Hi, We have below search running to check if any forwarder is missing for the last 15 mins. Here below we are running across index=*, if so we are getting an error message as below: Error in 'metadata': No 'host' key found in results. Cannot merge metadata. Incase If I run below query only for index=_internal, search is running good,inorder to check if forwader is missing do we need to check all indexes or _internal would be fine? |metadata type=hosts index=* | where (now()-recentTime<7200) | stats count by host recentTime] | stats count by host recentTime | rex field=host "(?P<hostname>[^.]+)" | eval hostname=lower(hostname) | eval sourceHost=hostname | eval connectionType="universal forwarder" | eval arch="undefined" | eval lastReceived = recentTime | eval lastConnected=recentTime | eval KB = round(1000, 4) | eval eps = round(100, 4) | eval os= case(like(sourceHost,"l%"), "Linux",like(sourceHost,"W%"), "Windows", like(sourceHost,"w%"), "Windows", like(sourceHost,"s%"), "Solaris", like(sourceHost,"S%"), "Solaris", 1=1,"Other") | eval mystatus = if(lastConnected<(now()-100),"quiet","dunno") | eval status = if(lastConnected<(now()-900),"missing",if(mystatus="quiet","quiet","active")) Thanks ... View more

Hi, I am looking to format my current time to epoch time (as we need to calculate some math function on time) Time format for incidentEndTimeStr looks like this: 4/11/16 2:52 And used the eval command and strptime function below to change the format, but it doesn't work. Can you please assist? eval incidentEndTime = strptime(incidentEndTimeStr, "%m/%d/%Y %I:%M") OR eval incidentEndTime = strptime(incidentEndTimeStr, "%m/%d/%Y %H:%M") Thanks ... View more

Hi, We integrated Splunk to ServiceNow and looking to find a late closure incidents. For this we have 2 fields Stopdate, closeddate... we need to evaluate a new field Late Closure using these 2 dates. we need to find the diff of Stopdate and closeddate We need to list if Late closure > 5 (excluding weekends) For few of them, we don't have closed date. We need to compare with current date and evaluate number of late closure for these? Stopdate and closeddate is of this format: 08-01-2016 05:00:00 MST base search...|table Stopdate closeddate Can someone please help us with the search? ... View more

Hi, We are planning to implement summary indexing in our dashboards. As part of it, I have created a scheduled search below which would give us time by hosts, and have enabled summary indexing for this report. Provided: Summaryindex name to : testhadoop Added fields as: index=index1 index=index1 sourcetype="st:*:s1:s2" | rex field=Real "(?<min>\d+)m" | rex field=Real "\d+m(?<sec>\d+)\.\d+" | rex field=Real "\d+m\d+\.(?<ms>\d+)" | eval rt=min.":".sec.".".ms | convert mstime(rt) as seconds timeformat=%m:%s.%N | eval seconds=round(seconds,2) | timechart avg(seconds) as secs by Host | eval Baseline=3| and then we have created a dashboard with the search below: index=index1 sourcetype="st:*:s1:s2" | rex field=Real "(?<min>\d+)m" | rex field=Real "\d+m(?<sec>\d+)\.\d+" | rex field=Real "\d+m\d+\.(?<ms>\d+)" | eval rt=min.":".sec.".".ms | convert mstime(rt) as seconds timeformat=%m:%s.%N | eval seconds=round(seconds,2) | sitimechart avg(seconds) as secs by Host | eval Baseline=3|collect index=testhadoop testmode=true But this is not retrieving us the result we want. Instead, it is inserting new fields where these fields are not available in our raw data, but when we use above search, these additional fields are being displayed: psrsvd_ct_seconds psrsvd_gc psrsvd_nc_seconds Can someone please assist on it? We are actually new to Summary Indexing and planning to implement it. Thanks in advance. ... View more

HI, We are looking to monitor Tomcat related logs, and from documentation, we are suggested to install the Splunk Add-on for Java Management Extensions and Splunk Add-on for Tomcat . But we have already installed Monitoring of Java Virtual Machines with JMX with our environment. Can this solve our need, or do we need to install "Splunk Add-on for Java Management Extensions" specifically? These are 2 add-ons available for JMX in Splunkbase Monitoring of Java Virtual Machines with JMX Splunk Add-on for Java Management Extensions ... View more

Hi, We are seeing a weird issue with our roles. We have created new roles and assigned capabilities for our new APP. Although all the roles and capabilities look good, users with that role are unable to view dashboards periodically (some times they are able to view)..But if we log in with admin access, we are able to view all the dashboards. Whenever a user is facing this issue, we are just refreshing the search head using /deploy/reload and then are able view dashboards. Note that Our Search heads are in POOL, and apps are located in the below location: This was my first time working with pool environment cd /mnt/splunk_coe/coe_pool/etc/apps/myapp/local/authorize.conf We also have cd /opt/splunk/etc/system/local/authorize.conf Is this some file precedence happening? Thanks Sarath ... View more

Hi, can we change splunk managment port(8089) for one of my forwader in web.conf? We are using default port number for all forwarders, but users of a specific forwarder has requested to change the default port number ? Will there be any consequencies ,If we change this? Thanks ... View more

Hi, Is there a way we can upload all my saved search results to CSV file for scheduled search? Thanks ... View more

Hi, We need to create an alert to check if tomcat is up and running. This we could identify using pid. If tomcat is up and running, then we would receive tomcat events (logs) with pid. If tomcat is down, we wont receive any event. Can you please help us with the search for this? Base query below, but this does not work because whenever Tomcat is down, we won't get any events. We may need to use something like fillnull? index=idne1 source=ps host=host1 OR host=host2* apache-tomcat |stats count(pid) as Count by host _time |where count <1 ... View more