Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About renjith_nair
renjith_nair
Legend
Member since:
01-08-2015
9 hours ago
Community Statistics
| Posts | 2474 |
| Solutions | 640 |
| Karma Given | 56 |
| Karma Received | 935 |
| Member Since | 01-08-2015 |
Activity Feed
- Posted Re: injecting indexed file within a search on Splunk Search. 13 hours ago
- Got Karma for Re: How to insert hyperlink to the values of a column in Dashboard Studio.. 16 hours ago
- Got Karma for Re: difference between nomv and mvcombine. yesterday
- Got Karma for Re: hide the Splunk App navigation bar. yesterday
- Posted Re: How to insert hyperlink to the values of a column in Dashboard Studio. on Dashboards & Visualizations. yesterday
- Posted Re: Background Color for single card value on Splunk Dev. Thursday
- Got Karma for Re: Clickable hyperlink in search result. a week ago
- Got Karma for Re: How to set a token based on search results?. a week ago
- Posted Re: Dashboard Studio - changing layout modes on Dashboards & Visualizations. a week ago
- Posted Re: Dashboard Studio - changing layout modes on Dashboards & Visualizations. 2 weeks ago
- Karma Re: splunkd is not running for Exxnihiloo. 2 weeks ago
- Posted Re: Single card value background color change on Splunk Cloud Platform. 2 weeks ago
- Got Karma for Re: How to add download button while hiding the result s of the panel. 2 weeks ago
- Posted Re: splunkd is not running on Getting Data In. 2 weeks ago
- Got Karma for Re: service status of a service including Disaster Recovery situation. 3 weeks ago
- Got Karma for Re: service status of a service including Disaster Recovery situation. 3 weeks ago
- Got Karma for Re: How do you parse and chart fields in a JSON array?. 3 weeks ago
- Posted Re: service status of a service including Disaster Recovery situation on Splunk Search. 3 weeks ago
- Posted Re: How to add download button while hiding the result s of the panel on Splunk Cloud Platform. 3 weeks ago
- Got Karma for Re: How to add download button while hiding the result s of the panel. 3 weeks ago
Topics I've Started
01-06-2016
03:00 AM
3 Karma
Probably those hosts are not sending data any more. Metadata doesn't depend on time range but index=_internal does.
So those hosts might have sent data earlier but stopped now. Can you increase your timerange to last 30 days or even "all time" and look for one of the hosts from the above list? or just run the below search and see when these hosts were last updated.
| metadata type=hosts | rename firstTime as "First Event" lastTime as "Last Event" recentTime as "Last Update" | fieldformat "First Event"=strftime('First Event', "%c") | fieldformat "Last Event"=strftime('Last Event', "%c") | fieldformat "Last Update"=strftime('Last Update', "%c")|table host "First Event" "Last Event" "Last Update"
Splunk should send it's internal data if the connection is established. It's quite interesting if it's forwarding other data but not internal
... View more
01-05-2016
07:30 PM
1 Karma
Either splunk installation is broken or it' a problem with your browser.
Can you try it on a different browser?
... View more
01-05-2016
11:50 AM
Normally forwarder switches at every regular interval, say 30 mins or if the indexer goes down
The selection of receiver from the group is random
If you want to select only two out of three, you can configure that.
Detailed doc available here : http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Setuploadbalancingd
On top of this, If you have a specific issue, then somebody might be able to help you
... View more
01-05-2016
11:25 AM
2 Karma
Please make sure that your new license is enough to process the amount of data you have
Add license to the correct license master
Allocate the new license to the pool : http://docs.splunk.com/Documentation/Splunk/6.2.0/Admin/Createalicensepool
Check your license quota has reflected new license
If this doesn't work, contact Splunk support and they can help get you back up and running
... View more
01-05-2016
11:17 AM
1 Karma
Try this. This should give you the difference for a week per day
...your search earliest=-7d@d
| bucket _time span=1d
| stats earliest(_time) as FirstTime,earliest(counter) as FirstCounter, latest(_time) as LastTime,latest(counter) as LastCCounter
by _time
|eval Difference=LastCCounter-FirstCounter
|table FirstTime FirstCounter LastTime LastCounter Difference
Please test it with your events
Also refer to http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Specifytimemodifiersinyoursearch
... View more
01-05-2016
05:07 AM
Normally it takes the scheduled time but Splunk considers different methods to run scheduled reports. http://docs.splunk.com/Documentation/Splunk/6.3.2/Report/Configurethepriorityofscheduledreports
... View more
01-05-2016
03:08 AM
2 Karma
Add a loop to your Java script to list all table elements and apply renderer to each element.
Something like below. Please test it and feel free to amend for your requirements
function addStatusIcon(id) {
mvc.Components.get(id).getVisualization(function(tableView){
tableView.table.addCellRenderer(new CustomRangeRenderer());
tableView.table.render();
});
}
//Get all table elements in the dashboard
var s = document.getElementsByClassName("dashboard-element table splunk-view");
// Loop thru the list
for (i=0;i<s.length;i++) {
id=s[i].getAttribute("id");
addStatusIcon(id);
}
... View more
01-05-2016
02:53 AM
1 Karma
Your first search gives you run time and your second search gives you the delay in execution; ie; if you have scheduled a search at 9:00 and executed at 9:05, then the delay is 5 minutes.
