About uagraw01

uagraw01 · ‎11-20-2024

@bowesmana Thanks for the solution and investing your valuable time. But still micro seconds are not matching.

uagraw01 · ‎11-19-2024

Hi @bowesmana raw text is look like as below. {"traceid":"00000000000000000033000000000000","spanid":"0000000000000000","datacontenttype":"application/json","data":{"retentionMinutes":43200,"batchSize":1000,"windowDurationSeconds":600},"messages":[],"specversion":"1.0","classofpayload":"com.vl.decanter.decanter.generici.domain.command.PurgeCommand","id":"ccbae519-foa4-4c0c-ad75-261720d764e5","source":"decanter-scheduler","time":"2024-11-19T09:30:00.058376Z","type":"PurgeEventOutbox"}

uagraw01 · ‎11-18-2024

@ITWhisperer Thanks for information. Yes, My actual data is in the json format. Could you please suggest what I need to do with props so the events can parse properly with timestamp filed of the events.

uagraw01 · ‎11-18-2024

@ITWhisperer That timezone difference I can exclude by using TZ setting attribute in props. But I am having another issue with nano seconds. Other issue is the nano second issue.

uagraw01 · ‎11-18-2024

@PickleRick I already tried and added attribute under props but this also not working. "TIMESTAMP_FIELDS = time" and added KV_MODE=json

uagraw01 · ‎11-18-2024

@ITWhisperer On EST time the server is . @bowesmana I have tried below settings but nothings works for me. Is there any workaround I need to apply. CHARSET = UTF-8 #AUTO_KV_JSON = false DATETIME_CONFIG = #INDEXED_EXTRACTIONS = json KV_MODE = json LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true MAX_TIMESTAMP_LOOKAHEAD = 550 TIME_PREFIX = time:\s+ TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z category = Custom pulldown_type = true Example Pattern of event : { [-] classofpayload: com.v.decanter.deca.generic.domain.command.PurgeCommand data: { [-] batchSize: 1000 retentionMinutes: 43200 windowDurationSeconds: 600 } datacontenttype: application/json id: 32e31ec6-2362-4b46-966e-ec4bdbb3llbe messages: [ [-] ] source: decanter-scheduler spanid: 0000000000000000 specversion: 1.0 time: 2024-11-18T04:15:00.057785Z traceid: 00000000000000000000000000000000 type: PurgeEventOutbox }

uagraw01 · ‎11-17-2024

@richgalloway 1. Props is installed on search app 2. The setting is on Indexer itself and I am using below endpoint. 3. Endpoint is : services/collector/raw 4. I will try and add %Z in my current props. Thanks

uagraw01 · ‎11-17-2024

Hello Splunkers!! I want my _time to be extracted and match with time filed in the events. This is token based data. We are using http token to fetch the data from the kafka to Splunk and all the default setting are under search app including ( inputs.conf and props.conf). I have tried props in the second screenshot under search app but nothing works. Please help me what to do to get the required _time match with time field? I have applied below settings but nothing work for me. CHARSET = UTF-8 AUTO_KV_JSON = false DATETIME_CONFIG = INDEXED_EXTRACTIONS = json KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6NZ TIME_PREFIX = \"time\"\:\" category = Custom pulldown_type = true TIMESTAMP_FIELDS = time

uagraw01 · ‎11-13-2024

Is it possible to hide these two options also from the setting in Splunk ?

uagraw01 · ‎11-12-2024

@sainag_splunk I selected below options, this made the settings hidden but the search option became unavailable to the user? I want below two options also make available to user.

uagraw01 · ‎11-12-2024

Hello Splunker!! Hope all is good. I have created a new role in a splunk. I have added some users to that role. I need to restrict that role user to not be able to see the "All Configuration" option in the settings. Please help me, what settings should I change to get my results? What I have did so far, but nothing works for me. [role_Splunk_engineer] list_all_configurations = disabled edit_configurations = disabled Thanks in Advance.

uagraw01 · ‎11-11-2024

Hello Splunkers!! Splunk is receiving the data from my Qracle database table from DBconnect. All of the events are being created correctly when the query is run in the SQL editor. Some events are missing when they arrive in Splunk. What can be done if certain occurrences are missed? Please assist me in determining possible causes. Note : My current "Max Rows to Retrieve" is on 10000.

uagraw01 · ‎11-09-2024

@PickleRick Thanks for your wonderful suggestion in the shared doc link. However, timestamp specification setting is only available in "Batch type" not available in "Rising Column Type". Is there any other suggestion or idea to apply this with rising column type also to avoid duplication ingestion of events?

