Hi, Do you have a unique ID for each job that runs? If so - try something like this: index=yourIndex [search index=yourIndex status="STARTED" | fields yourUniqueIDField] | transaction yourUniqueIDField | search status!="FAILURE" status!="SUCCESS" This should give you data for everything that has Started, but where there is not a FAILURE or SUCCESS log line. You might actually find you dont need the subsearch, the following might also work: index=yourIndex status=* | transaction yourUniqueIDField | search status!="FAILURE" status!="SUCCESS" I hope this helps! ... View more

Hi, Are you planning to continue indexing to both indexers once your remove indexer clustering, or just one at once? Dont forget that you'll end up using twice your license amount if you index it on multiple indexers that arent in a cluster. ... View more

Hi, In 5.0.5 and 6.0, as part of a security-related fix (reference SPL-65987) Splunk disabled the ability to insecurely embed content on a remote site by default. To restore this capability, you now need to make an explicit change in web.conf to the x_frame_options_sameorigin parameter and set it to False: x_frame_options_sameorigin = [True | False] * adds a X-Frame-Options header set to "SAMEORIGIN" to every response served by cherrypy * Defaults to True I hope this helps! ... View more

Just out of interested, have you tried putting the hpp.macaddress=00-16-E4-12-9B-4B as hpp.macaddress="00-16-E4-12-9B-4B" (e.g. with quotes) ... View more

Ive had the unfortunate scenario where we thought a Load Balancer would be the answer. It isnt.. We thought it'd be fine. It Wasnt. 😞 As suggested by starcher - Your best bet is to create a DNS entry (e.g. splunk.ext.yourcompany.com) and set an A record for each Splunk Indexer (or Forwarder) on your boundary. I think if it was me I'd have multiple UF on the boundary (where one side can be reached by the external servers/machines and the other side can see your indexers). By setting multiple A records on the DNS entry, Splunk UF on your remote machines will round-robin their connections to the forwarders on the boundary. This allows you to scale appropriately as you can add additional A records and forwarders as required. ... View more

Sorry, cant see a description of what the independent charts look like. I hope you get this resolved. Cheers ... View more

What currently happens when you set it to independent? I would have thought that should sort it out! 🙂 ... View more

Ah okay, If you want to exclude sessions where the app crashed then I think the below might help? my_indexes type=some_mobile_brand NOT [search my_indexes type=some_mobile_brand SM_C.key=CrashUploaded | fields userId] | transaction userId maxspan=5m | stats values(userpattern) ... View more

If you are overwriting the existing lookup files in your app then you do not need to restart Splunk. When you do a lookup in Splunk (assuming it is a file-based lookup) it will take the data from within the file in your app/lookups folder. The only thing to remember is to make sure the permissions are correct and the file can still be read by Splunk as I have seen cases where people run a cronjob as root that overwrites the file and prevents Splunk from reading it. Let me know if you hit any problems! ... View more

Re-reading it again, I see what you mean now - as you will have many mounts.. ... View more

Ah I may have misunderstood your question... Is there a reason you cannot use the wildcard approach? If it is so you can specify a specific index or sourcetype then this can always be overwritten with a transform based on the hostname.. ... View more

Hi there, You can use wildcards in your monitor stanza as adonio suggested, you'll end up with something like this: [monitor:///dsto/sw/prod/webapps/jbossEAP*/servers/appname*/log/*/server.log] disabled = false sourcetype = jboss:server:log index = jboss Regards Will ... View more

There are possibly a couple of ways of doing this, however I think you could start by searching for crashes, taking the sessionId and then searching all activity for that sessionId: Looking at the query you have above, it looks like you might already be taking this approach but using the userId instead of sessionId ? Perhaps I got the wrong end of the stick? ... View more

Or..you could overwrite the source... If your sourcetype was called "jvm-log", you'd have a props.conf entry for the sourcetype, identifying the transform rule. [jvm-log] TRANSFORMS-1_source = force_jvm_source This references a rule that would be defined in transforms.conf: [force_jvm_source] SOURCE_KEY =_raw REGEX =.*\\([^\\]+)\\messages.log DEST_KEY = MetaData:Source FORMAT = source::$1 ... View more

I think personally I would create a new field (field extraction) called something like JVMHost. That way you preserve the original data. You could use a regex like this: .*\\(?<JVMHost>[^\\]+)\\messages.log ... View more

Its also worth noting that Support for ALL versions of Splunk software on macOS 10.13 High Sierra has been REVOKED as of 23 Feb 2018. ... View more

Excellent - Got there in the end 🙂 ... View more

Are each of these on new lines/events? index=yourIndex | rex field=_raw "car\.(?<manufacturer>[a-zA-Z]+) = (?<model>[a-zA-Z0-9]+)" | stats count by manufacturer ... View more

Are you getting this error after executing an AJAX request from a click or keystroke action? If so, are you doing a return false or e.preventDefault(); (Where e is your event). function onClick(sender, e) { e.preventDefault(); $.ajax({ type: 'POST', url: 'http://yoursplunk.com:8088' }); } ... View more

On the timechart command you can add a limit=1000 useother=f - That will allow 1000 results. ... View more

Hi, I think what you might be after is makecontinuous ? Have a look at http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Makecontinuous Here are two examples below of before/after using makecontinuous (and also using fillnull to fill the gaps). Before: After: ... View more

Unfortunately the in-built rest command only supports GET requests. If you want to just trigger an action then the POST Workflow actions may probably help, however if you're wanting to use the data returned from the POST then you're going to need something a little more bespoke, a simple Python modular input might help? ... View more

Does your search run as a specific user (e.g. Admin?) If so - login as that user and check their default timezone, you might find that it is a default and needs updating to GMT (or whatever your timezone). I hope this helps. ... View more