Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About jayannah
jayannah
Builder
Member since:
03-29-2013
09-17-2025
Community Statistics
| Posts | 131 |
| Solutions | 21 |
| Karma Given | 35 |
| Karma Received | 90 |
| Member Since | 03-29-2013 |
Activity Feed
- Got Karma for Re: how to pass time span in datamodel. 07-07-2025 11:36 AM
- Got Karma for Re: how many clients can one deployment server manage?. 03-09-2021 02:03 AM
- Karma Re: How can i change the permissions of dynamically created Tags through REST API ? for kartik13. 06-05-2020 12:48 AM
- Karma how to mask data in data model? for viswanathsd. 06-05-2020 12:47 AM
- Karma Search for event field that can 'potentially' contain NULL values for kenth213. 06-05-2020 12:47 AM
- Karma Re: Why is the "map" command not working in dashboard and the corresponding panel displays "Waiting for inputs"? for wpreston. 06-05-2020 12:47 AM
- Karma Re: Should we have Splunk deployment server and cluster master on the same instance? Recommendations please! for mahamed_splunk. 06-05-2020 12:47 AM
- Karma Re: rex expression without resorting to mode=sed for somesoni2. 06-05-2020 12:47 AM
- Karma Re: EventStats count Function for tom_frotscher. 06-05-2020 12:47 AM
- Karma Re: How to forward all events to a single index, but filter out all splunkd sourcetype events that contain "INFO"? for mwilson788. 06-05-2020 12:47 AM
- Karma Re: Unable to view the field created using rex for richgalloway. 06-05-2020 12:47 AM
- Karma Re: Search Head Clustering - Deployer can't contact license master for dflodstrom. 06-05-2020 12:47 AM
- Karma Re: Why am I getting different results between these 2 searches? for MuS. 06-05-2020 12:47 AM
- Karma Re: Splunk query filtering on lookup table csv for Ayn. 06-05-2020 12:47 AM
- Karma Re: When to use prestats command in tstats and its uses? for pedromvieira. 06-05-2020 12:47 AM
- Karma Re: Calculate a value based on multiple events for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Why are larger events are truncated (10000 bytes)? for yannK. 06-05-2020 12:47 AM
- Karma Using Splunk DB Connect 2 in a search head cluster, should database inputs originally set on the deployer be set to disabled or enabled? for sim_tcr. 06-05-2020 12:47 AM
- Karma Re: What is tstats and why is so much faster than stats? for ppablo. 06-05-2020 12:47 AM
- Karma Re: How to include an app name as a part of the search query? for martin_mueller. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 3 | |||
| 5 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 1 |
01-27-2015
08:11 AM
Yes, it's in universal forwarder inputs.conf
You can put inputs.conf file in ..etc/system/local/ or ..etc/app//local/ directory. Remember that ..etc/system/local configuration has the highest precedence.
If you are log source in say system-1 and the log file to be monitored in /log/file1, then you can install the Universal forwarder on system-1 and configure in inputs.conf to read the log file path /log/file1 either in ..etc/system/local/ or ..etc/app//local/ directory.
Please find many sample example at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf
... View more
01-27-2015
07:34 AM
9 Karma
For reading from all UFs, enabling listen on 9997 will suffice.
Inputs.conf
[splunktcp:9997]
For outputs.conf to send it to indexers and aswell as to 3rd party (3rd party meaning non splunk instance..correct??)
outputs.conf
[tcpout]
defaultGroup = default-autolb-group , thridparty_group
#Splunk indexers
[tcpout:default-autolb-group]
server = idx1:9997,idx2:9997,idx3:9997
autoLB = true
#send to 3rd party (non splunk instances)
[tcpout:thridparty_group]
server = ip1:port, ip2:port
autoLB = true
sendCookedData = false
P.S: sendCookedData = false will send the raw events and untouched prior to sending
... View more
01-27-2015
07:22 AM
4 Karma
Yesterday I had the similar issue. The rootcause was the indexer had the 6.0.2 and Cluster Master with 6.1.3. After upgrading the indexers to 6.1.3 (same version as CM), the problem resolved.
... View more
01-22-2015
08:26 PM
Whats the timezone set in Indexers and Search head?