uagraw01 · ‎11-08-2024

@PickleRick I am putting props setting under /app/local Note : Data is ingesting to Splunk from DB connect app. So I have applied all the props settings under /db_connect_ap/local

uagraw01 · ‎11-08-2024

@yuanliu You have not used both below attributes. Can I also skip these two? Not using it will not have any impact on the consistency of data parsing, right? TIME_FORMAT MAX_TIME_LOOKAHEAHD Thanks in advance and acknowledging your valuable time.

uagraw01 · ‎11-08-2024

@yuanliu Hi, I have made the suggested changes but still _time is not matching with the raw event field (EVENTTS) timestamp. Please suggest me to do the needful.

uagraw01 · ‎11-07-2024

@yuanliu You mean like as below ? TIME_PREFIX= EVENTTS=\"

uagraw01 · ‎11-07-2024

@yuanliu EVENTTS="2024-11-07 18:29:43.175" I want to match _time with above timestamps.

uagraw01 · ‎11-07-2024

Hello Splunkers!! I want to extract the _time and match it to the events fields' timestamp while ingesting to Splunk. However, even after applying the props.conf attributes setting, the results still do not match after ingestion. Please advise me on the proper settings and assist me in fixing this one. Raw events: 2024-11-07 18:45:00.035, ID="51706", IDEVENT="313032807", EVENTTS="2024-11-07 18:29:43.175", INSERTTS="2024-11-07 18:42:05.819", SOURCE="Shuttle.DiagnosticErrorInfoLogList.28722.csv", LOCATIONOFFSET="0", LOGTIME="2024-11-07 18:29:43.175", BLOCK="2", SECTION="A9.18", SIDE="-", LOCATIONREF="10918", ALARMID="20201", RECOVERABLE="False", SHUTTLEID="Shuttle_069", ALARM="20201", LOCATIONDIR="Front" Existing props setting: CHARSET = UTF-8 DATETIME_CONFIG = LINE_BREAKER = [0-9]\-[0-9]+\-[0-9]+\s[0-9]+:[0-9]+:[0-9]+.\d+ NO_BINARY_CHECK = true category = Custom TIME_PREFIX = EVENTTS=" TIME_FORMAT = %Y-%m-%d %H:%M:%S.%N MAX_TIMESTAMP_LOOKAHEAD = 30 TZ = UTC In the below screeshot still we can see _time is not properly extracted with the matching timestamp of the field name "EVENTTS".

uagraw01 · ‎10-23-2024

Hello Splunkers!! In a scheduled search within Splunk, we have set up email notifications with designated recipients. However, there is an intermittent issue where sometime recipients do not consistently receive the scheduled search email. To address this, we need to determine if there is a way within Splunk to verify whether the recipients successfully received the email notifications. Please help me identify how address and how to check this things in Splunk. index=_internal source=*splunkd.log sendemail I have tried above search but above search is not providing the information about receipents email address.

uagraw01 · ‎10-15-2024

@ITWhisperer Yes, I replace join with lookup command. Do you want me to try something more to optimize further?

uagraw01 · ‎10-15-2024

@ITWhisperer After apply your suggested command I also replaced lookup command and now search is taking 10.5 seconds to complete the results. Thanks for your help.

uagraw01 · ‎10-15-2024

@ITWhisperer Although this method is correct, it takes one second longer than the dedup command. Thanks in advance.

uagraw01 · ‎10-15-2024

@ITWhisperer Thanks for your response. With dedup command it is giving expected 2 results. 1 for storage and 2 for retrieval. Without dedup command it is giving me 5 results. Note : There are no such impact seen after removing the join inputlookup with "lookup command".

uagraw01 · ‎10-14-2024

@ITWhisperer After executing suggested command I am getting below results. The count should 2 only. 1 for the storage and 1 for the retrieval.

Posts	551
Solutions	2
Karma Given	160
Karma Received	6
Member Since	‎06-03-2020

Online Status	Offline
Date Last Visited	Tuesday

Enabling of Splunk PDF scheduler

Late indexed

Issue with file csv monitoring

kvstore issue

Issue in Splunk with the time brackets

Splunk error

Unable to load images in splunk dashboard

KV store termination issue frequently

Splunk Users not visible

Splunk DB connect issue

Re: Time field is not matching with _time

Re: Time field is not matching with _time

Re: Time field is not matching with _time

Re: Time field is not matching with _time

Re: Time field is not matching with _time

Re: Time field is not matching with _time

Re: Time field is not matching with _time

Time field is not matching with _time

Re: Splunk user role restriction

Re: Splunk user role restriction

Splunk user role restriction

Splunk DB connect to Splunk

Re: Timestamp fixing

Re: Timestamp fixing

Re: Timestamp fixing

Re: Timestamp fixing

Re: Timestamp fixing

Re: Timestamp fixing

Timestamp fixing

Email receipents from saved searches

Re: Splunk query optimization

Re: Splunk query optimization

Re: Splunk query optimization

Re: Splunk query optimization

Re: Splunk query optimization

Are you a member of the Splunk Community?