I need to get printer snmp data to splunk, can anybody explain step by step procedure. ... View more

What is the _time precedence for collect command? ... View more

What is the steps for indexers in cluster? ... View more

Can we move this answer as comment to the question, since it is not the answer to the question asked. index=indexname | collect index=si What is the _time precedence if I run this command. The same _time of index=indexname should retain? ... View more

But when I try simple below query its taking the current system time instead of _time of event. index=indexname | collect index=si I want the events in the summary index to retain the _time as it is in the primary index. But it's storing the current system time. ... View more

But when I try simple below query its taking the current system time instead of _time of event. index=indexname | collect index=si I want the events in the summary index to retain the _time as it is in the primary index. But it's storing the current system time. ... View more

@araitz , please check n help... ... View more

But when I try simple below query its taking the current system time instead of _time of event. index=indexname | collect index=si I want the events in the summary index to retain the _time as it is in the primary index. But it's storing the current system time. ... View more

@TStrauch , @renjith.nair for me _time and sourcetype is crucial so how to retain and index back the data. please see my above comments. ... View more

Got the solution, Under Excluded properties, just need to mention the fieldnames which i dont want to index. description, comments the space after comma is important in older versions of service now addon, else it didn't work donno why. ... View more

Thought to export the required data in csv file and upload it again after cleaning the complete index. if I use default sourcetype csv while uploading the file, the _time is syncing perfectly fine with my _time in csv file. But I need to retain my souretype name. so I cloned csv sourcetype with required sourcetype name and then when uploading the csv file back to cleaned index the _time is taking current system time. ... View more

Important fields which need to be retained: _time, sourcetype Few steps which I followed but couldn't succeed. Using Summary Index Has a Backup index. index="main_primary_index" "search filter terms for specific data" | table _time , required_field1,required_field2,required_field3... | collect index=bkp_index sourcetype="required_st_name" Problem: _time is taking current system time, tried all the possible scenarios like strptime, strftime, convert ctime in collect command there is no arguments to retain _time as it is. ... View more

index=indexname host=server1 | delete I have done the same way, because i don't want those data to come up in search. Since i have huge hard disk capacity so no tension with junk unwanted data which i filter out search query itself. My Splunk Architecture, 4 indexer in cluster. Now the problem is, when I push some new configuration to indexers through cluster master, sometimes it does rolling restart, and when rolling restart happens, the above deleted events will again show up in search results. May be due to replication factor it again shows up. Please suggest how to avoid it from showing it again. ... View more

I configured for windows, with the step by step setup guide, it's working perfectly fine. https://wiki.splunk.com/Community:Run_multiple_Splunks_on_one_machine ... View more

If data is huge, it will take long time, and also the default limit is 200MB, if it crosses in the evaluation then you might end up in improper results. If you are ok, with time and memory consumption. ... View more

For me, when I searched and verified, I got the earliest event ... View more

If we restart heavy forwarder, does it lead to data loss? as forwarder will be forwarding data in real-time. ... View more

what if the fields sequence changes.. 2015-08-07T18:59:32.388226Z pnews-api 1.1.2.1:5681 10.4.0.81:8081 0.000049 0.002743 0.000021 200 200 0 686 "GET https://xyz.xyz.com:443/news-content/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0; GomezAgent 3.0) Gecko/20100101 Firefox/24.0" ECDHE-RSA-AES128-SHA TLSv1 2015-08-07T18:59:32.388226Z pnews-api Gecko/20100101 Firefox/24.0" ECDHE-RSA-AES128-SHA TLSv1 1.1.2.1:5681 10.4.0.81:8081 0.000049 0.002743 0.000021 200 200 0 686 "GET https://xyz.xyz.com:443/news-content/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0; GomezAgent 3.0) ... View more

Same Here, waiting for answers ++ how to remove hide: save as,clear,navigation bar,collapsible icon. ... View more

What if this sequence is not in order: avgtemp 50 hottemp 50 tempalert y tempflag y etc avgtemp 50 tempalert y tempflag y etc hottemp 50 ? ... View more

Yes, same problem ... there should be some option to increase the trellis limit per page. As each row will display 6 viz per row, so it will look like : VIZ VIZ VIZ VIZ VIZ VIZ VIZ VIZ VIZ VIZ VIZ VIZ VIZ VIZ <1,2> I have 21 Sourcetypes, so just for one more viz i need to click 2nd page, when there are places in the first screen itself. ... View more

comments="asdfhksdkjf"sdfkjh" sdfa ", sdfasf", --> does it removes the complete thing or just "asdfhksdkjf" ? ... View more