Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About madhav_dholakia
madhav_dholakia
Contributor
Member since:
04-27-2020
11-20-2025
Community Statistics
| Posts | 109 |
| Solutions | 4 |
| Karma Given | 45 |
| Karma Received | 7 |
| Member Since | 04-27-2020 |
Activity Feed
- Got Karma for Re: Splunk Cloud Monitoring Console. 04-08-2025 09:58 AM
- Posted Re: Splunk Cloud Monitoring Console on Dashboards & Visualizations. 04-08-2025 12:13 AM
- Karma Re: Splunk Cloud Monitoring Console for isoutamo. 04-08-2025 12:11 AM
- Karma Re: Splunk Cloud Monitoring Console for richgalloway. 04-08-2025 12:11 AM
- Posted Saved Search ( Scheduled Report) in Simple XML Dashboard on Splunk Search. 04-08-2025 12:01 AM
- Posted Splunk Cloud Monitoring Console on Dashboards & Visualizations. 04-01-2025 06:30 AM
- Posted Re: Dashboard Studio - Search Result as Token on Dashboards & Visualizations. 03-18-2025 02:57 AM
- Posted Dashboard Studio - Search Result as Token on Dashboards & Visualizations. 03-12-2025 07:34 AM
- Got Karma for Re: Default Token Values in Dashboard Studio. 02-11-2025 05:31 PM
- Posted Re: Default Token Values in Dashboard Studio on Dashboards & Visualizations. 02-10-2025 11:23 PM
- Posted Default Token Values in Dashboard Studio on Dashboards & Visualizations. 02-06-2025 07:50 PM
- Karma Re: get the chart of count and percentage by, in one column for bowesmana. 01-28-2025 04:27 AM
- Karma Re: How can I subtract two results from stats? for kdoonan. 01-02-2025 06:36 AM
- Karma Re: renaming fields in search for landen99. 01-02-2025 04:35 AM
- Karma Re: Removing all-null columns from stats table for PickleRick. 01-02-2025 04:34 AM
- Karma Re: How to write a search to convert columns to rows? for javiergn. 01-02-2025 04:33 AM
- Posted Dashboard Studio - UK Map Visulisation on Dashboards & Visualizations. 12-26-2024 04:49 AM
- Posted Re: Integrating Power BI to Splunk on Getting Data In. 12-09-2024 06:26 AM
- Posted Re: Integrating Power BI to Splunk on Getting Data In. 06-10-2024 02:07 AM
- Posted Re: Using Tokens in Alert Email on Alerting. 06-09-2024 10:59 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-31-2022
07:28 AM
Hi @richgalloway tried sending an email using this search but no luck. index=main | head 5 | sendemail to="firstname.lastname@email.address" server="localhost" subject="Test Mail" message="This is an example message" sendresults=true inline=true format=raw sendpdf=true Also, when checking below search, it doesn't show any errors: index="_internal" source="/opt/splunk/var/log/splunk/python.log" sendemail INFO sendemail:184 - Sending email INFO sendemail:1516 - Generated PDF for email we have tried checking the emails for two different domains (where we have received emails until yesterday) and no issues with email blocking/black listing. can you please suggest what else could be checked? Thank you.
... View more
07-31-2022
07:23 AM
Hi, we are also facing the same issue since this morning around 11 AM BST. No scheduled alert/report emails are not being sent. also tried the test email but it didn't work as well. thank you.
... View more
07-20-2022
07:01 AM
Hello,
I am writing a search for a dashboard panel and it shows expected result when I use it as a search, but when added in Dashboard, the date time format is changed.
This search gets all the requesters with more than 25 tickets created in the last 13 months.
index="tickets" host="TICKET_DATA" source="D:\\Tickets_Data_Export.csv" "Department Name"="ABC" earliest=-14mon@mon
| sort 0 -_time
| foreach * [ eval newFieldName=replace("<<FIELD>>", "\s+", ""), {newFieldName}='<<FIELD>>' ] | fields - "* *", newFieldName
| eval TicketCategory=if(isnull(TicketCategory),"Non-Chargeable",TicketCategory)
| eval ID=substr(ID, len(ID)-5, 6)
| dedup ID
| eval tempDt=strptime(CreatedDate, "%Y-%m-%d %H:%M:%S")
| eval YYMM=strftime(tempDt,"%Y-%m")
| where tempDt>=relative_time(now(),"-13mon@mon") and tempDt<=relative_time(now(),"@mon")
| chart count as Count over RequesterName by YYMM where Count in top13
| addtotals
| where Total>=25
| sort 0 -Total
Outpout when run on Search Screen vs Output when added as a panel in Dashboard Studio is attached here.
