Okay, now I got it. Try this slightly modified search: index=_internal sourcetype=splunkd foo bar | stats count by sourcetype | appendcols [| stats count | eval sourcetype=if(isnull(sourcetype), null(), sourcetype) ] | streamstats count AS line_num | eval head_num=if(line_num > 1, line_num - 1, 1) | where NOT ( count=0 AND head_num < line_num ) | table sourcetype count | transpose | transpose header_field=column | fields - column cheers, MuS ... View more

Clad it worked in the end, but you should really NOT use join for such searches 😉 Sooner or later they will break and most likely you will not even notice it. Try to use the base search like this: ( index=ngv $device_token1$ (NOT device.firmwareVersion=*XID* NOT device.firmwareVersion=*XI5*)) OR ( index=np_ngv device.deviceType=IpGateway ) and add the remaining SPL to it. cheers, MuS ... View more

try this: | makeresults | eval child="{ [-] assetClass: VOD assetPosition: 482000 device: { [-] account: ############# accountSourceId: ################## billingAccountId: null deviceId: ########################## deviceSourceId: ##:##:##:##:##:## deviceType: IpStb ecmMacAddress: 00:00:00:00:00::01 firmwareVersion: arris_#####.2p10s1 ipAddress: ##################### macAddress: ##:##:##:##:##:## make: Arris model: AX061AEI partner: shaw postalCode: T4B3A4 receiverId: 2d3d2f2a-d3d7-4241-8af6-df0518646c49 utcOffset: null } eventTimestamp: 1543889330038 header: { [-] hostname: tvxxre-c4-dt-d2u.x1.xcal.tv money: null timestamp: 1543889543807 uuid: fe6bbb18-338e-4f4f-9acf-63115a9882f9 } kinesisRecordArrivalTime: Tue Dec 04 02:12:34 UTC 2018 playbackRate: 1 streamName: trickplay trickplayName: PLAY } " | append [| makeresults | eval parent=" { [-] attributes: { [+] } device: { [-] account: ############# accountSourceId: ################## billingAccountId: null deviceId: ################### deviceSourceId: ##:##:##:##:##:## deviceType: IpGateway ecmMacAddress: 00:00:00:00:00:01 firmwareVersion: TG3482SHW_##_PROD_sey ipAddress: null macAddress: ##:##:##:##:##:## make: ARRIS model: TG3482G partner: shaw postalCode: T2V0N1 receiverId: #####-#########-####### utcOffset: null } eventCode: null eventCount: null header: { [+] } kinesisRecordArrivalTime: Tue Dec 04 00:43:30 UTC 2018 streamName: RDK-B timestamp: 1543858253000" ] | rex field=child "ecmMacAddress: (?<ecmMacAddress>[\d{2}:+]+\d)" | rex field=parent "ecmMacAddress: (?<ecmMacAddress>[\d{2}:+]+\d)" | rex mode=sed field=ecmMacAddress "s/::/:/g" | stats values(*) AS * by ecmMacAddress the important thing here is the regex with sed to normalise the ecmMacAddress cheers, MuS ... View more

Can you please provide 2 samples of each record ? Please make sure to remove sensitive data when doing so 😉 ... View more

Hi hxzq2018, Splunk's management port 8089 is SSL enabled by default, hence the error message. To make this work you need to use https/SSL in your script as well. Hope this helps ... cheers, MuS ... View more

Hi justins777, check the props.conf for the sourcetype and validate that you either use : INDEXED_EXTRACTIONS = JSON on the parsing Splunk instance (eq indexer or heavy weight forwarder) OR KV_MODE = json on the search head. Don't use both settings at the same time. Hope this helps ... cheers, MuS ... View more

Did you check the search mode you are using? See the docs on searches modes http://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode You might be in fast mode? cheers, MuS ... View more

Did you search over all time just in case the time stamps are not correct/recognised ? ... View more

Hi ketannagpal, a good starting point is the DB connect input health http://docs.splunk.com/Documentation/DBX/health/DeployDBX/Monitordatabaseconnectionhealth it might be your input was disabled by DB connect because of too many errors on it. If the input is still enabled, check the troubleshooting section of the docs http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Troubleshooting which provides a lot of useful tips. Hope this helps ... cheers, MuS ... View more

The easiest way to know, is to try it if it works. Usually these add-ons only provide parsing or field extraction configurations and no dashboards. I reckon more important is that the Netscaler version is supported, but even then you might have to modify the field extractions to match. So, it may or may not work out of the box, but it should not take a lot of effort to make it work. Hope this helps ... cheers, MuS ... View more

For me this was the only module that needed to be removed. Thanks for this hint! cheers, MuS ... View more

Hi daxacom, I had the same issue when there were old python process around - after a Splunk restart for example. So, you end up having multiple scripts using the same AUTH codes and therefor hit the limit. Usually the kill of the rouge process fixed the issue. I don't know if there is any serialisation option for the REST TA, summon @damien dallimore Hope this helps ... cheers, MuS ... View more

Hi there, can you please share some sample events (remove all private informations first!) and the expected result? Without these information it will be very difficult to provide help. cheers, MuS ... View more

Hi AzJimbo, you can hit the /debug/refresh endpoint to do an _reload of the admin/health-report-config endpoint, but be aware that using /debug/refresh on an instance that receives data will result in data loss because it will forcefully restart admin/cooked . If you want to prevent this from happen, use this app https://splunkbase.splunk.com/app/1871/ which by default excludes this endpoint. It also allows you to reload only one specific endpoint instead of all. Hope this helps ... cheers, MuS ... View more

As an add-on here is my macro I use to get distances based on lat's and lon's 🙂 [distance(4)] args = lat1,lon1,lat2,lon2 definition = eval rlat1 = pi()*$lat1$/180, rlat2=pi()*$lat2$/180, rlat = pi()*($lat2$-$lat1$)/180, rlon= pi()*($lon2$-$lon1$)/180\ | eval a = sin(rlat/2) * sin(rlat/2) + cos(rlat1) * cos(rlat2) * sin(rlon/2) * sin(rlon/2) \ | eval c = 2 * atan2(sqrt(a), sqrt(1-a)) \ | eval distance = 6371 * c | fields - a c r* iseval = 0 It is part of my Dark Sky app featured in this .conf2017 talk https://conf.splunk.com/files/2017/slides/take-a-talk-into-the-art-of-dark-sky-photography-with-a-splunk-ninja.pdf cheers, MuS ... View more

Hi msmapper, Like @somesoni2 already said, avoid all types of sub searches - because soon then later you will hit limits/problems without even knowing. Regarding your use case: I find multisearch being really useful to compare different time ranges, see an example here https://answers.splunk.com/answers/663294/timewrap-compare-last-24-hours-to-the-same-day-ove.html Hope this helps ... cheers, MuS ... View more

Okay, S.O.S app had a custom command called btool in it https://answers.splunk.com/answers/104622/make-output-of-btool-some-conf-type-list-more-legible-unix.html#answer-432032 You can still download the app here https://splunkbase.splunk.com/app/748/#/overview Not sure though if you can use it to do btool check but well worth to give it a try 😉 cheers, MuS ... View more

Hi octavioserpa, please remove all IP's or email address before you post log samples 🙂 cheers, MuS PS: I removed them from this post 😉 ... View more

HA, here it is http://docs.splunk.com/Documentation/SankeyDiagram/1.3.0/SankeyDiagramViz/SankeySearchDataFormat#Example_query ... View more