Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About linu1988
linu1988
Champion
Member since:
12-18-2012
06-05-2020
Community Statistics
| Posts | 979 |
| Solutions | 75 |
| Karma Given | 127 |
| Karma Received | 253 |
| Member Since | 12-18-2012 |
Activity Feed
- Got Karma for Re: Throttling-parameters in realtime search. 01-04-2023 06:13 AM
- Got Karma for Re: Convert a string into a number. 02-03-2022 07:44 AM
- Karma Re: Is there a way to change the font size or bold text in alert emails? for martin_mueller. 06-05-2020 12:48 AM
- Karma Re: Require input value in text box for dfoster_splunk. 06-05-2020 12:47 AM
- Karma Re: How to prevent | stats count in a macro from triggering a remote search? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Why is the Search app time range picker defaulting to 2001, even if I specify another date and time? for devicenul1. 06-05-2020 12:47 AM
- Karma Re: What is the easiest way to identify my universal forwarder versions for kscher. 06-05-2020 12:47 AM
- Karma Re: http://localhost/en-US/debug/refresh from terminal/console for MuS. 06-05-2020 12:47 AM
- Karma Re: Alert if source stops indexing for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: How do i ignore the new line character in the _raw field? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Python Script Not working via search command for psobisch. 06-05-2020 12:47 AM
- Karma Re: How to join value using wildcard? (Urgent) for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Are there any search and performance pitfalls with keeping data in hot buckets for 1 month and moving it from hot to cold directly? for lguinn2. 06-05-2020 12:47 AM
- Karma Re: Is it possible to update a table with a drilldown value from another table's field in the same browser tab? for vtsguerrero. 06-05-2020 12:47 AM
- Karma Re: how to get 1st 2nd and 3rd place results? - based on value of a field - not frequency. for colineltringham. 06-05-2020 12:47 AM
- Karma Re: 6.1.3 issue with mounted Bundles for michael_herbert. 06-05-2020 12:47 AM
- Got Karma for Re: indexer configured but inactive on new Linux servers. 06-05-2020 12:47 AM
- Got Karma for Re: How to fix perfmon errors "Object specified...in conf file is not valid"?. 06-05-2020 12:47 AM
- Got Karma for Re: How to fix perfmon errors "Object specified...in conf file is not valid"?. 06-05-2020 12:47 AM
- Got Karma for Re: DBX JOIN 2 databases together. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
09-29-2014
05:34 AM
Hello Ajay,
That is not actually a problem from splunk end. You don't have enough data to tell splunk which date to take so automatically it takes the current system date from where you do the data upload. in your case timerange picker also should work fine if you can show it on a monthly basis. The query has to be formed likewise.
Regarding the lookup what exactly would you match up? If you do the lookup on the splunk query timerange picker will not have any effect as it looks for the splunk events rather than the non-existing data which is formed after the query is triggered. To have a the trend it will be better if you can have the same included in your csv file rather than going for lookup implementation which is quite expensive on maintenance and configuration.
Thanks,
L
... View more
09-29-2014
04:12 AM
2 Karma
Hello Vincenteous,
This is happening because of your old sendemail.py file. If you have managed to customize it you may not be able to use it with savedsearch. There are two options.
One is to include a |sendmail command in your search and remove the to list. This will just work fine with all the provided parameters to the command.
You need to replace the sendemail.py file with default search app sendemail.py file and customize it. You may also go for a scripting solution which will not actually change with every splunk release. Splunk doesn't give us a good template to customize our own email format so we need to do it by ourselves.
Thanks,
L
... View more
09-26-2014
08:39 AM
I think the data is now picked from the files but, when we update the existing csv files splunk doesn't take only the updated rows it take the whole CSV content again.. This can be reproduced easily.
... View more
09-24-2014
06:58 AM
Your search please? Did you check the search peers if they are up or not?
... View more
09-24-2014
06:55 AM
yeah timechart also should do. Yesterday asked you to check with
| stats count by _time, cs_username .
My main intention was to make the timerange option available in summary. Happy that you worked it out 🙂
... View more
09-24-2014
02:55 AM
it seems like your raw events are not having any other _time. Did you delete the existing index and tries to re-index it?