Column YYMM format is different in both cases - date time formatCan you please help how I can get the column names in YYYY-MM (and not full date n time format) in Dashboard Studio panel?
Column YYMM displays YYYY-MM correctly when I select "Parallel Coordinates" visulization, but this is something not fit for my use case.
Thank you.
... View more
Labels
- Labels:
-
Dashboard Studio
-
panel
-
table
06-16-2022
06:19 AM
thanks, @VatsalJagani - these files are <10KBs and updated every 15 days/month. With a time_before_close param set, I don't think file writing will take more time looking at the file size.
... View more
06-16-2022
04:39 AM
1 Karma
since this paramter (time_before_close) is added, we haven't seen this issue for over a month now. thank you @VatsalJagani & @isoutamo for your help on this. I have got another question on similar line here Thank you.
... View more
06-16-2022
04:35 AM
Hi All, We have a universal forwarder running on Windows Server which is sending data to our Splunk Instance in Cloud. Below are some details of .conf files and logs: inputs.conf [default] host = DB_DATA [monitor://D:\ABC\DB_Monitoring\Cust] disabled=0 index=rjsql sourcetype = csv crcSalt = <SOURCE> time_before_close = 60 props.conf [default] NO_BINARY_CHECK=true CHARSET=AUTO [source::D:\ABC\DB_Monitoring\Cust\*.csv] CHECK_METHOD = modtime There are some files which are either 1) no being indexed at all 2) only headers are indexed - this doesn't happen with all the files, only some of them. Logs from _internal (for file which has got only header indexed) Tailing processer file status btool output: Can you please suggest what else I could check here and resolve this intermittent issue? Thank you.
... View more
Labels
- Labels:
-
field extraction
04-19-2022
09:02 PM
Thanks, @VatsalJagani This parameter is more to say Splunk to wait until the other systems finish writing the file, not for the purpose of what you want here. Yes, in my case files aren't large so might not be taking more time to be written, but I think I can give it a try just in case of there is any lock on the file and if a wait of n seconds might help. Thanks for this, I will try this and share an update after monitoring for a couple of days, as the issue is intermittent. Thank you.
... View more
04-19-2022
05:55 AM
thanks, @isoutamo - there are scripts running on 3rd party tool which place different CSV files on the given location (hourly/daily/weekly). as per the example I have shared, if I am checking the data for the last month - I can see memory.csv data for all days except 25th - so it was working before the 25th and also after the 25th. There is another file space.csv, it has got data for all days in March, except 20th. So, it happens intermittently and no changes in scripts have been made in the recent past. is there any option to set that can enable a wait of say, 120 seconds after the file is updated, and before it is indexed so in case of the below scenario, the lock is released (hopefully) by the time the file is being read and indexed? Also as this is a windows file there could be exclusive lock when it is created and later on that has removed when it's ready for read by other processes Thank you.
... View more
04-19-2022
05:38 AM
thanks, @VatsalJagani - yes, the files are getting replaced. What I thought is: below option in props.conf will always index the file (if it has a change in last modified date), irrespective of header change or CRCLength - can you please suggest if this understanding is not correct? CHECK_METHOD = modtime Also, I do not suspect a permission level issue on the file, because at the next run, it is indexed successfully. Also, this issue occurs for different files at different time so not sure if any additional logs can help to understand the root cause. Thank you.
... View more
04-19-2022
02:57 AM
Hi All,
We are using Splunk Cloud and have a Universal Forwarder setup on a windows machine - it reads CSV files from a particular folder and sends to indexer.
inputs.conf:
[monitor://D:\Test\Monitoring\Abc]
disabled=0
index=indexabc
sourcetype = csv
crcSalt = <SOURCE>
props.conf:
[source::D:\Test\Monitoring\Abc\*.csv]
CHECK_METHOD = modtime
various CSV files are being placed under D:\Test\Monitoring\Abc hourly/daily and this setup works without any issues most of the times for all the CSV files.
but there are some instances where data from a single file for a particular hour/day is missing in the index "indexAbc" - this doesn't happen with a particular file but various files.
for example, there is a CSV called memory.csv which updates daily at 23:47 and when I checked data for the previous month (timechart span=1d), it doesn't show data for 25th March - I have checked the 3rd party script which sends data to this windows server and it has done that successfully.
when a CSV file is read and indexed, i see below entry in the splunkd.log but this is not available for the 25th march for which the data is missing:
03-26-2022 23:47:49.495 +0000 INFO WatchedFile [6952 tailreader0] - Will begin reading at offset=0 for file='D:\Test\Monitoring\Abc\memory.csv'.
for period 25th March 23:40 to 23:50, I have checked splunkd error in _internal index and the results are given below:
Can you please suggest what could be causing this intermittent issue and whet troubleshooting steps I can follow?
