@inventsekar I have updated the limits.conf under system/local and it does not impact anything. Issue is still  persist. [default] max_mem_usage_mb = 500 [searchresults] maxresultrows = 86400 ... View more

@isoutamo Thankd for sharing me all the valuable accepted solution link. I will go through each of the link. ... View more

@jawahir007 Thanks for providing this SPL. So My retention is currently at 437 days and I have to reduce the retention by 30 days, which means I have to set the retention at 407 days. I also need to adjust this in above query earliest=-437d latest=-407d. Is that right ? ... View more

@jawahir007 its very tedious to specify the status of 11 month old bucket start and end time.  suppose data age of event is 427 days and I want to delete 30 days of data then it data age now would be 397.Now how can I identify the epoch of start and end time of bucket ? ... View more

@isoutamo  Yes From MC i can take refrence of number of bucket counts atleast. ... View more

@richgalloway @jawahir007  Thank you both for the nice explanation.  As part of my migration activity, I want to clean up or remove all the unnecessary sourcetypes from Splunk so that we may use less disk space and move data more quickly from the old server to the new one. But as per your suggestion, delete command will never reduce disk space and in migration the entire data will have to be copied. Am I understanding it correctly ? Some more addition on my first ask. 1. All the sourcetypes coming from one source. 2. All the sourcetypes belongs to only one index. 3. We are using transforms and props to build the sourcetypes. When a particular type of pattern events comes; then transforms create the sourcetype( as mentioned regex inside ) 4. All the parsing and filtering will take care by python script. 5. Both unnecessary and necessary sourcetypes are included in that one index.   Thanks    ... View more

  l   ... View more

@mistydennis  ### Steps to Use Single Value Visualization in your dashboard. 1. **Run the Query**: Use the query you provided to generate the `OnTarget` value. 2. **Select Visualization**: - After running the query, go to the **Visualization** tab in the search results. - From the available visualizations, choose **Single Value**. 3. **Configure Conditional Coloring**: - Click on **Format** in the Visualization tab. - Under **Color**, enable **Color by value**. - Add your conditions: - **If value is "Yes"**: Set the color to green. - **If value is "No"**: Set the color to red. 4. **Save and Use**: - Apply the settings, and you will see the value displayed either in green or red based on the result ("Yes" or "No"). - You can then save this as part of your dashboard if needed. upvote is appreciated. ... View more

@PickleRick  I know that my way of asking queries is wrong in bits and pieces and a master like you did not like it. I value the Splunk Answers platform and I am also familiar with the contributions you have been making to users on the Splunk Answers platform over the years. You could have simply told me you don't want to respond on my half of the details post. I have been posting at least 100 + queries on Splunk answers throughout my Splunk career and I have not received a reply like today. You are such a valuable member of the Splunk trust, your reply has shattered my confidence. By writing like this type of unpleasant reply you diverted the attention of other users and experts who want to reply me and as a result essence of the query post is lost. I have seen your behaviour from my last two posts.  I exit this thread chat while maintaining the decorum of the Splunk Answers platform. Thanks for all the help. ... View more

@PickleRick Thanks for your help so far. I have received this unpleasant response 2 times from you .Let me tell you that I do not post queries to waste anyone's time. If you don't want the response on my queries then please don't respond. But this kind of reply from you makes me feel more embarrassed that I am really wasting people's time in Splunk Answers platform. You are not working for me and I am not working for you. According to me, this is a platform where I can ask my query, whoever wants to respond to it should do so. ... View more

@ITWhisperer  I have removed so many duplicates events. Because of it delta_time difference is decreased to 1.9 hours as compared to yesterday. Is the duplicate events also be the potential cause ?   ... View more

Here I am taking the TIME_FORMAT in props.conf from the eventtime field present in raw data (Toronto’s time zone is EST (UTC -5:00). Is there any changes here I need to change. ... View more

@ITWhisperer  I ran query for on the source data which fills the summary index and below is the results.   ... View more

