Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About lpolo
lpolo
Motivator
Member since:
05-10-2011
08-03-2021
Community Statistics
| Posts | 376 |
| Solutions | 17 |
| Karma Given | 73 |
| Karma Received | 137 |
| Member Since | 05-10-2011 |
Activity Feed
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 11-03-2024 04:54 AM
- Got Karma for How to merge two fields into one field?. 10-23-2024 09:31 AM
- Got Karma for Re: How to remove data from a bucket for a specified period of time?. 09-05-2024 08:26 AM
- Got Karma for Part 1: How to extract a json portion of an event then use spath to extract key=value pairs. 07-25-2023 01:43 AM
- Got Karma for How to merge two fields into one field?. 03-14-2023 09:50 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 01-16-2023 05:13 PM
- Got Karma for Re: Filter values after timechart. 06-10-2022 08:59 AM
- Got Karma for How to merge two fields into one field?. 01-10-2022 05:59 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 09-23-2021 06:18 AM
- Posted How to implement this Prometheus Query using Splunk Query Language on Splunk Enterprise. 08-03-2021 11:37 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 08-02-2021 08:59 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 07-26-2021 05:15 AM
- Posted Source log events not forwarded after log rotation on Splunk Enterprise. 07-23-2021 01:25 PM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 02-08-2021 08:28 AM
- Posted Re: top 1000 by appiD on Splunk Enterprise. 07-15-2020 03:24 PM
- Posted top 1000 by appiD on Splunk Enterprise. 07-15-2020 12:41 PM
- Posted Re: Top n plus others on Splunk Enterprise. 07-06-2020 01:04 PM
- Posted Top n plus others on Splunk Enterprise. 07-06-2020 11:54 AM
- Karma Re: Regex that covers both cases for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Regex that covers both cases for javiergn. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-17-2012
04:38 AM
I have been able to solve this problem in two ways.
1) By determining the max execution time of every scheduled search and then configure the schedule search time of each search accordingly. This approach has its limitations.
2) By creating a script that assures that the set of searches are executed in the define sequential order based on the result set data flow.
It will be nice if the user could use the search scheduler to define the execution order of a set scheduled searches base on the result set data flow as presented in the example.
Thanks.
Lp
... View more
03-15-2012
11:22 AM
Then, download a protocol analyzer to analyze the TCP connection data flow.
Example:
http://www.wireshark.org/
... View more
03-15-2012
04:38 AM
Yes. I have a sequential inter-dependency as I presented in the example.
Thanks.
... View more
03-14-2012
07:07 AM
1 Karma
I have 5 queries that have to be run in sequential order.
Is there a way in Splunk to schedule 5 searches like presented in the example?
Example:
Schedule Search 1 -> Runs every 2 hours.
Search 2 -> Runs after schedule search 1 is executed.
Search 3 -> Runs after search 2 is executed.
Search 4 -> Runs after search 3 is executed.
Search 5 -> Runs after search 4 is executed.
Any ideas will be appreciated.
Thanks,
Lp
... View more
- Tags:
- scheduled-search
03-08-2012
11:17 AM
I noticed that this problem occurs with Chrome version: 17.0.963.78 m in windows Platform. We tried the beta version of Chrome under MAC OSX and it works as it should be.
... View more
03-07-2012
08:03 AM
Ron,
I used your example but it seems that Splunk can only handle 6 digits precision using the top search command.
... View more
03-07-2012
07:31 AM
2 Karma
You can do it by defining the roles of each set of users in Splunk. More information:
http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/Aboutusersandroles
Manager » Access controls
... View more
03-05-2012
08:35 AM
It is not the case. You can test it by running any query that aggregates any data set. Example:
|stats count by house.
your result set is:
house count
house_1 10
house_2 7
.......
If you export this result set in csv, the content of the csv file does not show the count column.
... View more
03-05-2012
07:42 AM
5 Karma
In Splunk once the search completed the user has the option to export the result set by selecting the following menu "Actions: Export Results".
In splunk version 4.3 seems to be broken. The user is able to export the result set in CVS format but the content of the csv file is not consistent.
It works without any problem in 4.2.1.
