I'm using splunk default simple http receiver that configured in heavy forwarder. 3rd party post the data using the heavy forwarder url. 2 hour window they post the data using some scripts or something. I have got a lot of traffic coming in. Splunk couldn't handle the request ... View more

Try this | inputlookup netdevices_new | search NOT [search index=network | rex field=_raw "^(?:[^ \n]* ){4}(?P[^ ]+)" | stats c by netdevice, ip | fields - c ] If you don't have both fields ip netdevice change your rex accordingly. Idea here is you need to pass both the field combination to search. If your lookup doesn't have all the possible combination you need to write another subsearch ... View more

What is the search interval you are running now? If possible share some sample data along with search ... View more

You need to increase the size in limits.conf or optimize your search like reduce the data size that needs to be processed by search intervals ... View more

Hi, Try this, .......uri_path="/landing/view/*" method=POST | stats dc(sessionId) as A by date_month | sort 0 date_month | appendcols [......."REBOOKED_ACTIONED" | stats dc(session_id) as B by date_month | sort 0 date_month ] | appendcols [ .......uri_path="/cancel/confirmed/*" method=POST | stats dc(sessionId) as C by date_month | sort 0 date_month ] Thanks, V ... View more

Try with chrome ... View more

Wats the expected format ... View more

Wat version of Splunk you are using ? ... View more

Wat browser you are using.? I guess tat should be supported by Splunk. If you are not getting internal logs.there should be a problem with your browser. Use chrome or mozilla ... View more

| head 1| table _raw Check it. index=_internal error ... Wats the index and sourcetype it source you are using.Can you share the sample data ... View more

Honestly I never tried it. You can try one by one.... ... View more

Is that helped? ... View more

Is that helped? ... View more

I have updated the search. Sorry for the typo. Pls check now ... View more

Is data has time zone on it? If you are using strftime it will convert based on your user settings... ... View more

Hi SecureIA, Try something like this, | stats latest(eval(if(status="loggedin",_time, null()))) as logon, latest(eval(if(status="logout",_time, null()))) as logoff by <host, device, sessiond, msg_id> | eval logoff=if(logoff<logon OR isnull(logoff), "Live",logoff)) | eval logon=if(isnull(logon,"Not in time Range",logon) | eval duration=tostring(logoff-logon,"duration") | eval logon=if(isint(logon),strftime(logon,"%+"), logon) | eval logoff=if(isint(logoff),strftime(logoff,"%+"), logoff) stats's by class i've mentioned some random fields, you can change based on your search. I guess remaining will help you, Note: Assuming you have a field called status that can identify the even is logon or logoff. If not you can use the _raw to define. I prefer instead of checking raw extract a field and name it as status. stauts="loggedin" => _raw like "%logged in%" status="logout" => _raw like "%logged out%" Thanks, V ... View more

Hi athorat I face the similar issue, in my case the user timezone was the problem. In Spunk web, click your name and edit your account and save time zone as default system time zone and try. Thanks, V ... View more

I got you..... in windows you need to add another parameter for host name in server.conf [general] hostnameOption = <ASCII string> * The option used to specify the detail in the server name used to identify this Splunk instance. * Can be one of "fullyqualifiedname" , "clustername", "shortname" * Is applicable to Windows only * Shall not be an empty string Updating previous answer with this option ... View more

Are you positive you have updated in system local? Restart the service and check once... Use btool command to check your inputs and server conf ... View more

Restart the server after configure the host name to see the changes. Accept the answer if it solves your issue. ... View more

Hi Kollerj, Try to update like this, $SPLUNK_HOME/etc/system/local/server.conf [general] serverName = <host_name> $SPLUNK_HOME/etc/system/local/inputs.conf [default] host = <host_name> Check your other inputs.conf from other apps have host entry or not? I guess the apps you are on-boarding or monitoring inputs.conf has older entry. Or you can use the below CLI commands, ./splunk set servername <host> ./splunk set default-hostname <host> For windows you need to update server.conf's general stanza with additional option [general] hostnameOption = <ASCII string> * The option used to specify the detail in the server name used to identify this Splunk instance. * Can be one of "fullyqualifiedname" , "clustername", "shortname" * Is applicable to Windows only * Shall not be an empty string Ref: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf Thanks, V ... View more