Hi swangertyler, Don't use join for reasons. Use multisearch instead, it will not hit any hidden limits without telling you. Try something like this: | multisearch [ search "base search with sourcetype=A" earliest=-1d@d latest=-0d@d | rename display_value as parent_num ] [ search "second search with sourtype=A" earliest=-3d@d latest=-2d@d | rename priority as parent_priority, number as parent_num, u_incident_type as type ] | dedup number sortby -sys_updated_on | table parent_num, parent_priority, type, parent_assignment | eval type = if(parent!="*", u_incident_type, type) might need some tweaking to make it fully work, but you get an idea how it works. hope this helps ... cheers, MuS ... View more

Hi daniel333, Get a screen with speakers 😉 add a bit of https://stackoverflow.com/questions/17745341/possible-to-make-browser-play-a-sound-file-when-a-certain-condition-is-met mix it with a lot of patience, try&error, web page debugging and other fun things and you might get it working ¯\_(ツ)_/¯ Hope this helps ... cheers, MuS ... View more

Hi jayakumar19, Usually I do this to test/troubleshoot scripts in Splunk: $SPLUNK_HOME/bin/splunk cmd /bin/bash This will start a shell session with all Splunk environment settings. Then I start the script like this: $SPLUNK_HOME/bin/splunk cmd $SPLUNK_HOME/etc/apps/XX/bin/X.py This helps a lot to understand where and/or why scripts fail to run. In addition I add logging lines into the script that will tell me variables being used and which step is being processed. You can add them like this: logging.debug('what ever you want to show in the logfile') Hope that helps ... cheers, MuS ... View more

Hi pratyushak, Completely un-tested, you can use https://splunkbase.splunk.com/app/2686/#/overview DB connect to query databases and get the information into Splunk. Asking Google there should also be a JDBC driver available for influxdb https://community.influxdata.com/t/influxdb-jdbc-driver/3829 The easiest way to find out if it works would be to try it ... Hope this helps ... cheers, MuS ... View more

Hi silrodgar, Start a CMD in administrative mode and start Splunk from that CMD. It will try to start Splunk, show startup messages, and will stay open afterwards. Also, you can check splunkd.log in $SPLUNK_HOME/var/log/splunk/ for any messages related to the failure. Hope this helps ... cheers, MuS ... View more

Greetings from the future ... Yes, you can specify a host name to be used in props.conf see the docs for more details https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#GLOBAL_SETTINGS cheers, MuS ... View more

Hi kramerni, A quick Google search revealed Splunk's official Ansible repository https://github.com/splunk/splunk-ansible Hope this helps ... cheers, MuS ... View more

Actually something like this would make more sense: props.conf [sourcetype1] TRANSFORMS-001-Send-Subsidiary-sourcetype1 = Send-Subsidiary-sourcetype [sourcetype2] TRANSFORMS-002-Send-Subsidiary-sourcetype2 = Send-Subsidiary-sourcetype [sourcetype1] TRANSFORMS-003-Send-Subsidiary-sourcetype3 = Send-Subsidiary-sourcetype transforms.conf [Send-Subsidiary-sourcetype] DEST_KEY = _TCP_ROUTING FORMAT = Subsidiary, Everything The reason for that is if you send everything by default to one destination, there is no need to configure a transforms stanza for this and add additional parsing load for these events 😉 Hope that makes sense ... cheers, MuS ... View more

Sounds like you are missing some unique identifier that is common to all events. If you don't have one you can create one like this: | eval joiner=case(isnotnull(field1), field1, isnotnull(field2), field2, 1=1, "unknown") once you have done this you can use a final stats values(*) AS * by joiner for example. cheers, MuS ... View more

Hi evinasco, Have a look at the docs here https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system Please note, that this setting is only configurable based on host , source or sourcetype but NOT on index. Hope this helps ... cheers, MuS ... View more

Always helpful to read https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Cantfinddata cheers, MuS ... View more

And yet another be aware post 😉 This will only work if you either: run it on the indexer itself and it will only return the indexes this indexer has configured run it on an instance that has indexers configured as search peer and if you have the correct permissions granted then it will show all configured indexes - otherwise you will get this error Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability. All of the SPL commands listed in all the posts are valid and useful, all of them have their limitations and all of them can be used to achieve the same, if you keep all the be awares in mind 😉 cheers, MuS ... View more

Not sure what version you are running but on Splunk 7.1.4 this SPL | tstats count WHERE index=DieserIndexExistiertNicht by index returns No results found. Also this one | tstats count WHERE index=DieserIndexExistiertNicht returns a count of 0 One might claim this a valid result ? IMHO it is not ... View more

Converted to answer 😉 cheers, MuS ... View more

Hi dapitis, the most efficient way in Splunk is to use tstats like this : | tstats count WHERE index=<PlaceYourIndexNamehere> This will not search any _raw data and therefore it is very, very fast 😉 Don't forget to set the correct time range if you run the search. hope that helps ... cheers, MuS ... View more

Hi mmdacutanan, My advice: forget join for reasons! Take all you searches and combine to one single base search like : index=ehop sourcetype=VOIP eh_event=RTP_Tick callId=* ( sourcetype=VOIP eh_event=RTCP_MESSAGE fractionLost > 128 callId=* ) ( eh_event=SIP_RESPONSE method=BYE callId=*) and do all needed eval or other SPL processing after that. Finally use a stats to get the correlation you need. See some examples to use stats instead join here https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html Hope this helps ... cheers, MuS ... View more

Hi daniel333, try something like this in your transforms.conf : [GetFieldAndValueFromDict] SOURCE_KEY = mydictionary REGEX = "([^"]+)":"([^"]+)" FORMAT = $1::$2 and this in your props.conf [mySourceType] REPORT-000-GetFieldAndValueFromDict = GetFieldAndValueFromDict This will create a field name from capturing group one and the value from capturing group two from within the dict. Put that on your search head and it will work at search time. Hope this helps ... cheers, MuS ... View more

A bit late for the party, but yes use the app and you can do a refresh very easy. But be sure to use the latest version of it, because otherwise you can encounter data loss 😉 cheers, MuS ... View more

Greetings from the future, there is an app https://splunkbase.splunk.com/app/4395/ now that provides a REST API endpoint that the load balancer can check without authentication and without the need to enable the debug endpoints in web.conf . It provides also an option to take the Splunk instance out of the load balancer group (the load balancer must support such a thing). Hope this helps ... cheers, MuS ... View more

You are building an index cluster with 1 node and configure replication_factor=2 , this cannot work. You would need at least 2 nodes to make it work. cheers, MuS ... View more

Hi pattokt, Just run the exact same SPL from the Splunk instance that is configured to run the Monitoring Console, because this instance should have all other instances as search peers and therefore the REST search will query these instances as well and provide a list back of all the users logged into the instances. Hope this helps ... cheers, MuS ... View more

There is a setting in server.conf that will disable caching completely ... cannot find it right now 😕 Also don't forget your browsers cache, this did bite me multiple times in the past ... cheers, MuS ... View more