@PickleRick @ITWhisperer  I can see there is a huge delayed in hours in the source data which fills the summary index is around 8.67 hours. Green arrows: To showcase the index and event time Below is the attributes I am using in props. DATETIME_CONFIG = KV_MODE = xml NO_BINARY_CHECK = true CHARSET = UTF-8 LINE_BREAKER = <\/eqtext:EquipmentEvent>() crcSalt = <SOURCE> NO_BINARY_CHECK = true SHOULD_LINEMERGE = false MAX_TIMESTAMP_LOOKAHEAD = 754 TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3QZ TIME_PREFIX = \<\/State\>\<eqtext\:EventTime\> SEDCMD-first = s/^.*<eqtext:EquipmentEvent/<eqtext:EquipmentEvent/g category = Custom pulldown_type = true TZ = UTC ===================================== Sample logs I am attaching below.  <eqtext:EquipmentEvent xmlns:eqtext="http://Asas.com/FM/EqtEvent/EqtEventExtTypes/V1/1/5" xmlns:sbt="http://Asas.com/FM/Common/Services/ServicesBaseTypes/V1/8/4" xmlns:eqtexo="http://Asas.com/FM/EqtEvent/EqtEventExtOut/V1/1/5"><eqtext:ID><eqtext:Location><eqtext:PhysicalLocation><AreaID>7073</AreaID><ZoneID>33</ZoneID><EquipmentID>81</EquipmentID><ElementID>0</ElementID></eqtext:PhysicalLocation></eqtext:Location><eqtext:Description> Applicator tamper is jammed</eqtext:Description><eqtext:MIS_Address>0.1</eqtext:MIS_Address></eqtext:ID><eqtext:Detail><State>WENT_OUT</State><eqtext:EventTime>2024-08-16T12:14:24.843Z</eqtext:EventTime><eqtext:MsgNr>6232609270406364028</eqtext:MsgNr><Severity>LOW</Severity><eqtext:OperatorID>WALVAU-SCADA-1</eqtext:OperatorID><ErrorType>TECHNICAL</ErrorType></eqtext:Detail></eqtext:EquipmentEvent> <eqtext:EquipmentEvent xmlns:eqtext="http://Asas.com/FM/EqtEvent/EqtEventExtTypes/V1/1/5" xmlns:sbt="http://Asas.com/FM/Common/Services/ServicesBaseTypes/V1/8/4" xmlns:eqtexo="http://Asas.com/FM/EqtEvent/EqtEventExtOut/V1/1/5"><eqtext:ID><eqtext:Location><eqtext:PhysicalLocation><AreaID>7073</AreaID><ZoneID>33</ZoneID><EquipmentID>81</EquipmentID><ElementID>0</ElementID></eqtext:PhysicalLocation></eqtext:Location><eqtext:Description> Applicator tamper is jammed</eqtext:Description><eqtext:MIS_Address>0.1</eqtext:MIS_Address></eqtext:ID><eqtext:Detail><State>ACK_BY_SYSTEM</State><eqtext:EventTime>2024-08-16T12:14:24.843Z</eqtext:EventTime><eqtext:MsgNr>6232609270406364028</eqtext:MsgNr><Severity>LOW</Severity><eqtext:OperatorID>WALVAU-SCADA-1</eqtext:OperatorID><ErrorType>TECHNICAL</ErrorType></eqtext:Detail></eqtext:EquipmentEvent>   Please help me what I can do fix it. ... View more

@PickleRick As per the below screenshot I can see huge delays in the indexing. So is this the cause that data is not visible on time.  What actions I need to perform for summary index?   ... View more

@yuanliu  This also working fine. Thanks for your suggestion. ... View more

@bowesmana Actually there is a lookup From which I want to extract such kind of pattern.  yesterday I performed so many hit and trial and finally the below one is working as expected. | input lookup dsa.csv | eval parts = split(Description, ".") | eval part1 = mvindex(parts, 0) | eval part2 = mvindex(parts, 1) | eval part3 = mvindex(parts, 2) | eval modified_part2= if(len(part2) == 1, "0" . part2, part2) | eval modified_part3 = if(len(part3) == 1, "0" . part3, part3) | eval modified_description = part1 . "." . modified_part2 . "." . modified_part3 | table Description, modified_description ... View more