Thank you.
... View more
02-03-2022
04:48 AM
thank you very much, @PickleRick - before I check your comment, I got this working by referring to @gcusello's comment. but thanks for this, I am sure will use this sometime very soon.
... View more
02-03-2022
04:43 AM
Thank you very much, @isoutamo for this reference - it is very useful.
... View more
02-03-2022
04:42 AM
Hi @gcusello - with some minor changes in the updated query you shared, I got it working and now getting expected data. Thank you so much.
... View more
02-03-2022
04:05 AM
Hi @PickleRick, yes, so the first data set is all the tickets raised in an ITSM tool and the second data set is all the tickets marked as SPAM (subset of data set 1). Both the data sets contain the common field ID but is is not names as ID in the second data set (freshdesk_webhook.ticket_id) so I use "| rename" Dataset 1 Columns: ID, DepartmentName Status Priority Type etc. Dataset 2 Column: ID index="freshservice_tickets" (host="PMC_RAPTOR_DATA" "Department Name"!="ABC" AND "Department Name"!="DEF" AND Status!="Closed" AND Status!="Resolved" AND Priority="Urgent" AND Type="Incident") OR (source="fs_webhooks")
| rename freshdesk_webhook.ticket_id as ID
| stats count values(*) as * by ID and the above doesn't give the required results. Can you please suggest what I am doing wrong? Thank you.
... View more
02-03-2022
02:48 AM
Hi @gcusello, yes, events with source="fs_webhook" arent in the host="RMM_DATA" subset. I have tried this with COALESCE as you suggested, but it gives me IDs even if it is in both the data sets. index="tickets" (host="RMM_DATA") OR (source="fs_webhooks")
| rename freshdesk_webhook.ticket_id AS ticket_id
| where DepartmentName!="XYZ" DepartmentName!="MNO" Status!="Closed" AND Status!="Resolved" Priority="Urgent" Type="Incident"
| eval ID=coalesce(ticket_id, ID)
| fields ID Type DepartmentName "Created Date" Location Priority Subject Queue Status Analyst "Last Updated"
| stats values(*) AS * BY ID Below example is what I want to achieve: Data Set 1: ID: 123456, 234567, 345678 Data Set 2: ID: 123456, 345678 Expected Result: ID: 234567 Thank you.
... View more
02-03-2022
12:49 AM
Hello, I have got 2 data sets resides in same index but with different source/host: index="tickets" host="RMM_DATA"
index="tickets" source="fs_webhooks" first data set contains multiple ticket fields, including ID. the second data set only contains one field ID. I want to display all the events where ID value is available only in the 1st data set but not in the 2nd data set. The below query gives me LEFT JOIN - but I want to get IDs (and related fields) those only exist in the first data set. index="tickets" host="RMM_DATA"
| sort 0 -_time
| dedup ID
| where DepartmentName!="XYZ" AND DepartmentName!="MNO" AND Status!="Closed" AND Status!="Resolved" AND Priority="Urgent" AND Type="Incident"
| table ID Type DepartmentName "Created Date" Location Priority Subject Queue Status Analyst "Last Updated"
| join type=left ID [search index="tickets" source="fs_webhooks"
| rename freshdesk_webhook.ticket_id as ID
| sort 0 -_time
| dedup ID
| table ID]
| table ID Type DepartmentName "Created Date" Location Priority Subject Queue Status Analyst "Last Updated" Can you please suggest how I can achieve this? Thank you.
... View more
01-25-2022
02:30 AM
thanks @isoutamo - I have observed the same, it works after manual update. I have now also disabled a large number of unused inputs as well so should be better during the next maintenance window. Thank you.
... View more
01-19-2022
12:56 AM
Hi, We are using Splunk Cloud and DBConnect App is installed on IDM. I have noticed that some of the DB Inputs stop indexing data after Splunk Cloud Monthly Maintenance Activity. I first observed this on 22nd Dec - DBConnect version was 3.4.2 DBConnect was upgraded to 3.7.0 on 4th Jan and again after the Splunk Cloud Maintenance Activity on 10th Jan, some of the DB Inputs have stopped indexing data. Can someone please suggest if this is an expected behavior for some specific types of DB Inputs (if yes, what?) and/or what logs I could check to analyze this issue further? We are using MySQL and SQL Server DB Inputs. Thank you very much. Regards, Madhav
... View more
01-17-2022
12:14 AM
Thanks, @inventsekar - if I understand correctly, using earliest & latest is another way of setting the time picker (with a precedence over time picker range), isn't it? In this case, it will still look for the data starting from Jan 2021 to Jan 2022 and will be (almost) same performance as using time picker? I want to avoid searching for All Time or a longer period than the actual event period (based on created date) I am interested with. This because the huge data we have in this index. Thank you.