Is there any work around?
or
Is it a known bug?
Thanks
... View more
- Tags:
- bug
02-29-2012
11:36 AM
Hi,
I have a log source that is causing some problems. I think it is caused by events like this ones:
29-02-2012 18:00:58 UTC udb_persona_ingest INFO - ========= JOB COUNTERS ========
29-02-2012 18:00:58 UTC udb_persona_ingest INFO - ========= JOB COUNTERS END ========
how can I configure splunk to not index this particular event that is linked to a sourcetype.
Thanks in advanced.
Lp
... View more
- Tags:
- props.conf
02-28-2012
05:11 AM
If eltime is the result of a transaction command your transaction command should group all the values of eltime in a multi-value list. Then, you should be able to get the maximum. like for example:
|transaction eltime delim="," mvlist=eltime|eval maximum_eltime=max(eltime)|table maximum_eltime
... View more
02-27-2012
05:47 AM
1 Karma
did you tried:
|stats max(eltime) as largest_value_of_eltime.
... View more
02-22-2012
11:00 AM
Splunk support the statistical function "mode(X)". According to the Splunk documentation this function returns the most frequent value of field X.
I was able to experience that Splunk reports the correct mode from a set of numbers that are unique.
Is there an undocumented stats command or query that reports the multimode from a set of numbers that are not unique.
Example:
The mode of the set [1, 3, 3, 3, 3, 3, 7, 7, 12, 12, 17] is 3. The mode of set [3, 3, 6, 7, 7, 89, 89] is 89, 7, and 3 "Multimodal".
Thanks,
Lp
... View more
- Tags:
- stats
02-21-2012
11:28 AM
If you provide a log event sample for each source log I will be able to help you.
... View more
02-21-2012
07:25 AM
Did you try:
|timechart span=1d ....
The span=1day argument buckets your aggregated variable into daily result set.
... View more
02-09-2012
06:08 AM
http://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf
... View more
02-09-2012
04:55 AM
1 Karma
I have a table of ~11 million rows and 53 columns. The table looks like:
entity_id | week_1 | week_2 | ..... | week_52
abcd | 35874 | 587489 |.......| 5478
While we discover new entities with splunk the table can grow up to ~30 million rows.
I was wondering the following:
-. What is the maximum number of lookup output fields that MySQL connector can support?
-. Can I have up to 52 or 365 look up output fields?
-. what is the recommended maximum number of rows a lookup table can have?
-. If new entities and weekly data are discovered can Splunk MySQL connector insert the new entities and weekly data in the lookup table that is stored in MySQL?
-. In case we need to update, delete or insert some weekly data can Splunk MySQL connector perform updates, delete, and insert of this magnitude?
-. Is there any other approach you might recommend?
Thanks,
Lp
... View more
02-08-2012
12:05 PM
Excellent.
Is it configured like in a regular indexer?
If not: Could you provide an example configuration to run a script every 4 hours?
Regards,
Lp
... View more
02-08-2012
11:57 AM
2 Karma
Hello,
Is it possible to scheduled a script input in a universal forwarder?
Thanks in advance.
Luciano
... View more
- Tags:
- scri
- scripted-inputs
02-02-2012
05:35 PM
9 Karma
You can use the search command dedup. Example:
|dedup name_of_your_field
More information:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/dedup
... View more
02-01-2012
05:00 AM
1 Karma
1) Check that in you local inputs.conf the host is equal to the FQDN.
2) Check that the hostname of your RHEL server is set to the FQDN you configured in inputs.conf.
3) Restart splunk if you have made any changes in inputs.conf.
4) Check the sourcetypes reporting foo by executing this search command:
index=main |stats count by host source sourcetype
The result set should show you what logs are reporting foo.
... View more
01-31-2012
07:40 AM
I would recommend to normalize all the splunk instances to clearly identify all host, source logs, and sourcetypes.
In this way, you have the capability to know what type of information each set of users can access. With this information in place, you could define the Splunk object access rights for each set of users by using roles.
Explore Access Control Matrix to document the rights for every set of users.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-03-2021
02:58 PM
|
Karma given to
