I guys. Recently i came in trouble to resolve the "puzzle" described in Title... What we need 1) Trigger the "Job_Start", always 2) Monitor its processation Variables 1) "Job_Start" is dynamic, i can have it at 01:00 so at 04:30, 15:00 or 17:15 (and so on....h24): so "Job_Start" is the beginning point!!! 2) "Job_End" is the great variable: it could exists, as NOT AT ALL, and the focal point is to check if IT EXISTS in a range time of max 2h from "Job_Start" What i originally did, tag=mytag host=server earliest=-3h |transaction maxspan=120m maxevents=-1 startswith="Job_Start" endswith="Job_End" host,source |[...........do all if statements by "duration" field] ... ok, but what if Job never ends??? tag=mytag host=server earliest=-3h |transaction maxspan=120m maxevents=-1 startswith="Job_Start" host,source |eval CHECK_END=if(match(_raw,"Job_End"),_time,"X") |[...........do all if statements by "duration" field plus "CHECK_END" variable] ... ok, this is a good compromise to work... Now, what i really scheduled (every 15 minutes), after thinking of possible missing timings or other things... tag=mytag host=server earliest=-3h|sort + _time|eventstats first(_time) as tSTART last(_time) as tEND|eval RANGE=round((tEND-tSTART)/60) |eval CHECK_START=if(match(_raw,"Job_Start"),_time,"X") |eval CHECK_END=if(match(_raw,"Job_End"),_time,"X") |stats min(CHECK_START) as START min(CHECK_END) as END last(RANGE) as RANGE |where START!="X" |eval DUR=round((END-START)/60)|eval PASS=round((now()-START)/60) |eval msg=if( (START="X") AND (END="X"),"NO Job_Start last "+RANGE,msg)|eval nota="already skipped with where above!" |eval msg=if( (START!="X") AND (END="X") AND (PASS>120),"Job_Start no Job_End after "+PASS,msg) |eval msg=if( (START!="X") AND (END!="X") AND (PASS>120),"Job_Start with Job_End after "+DUR,msg) |eval host="server"| eval source="mylog" |eval displaythis="LOG:"+source+"__"+msg+"__[test]" | eval TimeStamp=strftime(now(),"%Y%m%d.%H%M%S") | table TimeStamp host displaythis ... the schedule is running... still have to test its real effects... Now, some advice or help about what did above, and WHAT COULD BE DONE BETTER AND MORE EFFICIENTLY ? ... View more

Hi there. Should we have Indexers issue, or SearchHeads ones? We have many many many (more than 200) scheduled savedsearches, interactive Dashboards running with automatic refreshes etc.. Recently, i saw an high, very high delay over scheduling time, and dispatching the search... _time savedsearch_name Scheduled_Time Dispath_Time Time_Diff 2020-03-12 16:15:19.941 Saved_Search1 03/12/2020 16:05:00 03/12/2020 16:15:19 10:19 2020-03-12 16:15:19.626 Saved_Search2 03/12/2020 16:05:00 03/12/2020 16:15:19 10:19 2020-03-12 16:15:19.446 Saved_Search3 03/12/2020 16:05:00 03/12/2020 16:15:18 10:18 2020-03-12 16:15:19.162 Saved_Search4 03/12/2020 16:05:00 03/12/2020 16:15:18 10:18 [...] Can the system be improved? How? Splunk Enterprise 7.0.0 SHs (3 nodes, clustered - no cpu issues) Indexers (4 nodes, not clustered - some cpu issues, recently we add 2 vCPU per node, issues resolved) Thanks. ... View more

Splunk Forwarder 7.0.2 (Windows 64 bit) Splunk Enterprise 7.0.0 (Linux) The strange problem: until 31/10, Europe TZ, logs are correctly indexed with this format (no Indexer props configured, set by default) [31/10/2019 23:59:55] [URL] [HTTP_RC] From 1/11, Splunk starts switching %m & %d in USA_TZ, so [01/11/2019 00:00:00] [URL] [HTTP_RC] become with timestamp (Europe) == 11/01/2019 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! And also today, i have 11/05/2019, but logs are [05/11/2019 00:00:00] [URL] [HTTP_RC] Why??????????????????? I know i should force the props in Indexers, such as, CHARSET = UTF-8 TIME_FORMAT = %d/%m/%Y %T SHOULD_LINEMERGE = false NO_BINARY_CHECK = true But why until 31/10 i have NO DATE PARSING problem at all? Suggestions? Thanks. ... View more

As in object, it's a strange behaviour, i can't use an IN clausole with host field in a map search. Here's my search, |inputlookup list.csv|where tag="locals" |map maxsearches=50 search="search index=* host IN($hostnames$) source=$source$|table host,source" First line works, all fields are passed to map (i also tried a display fields in the map search, and all fields are ok). Second line, the map, does not work with IN clausole and "hostnames" field with more than 1 host. list.csv NOT WORKING tag hostnames source locals host1,host2 /tmp/*logs locals host1,host2 /tmp/*TXT locals host1,host2 /tmp/*json WORKING tag hostnames source locals host1 /tmp/*logs locals host2 /tmp/*logs locals host1 /tmp/*TXT locals host2 /tmp/*TXT locals host1 /tmp/*json locals host2 /tmp/*json I also tried a host IN(*$hostnames$*) but this is like an IN(**), variable seems to be null, but i can display if i try a |makeresults|eval host=$hostnames$|table host Why? Suggestions? ... View more