Hi team, I have catalina logs ocming to splunk from Central timezone But my splunk server is installed and configured in Eastern time Zone Time Event 1/24/17 4:12:55.911 AM 2017-01-24T 03:12:55.911-0600: 3331438.505: Total time for which application threads were stopped: 0.0008767 seconds, Stopping threads took: 0.000219 This is how splunk is generating the events with one hour ahead the time specified in logs my sample props.conf file [cfs_galaxy_dpsdao_catalina_st] TIME_FORMAT = %H:%M:%S,%3N MAX_TIMESTAMP_LOOKAHEAD = 12 NO_BINARY_CHECK = 1 pulldown_type = 1 SHOULD_LINEMERGE=true BREAK_ONLY_BEFORE =^\d+:\d{2}:\d{2}\,\d{3} TZ = CST6CDT ... View more

Hi , I have one graph which shows the response times for every second source="C:\Ping\" index="ping" sourcetype="pingstats" | rex field=source "(?.?)$" |lookup pinglookup.csv country OUTPUT router DestinationIP |search router=waterloo|chart values(RTT) as RTT by _time,router|fillnull value=0 I have another graph which shows the trend of the average of the response times for one hour source="C:\Ping\" index="ping" sourcetype="pingstats" | rex field=source "(?.?)$" |lookup pinglookup.csv country OUTPUT router DestinationIP |search router=waterloo | bucket _time span=1h | stats avg(RTT) AS avg_value by _time | trendline sma5(avg_value) as trend How can i combine both and get a graph i have used appendcols but the graph looks odd attaching the screen shot ... View more

Hi , I have search that is working fine and displaying the results that i need but i need events that are occuring before 1 min matching to my query and after 1min events matching to my query .I have tried transaction maxevent=10 ,maxpause=60s also but no luck please help me index=BAC_TEST source="XXXX" OR source="XXXX" |transaction _time,SNMP_Message,dwCommandHandle |where isnotnull(SNMP_Message) |table _time,SNMP_Message,dwCommandHandle,Category The scenario is like this I have two logs XFS TRACE LOG and SNMP LOG which are logged by application simultaneously just in few seconds delay XFSTRACE LOG HAS Field called _time,dwCOMMANDHANDLE,Category SNMP LOG has Fields called _time,SNMP_MESSAGE I need to combine these two searches and correlate with each other and get the fields _time,dwCommandHandle,Category,SNMP_message Based on my SNMP_message I have to look what dwCommand HANDLE has executed (but they don’t have same timings) so whenever I have a snmp_message in my log I have to check what dw_Command handle has executed 1m before the SNMP_message timestamp and 1m after the SNMP_message time stamp Till now what I have tried is this index=BAC_TEST source="C:\BAC\SNMP.LOG" OR source="C:\BAC\XFSTrace.log" |transaction _time,SNMP_Message,dwCommandHandle maxevents=10|where isnotnull(SNMP_Message) |table _time,SNMP_Message,dwCommandHandle,Category Attaching a screen shot of the table that I got but I am not able to achieve the 1m after the matching SNMP message and 1 min after this can u pls help me Regards, Deepthi Bulusu ... View more

Hi , I have two searches withing same index but different sources and sourcetypes index=XXX source=XXX |XMLKV |search Category="CDMSP" RI="0" | table _time,Category,F,RI which gives me time category function and request ID from my app log and another search index=XXX source="XXXX" sourcetype=XXXX |table _time,SNMP_Message Which gives me time and SNMP messages Now i want to correlate both these searches based on time and display a table so that i can know at a particular time what function,RI ,SNMP Message category are executed so a complete table based on time ... View more

I have a time stamp logged into my my SNMP log like the below [6844 0502 083830508 SNMP] BAXSnmpSTTWorker::HandleSystemOperatorEvent(), Entering supervisor (\SNMP\STT) // BAXS04202.CPP(164) [6844 0502 083830508 SNMP]-->In this 0502 is my Month and date followed by 08:HH 38:MM 30:SS 508 :ms how do i tell splunk to understand this as timestamp while indexing my log into SPLUNK Thanks Deepthi ... View more

Hello Team, I am upgrading my Splunk environment from Splunk 6.2 to 6.4. Before doing this on our production environment, we want to test it on a clone environment, so we will be cloning the search head machine. Does this affect the licensing in any way? Currently we have a 2 GB daily limit. Will this be doubled and calculated for two machines? Thanks and Regards, Deepthi Bulusu. ... View more

