Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About kundeng
kundeng
Path Finder
Member since:
12-02-2013
02-27-2026
Community Statistics
| Posts | 50 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 6 |
| Member Since | 12-02-2013 |
Activity Feed
- Posted Re: Splunk MCP server only returns status and result count on All Apps and Add-ons. 02-27-2026 09:17 AM
- Posted Re: Splunk MCP server only returns status and result count on All Apps and Add-ons. 02-27-2026 08:10 AM
- Posted Re: Splunk MCP server only returns status and result count on All Apps and Add-ons. 02-19-2026 02:32 PM
- Posted Re: KVStore does not start when running Splunk 9.4 on Deployment Architecture. 07-27-2025 05:31 PM
- Posted Re: spl2 module upload successful, and testing is also successful but it's nowhere to be found. on Splunk Search. 07-22-2025 11:06 PM
- Posted Re: spl2 module upload successful, and testing is also successful but it's nowhere to be found. on Splunk Search. 07-21-2025 07:22 PM
- Posted spl2 module upload successful, and testing is also successful but it's nowhere to be found. on Splunk Search. 07-21-2025 06:52 PM
- Posted Re: Can I add python modules to the Splunk environment? on Splunk Dev. 05-01-2025 10:59 PM
- Posted Re: App Exporter on All Apps and Add-ons. 01-24-2024 10:57 AM
- Posted Re: Why is the KV Store status is showing as "starting" in Search Head Cluster? on Deployment Architecture. 04-20-2023 07:39 AM
- Got Karma for Re: Can an Heavy-Forwarder just raw forward and not parsing?. 02-14-2023 01:16 AM
- Posted Re: Can an Heavy-Forwarder just raw forward and not parsing? on Getting Data In. 02-09-2023 05:23 PM
- Posted Re: Intermediate Heavy Forwarder setup on Getting Data In. 01-30-2023 04:56 PM
- Got Karma for Re: How to delete local changes to knowledge objects in a search head cluster?. 10-12-2021 04:10 PM
- Posted Why is shc captain flapping- constant election going on every several minutes? on Deployment Architecture. 06-08-2021 02:28 PM
- Posted Re: Need a best practice guide on entity management in ITSI on Splunk ITSI. 07-28-2020 07:32 AM
- Posted Need a best practice guide on entity management in ITSI on Splunk ITSI. 07-27-2020 12:54 PM
- Got Karma for Re: Recieving error "Access is denied" when trying to deploy 'splunk apply shcluster-bundle'?. 06-05-2020 12:47 AM
- Got Karma for Re: How to delete local changes to knowledge objects in a search head cluster?. 06-05-2020 12:47 AM
- Got Karma for Does the anomalies command work at all?. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-26-2018
03:33 PM
I think I figured it out.
The splunk documentation is wrong.
http://docs.splunk.com/Documentation/Splunk/7.2.0/AdvancedDev/ModInputsStream#Streaming_example_.28XML_mode.29
The setting to force using input-layer timestamp should be
DATETIME_CONFIG = NONE (or CURRENT)
... View more
10-25-2018
04:20 PM
splunk modular input xml streaming mode allows specifying timestamp explicitly for each event. But it is not working for me.
Instead, splunk tries to find the event in the raw data and use index time if it is unavailable.
For example, my XML looks like this, and it would take 20150324111100 as the timestamp instead of 1540488716
I have also configured props.conf according to a hint in the documentation and it doesn't work either.
http://docs.splunk.com/Documentation/Splunk/7.2.0/AdvancedDev/ModInputsStream#Streaming_example_.28XML_mode.29
Modify $SPLUNK_HOME/etc/apps/myapp/default/props.conf
[my_config]
SHOULD_LINEMERGE = false
2018-10-25 13:31:56,858 INFO the xml file looks like
<stream><event stanza="hl7_modular_input://test"><index>main</index><time>1540488716</time><sourcetype>hl7</sourcetype><data>MSH|^~\&|EPIC|GMC||GMC|20150324111100|RECRN|ADT^A10|725308|T|2.3|||||||||
EVN|A10|20150324111100||ADT_EVENT|Model User^RECOVERY^NURSE^^^^^^OHSA^^^^^GMC1|20150320125007|
PID|1||3100068670^^^EPI^MR||OPTIME^TESTAVS||19950320|M|||^^^^^US^P|||||||6100212816|636-99-9512|||||||||||N||
PD1|||GRANT MEDICAL CENTER^^1013100|||||||||||||||
PV1|1|O|GSAG^OR ^OR^GMC1^^^^^^^DEPID|EL|||13020^LOMBARDI^ADOLPH^V^^^^^STARPROV^^^^STARPROV|||Surgery|PACG^^^GMC1^^^^^^^DEPID|||Phys/Clinic|||13020^LOMBARDI^ADOLPH^V^^^^^STARPROV^^^^STARPROV|OP SURGERY|6100212816|SELF||||||||||||||||||||||^^^GMC1^^^^^^^|^^^^^^^^^^|20150320125007||||||22150790003
PV2||GENERAL||||||20150320130000|||||||||||||n|N|||||||||||||||||||||||||||
ZPV||||||||||||20150320125007|||||||||
AL1|1|Drug Class|45202^NO KNOWN ALLERGIES^||||||
GT1|1|100046657|OPTIME^TESTAVS^^||^^^^^US|||19950320|M|P/F|SLF|636-99-9512|||||||||||||||||||||||||||||||||||||
</data></event></stream>
... View more
08-22-2018
10:29 AM
This is not cool, now I have to do this.