... View more
01-05-2016
02:42 AM
Try summary indexing. Run your search everyday and store only the results you want in summary index. Use the summary index in dashboard. This will speed up your dashboard especially if you have to search for one month data
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Knowledge/Usesummaryindexing
... View more
01-04-2016
10:39 PM
are these single line or multi-line?
If its multi-line, is there a common field in those events?
If its multi-line, are they coming in the mentioned order ie; hostname 1, status 1 , hostname2,status etc?
... View more
01-04-2016
10:15 PM
For any manual change in configs, splunk needs a restart
Ref : http://docs.splunk.com/Documentation/Splunk/6.2.0/Troubleshooting/Enabledebuglogging
... View more
01-04-2016
09:41 PM
Can you share your search which is used to get data from the KV store ? For eg: if my drop down token is id_token, then the search will be
|inputlookup my_lookup where ID=$id_token$
More read : http://dev.splunk.com/view/SP-CAAAEZH
... View more
01-04-2016
09:32 PM
Can you just try adding a table/fields with status and ip before the chart command and run the search without chart to make sure that status and ip are listed and then add the chart command. Something like below.
sourcetype=weblogs status=200 OR status=410 [search sourcetype=weblogs status=200 earliest=-3d@d latest=now request="GET /path/*" [search sourcetype=weblogs request="GET /path/*" status=410 earliest=-3d@d latest=now [search sourcetype=firewalllogs "/blocked/" earliest=-3d@d latest=now | dedup ip | table ip] | dedup ip | table ip] | dedup ip | table ip] | fields status,ip| chart count over ip by status
... View more
01-04-2016
09:17 PM
1 Karma
There are multiple ways to achieve this.
Easiest and best method is to merge events : http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/Indexmulti-lineevents
If you have common fields, join the events with one of the commands (join,transaction,stats etc) . https://answers.splunk.com/answers/335149/how-do-get-the-combined-search-result.html
... View more
01-04-2016
02:48 AM
Instead of hidden search, you can use search base=main search and then use base search in sub panel
See here
https://answers.splunk.com/answers/239159/multiple-base-searches-in-a-dasboard-with-post-pro.html
... View more
01-02-2016
06:27 PM
1 Karma
Try
| rest services/configs/conf-macros|table definition args
... View more
01-01-2016
01:29 AM
1 Karma
If you were able to see the fields before and not now, then most probably it's due to different search mode unless your raw events are changed.
See here for information : http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Changethesearchmode
... View more
12-31-2015
05:44 AM
Glad to here that. Please accept answer so that the question will be closed
... View more
12-31-2015
01:30 AM
2 Karma
Ok if you are using html, then just get the current time from java script itself instead of creating a search manager just for this.
var currentDate=new Date();
You can either use currentDate directly which has full timestamp including timezone or get date/time elements from the date object currentDate according to your requirements.
Check javascript datetime documents for further reference
... View more
12-30-2015
08:23 PM
1 Karma
Try this
|metadata type=sources|eval difference=now() - firstTime|fields source difference|where difference < 300
This will list the sources which have appeared in last 5 minutes. Schedule this for reasonable time window according to your requirement and adjust the difference accordingly. Try the above search without the where clause and test it
... View more
12-30-2015
04:42 AM
Sorry misunderstood your question. I will remove the answer so that the question stays back as unanswered.
... View more
12-30-2015
03:43 AM
Did you get a chance to look at the documentation mentioned above ?: http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/MonitorWindowsdata
also
http://docs.splunk.com/Documentation/Splunk/6.2.0/Forwarding/Setupforwardingandreceiving
and
http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configureyourinputs
Go thru these docs and refer to the sub links if necessary. It has all details about configuring your UF
... View more
12-29-2015
10:48 PM
We have used more than 100 especially when splunk converts sub searches to OR conditions and even in format. So most probably there are no limits we are aware of.
If you are facing an issue in searches it might be because of other limits in http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/Limitsconf
There should be better ways to write search without using a lot of OR conditions.
... View more
12-29-2015
09:43 PM
You can do it from your search itself using outputlookup
for eg :
|stats count|eval timestamp=now()|fields timestamp|outputlookup kvstorelookup name
Its already mentioned in the docs provided above. also refer to
http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Outputlookup
In general, you can insert a record programmatically using rest end points as well.
http://dev.splunk.com/view/webframework-tutorials/SP-CAAAEZV
... View more
12-29-2015
07:31 PM
2 Karma
Splunk monitors files added to the directory automatically if you have configured monitor for a directory
Ref : http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Monitorfilesanddirectories
Whenever a new file is added, splunk creates a new source for that file unless you override the source parameter in the inputs.conf.
In that case, you can create an alert when a new source is created by comparing the count with previous one or looking for a specific event from the new file etc.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
9 hours ago
|
Karma given to
