Hi,
Check the time range of your report and your schedule. Make sure that the time range of your report is less than the time range of the schedule.
This means that you must be sure that your report produces results before the time range of the schedule is reached.
So if your machine takes a lot of time to produce the results of your report, you must take that time into consideration when you define the time range of your scheduled report.
The dedup command removes the subsequent duplicate results that match the specified criteria. It doesn't mean that it'll return the last event; it returns the first event that matches the criteria. This event can be the first, the last ...
If you want the last, you can use the last function to do that.
... | sort -_time | stats last(licUser) last(licType) last(licPC) | ...
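As an added illustration (not code from the answer above), the following Python model shows the two behaviours described: dedup keeps the first event per key in search order, while stats last() reports the values from the last event in each group. The events and the field names licUser, licType and licPC are constructed for the example.

```python
# Added example: a small model of Splunk's `dedup` versus `stats last(...) by`.
# Events and field values below are constructed, not real license data.
from collections import OrderedDict

# Constructed events listed in search order (Splunk's default is newest first).
EVENTS = [
    {"_time": 400, "licUser": "alice", "licType": "enterprise", "licPC": "pc-04"},
    {"_time": 300, "licUser": "bob",   "licType": "trial",      "licPC": "pc-02"},
    {"_time": 200, "licUser": "alice", "licType": "trial",      "licPC": "pc-01"},
    {"_time": 100, "licUser": "bob",   "licType": "enterprise", "licPC": "pc-03"},
]


def dedup(events, *fields):
    """Mimic `| dedup <fields>`: keep the FIRST event seen for each
    combination of field values; later duplicates are dropped.
    Which event that is depends entirely on the input order."""
    seen = set()
    kept = []
    for ev in events:
        key = tuple(ev.get(f) for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept


def sort_desc(events, field):
    """Mimic `| sort -<field>` (descending)."""
    return sorted(events, key=lambda ev: ev[field], reverse=True)


def stats_last(events, fields, by):
    """Mimic `| stats last(f1) last(f2) ... by <by>`: for each group, report
    the field values from the LAST event encountered in the input order."""
    groups = OrderedDict()
    for ev in events:
        groups[ev.get(by)] = {f"last({f})": ev.get(f) for f in fields}
    return [{by: key, **vals} for key, vals in groups.items()]


if __name__ == "__main__":
    # dedup keeps the first alice/bob events seen (pc-04 and pc-02) ...
    print(dedup(EVENTS, "licUser"))
    # ... while last() over the time-sorted stream reports pc-01 and pc-03.
    print(stats_last(sort_desc(EVENTS, "_time"), ["licType", "licPC"], "licUser"))
```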
Ok, now I understand you better. Use the dedup command to get unique values. Try this:
dest_port=8000 | dedup src_ip | dedup dest_ip | table src_ip dest_ip dest_port
# with [<sourcetype>]:
rename = <string>
* Renames [<sourcetype>] as <string>
* With renaming, you can search for the [<sourcetype>] with
sourcetype=<string>
* To search for the original source type without renaming it, use the field _sourcetype.
* Data from a renamed sourcetype will only use the search-time configuration for the target
sourcetype. Field extractions (REPORTS/EXTRACT) for this stanza sourcetype will be ignored.
* Defaults to empty.
Hi,
For the first question: if you have a login or status field that takes "failed" as a value, and a user field, here is the query:
index=... status=failed earliest=-30d latest=now | top limit=10 user | table user ...
For the second, if you have a region field, here is the query:
index=... | stats avg(user) by region | table region avg(user) ...
Ok, please forgive me for not having followed you. I was very busy.
So the dedup command will remove all the duplicates and then sort the results based on the specified sort-by field.
You can also use the dc command, which removes duplicate results with the same host value and returns the total count of the remaining results. For example: ... | stats dc(host)
Hi, try with the join command:
index=index_1 | rex "\n(?<test_name>[\w\W]{1,})\nDATASET" | rex "Blahblah (?<field_3>\d+-\d+)" | rex "Blahblash(?<field_4>[\w\W]{1,200})" | join [search index=index_2 | fields field_1,field2] | table test_name,field_3,field_4
Let me know if you have any issue.
Hi,
When you choose "continuously indexing a file", the path of that file and the name of the file must not change. If one of them changes, Splunk will not be able to index that file.
If you respect those conditions and your indexed file is heavy, be patient, because I had files that took more than 45 min to be indexed.
Hi,
You must know that Windows Server 2008 is a server system. It's not like other systems where you have default permissions to install software.
So when you create a domain user via AD (Active Directory), you must give that user permissions to install software. If not, you'll never be able to install software like Splunk from that domain user.
Ok, try this:
host=MASTER *error* Message=$ErrorSelection$ | stats count by siteID | sort -num(count) | join [search dbquery "SQLDB" "SELECT * FROM SubscriptionTable WHERE IsProduction=1"]
I've just removed the pipe.