SELECT TO_TIMESTAMP('1970-01-01 00:00:00.0'
,'YYYY-MM-DD HH24:MI:SS.FF'
) + NUMTODSINTERVAL(r.TIMESTAMPfield, 'SECOND') AS event_date, r.* FROM r where ID> ? ORDER by ID
... View more
08-18-2017
10:27 AM
2 Karma
splunk should provide a simpler way for this on their GUI.
... View more
05-25-2016
08:08 AM
doesn't seem to really answer the question. I'm debugging someone's custom alert, and I don't want to change his code yet. So where are stderr stored, maybe it IS lost?
... View more
05-13-2016
07:45 AM
Did you solve this issue? I have the exact problem. dbx version is 1.1.6.
... View more
03-03-2016
11:31 AM
Did you find the answer to your question?
... View more
11-30-2015
01:43 PM
note this only works for the pretrained indexed extraction type such as w3c. For any other sourcetype, you do need to use a heavy forwarder.
... View more
11-30-2015
01:41 PM
I tested this, there is no need to change sourcetype. Just configure your sedcmd at the universal forwarder and it works just fine.
... View more
11-23-2015
01:18 PM
Can someone post a final and working example for using kvstore for time based lookup? Maybe splunk should post it on their blog or in their documentation?
It seems that the confusing issues are the following:
when we populate the lookup table, should we write out _time or convert(_time)?
in kvstore collection, do we need to specify the type of the time field or not?
If yes to 1, should it be specified as number or string or time.
in lookup definition, should we leave the format empty or else.
... View more
05-18-2015
04:52 PM
1 Karma
Hi, I have the same issue. Documentation did not say the deployer has to be linux. Can anyone using windows deployer confirm it works? Maybe it's a configuration issue with windows 2012 server?
... View more
04-28-2015
08:34 PM
That is strange. I have the latest version which is Version 4.2.0.
... View more
04-27-2015
10:24 AM
In the 4.2.0 version of the Common Information Model Add-on Manual, it states clearly the Web object name should be tagged by "web". However, in the actual data model downloaded from splunkbase, the Web root is constrained with sourcetype=iis*. Is this a bug or am I missing something?
... View more
03-26-2015
12:11 PM
I tried to restart mongod on linux, but it requires some ssl lib file under splunk/lib.
Anyone has tried and successfully restarted mongod service?
... View more
03-24-2015
01:45 PM
Can you get me in touch with the winner of that app as well. Thanks.
... View more
02-22-2015
04:52 PM
It seems that the lookup table for defining extra fields in datamodel can not be a dblookup (database lookup)? Can someone confirm this is the case and not a bug?
The dblookup works fine in standalone search, but I am not able to make it to work in datamodel editor.
... View more
07-25-2014
07:57 AM
Hi, it turns out the problem is with self-signed server certificate for splunkd. If you manually import the certificate into firefox and it should work. Note this only works with firefox, for chrome, the certificate has to match the server name, and so even if you import it into chrome, it still might not work.
... View more
07-18-2014
08:48 AM
Has anybody used the searchTemplate with searchPostProcess with single element? I simply can't get it to work. It always shows 0.
If I run the concatenated search, it works fine. What's wrong? Here is the snippet of the code:
<searchTemplate>
<![CDATA[
sourcetype=sitescope Capsuletech: host="UHSISMONCPRA*" | regex
source="SiteScope\d{4}_\d{2}_\d{2}(?<!v2)\.log"
| head 2000 ]]> </searchTemplate>
inside the "dashboard" element.
Then in a single element, I have
<searchPostProcess>search NOT UHCASSPR* | dedup MonitorName sortby -_time | stats count as total</searchPostProcess>
<field>total </field>
... View more
06-30-2014
09:04 PM
Hi,
Has anyone actually tried the CORS in splunk?