I have define only <1 <2 ❤️ i don't know from where the first row is picked up can some one help in resolving this. index=* sourcetype=AMS_samplelog | search server ="1" | rangemap field=Msg_Exec_Time "<1"=0-1 "<2"=1-2 "<3"=2-3 ">3"=3-100 | stats count as "Server-1" by range | appendcols [ search index=* sourcetype=AMS_samplelog | search server ="2" | rangemap field=Msg_Exec_Time "<1"=0-1 "<2"=1-2 "<3"=2-3 ">3"=3-100 | stats count as "Server-2" by range] | appendcols [ search index=* sourcetype=AMS_samplelog | search server ="3" | rangemap field=Msg_Exec_Time "<1"=0-1 "<2"=1-2 "<3"=2-3 ">3"=3-100 | stats count as "Server-3" by range] | appendcols [ search index=* sourcetype=AMS_samplelog | search server ="4" | rangemap field=Msg_Exec_Time "<1"=0-1 "<2"=1-2 "<3"=2-3 ">3"=3-100 | stats count as "Server-4" by range] | appendcols [ search index=* sourcetype=AMS_samplelog | search server ="5" | rangemap field=Msg_Exec_Time "<1"=0-1 "<2"=1-2 "<3"=2-3 ">3"=3-100 | stats count as "Server-5" by range] | appendcols [ search index=* sourcetype=AMS_samplelog | search server ="6" | rangemap field=Msg_Exec_Time "<1"=0-1 "<2"=1-2 "<3"=2-3 ">3"=3-100 | stats count as "Server-6" by range] | appendcols [ search index=* sourcetype=AMS_samplelog | search server ="7" | rangemap field=Msg_Exec_Time "<1"=0-1 "<2"=1-2 "<3"=2-3 ">3"=3-100 | stats count as "Server-7" by range] | appendcols [ search index=* sourcetype=AMS_samplelog | search server ="8" | rangemap field=Msg_Exec_Time "<1"=0-1 "<2"=1-2 "<3"=2-3 ">3"=3-100 | stats count as "Server-8" by range] | appendcols [ search index=* sourcetype=AMS_samplelog | rangemap field=Msg_Exec_Time "<1"=0-1 "<2"=1-2 "<3"=2-3 ">3"=3-100 | stats count as "Total" by range] | table range, Server-1, Server-2, Server-3, Server-4, Server-5, Server-6, Server-7, Server-8, Total This is the result: range Server-1 Server-2 Server-3 Server-4 Server-5 Server-6 Server-7 Server-8 Total 16493 20285 19466 19370 18649 32698 23075 26399 176899 <1 4451 5619 5377 5413 5083 8684 6548 7302 48477 <2 80 275 180 149 164 683 351 390 2272 <3 24 26 34 38 24 64 44 40 294 >3 26 40 28 40 34 54 48 50 320 ... View more

Hi team, I have 10 different hosts that are sending data to the SPLUNK every day they send some csv files daily C:\SPLUNKCEBU\xxxx.csv, etc Now i want to find out for a particular day if the data from all the files from all hosts are indexed or not (if not indexed then i can check my host if the files are present are not) Thanks deepthi ... View more

Hi team, I Have a dashboard which will show usage of 60 to 70 different sites at a time, but when I export this to PDF, it is not showing properly due to the large amount of data. How can we overcome this issue? Thanks and Regards, Deepthi Bulusu ... View more

