Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About anil1432
anil1432
Explorer
Member since:
02-06-2020
03-04-2022
Community Statistics
| Posts | 60 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 02-06-2020 |
Activity Feed
- Posted How to search data usage by sourcetype on Getting Data In. 02-15-2022 10:27 PM
- Posted Re: Logs are not genarating , root cause is TailReafer on Splunk Enterprise. 01-26-2022 11:56 PM
- Posted Logs are not genarating , root cause is TailReafer on Splunk Enterprise. 01-26-2022 04:53 AM
- Posted Re: Why am I getting the error"Unable to distribute to peer named X.X.X.X:YYYY at uri=X.X.X.X:YYYY using the uri-s on Getting Data In. 12-20-2021 10:59 PM
- Posted Re: Log events are missing on Getting Data In. 12-06-2021 06:31 PM
- Posted Re: Log events are missing on Getting Data In. 12-05-2021 09:49 PM
- Posted Re: Log events are missing on Getting Data In. 12-05-2021 09:04 PM
- Posted Re: Log events are missing on Getting Data In. 12-05-2021 08:56 PM
- Posted Re: Unable to export millions of records on Getting Data In. 12-05-2021 08:48 PM
- Posted Unable to export millions of records on Getting Data In. 12-05-2021 07:55 PM
- Posted Log events are missing on Getting Data In. 12-05-2021 07:40 PM
- Posted Re: Remove closed search heads in our splunk cluster Or Master on Deployment Architecture. 11-11-2021 07:51 PM
- Posted How to find last 3 months data usage and what logs are genarated on Getting Data In. 11-09-2021 11:59 PM
- Posted Remove closed search heads in our splunk cluster Or Master on Deployment Architecture. 10-19-2021 11:10 PM
- Posted Search peer went down on Splunk Enterprise. 09-14-2021 11:09 PM
- Posted Issue in Splunk Cluster on Monitoring Splunk. 09-13-2021 10:45 PM
- Posted SENS STG Splunk new alerts unable to send emails on Alerting. 08-05-2021 11:37 PM
- Posted Re: Unnable to Access the splunk search page on Splunk Enterprise. 06-30-2021 03:13 AM
- Posted Re: Unnable to Access the splunk search page on Splunk Enterprise. 06-30-2021 03:11 AM
- Posted Unnable to Access the splunk search page on Splunk Enterprise. 06-30-2021 12:41 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-21-2021
03:32 AM
We have new servers in which we installed new Splunk forwarders that are running fine. In case of a system reboot, we would like to also start it up automatically. I noticed that our old servers has this file /etc/rc.d/init.d/splunk which is described in this guide https://docs.splunk.com/Documentation/Splunk/7.3.2/Admin/ConfigureSplunktostartatboottime We don’t know who configured it for our old servers, but may I confirm that I need to follow the steps in the previous link and that I also need to be a root user to run splunk enable boot-start -user <preferred user>?. Please can you give brief explanation and solutions please
... View more
Labels
- Labels:
-
installation
06-13-2021
08:39 PM
Good morning. I added new PRD Splunk forwarders and sourcetypes last Wednesday night, June 9. I can see the events in sourcetype list, but I cannot see the events listed at all when using search for sourcetypes starting with "sens2". We have been conducting load tests since last Thursday, June 10. We also can't see the events an hour ago. User=user_sens, no events listed for sourcetypes "sens2-ntfapi-dsl-order", "sens2-ntfapi-api-order-async", "sens2-ntfapi-api-order-async-performance", "sens2-ntfapi-api-basic", "sens2-ntfapi-api-basic-performance" since Thursday last week. The count shows a lot of events collected. We only started logging last Thursday to PRD Splunk.
... View more
06-13-2021
07:20 PM
If I give capital "T" in place of small "t" then my logs started genarating . What might be the solution
... View more
06-13-2021
07:15 PM
I have one file which is monitoring from 1 year in deployment server in inputs my file name is sourcetype: D:\Applications\Smartfill-tools\*\logs\*.log . I received my logs correctly till 2nd April , but after that m geeting error like this And also file is modified automatically on March 18th D:\Applications\Smartfill-tools\*\logs\*.log To D:\Applications\Smartfill-Tools\*\logs\*.log and if I check with this D:\Applications\Smartfill-Tools\*\logs\*.log again my logs are coming. But I don't know how file path name is modified . And also deployment server in inputs the file path is D:\Applications\Smartfill-tools\*\logs\*.log and if I change to this D:\Applications\Smartfill-Tools\*\logs\*.log and deployed .then if I check in search then my logs are coming. I want to know how file path is modified automatically and also small change small "t" to capital "T" is changed . If you want more information please reach me out
... View more
06-13-2021
08:10 AM
Sorry I didn't get your solution and what your trying to convey is some thing difficult to me please explore in brief please
... View more
06-10-2021
10:20 PM
So I need to delete only events from my from my logs. i.e from 17/05/2021 to delete events . How can I ?
