Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About sbbadri
sbbadri
Motivator
Member since:
12-11-2013
03-14-2023
Community Statistics
| Posts | 377 |
| Solutions | 48 |
| Karma Given | 11 |
| Karma Received | 74 |
| Member Since | 12-11-2013 |
Activity Feed
- Got Karma for Re: How to find out how many logs an index gets in a 24-hour period?. 05-22-2023 06:12 PM
- Got Karma for Re: How can I filter my search for a field only if the result is not a number?. 08-31-2021 02:30 PM
- Got Karma for Re: Props.conf timezone settings for Eastern? And do I need to reboot any peers?. 10-19-2020 04:59 AM
- Got Karma for Re: How do you btool inputs.conf?. 09-24-2020 06:18 AM
- Got Karma for Re: How to round a number to hundreds or thousands?. 08-28-2020 02:52 AM
- Got Karma for Re: Splunk App for Unix and Linux: How to modify netstat.sh to show PID/Program name?. 06-16-2020 05:06 PM
- Karma Re: How to remove a label that's not being searched using token? for niketn. 06-05-2020 12:49 AM
- Karma Re: Converting alphanumeric field to numeric values (39.6K:39600) for niketn. 06-05-2020 12:49 AM
- Karma Re: How to compare two field values and return a new field with a percent match between the two? for HeinzWaescher. 06-05-2020 12:49 AM
- Karma Re: How to sort strings based off a dictionary of values? for somesoni2. 06-05-2020 12:49 AM
- Karma Re: Reformat data into 2 dimensional table for charting for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Extraction error from log file for Sukisen1981. 06-05-2020 12:49 AM
- Karma Re: List of users accessing activesync for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: Splunk lookup using csv-keys as input and csv-values as output for DalJeanis. 06-05-2020 12:49 AM
- Got Karma for Re: Put the time into a column instead of a row. 06-05-2020 12:49 AM
- Got Karma for Re: Datetime to Date. 06-05-2020 12:49 AM
- Got Karma for Re: How do I delimit multivalue fields?. 06-05-2020 12:49 AM
- Got Karma for Re: How do I delimit multivalue fields?. 06-05-2020 12:49 AM
- Got Karma for Re: Getting Error from TailReader. 06-05-2020 12:49 AM
- Got Karma for Re: How to include additional field from inputlookup in results?. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-05-2017
07:20 AM
I hope below link helps you,
http://docs.splunk.com/Documentation/Splunk/6.6.2/RESTREF/RESTinput# - data/inputs/udp/{name} or data/inputs/udp/
... View more
07-05-2017
07:04 AM
So can get search body and other details by executing this rest command
| rest /services/search/jobs/1499263157.5501 splunk_server=local
Below is the link,
http://docs.splunk.com/Documentation/Splunk/6.6.2/RESTREF/RESTsearch
... View more
07-05-2017
06:32 AM
1 Karma
try this
your base search | timechart usenull=fasle useother=false limit=0 count
... View more
07-03-2017
10:41 AM
there should be a space between $TIME_STRING$ and index=main.
$TIME_STRING$ index=main
... View more
07-03-2017
10:25 AM
try this
index=xxxx sourcetype=xxxxxx | timechart span=1h count by DC
... View more
07-03-2017
10:14 AM
There is a typo "query>>" and it should be query> $TIME_STRING$ index = main | head 10
and typo in earliest as well. 7 Days Ago
... View more
07-03-2017
07:35 AM
Please check you have proper file read/write permission on authentication.conf
... View more
06-30-2017
01:03 PM
Did you change the $SPLUNK_DB folder old path to new path under indexes.conf. This will avoid splunk under default location.
Please go through below link for further clarification,
https://answers.splunk.com/answers/149248/how-to-move-index-from-one-hard-drive-to-another-in-splunk-clustered-environment.html
... View more
06-30-2017
11:38 AM
..... earliest=-2d@d latest=-0d@d | timechart span=1d count by users | eval _time = strftime(_time,"%Y-%m-%d") | fields - _span _spandays | transpose
... View more
It is possible two reasons
1) Interesting fields wont show because of fast mode.
