Hi
In my company we have 8 search heads.
We want to change it into a search head cluster.
What all the configuration do I need to change? Please help me with this.
Hi,
I have some events which are related to file processing.
Each file process has sub-processes, each with a sub-process ID and the time taken to complete that sub-process.
To know the time taken for the file process I need to add all the sub-process times.
My events are like this:
index=ABC source=trxfxfgf.log
Event 1 : myfile.txt sub_process_id: asgr1001 Total Time Taken: 10sec
Event 2 : myfile.txt sub_process_id: shhhtsh1002 Total Time Taken: 20sec.
Event 3 : myfile.txt sub_process_id: shsdthds1003 Total Time Taken: 30sec.
Event 4 : myfile.txt sub_process_id: tdhtr1004 Total Time Taken: 40sec.
Event 5 : myfile.txt sub_process_id: rehttr1005 Total Time Taken: 50sec.
I want to display
filename timeTaken
myfile.txt 150sec
Please help me with a basic query to add all the sub-process times.
Use the fields command
index=... NOT [search index=... url="DONT WANT" | table id]
| eventstats sum(buildTime) as SumID by id
| table SumID _time id | fields SumID _time id
Convert the below drilldown into your use case and add this in your XML.
<condition field="TimeStamp">
  <link>
    <![CDATA[/app/<appname>/dashboardname?form.search=$row.TimeStamp$&form.Environment=$Environment$]]>
  </link>
</condition>
Try this or the above stanza
[_json]
BREAK_ONLY_BEFORE={"preview"
TIME_PREFIX=\s\\"date\\":\s+\\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S+%N:%N
TRUNCATE=9999999
I have installed Splunk in EC2 (Ubuntu) and started Splunk.
I have changed web.conf to
cat /splunk/splunk/etc/system/local/web.conf
[default]
[settings]
httpport = 8001
and restarted.
But I am not able to see the Splunk web port in the browser
http://ip-XXX-XX-XX-XXXX:8001
Please help me with this.
root@ip-XXX-XX-XX-XXX:/opt/splunk/bin# ./splunk start
Splunk> Take the sh out of IT.
Checking prerequisites...
Checking http port [8001]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _telemetry _thefishbucket history main summary
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-7.0.3-fa31da744b51-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd).
Done
Waiting for web server at http://127.0.0.1:8001 to be available.. Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at http://ip-XXX-XX-XX-XXXX:8001
root@ip-XXXXXXXXX:/opt/splunk/bin# netstat -an | grep 8001
tcp 0 0 0.0.0.0:8001 0.0.0.0:* LISTEN
root@ipXXXXXXXX:/opt/splunk/bin# ps aux | grep mrsparkle
root 4884 0.2 0.1 1909236 57468 ? Ssl 19:58 0:01 /opt/splunk/bin/python -O /opt/splunk/lib/python2.7/site-packages/splunk/appserver/mrsparkle/root.py --proxied=127.0.0.1,8065,8001
root 5149 0.0 0.0 12944 1084 pts/0 S+ 20:04 0:00 grep --color=auto mrsparkle
I need to set up an alert if my count is zero on that day.
My query is
index= abc | timechart span=1d count
and I am running it for the last 7 days.
If count=0 on that day I want to trigger an alert.
Please help me with the search query.
Hi,
I have data like this. I want to display middleName and lastName from the below info.
Please help me out in writing a rex for the below raw data:
\"middleName\":\"L\",\"lastName\":\"CRIB\"
Hi,
I want to join all three fields with the common id field. Please help me with the search query
| table id servicename errordetails
I have data like this
Ex:
In index = abc "error"
servicename id
abc 101
gfg 102
hhv 105
and In index = abc "errordetails"
id errordetails
103 error1
102 error5
104 errorabc
105 error4545
I want to join both by field "id", so I want data like this:
id servicename errordetails
102 gfg error5
105 hhy error4545
Please help me with this.
Try this
If you want to refresh a panel use this tag
<option name="refresh.auto.interval">30</option>
If you want to refresh the whole dashboard
<form refresh="30">
I have a dashboard (say /app/MyApp/MyDashboard). In this dashboard there is a text input.
I want to increase the size of this text input.
How can I do this?
What all the files do I need to update?
Help me with a JOIN query for my use case.
I have
index=abc sourcetype=abc
index=abc sourcetype=pqr
In sourcetype=abc I have fields userName and ID.
In sourcetype=pqr I have the field ID, and I want to know the count made by the ID.
I want to display it in a table like
userName ID count
name1 101 3
name2 102 2
name3 103 1
Please help me with the join query.
Hi
I have errors in the field (say myfield)
Error xyz : 123
Error xyz : 456
Error xyz : 789
Error xyz : 135
Error xyz : 987
I want to group it by matching the partial values of a string like
| eval myfield=if(myfield=="Error xyz*","Error xyz",myfield)
So myfield should contain the values
"Error xyz" and other errors
(I am trying to group myfield values which start with "Error xyz").
How can I do this?