... View more
06-10-2021
09:38 AM
Hi All, How can I delete my logs permanently Request to delete old Splunk logs for EMS and Truvue webservices that are older than 05/17/2021. * Long Description Request to delete old Splunk logs for EMS (App id: 2926) and Truvue webservices (App id: 637) that are older than 05/17/2021 as required by Experian GSO as these logs contained plain text Pll data. As part of an Insider Threat audit currently being performed the following Splunk index was flagged as containing clear text Pll data originating from a production host. eits_ec_prod_us Items in Index: Name/Address/DOB/SSN Host names: mckecpap043v mckecpap044 I alnecsap456V alnecsap455v Source = /logs/TRUVUEWS_V6/TRUVUEWS_V6-std.log
... View more
Labels
- Labels:
-
search job inspector
06-10-2021
12:13 AM
Hii everyone, Please can any one do splunk query optimization. Phenomenon we are facing The report count looks incorrect and we could see this error as below. --- [subsearch]: Subsearch produced 2602757 results, truncating to maxout 2000000. And this is my query (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010 | fields event_id platform | fields - _raw | stats count by event_id platform | dedup event_id | rename event_id as easy_id | table easy_id platform | join type=left easy_id [search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010 | fields event_id | fields - _raw | stats count by event_id | rename event_id as easy_id | table easy_id | eval retentionFlg=1] | eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str | addcoltotals labelfield=platform_str | eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100 |eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00" |eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59" |eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d") ." 00:00:00" |eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d") ." 23:59:59" | table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate. please provide me a solution
... View more
Labels
- Labels:
-
join
06-09-2021
11:15 PM
Can you please solve the query . Issue with limits.conf (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010 | fields event_id platform | fields - _raw | stats count by event_id platform | dedup event_id | rename event_id as easy_id | table easy_id platform | join type=left easy_id [search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010 | fields event_id | fields - _raw | stats count by event_id | rename event_id as easy_id | table easy_id | eval retentionFlg=1] | eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str | addcoltotals labelfield=platform_str | eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100 |eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00" |eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59" |eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d") ." 00:00:00" |eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d") ." 23:59:59" | table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate
... View more
06-04-2021
03:04 AM
As far as I can explain this background, we have been using Splunk to know business conditions but we faced the issue on the Splunk. That issue is that when we tried to see User's 7day's churn rate, we were using that query on Splunk which I shared with you on previous e-mail. However, from around Feburary, churn rate was suddenly sprung up on our demographic tools as I attached capture image (we connect with Splunk report with DOMO). And we found that this issue is caused by .limitconf settings. This is the reason why I asked a question to change the settings. I would like to provide you more infromation, but I could not do that due to not having more additional information.
... View more
06-03-2021
06:53 PM
I need to know more details about splunk usage for Paas/Rpaas users. Can you define us some brief explanation please. Thanks in advance
... View more
Labels
- Labels:
-
search job inspector
06-03-2021
07:53 AM
If we increase the subserach limit to 3000000 any issue / problem will occur ?
... View more
06-03-2021
07:29 AM
Okay let me see , if it works , But you suggest me that we should not change limits to limits =3000000010 right? So if we do that any problem will occur? So better we should reduce the query and run the search right 😊
... View more
06-03-2021
07:11 AM
So can I use summary index to get correct count? For this issue or?
... View more
06-03-2021
07:10 AM
Actually I am facing this issue sir, I would like to ask a question about changing settings of Splunk. We have been using Splunk for few years for now. currently we are facing issues that Splunk can not dsplay results correctly. ■Background History We observe users churn rate through Splunk by using query. ■Phenomenon we are facing The report count looks incorrect and we could see this error as below. --- [subsearch]: Subsearch produced 2602757 results, truncating to maxout 2000000. --- ■Question As we investigated through some docs, I guess we have a option to change the upper limits by changing "limits.conf". Would it be possible to change limits from current 2,000,000 to 3,000,000 or 3,500,000 ?
