About richgalloway

richgalloway

The prefix is the part that comes *before* the timestamp string and must not describe the timestamp string itself. The prefix for the sample event would be ^[

richgalloway

If the file doesn't change then Splunk won't re-index it. You'll have to delete the fishbucket to force Splunk to re-index the file. splunk cmd btprobe -d /opt/splunkforwarder/var/lib/splunk/fishbucket/splunk_private_db --file <small file> --reset

richgalloway

Assuming that represents 18 July 23 00:15:41.421 then the format string would be %Y%m%d:%H%M%S.%3N

richgalloway

I believe I already said you can do that.

richgalloway

Fields have a name and values. They can be renamed. Values do not have names so they cannot be renamed. To change a value of a field, use the eval command to assign a new value. | eval Device_Interface="x_y_z" To change selected values of a field, use a condition within the eval. | eval Device_Interface = if(Device_Interface="foo", "bar", Device_Interface) Putting the field name in the else clause leaves the value unchanged if the condition is not met.

richgalloway

If the search runs then it counts toward SVC usage. Hiding a panel does not prevent the search from running. To prevent a search from running in a hidden panel, embed an unset token in the query.

richgalloway

The rename command can't use conditions, but eval can. <some query> | eval "This String" = if(Device_Name="Value1" AND Device_Interface="Value2" AND SomeField>="NumberX", Value2, null()) | eval "This Other String" = if(Device_Name="Value1A" AND Device_Interface="Value2A" AND SomeField<"NumberY", Value2A, null())

richgalloway

The lack of props for the sourcetype is not a good thing. It means Splunk is guessing about how to interpret the data and may be guessing wrong. Perhaps Splunk Cloud makes different assumptions about the data than Splunk Enterprise does. Create an app with good props.conf settings for the sourcetype and install the app in both environments. That should fix it.

richgalloway

To include the time component, we don't need to extract anything. Just treat StartDateTime as a floating point number. | makeresults | eval StartDateTime="59025.5249306" | eval time=(StartTime-40587) * 86400 | eval humanTime=strftime(time, "%c")

richgalloway

Index-time extractions don't have an equivalent to the max_match option of the rex command. Consider extracting all users together and then extracting them at search time. [get-users] REGEX = (\d:)(?<user>.+) FORMAT = users::$1

richgalloway

How are you escaping the semicolon in the curl command? I suspect you need to use a shell escape to keep the shell from thinking the ; separates two commands (and makes Splunk think the search is missing a quote). curl ... -d search="search ... | makemv delim=\"~;\" hashes | ..." -d output_mode=csv

richgalloway

Once multi-value fields are expanded, any relationship among them is lost. They need to be combined into a new field before expansion. ... | eval new_field = mvzip("participants{}.object_value", "participants{}.role") | mvexpand new_field | eval new_field = split(new_field, ",") | eval object_value = mvindex(new_field, 0), role = mvindex(new_field, 1) The mvzip function combines two multi-value fields, separating them with a comma. The split function later on breaks the field on the comma. If you have more than two fields to combine, use nested mvzip functions. | eval new_field = mvzip(field1, mvzip(field2, mvzip(field3, field4)))

richgalloway

This run-anywhere example shows how to convert MJD into a text date. | makeresults | eval StartDateTime="59025.5249306" ``` Extract the day number (prior to .) ``` | rex field=StartDateTime "(?<JD>\d+)" ``` Shift the day number to base epoch day and convert to seconds ``` | eval time=(JD-40587) * 86400 ``` Convert to text ``` | eval humanTime=strftime(time, "%c")

richgalloway

Try this. The timechart command should fill in empty time slots automatically. | tstats prestats=true count as Total where index="abc" by _time, Type span=1d | timechart span=1d cont=true count as Total by Type

richgalloway

The search head alone can be replaced/rebuilt.

richgalloway

Yes, Splunk merges the settings for inputs.conf from all enabled apps as well as system/default and system/local to arrive at what the complete list of inputs will be. See the Admin Manual at https://docs.splunk.com/Documentation/Splunk/9.1.1/Admin/Wheretofindtheconfigurationfiles for a description of configuration file precedence. Note that etc/apps/test/inputs.conf will be ignored by Splunk because it is not in a local or default directory.

richgalloway

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

richgalloway

If you don't know which props.conf file has the sourcetype, use btool to find it. splunk btool --debug props list tos_access That will show all of the settings that apply to the sourcetype. The --debug option adds the name of the file where the setting is made. If you don't see the tos_access sourcetype in the Splunk Cloud UI (Settings->Source types) then there are no settings for it, which might very well explain the difference in behavior.

richgalloway

Please share the [tos_access] props.conf stanza from both the Enterprise and Cloud installations. Is it possible the data goes through a heavy forwarder before reach Splunk Enterprise and by redirecting the EC2 instance to Splunk Cloud the HF is skipped and any transforms done by it are not applied?

richgalloway

Have you tried the usual web debugging procedures? Clear your cache, try a different browser, etc. If you still have trouble signing in, contact Splunk at education_amer@splunk.com

Posts	14705
Solutions	2660
Karma Given	1375
Karma Received	5514
Member Since	‎07-24-2012

Online Status	Offline
Date Last Visited	Wednesday

Receiving notifications that are disabled

collectd reports "write_http plugin: curl_easy_per...

How do you restart splunk?

stats count(eval) always returns zero

Need help getting right timestamp from CSV

How to display more than 5 questions per page on A...

What will break if I set coldPath to /dev/null?

Knowledge Object Explorer won't load

How to use a field in SingleValue label?

How to move an index to another app?

Re: Custom timestamp parsing

Re: reindexing a small file

Re: Custom timestamp parsing

Re: How to blacklist security events by regex?

Re: Conditional rename using multiple fields

Re: SVC usage for hidden and depends panels

Re: Conditional rename using multiple fields

Re: Splunk Cloud not stripping syslog headers

Re: How to convert Modified Julian Date (MJD) to h...

Re: Index time extraction multiple regex match

Re: Using semicolon as multivalue delimiter result...

Re: How can i create new fields with data from two...

Re: How to convert Modified Julian Date (MJD) to h...

Re: How to fill the gaps from days with no data in...

Re: Rebuilding a Splunk Search Head ?

Re: Help on inputs.conf

Re: splunk app alert trigger report

Re: Splunk Cloud not stripping syslog headers

Re: Splunk Cloud not stripping syslog headers

Re: error while login to education portal