@woodcock I have the same query, need to redirect the output csv file to some other directory in Linux. Is there a way to do that from Splunk query? OR We will have to do this via script. Kindly confirm. ... View more

@HiroshiSatoh Have you used "Density Function" algorithm for anomaly detection? ... View more

@HiroshiSatoh I didn't get it, could you please elaborate. ... View more

@mmodestino_splunk I am trying to check the license usage consumption by event pattern and trying to create a report which would say which event patterns are consuming more license. ... View more

@gcusello I am trying to find the log patterns in splunk which are consuming more license, the entire agenda behind this exercise to find those logs and then fine tune them to reduce the license consumption. Let me know if you need any more information. ... View more

This really worked, thanks for all your help! ... View more

@gaurav_maniar This worked, thanks a lot for all your help! ... View more

@gaurav_maniar Could you pls check ... View more

@gaurav_maniar Could you please help me to create a custom command like sendemail and how do we add it at end of the query. I have seen the second link and that says we can create custom event but that requires mandatory fields like summary, eventtype & severity. How do we do this in splunk? curl -X POST --user user1@customer1:secret 'http://demo.appdynamics.com/controller/rest/applications/5/events?severity=INFO&summary=test1&eventtype=CUSTOM&customeventtype=mycustomevent&propertynames=key1&propertynames=key2&propertyvalues=value1&propertyvalues=value' ... View more

Can we do this through script? ... View more

Hi All, I am using the below mentioned query in cluster maps visualization index=abc sourcetype=xyz:log| iplocation src| geostats count by src globallimit=0 Link to search drilldown is actually working for all the values not for the clicked value. Let me know if you need any additional details... ... View more

Let me explain you, I have 4 columns in my lookup table and when any keywords are found from the raw data of the indexes then it should get tagged to the following columns of the lookup For instance, I get cpu keywords in the raw data then it should tag against the respective cpu columns of the lookup table ... View more

This is not working for me ... View more

@niketnilay @woodcock , hello mates, do you have any workaround for this? ... View more

@ Niket & Woodcockl, Do you have any workaround for this? Regards Manish Singh ... View more

Sorry, I should have posted this under comments section, my apologies.. ... View more

Hi Niket/Woodcock, I am trying to bring in data from different indexes and then trying to match with the application inventory so that I will have one table where in I could see the check list of 4-5 columns which am looking for, like whether we are getting any data in splunk for app, infra and alerts from alerting tool in splunk. Here is the output would be like Application Name Infra_Data App_Data Events_Data Appdynamics_Data ABC Yes No Yes Yes Here is the mock query, | inputlookup Application_Inventory | where Application="PROD" | rename Server as host | join type=left host [search (index=linux_windows_os*) OR (index=xyz_*) OR (index=applications_data-*) OR (index=applications_info*) earliest=-24h@h latest=now() | stats latest(_time) as latest_time values(host) as host by index | eval current_time=now() | eval Time_difference=(current_time-latest_time) | eval Validation=if(TimeDiff>86400,"No","Yes") | eval latest_time=strftime(latest_time,"%F %T"), current_time=strftime(current_time,"%F %T"), TimeDiff=strftime(TimeDiff,"%S") | dedup index | table index Validation host | eval Indexes=case(index like "%applicatons_%", "App_data",index like "%linux_windows_%","Infra Data"|mvexpand host|xyseries host Indexes Validation]|table App_data "Infra Data", Application_Component_Name, PlatformName|join type=left Application_Component[search index=*alerts_data* earliest=-24h@h latest=now()|eval AlertsData=if(Application_Component!= " ", "Yes","No")|table AlertsData, Application_Component|dedup Application_Component]|join type=left Application_Component[|inputlookup AppDynamics_Data] I have taken common fields to match the data with the Application_Inventory lookup. Let me know if you guys have better options to achieve this or the question needs more clarification. ... View more

I have gone through that thread before and it is not helping me.. ... View more