index="..." source="log a" OR source="log b" | eval match=if(A==B,1,0) | timechart span =1d sum(match) ... View more

Is this what you're looking for ? index="_internal" source =/apps/splunkforwarder/var/log/splunk/metrics.log group=per_host_thruput | timechart span=4h avg(eps) by series ... View more

Hi, Try this : index=itf host ="it*" bsName=something logLevel=ERROR bsBatchName="something" | dedup message | eval message=if(like(_raw, "ORA-00001: unique constraint"), "ORA-00001: unique constraint", message) | table bsName, bsbatchName, message 3no. ... View more

Your icon need a little bit smaller that 36px x 36px because Splunk take off something like 10%. Try with 30 x 30 ! Same for the 72px x 72px. Good Luck 😉 3no. ... View more

Try with : | search fa<=t (without the "") ... View more

Hi, You can use tonumber on both of your field to be sure they are Integer : | eval myInt = tonumber(your_field) 3no. ... View more

It seems that you need this command : your_search_here | transpose http://docs.splunk.com/Documentation/Splunk/6.6.1/SearchReference/Transpose ... View more

1 - Give this search a try : sourcetype=foo TradeEvent=NEW TradeDate="2017-05-04" | search TradeID=* |table TradeID If you see TradeID=123456 then to resolve the issue add those lines to your fields.conf : [TradeID] INDEXED_VALUE= False If this doesn't work, can you tell me if the value 123456 comes from the raw log or it's populated by an object knowledge (lookup, etc...) ? ... View more

@slapie Hi, Yes you search is much more efficient but in my case I'm comparing "volume" not "eventcount". Also I'm comparing today with the average volume in the last X days (where X can be whatever I want), comparing today with yesterday it's not really pertinent in my case especially when today=monday. And the last thing is I can specify a token to have this comparaison done by sourcetype. How can I still do this with tstats ? 3no. ... View more

also elevated and default ... View more

Can you check this points ? 1 - Are you sending your logs to the main index ? Check your role maybe you don't have access by default to this index. You can also try adding index=* or index=[your_index_name] before you search. 2- If you are using a custom index make sure it's well defined on you indexers and that you can access it. 3 - Also I'm pretty sure that by default the sourcetype for Active Directory should be something like sourcetype="WinEventLog:Directory Service" ... View more

I tried that, it didn't work ! And the password still remain in clear in identities.conf. I investiguated a little more and find out that there is file identity.dat that is used to encrypt the password. I couldn't find on the heavy forwarder so I checked on the other instance and tried to use this one. But still not working... Do you know by any chance how to create this file ? Thank you for your time and help. ... View more

Password has been changed, but the configuration came from an other Splunk so I guess it's using the other splunk password but I don't know where to change it. ... View more

I tried in DEBUG mode and I have some more informations : 2017-04-24T16:29:15+0200 [DEBUG] [splunk_service_factory.py], line 54 : action=sending_request url=https://127.0.0.1:8089/services/server/info message={'headers': [('Authorization', u'Splunk VX1xvtZxXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2y8Ujx^_mCb0vj3uobMLlU6vS8TlSGxxcILAh0RjsulWToivcv4J3l2dNLvlYoohBQAK38ncfLgVioro')], 'method': 'GET'} kwargs={} 2017-04-24T16:29:15+0200 [DEBUG] [shc_cluster_config.py], line 26 : action=test_if_enterprise_product product_type=enterprise result=True 2017-04-24T16:29:15+0200 [DEBUG] [splunk_service_factory.py], line 54 : action=sending_request url=https://127.0.0.1:8089/servicesNS/nobody/-/shcluster/config/ message={'headers': [('Authorization', u'Splunk VX1xvtZxXXXXXXXXXXXXXXXXXXXXXXXXXXXXX2y8Ujx^_mCb0vj3uobMLlU6vS8TlSGxxcILAh0RjsulWToivcv4J3l2dNLvlYoohBQAK38ncfLgVioro')], 'method': 'GET'} kwargs={} 2017-04-24T16:29:15+0200 [INFO] [mi_base.py], line 190: action=caught_exception_in_modular_input_with_retries modular_input=mi_input://Data_URL retrying="6 of 6" error=Request failed: Session is not logged in. I think it's using the splunk account of the other instance to connect. Do you know how I can change this and adapt it on my new config ? ... View more

jdbc:sqlserver://:;databaseName=;selectMethod=cursor;inst anceName=XXXXXXXXXX host, port, and database are define in the stanza like this : [XXXXXXXXXX] connection_type = generic_mssql database = XXXXXXXXXXXX host = XXXXXXXXXXXXXX identity = XXXXXXXXX jdbcUrlFormat = jdbc:sqlserver://<host>:<port>;databaseName=<database>;selectMethod=cursor;instanceName=XXXXXXXXXXXXXXX jdbcUrlSSLFormat = jdbc:sqlserver://<host>:<port>;databaseName=<database>;selectMethod=cursor;e ncrypt=true;trustServerCertificate=true jdbcUseSSL = 0 port = XXXXXX And login/password are stored in identities.conf. ... View more

Hi, Thank your for your time, I'll check with my DBA on monday. But I don't think that it is my problem, because it is working on a Single Splunk instance (based on windows) with the same credentials. I'll let you know. Thanks ! ... View more

No but il you have alerts, reports or schedule search running at this time, it will use them. ... View more

One core per search per user. So if a user you open a dashboard with 8 panels, you're already at the limit. ... View more

a1 field is in both file ? In every line ? ... View more

Hi rflouquet, That's a search I use to check if one of my sourcetype is sending me (in an hour) more data than it should compared to the last 3 days. index=_internal source=*license_usage.log type=Usage st="*" | eval h=strftime(_time, "%H:00") | stats sum(b) as bytes by h | eval Ko = round(bytes/1024,2) | streamstats sum(Ko) as CKo | chart first(CKo) as CKo over h | join h type=left [ search index=_internal source=*license_usage.log type=Usage st="*" [ | stats count | eval earliest=strftime(relative_time(now(), "-3d"), "%m/%d/%Y:00:00:00") | return earliest ] [ | stats count | eval latest=strftime(relative_time(now(), "@d"), "%m/%d/%Y:00:00:00") | return latest ] | eval d=strftime(_time, "%Y-%m-%d") | eval h=strftime(_time, "%H:00") | stats sum(b) as bytes by h | eval Ko=round(bytes/1024,2) | streamstats sum(Ko) as CKo | eventstats sum(CKo) as CKo by h, d | stats sum(CKo) as CKo_15 by h | eval CKo_15=round(CKo_15/3, 2) ] | fillnull value=0 | rename CKo as CGo, CKo_15 as CGo_15 | eval CGo=round(CGo/1024/1024, 2) | eval CGo_15=round(CGo_15/1024/1024, 2) | stats sum(*) as * by h | rename h as Hour, CGo as "GB sum", CGo_15 as "Last 3 day GB" What you can do is add a token to define the sourcetype. You'll need to replace the "3 days" by "30", the "hour" by "minute", and the "sourcetype" by the "host" to match your requierement but at least you have some base to work on. I hope this can help you build your search... 3no. ... View more

And also check, that your firewall or loadbalancer as not a limit in the TCP timeout session, it happens sometimes after a certain amount of time the firewall close the connection. ... View more