... View more
09-23-2014
10:20 AM
Delete the summary index completely and index them freshly, it should work..
... View more
09-23-2014
10:18 AM
I had seen errors like this on splunk 5 indexers. Mostly after restarting the services it would continue without any issue. It may be due to all the network ports getting used up?
... View more
09-23-2014
09:48 AM
when you run the search manually with the timestamp selected, don't you see the trend? the test env search should give you the data for every 30minutes count. if you want daily distinct value you need to use different summary index, that will not give you correct value after summarized as there are no values to look at
... View more
09-23-2014
08:27 AM
i see you ran the bash script rather than the bat file. Could you also trigger the bat file for yourself? That is the issue i can see nothing else.
... View more
09-23-2014
08:25 AM
You can use anything as long as you keep meaningful data. It is not mandatory to use sistats for Summary. Make your Summary set and make the searches go from there which will work perfectly. Choose your desired level of bucket time.
... View more
09-23-2014
08:03 AM
2 Karma
Hello,
Don't include the time any where while doing the summary. When you start aggregating data the search automatically becomes faster.We all know collect command will populate all the value but it has limitation where it take the local machine's name rather than the actual host. So do something like this.
Have some sample timing to have granularity of the summary
index=iis|bucket _time span=30m| stats count dc(cs_username) by cs_username
Create a saved search and schedule it for a one time load to the target summary index. define the earliest and latest parameter according to your requirement. Avoid running it again and again to have duplicate entries.
with the above you can preserve internal event timing and you can use the time range picker because in the summary data you have the time trend.
in your Dashboard do the calculation. You should be fine now by user selecting time ranges
Thanks,
L
... View more
09-23-2014
07:58 AM
Hello,
This occurs when your path is wrong for the script. Splunk will throw this error when it is not able to find the path. Could you double check if the TA-nessus app is added in the new 2012 Machine?
Thanks,
L
... View more
09-23-2014
07:47 AM
Hello Ajay,
You need to control these things in the search query where you get the result.
If they are already extracted records.
Search name!="john"|chart...
OR
Search ...|where name!="john"|chart...
Thanks,
L
... View more
09-19-2014
08:28 AM
there are options available in splunk to use accounts which has authentication process. Intranet servers AD accounts are more often authenticated to access the smtp servers with out any issue/ special authentication. Then like Martin suggested it depends on your environment.
... View more
09-18-2014
08:49 AM
This is occurring in splunk 6 as well, It doesn't work with long complex splunk queries. Here as well i have to do it using Macro.
... View more
09-18-2014
02:32 AM
I agree that is not at all a practical solution for the end users. It should be provided as an early patch 😞
... View more
09-16-2014
06:44 AM
I believe the autolb functionality does the request balancing than data load balancing. This means we have a request for 30 sec and there will be 5 MB of data the next 30 sec it will switch to the next indexer where we will have 10MB of data. this means there are indexer with single requests but the data varies. Is it not straight forward?
... View more
Hello Kavraja,
This is kind of easy. Monitor your local server with Splunk and see when it closes to the limit. Run a alert in the same.
Thanks,
L
... View more
09-15-2014
03:11 AM
Someone give a patch. It's kind of wield when it does round up to 2001. What is the config file in Splunk which is causing this? We are using Splunk x64 6.1.3 we have the issue
... View more
09-13-2014
05:01 AM
1 Karma
use SOS app to see which jobs are taking more time. The message suggests all of your cores are already taken and they are waiting for a free core to start the job. See the jobs in the jobs option and System Activity about users.
And in a distributed environment they also depend on Indexer how they handle the search head requests. So you might as well look into your indexer usage. Thanks
... View more
09-05-2014
12:38 AM
Needs to be marked as answered then 🙂
... View more
09-04-2014
09:07 AM
for returning multiple values use makemv and then return the whole value then divide the multivalued field.
... View more
09-04-2014
09:05 AM
2 Karma
the question is not that clear but you can always use |fields -col1,col2 to remove the column. There is no harm if they don't exist as well..
... View more
09-04-2014
09:04 AM
2 Karma
More over did you check if the perfmon counter are available in your system? SOmetimes they get corrupt and are not accessible
... View more