I configured the following in server.conf, but I can't get the splunkjs to access splunk instance on a different machine than a web2py server. Is there anything that I need to change on client/javascript side?
[httpServer]
crossOriginSharingPolicy = *
... View more
06-19-2014
07:26 AM
So here is the query that is being tested and it needs to be tweaked to further reduce false positives.
index=interfaces earliest=-10d latest=@d | bucket _time span=10m | stats count by _time sourcesession | eval timeOfDay=strftime(_time,"%H:%M") | stats p5(count) as perc5 p95(count) as perc95 by timeOfDay sourcesession | append [ search index=interfaces earliest=-40m latest=-10m | bucket _time span=10m | eval timeOfDay=strftime(_time,"%H:%M") | stats count by timeOfDay sourcesession |fillnull ]
| stats first(perc5) as perc5 first(perc95) as perc95 first(count) as count by timeOfDay sourcesession | eval etime=strptime(timeOfDay,"%H:%M") | where etime>=relative_time(now(),"-40m") AND etime<relative_time(now(),"-10m") | fillnull | where (count<perc5) | fields - etime | sort sourcesession timeOfDay | stats count by sourcesession |search count>=3
... View more
06-16-2014
09:28 AM
doesn't quite work yet. Besides some errors:
*"stats count by _time sourcesession" should be added before eval.
*typo "start"
There are two intertwining problems in result table. Suppose current time is 10:20, and suppose between 9:00-10:00, there is NO data at all for a sourcesession.
1. The abnormal row will be filtered out, because it's count==NULL. However, if I fill NULL count with 0,
2. then I will include extra rows such as rows for timeofday=11:00, because its count is also NULL.
How do I deal with this?
... View more
06-13-2014
03:08 PM
Hi, I have a query that is meant to compare longitudinal count of an event of a given day (e.g. today) with historical longitudinal percentiles.
query 1:
index=interfaces sourcesession="MICHART_SIU_HL7_INBOUND" [`define_relative_week(1)`] date_wday!=saturday date_wday!=sunday | bin _time span=20m | stats count as count by _time | eval timeofday=tonumber(strftime(_time, "%H"))*3600 + tonumber(strftime(_time,"%M"))*60 | stats perc5(count) as perc5 perc95(count) as perc95 by timeofday | eval timeofday= tostring(timeofday,"duration") | join type=outer timeofday [search index=interfaces sourcesession="MICHART_SIU_HL7_INBOUND" | bin _time span=20m | eval timeofday=tonumber(strftime(_time, "%H"))*3600 + tonumber(strftime(_time,"%M"))*60| eval timeofday= tostring(timeofday,"duration")| stats count by timeofday] |sort timeofday
where define_relative_week is a macro:
stats count | addinfo | eval earliest=(info_min_time-604800*$n$) | eval earliest=strftime(earliest,"%m/%d/%Y:%H:%M:%S") | eval latest=(info_max_time-86400) | eval latest=strftime(latest,"%m/%d/%Y:%H:%M:%S") | return earliest,latest
Basically, this search grabs historical data (previous week) and bins the time, and then compute percentile by binned time.
Some of the things that I'm grappling with are:
multiple event types.
How to generalize this to multiple event types? For example, I have many types of
events (e.g. with different sourcesession values). And recomputing the historical percentile for each type of events is going to be too much for computations.
Acceleration.
Suppose for now, there is only one event of interest. How can I further accelerate this search? I need to set-up an alarm by comparing current count with 5% and 95% percentiles for the same time period, and the saved alarm/search will run every 15 minutes and inspect the previous 15 minutes to see whether there is any anomaly.
I tried the following query which filters out irrelevant time ranges. But to my surprise it runs slower than the original query. Any insights why?
query 2:
| gentimes end=-1 increment=24h [stats count | addinfo | eval start=(info_min_time-604800*2) | eval start=strftime(start,"%m/%d/%y:%H:%M:00")| return start]
| rename starttime as earliest
| eval latest=earliest+20*60
| sort - earliest
| map maxsearches=99999
search="search earliest=$earliest$ latest=$latest$ index=interfaces sourcesession=MICHART_SIU_HL7_INBOUND " | ...
... View more
05-28-2014
04:57 PM
Please take a look the image attached.
It's private data but as you can see:
Splunk version is the most current 6.1.1
The search before piping into anomalies command
Calculates timechart of a counter A
Anomalies command uses as the option: field=A labelonly=true
... View more
05-28-2014
08:16 AM
1 Karma
Here is a simple example:
Server restarts at midnight, the anomalies command didn't really catch the drastic drop in event volumes.
I can't embed the image so here is the link:
i.imgur.com/a0nnbHK.png
... View more
- Tags:
- anomalies
- « Previous
-
- 1
- 2
- Next »
