i have added "repFactor=auto" to each peer's indexes.conf and "rolling-restarted" them all i have put into them some data which can be seen on searchhead but they are still not there ... View more

for example： x.company1.com x.x.company2.com.cn x.x.x.company3.cn x.company4.co.jp how to extract with rex those "companyn"s? edit： infact i face a problem that my expression tooks "com" as a company ... View more

A field: a=1,2,3,4..... disordered i need a search like: a=1 | append [search a=2] | append [search a=3] | append [search a=4] .... where i can not simpley use "sort" ... is there any syntax like "if a<n a++ and search something...." in splunk? by the way, is there better way than " ...| head 88 | tail 1" when i want the 88th event? thank you [EDIT] OK! this is what i am after: Puting events in the right order, for example a business procedur acc=crazyeva (1a) id=0001 (1b) tim=20121009 (1c) act=toopooltopurch (1d) but "_raw" data is disordered by "_time": # _raw 16 11:48 acc=1a 15 11:49 id=1b 14 11:50 acc=2a 13 11:51 tim=1c 12 11:52 acc=3a 11 11:53 act=1d 10 11:54 id=2b 9 11:55 id=3b 8 11:56 tim=2c 7 11:57 acc=4a 6 11:58 tim=3c 5 11:59 act=2d 4 11:60 id=4b 3 11:61 act=3d 2 11:62 tim=4c 1 11:63 act=4d .... The only rule is in the time line: 1b never comes before 1a, the same manner, 1a >> 1b >> 1c >>1d, 2a >> 2b....; 2a never comes before 1a, the same manner, 1a >> 2a >> 3a >>4a, 1b >> 2b.... this is my solution: acc | sort _time | head 1 | tail 1 | append [search id | sort _time | head 1 | tail 1] | append [search tim | sort _time | head 1 | tail 1] | append [search act | sort _time | head 1 | tail 1] | append [search acc | sort _time | head 2 | tail 1] | append [search id | sort _time | head 2 | tail 1] | append [search tim | sort _time | head 2 | tail 1] | append [search act | sort _time | head 2 | tail 1] | append [search acc | sort _time | head 3 | tail 1] | append [search id | sort _time | head 3 | tail 1] | append [search tim | sort _time | head 3 | tail 1] | append [search act | sort _time | head 3 | tail 1] | append [search acc | sort _time | head 4 | tail 1] | append [search id | sort _time | head 4 | tail 1] | append [search tim | sort _time | head 4 | tail 1] | append [search act | sort _time | head 4 | tail 1] ......... | streamstats count | eval _time=count | sort _time | transaction maxspan=4s two problem: 1.I need to do a "loop search" if there are too many events 2."transaction" command does not work on written "_time" a second way: * | sort _time | stats list(acc) | appendcols [search * | sort _time | stats list(id) ] | appendcols [search * | sort _time | stats list(tim) ] | appendcols [search * | sort _time | stats list(act) ] | table list(acc) list(id) list(tim) list(act) the result seems like a table, but its not a useful table at all Could you help me to put them in order? ... View more

XXX | streamstats count | eval _time=count | sort _time | transaction maxspan=5s I found "tranaction" is still using original "_time" but not repaced "_time" as "count" How could I force transaction use replaced "_time" Or I want to devide and group events by a certain number of them in order like: No.1,2,3,4,5 6,7,8,9,10 11,12,13,14,15 ... View more

I want to append two (or more) search results by event number search1: # _raw 1 a 2 b 3 c search2: # _raw 1 x 2 y 3 z I want a result as: # raw1 raw2 1 a x 2 b y 3 c z Any one could help me? Thanks ... View more

hello I have my log form as multi lines breaked with an empty line thanks to ziegfried， I have devided each event successfully with his help now I want to extract a field, in each event, may covers more than one value. 1,2 maybe 3 of them, same REX. I find slpunk can pick out the first value which match the REX express, the others are dropped. Can splunk extract multi values in one event with one REGEX or one FIELD name? Thank you! ... View more

Hi I want to import some mussy data to splunk every event takes multi lines with an empty line declaring its end likes below shows two events: XXX XXX XXXX XXX XXX XX XXX XXXX XX XXXX XX XXXXX XX XXX The empty line seems to be the only basis on which could be depended to break up the event But when i "preview" this data, empty lines are filtered. ... View more

There are "date-time" fields other than _time in events: ...^2012/06/30 23:58:20^2012/06/30 23:58:20... we pre extracted them as "firsttime","lasttime" we want the results where (fisttime-lasttime)<300s, how could we approach that? I have tried search as: | rex field=firsttime "(? \d{2}/\d{2}/\d{2})\s(? \d{2}:\d{2}:\d{2})" | rex field=lasttime "(? \d{2}/\d{2}/\d{2})\s(? \d{2}:\d{2}:\d{2})" | convert dur2sec(ftime), dur2sec(ltime) | where fdate=ldate | eval duration=ltime-ftime |where duration<300 | but this is not impeccable. Edit: Hi This solution so cool But it seems not willing to work, I dont know what I did wrong: sourcetype="..." | fields FirstOccurrence LastOccurrence | eval firsttime_epoch=strptime(FirstOccurrence,"%Y/%m/%d %H:%M:%S") | eval lasttime_epoch=strptime(LastOccurrence,"%Y/%m/%d %H:%M:%S") | table FirstOccurrence firsttime_epoch There are values in FirstOccurrence but firsttime_epoch not one of samples: 1/10/11 12:08:58 (just now) ... View more