Hi Jacob,
The link should not have earliest or latest in it; ideally it should refer to the existing job:
Something like:
https://splunk.instance/app/an_app/@go?sid=<job_id>;
... View more
Not sure that will work with your use case, but could you try adding the following to your search:
| sort <your_field>
| streamstats dc(<your_field>) as num
... View more
Okay, can you confirm you opened TCP port (not UDP)?
Can you check for "connection refused" or something similar under the _internal index while the firewall is turned on?
... View more
You could try the following:
index=blah
| bucket _time as day span=1d
| stats earliest(_time) as login, latest(_time) as logout by user, day
| eval diff=logout-login
| stats sum(diff) as tip by user
| eval tip=tostring(tip, "duration")
| rename user as User, tip as "Time in Portal"
That should retrieve time in Portal per user per day, then sum it to get Time in Portal per user over the last 30 days.
... View more
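To make the pipeline in the answer above concrete, here is an added Python emulation (not Splunk code and not from the original post) that applies the same steps to a handful of constructed events: bucket each event to its day, take the earliest and latest timestamp per user and day, sum the differences per user and format the total the way tostring(x, "duration") does. Days are bucketed in UTC here, which is an assumption; Splunk buckets in the search user's time zone. It also makes the caveat visible that a day with a single event contributes zero time, because that event is both login and logout.

```python
from collections import defaultdict

DAY = 86400  # seconds per day, matches span=1d

# Constructed sample events: (epoch seconds, user). Not real data.
SAMPLE_EVENTS = [
    (1704067800, "alice"),  # 2024-01-01 00:10:00 UTC
    (1704071400, "alice"),  # 2024-01-01 01:10:00 UTC
    (1704154200, "alice"),  # 2024-01-02 00:10:00 UTC, only event that day
    (1704067200, "bob"),    # 2024-01-01 00:00:00 UTC, only event that day
    (1704153600, "bob"),    # 2024-01-02 00:00:00 UTC
    (1704160800, "bob"),    # 2024-01-02 02:00:00 UTC
]


def to_duration(seconds):
    """Mimic tostring(x, "duration"): HH:MM:SS, prefixed with D+ when a day or more."""
    seconds = int(seconds)
    days, rem = divmod(seconds, DAY)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{hms}" if days else hms


def time_in_portal(events):
    """Return {user: duration string}, following the SPL pipeline step by step."""
    # | bucket _time as day span=1d
    # | stats earliest(_time) as login, latest(_time) as logout by user, day
    per_day = {}
    for ts, user in events:
        day = ts - ts % DAY  # floor to midnight UTC (assumption, see lead-in)
        login, logout = per_day.get((user, day), (ts, ts))
        per_day[(user, day)] = (min(login, ts), max(logout, ts))

    # | eval diff=logout-login
    # | stats sum(diff) as tip by user
    totals = defaultdict(int)
    for (user, _day), (login, logout) in per_day.items():
        totals[user] += logout - login  # a single-event day adds 0 here

    # | eval tip=tostring(tip, "duration")
    return {user: to_duration(total) for user, total in sorted(totals.items())}


if __name__ == "__main__":
    for user, tip in time_in_portal(SAMPLE_EVENTS).items():
        print(f"User={user} Time in Portal={tip}")
```

Running it prints one line per user, alice with 01:00:00 and bob with 02:00:00, because each user's single-event day contributes nothing to the sum.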
split function will create a value for the multivalue field every time it meets the splitter.
So, in the first case "cat=FFIEC; PPI" it will return "FFIEC" and " PPI" if you use ";"
In the second case it will just return "PPI" because there is nothing to split.
... View more
Could you run the following search on your host machine:
index=_internal metrics "group=tcpin_connections"
That will let you know which ports are being used to forward data.
... View more
Hi teknet9,
It is described in Splunk docs that runshellscript is not a supported search command:
https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Runshellscript
This is most likely why your method does not work. arg8 is supposed to be the path to the search results passed by Splunk, and you are manually providing a path where the results should not be.
To test your script I would suggest setting up an alert with a script action (your script).
... View more
That is strange, are you sure the cron expression is the issue?
It could be another parameter wrongly set?
Can you share a screenshot of it maybe?
... View more
Don't use strftime to deal with durations, use the following (where diff is your difference value in seconds):
| eval diff=tostring(diff, "duration")
... View more
Oh alright, so you were talking about cloning in the first place? Sorry, I did not realise.
I would expect cloning to also clone the permissions.
However, a manual edit of savedsearches.conf would also require changing the name of the object in the metadata stanza.
... View more
You can try playing with the settings in limits.conf like @p_gurav wrote below.
However, the best solution is to try to re-engineer your search to work with the current settings (if that's possible).
I would like to help more but it's difficult without knowing the use case and having data sample available.
... View more
If the subsearch in your append command is returning a lot of results, it may get truncated.
In that case you would see a message in the Job dropdown menu (bottom right of search SPL), can you confirm if that's the case?
... View more
You need to escape special characters such as / and ?
Try URI=\/v4\/cp\/members\/summary\?hcid=(?P<hcid>[^&]+)
The value will be stored in the field hcid.
... View more