... View more
01-20-2015
11:50 AM
Your question is but unclear. If I could understand ur question correctly, all the events are duplicated and you to show/use only 1 event.Correct? If yes, try dedup _raw command.
| dedup _raw
... View more
01-20-2015
06:17 AM
I too facing the same problem and I posted the query yesterday. Hope we will get the resolution.
http://answers.splunk.com/answers/209024/why-is-the-map-command-not-working-in-dashboard-an.html
... View more
01-20-2015
06:12 AM
The search has 2 parts.
part-1: index="sm" sourcetype="sm" | rename "Consumer No" as cn | stats count by cn
part-2: map search="search index=sm sourcetype=sm $cn$| timechart span=1h count | where count=0 | eval Consumer_no=$cn$"| convert ctime(_time) | stats values(_time) by Consumer_no
The token values for $cn$ for the 2nd search comes from the 1st search.
The search query is to find the timestamps values for consumer missing for which the event is not received for particular hour. Actually part-1 is little bigger query and I made it simple here for the discussion as the primary concern here is, whatever works in the search query doesn't work after saving it into dashboard. Why?
... View more
01-19-2015
04:57 PM
5 Karma
Hi
I wanted to find the missing timestamp for consumer numbers. We are expected to receive the data for each consumer's number for every 1 hour. If there are no events for any of the consumer numbers for any hour, such consumer numbers and missing hour should be displayed.
The below query gives the correct result as expected. The output of the below query gives the consumer numbers and its missing time hour information.
index="sm" sourcetype="sm" | rename "Consumer No" as cn | stats count by cn | map search="search index=sm sourcetype=sm $cn$| timechart span=1h count | where count=0 | eval Consumer_no=$cn$"| convert ctime(_time) | stats values(_time) by Consumer_no
I'm getting the following output as expected
Meter 1 31/08/2014 1:00
01/09/2014 13:00
Meter 2 29/08/2014 8:00
05/09/2014 12:00
Meter 3 05/09/2014 10:00
05/09/2014 15:00
Problem:
When saving the query into a dashboard, the same result is not displaying. I always see “waiting for inputs” in the corresponding panel in the dashboard and result never displays.
Can anyone help how to resolve this issue??
... View more
01-15-2015
01:12 PM
thats cool. Incase if you plan to use Heavy Forwarder between Uni. Forwarder and Indexer, then put these changes in Heavy forwarder aswell.
... View more
01-15-2015
07:31 AM
Hi Chris
Add one more configuration line BREAK_ONLY_BEFORE_DATE = false to your props.conf
[emailAlerts2]
BREAK_ONLY_BEFORE = \<EcomLogEntry\>
NO_BINARY_CHECK = 1
BREAK_ONLY_BEFORE_DATE = false
SHOULD_LINEMERGE = true
TIME_FORMAT = \d\d\d\d-\d\d-\d\dT\d\d:\d\d:\d\d-0500
TIME_PREFIX = Date\:
TRUNCATE = 0
BREAK_ONLY_BEFORE_DATE = false
... View more
01-14-2015
09:07 PM
try this
|eventstats count as field1_total by field1 | eval field1_false_count=if(field1=false,1,0) | eval field1_false_perc=((field1_false_count/field1_total_count) * 100)
... View more
01-14-2015
06:24 PM
2 Karma
"NOT FIELD2=*" returns the events where FIELD2 value is NULL.
For your case :
option-1: FIELD1=* AND (FIELD2=* OR NOT FIELD2=* )
Option-2: |fillnull value=SOMETHING FIELD2 | where FIELD1=* and FIELD2=*
option-1 is preferred.
let me know if it doesn't work.
... View more
01-14-2015
02:40 PM
Updated now.. anything in between angel brackets without space, will be removed after post in this website.
So,
1. I have put space after & before angel brackets. Please remove them.
2. Put back slash for both angel brackets.. (use escape characters for both angel brackets)
3. As richgalloway pointed, 1st TIME_PREFIX should be TIME_FORMAT
4. Remove the following lines
MAX_TIMESTAMP_LOOKAHEAD=25
LINE_BREAKER_LOOKBEHIND=500
try these steps and let us know.
... View more
01-14-2015
12:30 PM
I think your event start is correct?
Modify the BREAK_ONLY_BEFORE line to
BREAK_ONLY_BEFORE = \<EcomLogEntry\>
... View more
01-13-2015
09:01 PM
The below line will add new field previous_response_time with value of response_time of previous event.
| streamstats current=f last(response_time) as previous_response_time
Then, the below query gives you the % you want..
eval Perc_change= ((response_time - previous_response_time) /previous_response_time * 100)
Hope this helps..