Hi Experts, I need your help in the following scenario 1.I have 200 routers configured to feed splunk daily for generating network usage dashboards Scenario: 1.Downloading all 200 excels as splunk do not accept excel format converting it to csv and feeding splunk with the daily data 2.Generated a look up table SNO country start_hour end_hour receivebandwidth transmitbandwidth router sitename tier threshold start_wday end_wday 1 C:\xxx\rdatsalzbu010-3-1.xxx.com.csv 8 17 40 40 atsalzbu010-3-1 salzbu tier1 70% 1 7 2 C:\xxx\rdatsalzbu010-3-2.xxx.com.csv 8 17 40 40 atsalzbu010-3-2 salzbu tier1 70% 1 7 3 C:\xxx\rdgbmother010-1-1.xxx.com.csv 0 24 10 10 gbmother010-1-1 mother tier1 70% 1 7 4 C:\xxx\rdgbmother010-1-2.xxx.com.csv 0 24 10 10 gbmother010-1-2 mother tier1 70% 1 7 8 C:\xxx\rdilraanan010-4-2.xxx.com.csv 8 19 80 80 ilraanan010-4-2 raanan tier1 70% 7 4 9 C:\xxx\rdinchenna010-1-1.xxx.com.csv 9 19 10 10 inchenna010-1-1 chennai tier1 70% 1 5 10 C:\xxx\rdinchenna010-1-2.xxx.com.csv 9 19 10 10 inchenna010-1-2 chennai tier1 70% 1 5 11 C:\xxx\rdinmumbai010-7-1.xxx.com.csv 0 24 50 50 inmumbai010-7-1 mumbai tier1 70% 1 7 12 C:\xxx\rdinmumbai010-7-1.xxx.com.csv 0 24 45 45 inmumbai010-7-1 mumbai tier1 70% 1 7 13 C:\xxx\rdinmumbai010-7-2.xxx.com.csv 0 24 40 40 inmumbai010-7-2 mumbai tier1 70% 1 7 14 C:\xxx\rdinmumbai010-7-2.xxx.com.csv 0 24 50 50 inmumbai010-7-2 mumbai tier1 70% 1 7 and the dashboard query source="C:\xxx\rus-dayha-5.xxx.com.csv" OR source="C:\xxx\rus-dayha-5.xxx.com.csv" OR source="C:\xxx\rus-daywtc-2.xxx.com.csv" OR source="C:\xxx\rus-daywtc-5.xxx.com.csv" OR source="C:\xxx\rus-daywtc-5.xxx.com.csv" OR source="C:\xxx\rus-daywtc-5.xxx.com.csv" OR source="C:\xxx\rusxwalmartedc.csv" OR source="C:\xxx\rusxwalmartNDC.csv" OR source="C:\xxx\rdarbaires010-14-1.xxx.com.csv" OR source="C:\xxx\rdsariyadh010-1-1.xxx.com.csv" OR source="C:\xxx\rdthbangko010-5-1.xxx.com.csv" OR source="C:\xxx\rdtristanb020-1-1.xxx.com.csv" OR source="C:\xxx\rdtwkaohsi010-18-1.xxx.com.csv" OR source="C:\xxx\rdtwtaipei010-15-1.xxx.com.csv" OR source="C:\xxx\rdusaviejo010-1-1.xxx.com.csv" OR source="C:\xxx\rdusconcor010-2-1.xxx.com.csv" OR source="C:\xxx\rdusfbranc010-1-1.xxx.com.csv" OR source="C:\xxx\rdusflaude010-3-1.xxx.com.csv" OR source="C:\xxx\rdusomaha010-2-1.xxx.com.csv" OR source="C:\xxx\rdusreno010-1-1.xxx.com.csv" OR source="C:\xxx\rdustucson010-1-1.xxx.com.csv" OR source="C:\xxx\rduswarren010-1-1.corp.xxx.com.csv" OR source="C:\xxx\rdcnshangh030-5-1.csv" OR source="C:\xxx\rdcnxian010-1-1.xxx.com.csv" OR source="C:\xxx\rddehannov010-5-1.xxx.com.csv" OR source="C:\xxx\rdusnyork020-4-1.xxx.com.csv" OR source="C:\xxx\rdinchenna020-1-1.xxx.com.csv" OR source="C:\xxx\rdinndelhi010-18-1.xxx.com.csv" OR source="C:\xxx\rdinsecund010-5-2.xxx.com.csv" OR source="C:\xxx\rdmyklumpu010-19-1.xxx.com.csv" OR source="C:\xxx\rdmyklumpu010-19-1.xxx.com.csv" host="SEZ00VVM-153" index="xxx" sourcetype="csv" |dedup _raw| rex field=source "(?<country>.*?)$"|lookup siteinfo.csv country OUTPUT start_hour end_hour receivebandwidth sitename tier router start_wday end_wday|eval date_wday=strftime(_time,"%u")|search tier=tier1|where date_hour>=start_hour AND date_hour<= end_hour AND date_wday>=start_wday AND date_wday<=end_wday|eval Intraffic=In/1048576|eval Outtraffic=Out/1048576|eval result=(Intraffic)+(Outtraffic)|bin _time span=1d| stats values(receivebandwidth) as maxin ,perc95(result) AS Percentile by router _time |eval total=Percentile/maxin*100|timechart limit=100 span=1d avg(total) As siteTotalPct by router so based on the source path name i am getting all the sitename tiers etc but my query has become so big adding all the 200 source paths can some one help me how to get rid of this ... View more

Hi Team I am facing issues with the following scenario 1.I have 200 csv files daily indexing into SPLUNK. 2.These 200 csv files are the network utilization reports coming from different routers configured for example waterloo.csv (waterloo network utilization report)(EST timezone) 2.Sydney.csv(sydney network Utilization)(Australian timezone) 3.CEBU.csv(cebu netowrk Utilization)(sydney timezone) 4.Hyderabad.csv(Hyderabad network Utilization)(IST) etc i have created few dashboards using this files but the time stamps that are shown are in EST only how to change the timezone for each different source file that is getting indexed Thanks and Regards, Deepthi Bulusu. ... View more

Hi Team I have a folder that consists of logs added every day i have given this folder as input to splunk to continuously monitor the folder and do few actions as per the search query but splunk is not picking up the newly indexed data but when i append the new data to existing files splunk starts picking up can anyone help me with this Thanks and Regards, Deepthi bulusu ... View more

Hi , I have 10 machines installed with the Splunk forwarder and I need a search to alert and send an email whenever my machines restart consecutively within a 1 hour span of time. Thanks and Regards, Deepthi Bulusu ... View more

Hi, I have 10 machines running a splunk forwarder now and I want to know the status of services on these machines. For example, I have an Antivirus service running on ten machines. Whenever this service is stopped, I should get an alert, and when the service is started again, then I should get another alert. Another example for the same 10 machines, if anyone connects an external USB device, I should get an alert and the details of this USB device connected, and another alert when it is disconnected. Thanks and Regaards, Deepthi ... View more