... View more
01-02-2022
11:18 PM
Thanks, @inventsekar - I have used below query with time picker value between Feb, 2021 to Jul 2021, it gives 7 events but there are more than 30 open tickets created between Feb 2021 and Jul 2021. index="tickets" host="host_1"
| foreach * [ eval newFieldName=replace("<<FIELD>>", "\s+", "_"), {newFieldName}='<<FIELD>>' ] | fields - "* *", newFieldName
| eval CreatedDateParsed=strptime(Created_Date, "%Y-%m-%d %H:%M:%S")
| sort 0 -CreatedDateParsed
| addinfo
| where CreatedDateParsed>=info_min_time AND (CreatedDateParsed<=info_max_time OR info_max_time="+Infinity")
| dedup ID
| where Status!="Closed"
| eval min_time=strftime(info_min_time, "%Y-%m-%d %H:%M:%S")
| eval max_time=strftime(info_max_time, "%Y-%m-%d %H:%M:%S")
| eval index_time=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| rename Created_Date as Created, Last_Updated_Date as "Last Updated"
| table _time CreatedDateParsed ID Type Created "Last Updated" min_time info_min_time max_time info_max_time index_time
| sort 0 Created Using the time picker range as Feb 2021 to Till Date - is this the only option I have in this use case? Thank you.
... View more
01-02-2022
11:06 PM
Thanks, @ITWhisperer - I want to avoid searching for All Time or a longer period than the actual event period (based on created date) I am interested with. This because the huge data we have in this index. For example, if I am looking for tickets created between March 2021 and May 2021, I do not want to use time picker from March 2021 until now. Using the time picker range as Feb 2021 to Till Date - is this the only option I have in this use case? Thank you.
... View more
12-31-2021
01:28 AM
1 Karma
Hello, I am monitoring a csv file using universal forwarder and the first column in the csv file is Last_Updated_Date. This file is indexed based on this field (_time = Last_Updated_Date). This file also has a column called Created_Date. While writing a search, I want to use Created_Date as _time to filter the data and the search I have written is given below: index="tickets" host="host_1"
| foreach * [ eval newFieldName=replace("<<FIELD>>", "\s+", "_"), {newFieldName}='<<FIELD>>' ] | fields - "* *", newFieldName
| eval _time=strptime(Created_Date, "%Y-%m-%d %H:%M:%S")
| sort 0 -_time
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| dedup ID
| where Status!="Closed"
| eval min_time=strftime(info_min_time, "%Y-%m-%d %H:%M:%S")
| eval max_time=strftime(info_max_time, "%Y-%m-%d %H:%M:%S")
| eval index_time=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| rename Created_Date as Created, Last_Updated_Date as "Last Updated"
| table ID Type Created "Last Updated" _time min_time info_min_time max_time info_max_time index_time
| sort 0 Created When I run this search for a period, say 1st Feb 2021 - 31st Jul 2021, it gives results as below: When I checked this for a longer period, say All Time - it gives results as below: There are many open tickets (created between Feb and Jul) and not just two, as shown in the first screenshot, but it seems still the timepicker is using Last_Updated_Date to filter the events and not the Created_Date. Can you please suggest how I can fix this? Thank you.
... View more
06-24-2021
11:45 PM
Hi @achusa. I am facing the same issue - have you got a resolution for this? Is there any alternate (like making any changes in conf files) other than writing scripts/transforms to extract the required data? Thank you.
... View more
06-24-2021
11:39 PM
Hi, This was resolved with the help of Splunk Cloud Support by opening jdbc connection port and allowlisted the Application IP. Thank you.
... View more
05-26-2021
11:57 PM
Hi @s2_splunk , Please see below the driver details: Driver installed : 5.1 Application using JDK7 and java MySQL connector version - 5.1.18 We are using Splunk Cloud and the database is located on a different AWS server. Sorry, but can you please suggest how this can be checked: "Are you sure that bidirectional communication between your DBX instance (Cloud SH?) and your database server is possible (firewalls/proxies/etc.)." Thank you.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-20-2025
03:44 AM
|