2) Field coverage might be less than 1%
... View more
06-30-2017
09:47 AM
1 Karma
Try this
eventtypes.conf
[stuff_index]
search = index=stuff-xxx OR index=stuff-yyy ...
Search query :
eventtype="stuff_index" .....
... View more
06-30-2017
09:10 AM
Hi,
transforms.conf
[testcsv]
default_match = OK
filename = testcsv.csv
max_matches = 1
min_matches = 1
match_type = CIDR(cidr_range)
props.conf
[sourcetypetest]
LOOKUP-test = testcsv cidr_range AS IP OUTPUTNEW field1 field2 etc
I hope this help.
... View more
06-30-2017
09:03 AM
can you post some sample events.
... View more
06-30-2017
07:59 AM
Hi Rayudu,
You can delete old splunkd logs i.e., internal logs by tweaking _internal index configuration under indexes.conf.
... View more
06-30-2017
07:11 AM
... | rex field=_raw "DBNAME=\"(?\S+)\" | chart sum(USED_KB) over SNAP_DATE by DBNAME
... View more
06-30-2017
06:48 AM
1 Karma
[]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
TIME_PREFIX=\d+-\d+-\d+\s\d+:\d+:\d+.\d+\,\sDBNAME=\"\S+\",\sSNAP_DATE=\"
MAX_TIMESTAMP_LOOKAHEAD=21
CHARSET=UTF-8
... View more
06-29-2017
11:07 AM
Hi,
Please try this,
.... | eval co = server."". status | stats values(co) as server_status by group | rex field=server_status "(?P\S+)(?P\S+)" | fields - server_status
... View more
06-29-2017
10:40 AM
Hello,
you can do the following,
$SPLUNK_HOME/etc/apps//local/transforms.conf
[extract_csv]
filename = extract.csv
index_fields_list = field1, field2 ....
... View more
08-10-2015
02:02 PM
at the end is mq-, secs- and err-*
... View more
08-10-2015
02:01 PM
Hi,
you can try this,
[monitor:///var/mtapps/ashl/logs/*/*/*/mq-*]
index = index_name
sourcetype = sourcetype_name1
crcSalt=
blacklist.1=secs-.*
blacklist.2=err-.*
[monitor:///var/mtapps/ashl/logs/*/*/*/secs-*]
index = index_name
sourcetype = sourcetype_name2
crcSalt=
blacklist.1=mq-.*
blacklist.2=err-.*
[monitor:///var/mtapps/ashl/logs/*/*/*/err-*]
index = index_name
sourcetype = sourcetype_name3
crcSalt=
blacklist.1=mq-.*
blacklist.2=secs-.*
Regards,
Badri Srinivas B
... View more
08-10-2015
12:58 PM
Hi,
Below is the sample query,
index=whatever | transaction statrtswith="Apps_Assignment: New apps retrieved" maxspan=1h | stats values(Count) as Apps_Assignment | stats first(Apps_Assignment ) as Initial_Apps_Assignment | eval apps_assignment_time = _time | Table apps_assignment_time , Initial_Apps_Assignment | transaction startswith="Apps_Assignment: apps generated" maxspan=1h | stats values(Count) as Assignment_app | stats last(Assignment_app ) as final_Assignment_app | eval Assignment_app_time = _time | Table Assignment_app_time , final_Assignment_app
Hope this will help you
Regards,
Badri Srinivas B
... View more
07-27-2015
08:19 AM
Hi Shankarananth,
You need to change the regex expression according to you xml source.
Regards,
Badri Srinivas B
... View more
07-15-2015
02:13 PM
Hi Shankarananth,
you can try to extract the field by using props.conf and transforms.conf instead of spath.
Below is example
$SPLUNK_HOME/etc/app/your_app/local/props.conf
[your_sourcetype]
KV_MODE = xml
REPORT-getting_logins_fields = xml_login_fields
$SPLUNK_HOME/etc/app/your_app/local/transforms.conf
[xml_login_fields]
REGEX=([^<]+)>([^<]+)<
FORMAT = $1::$2
MV_ADD = True
I hope this will help you.
Regards,
Badri Srinivas B
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-14-2023
05:59 PM
|
Karma given to
