets. I was hoping for something a bit more scalable. I appreciate your input, and thanks for your time. ... View more

what does field_C supposed to do?? ... View more

Here is the event I was expecting: {"clock_number": REDACTED,"cwo": REDACTED,"pwo": REDACTED,"op_sequence": "020","start": "1528749692","elapsed_seconds": "0","work_center": REDACTED,"trigger_timing": "after","command": "update","data_type": "punch" } Here is the other event: {"clock_number": REDACTED,"cwo": "NPL","pwo": "","op_sequence": "","start": "1528749000","elapsed_seconds": "648","work_center": "","trigger_timing": "after","command": "update","data_type": "punch" } ... View more

When is host_name added? It does not delete the field. Just set the field to NULL. ＞↓if host_name is known from source1, then keep the host_name, otherwise, ＞set it to NULL (which I hope that it will 'delete' the field) ＞| eval host_name= if(host_name=="NONE", NULL, host_name) So I think that this is OK. | lookup source1 host_ip OUTPUT host_name | lookup source2 host_ip OUTPUTNEW host_name ... View more

In such a case, it is good to use the transaction command. index="auto_prod_ctm" sourcetype=daily_ctmag_sa_batch_log earliest=-30m |rex field=_raw "JOB (?.*) \(O" | rex field=_raw "ORDERID (?[^,]+)" | transaction Job_Name orderid startswith="STARTED" endswith="ENDED OK" ... View more

Rather than getting the log, you can set the file's presence check and the monitoring interval. So I think that fschange is good. I think that you can realize the time until deletion by alert for 15 minutes. ... View more

@Chinmai, sorry your query is not clear if your ask is different from the Answer. Please add a mock up of what you have right now and also add what you expect in the mock up. ... View more

Thanks for your comment. ... View more

OK I can see now what you mean, since its taking the most recent record and deduping BEFORE getting the info_tag its reduces the overall count. That makes sense. Thanks for that ... View more

That's a great idea. I would like to be able to do it 1 by 1 like I want to thought for specific reasons. If I wanted to do it your proposed way, I would have to divide the data somehow since, per year, I get over 2TB of Log data. I will probably do that for another type of environment I have. Thanks for this tip! ... View more

I think that I should use the search command. | search Country="{$country$}" $country$=*,UK,USA ... View more

Hi @diag , Can you please try following search? (sourcetype=A OR sourcetype=B) (field_a=* OR field_b=*) | eval requestid=if(isnotnull(field_a),field_a,field_b) | stats latest(field_a) as field_a latest(field_b) as field_b latest(field_a3) as field_a3, latest(field_a4) as field_a4,latest(field_b4) as field_b4 by requestid | where field_a = field_b This is my sample search | makeresults | eval sourcetype="A",field_a="1,2,3,4",field_a2="a2",field_a3="a3", field_a4="a4" | eval field_a=split(field_a,",") | mvexpand field_a | append [| makeresults | eval sourcetype="B",field_b="1,2,3",field_b2="b2",field_b3="b3", field_b4="b4" | eval field_b=split(field_b,",") | mvexpand field_b] | eval comment="Above search is for data generation. Use from below search" | search (sourcetype=A OR sourcetype=B) (field_a=* OR field_b=*) | eval requestid=if(isnotnull(field_a),field_a,field_b) | stats latest(field_a) as field_a latest(field_b) as field_b latest(field_a3) as field_a3, latest(field_a4) as field_a4,latest(field_b4) as field_b4 by requestid | where field_a = field_b Thanks ... View more

Why do not you monitor with DMC? http://docs.splunk.com/Documentation/Splunk/7.1.1/DMC/DMCoverview ... View more

thanks - that works... also | rename CurrentAgentSnapshot.Contacts{}.StartTime as StartTime works as well (just to share the knowledge) ... View more

My app is not Splunk cloud certified. So you’ll likely not get support to install it. You could run it from the HF if you can hit your Splunk cloud api from it. ... View more

Individually both query works. But it doesnt work when added as a panel in a dashboard ... View more

As I understood from your question, you need to create a dashboard with different windows servers with categories like application, Security,System. Use the below query , it will list the event count for each sourcetype for each server . Then you can save it as a dashboard , also you can enable drilldown. index= | chart count by host,sourcetype ... View more

yes thank you . It is cooked data. probably cant change index on the fly. ... View more