... View more
06-03-2021
06:10 AM
And also I want to solve subsearch error. I will arrange in neat query (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010 | fields event_id platform | fields - _raw | stats count by event_id platform | dedup event_id | rename event_id as easy_id | table easy_id platform | join type=left easy_id [search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010 | fields event_id | fields - _raw | stats count by event_id | rename event_id as easy_id | table easy_id | eval retentionFlg=1] | eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str | addcoltotals labelfield=platform_str | eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100 |eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00" |eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59" |eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d") ." 00:00:00" |eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d") ." 23:59:59" | table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate.
... View more
06-03-2021
06:04 AM
This is. My query and I want to know my summary index (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010 | fields event_id platform | fields - _raw | stats count by event_id platform | dedup event_id | rename event_id as easy_id | table easy_id platform | join type=left easy_id [search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010 | fields event_id | fields - _raw | stats count by event_id | rename event_id as easy_id | table easy_id | eval retentionFlg=1] | eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str | addcoltotals labelfield=platform_str | eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100 |eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00" |eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59" |eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d") ." 00:00:00" |eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d") ." 23:59:59" | table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate
... View more
06-03-2021
06:02 AM
Okay thanks for your answer 1)If user have separate index and if we can have any problem regarding sub search . can I troubleshoot from summary index? To get the correct report count Like mentioning summary index =index And some query To solve Phenomenon we are facing The report count looks incorrect and we could see this error as below. --- [subsearch]: Subsearch produced 2602757 results, truncating to maxout 2000000. For user if I run a query
... View more
06-03-2021
04:44 AM
I have a question please summary index is like mixup up of all indexes? Like index 1 , index2 , index 3..... Combination of these three index data is stored in summary index ? . Or else one entire index is summary index? Please confirm me this plz Thanks in advance for you support
... View more
06-03-2021
03:06 AM
How to know that , how my summary index is implemented?. I know that only uses for implementing scheduled searches and reports . May I know it's correct . Otherwise can please you please provide me some solution . How to find out that our summary index is implemented Thanks in advance
... View more
Labels
06-02-2021
05:12 AM
1.(host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010 | fields event_id platform | fields - _raw | stats count by event_id platform | dedup event_id | rename event_id as easy_id | table easy_id platform | join type=left easy_id 2.[search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010 | fields event_id | fields - _raw | stats count by event_id | rename event_id as easy_id | table easy_id | eval retentionFlg=1] 3. | eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str | addcoltotals labelfield=platform_str | eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100 |eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00" |eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59" |eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d") ." 00:00:00" |eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d") ." 23:59:59" | table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate. This is you want me do sir or anything else do I need to do Can you give me suggestions Thanks in advance
... View more
06-01-2021
11:15 PM
This is my query sir, (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-60d@d latest=-30d@d id!=3000000010 | fields event_id platform | fields - _raw | stats count by event_id platform | dedup event_id | rename event_id as easy_id | table easy_id platform | join type=left easy_id [search (host=wscreenapi3* OR host=tracking-api-release) name="RegisteredUserLog" earliest=-30d@d latest=@d id!=3000000010 | fields event_id | fields - _raw | stats count by event_id | rename event_id as easy_id | table easy_id | eval retentionFlg=1] | eval platform_str=if(platform="0","Android",if(platform="1","iPhone",if(platform="2","Web (Android)",if(platform="3","Web (iPhone)","Unknown"))))| stats count(easy_id) as basedUserCount sum(retentionFlg) as retentionUserCount by platform_str | addcoltotals labelfield=platform_str | eval customerChurnRate=(basedUserCount - retentionUserCount) / basedUserCount * 100 |eval baseUserListDateFrom = strftime(relative_time(now(),"-60d@d"), "%Y/%m/%d")." 00:00:00" |eval baseUserListDateTo = strftime(relative_time(now(),"-31d@d"), "%Y/%m/%d")." 23:59:59" |eval compareUserListDateFrom = strftime(relative_time(now(),"-30d@d"), "%Y/%m/%d") ." 00:00:00" |eval compareUserListDateTo = strftime(relative_time(now(),"-1d@d"), "%Y/%m/%d") ." 23:59:59" | table baseUserListDateFrom baseUserListDateTo compareUserListDateFrom compareUserListDateTo platform_str basedUserCount retentionUserCount customerChurnRate. Can you please help me further plz
... View more
06-01-2021
10:59 PM
@bowesmana Thank you very much it's very helpful 😊😊🤘
... View more
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-04-2022
01:37 AM
|