... View more
01-13-2015
09:34 AM
Please share you props.conf file for the processing these events. What is the size of single event? Do you see this error for each event or how frequently?
... View more
01-12-2015
06:59 PM
use "delta" command for the difference in the current Vs previous value for the given parameter.
Refer for more details : http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Delta
E.g: For each event where the count field exists, compute the difference between count and its previous value and store the result in countdiff.
... | delta count AS countdiff
... View more
01-12-2015
05:53 PM
The following configuration for any splunk enterprise version (not for universal forwarder)
The below configuration send the data with sourcetype=mysourcetype to the 192.169.1.1 indexer and remaining data to 192.168.1.1 indexer.
Hope this configuration helps you.
props.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[mysourcetype]
TRANSFORMS-tcpfwd = sendtotcpreceiver
transforms.conf
~~~~~~~~~~~~~~~~~~~~~~~
[sendtotcpreceiver]
REGEX = .
DEST_KEY=_TCP_ROUTING
FORMAT=tcpreceivergroup
output.conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[tcpout]
defaultGroup = default-group
[tcpout: default-group]
server = 192.168.1.1:9997
[tcpout:tcpreceivergroup] <-- To Splunk indexer
server=192.169.1.1:7999
... View more
01-12-2015
09:29 AM
I see in your code you are using searchPostProcess, that mean you are have searchTemplate define (you haven't put in the question).
So for the searchTemplate, add following lines (As said bu chabfoli)
< earliestTime >$field1.earliest$< /earliestTime >
< latestTime >$field1.latest$< /latestTime >
Secondly, remove the < earliest > and < latest > tags for the searchPostProcess (which are just below searchPostProcess line in your example.. i.e line #24 as indicated).
... View more
01-12-2015
07:04 AM
By default, [source::] and [] stanzas match in a case-sensitive manner,
while [host::] stanzas match in a case-insensitive manner. This is a convenient default,
given that DNS names are case-insensitive.
... View more
01-08-2015
09:08 AM
2 Karma
Hi, Today I was working on similar requirement.. so here is example how you can use accelerated datamodel and create timechart with custom timespan using tstats command. You can't pass custome time span in Pivot.
index=abc earliest=01/08/2015:11:00:00 latest=01/08/2015:11:12:00 | timechart span=2m count
The equivalent is using tstats is
| tstats count where earliest=01/08/2015:11:00:00 latest=01/08/2015:11:12:00 index=abc groupby _time span=1m
For you requirement with datamodel name DataModel_ABC, use the below command
| tstats count from datamodel=DataModel_ABC where earliest=01/08/2015:11:00:00 latest=01/08/2015:11:12:00 groupby _time span=2m
Hope this will help all splunkers and you too.
... View more
01-07-2015
07:09 PM
2 Karma
chart (event tokens):
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The clicked field name is the name of the field or series for the y-Axis if present (similar to click.name2). If the name of the field or series is not available the field or category for the x-axis is used (click.name).
Data Property Description
click.name Name of the field or category for the x-axis. Not available when the legend has been clicked.
click.value Value of the field or category for the x-axis. Not available when the legend has been clicked.
click.name2 Name of the field or series for the y-axis.
click.value2 Value of the field or series for the y-axis. Not available when the legend has been clicked.
row. Any field values along the y-axis at the same point as the click on the x-axis. Not available when the legend has been clicked.
row. Value of the x-axis. Not available when the legend has been clicked.
earliest/latest Time range of the clicked chart segment, or if not applicable, the time range of the search.
For more details at http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML
... View more
01-07-2015
05:42 PM
Multiple combinations I tried and couldn't succeed. Finally restarted AWS instance and splunk web came up fine & running.
... View more
01-07-2015
05:13 PM
me too got this issue today on splunk running on AWS windows OS. Any suggestions??
Till yesterday I was able to login. Just I tried to login and noticed splunk web was not running. I restarted with 'splunk restart', splunk web comes & get terminated within few seconds. The same error as above.
... View more
01-07-2015
02:28 PM
While configuring alert, did you choose "Once" or "For each Result" for trigger action parameter?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-17-2025
12:21 PM
|
Karma from
