Hi @jaibalaraman  You have a field "Uptime" and then using the eval you are calculating the same field.  Could you pls suggest us with more details, thanks.  | mstats max(System.System_Up_Time) AS "Uptime" WHERE index="permon_metrics" host=system1* BY host span=1m | dedup host | rex field=host "\w{6}(?<function_abbr>\w{4})" | search function_abbr=ADDS | sort Uptime asc | eval UptimeNew = round((now() - _time) / (60 * 60), 1) | table Uptime UptimeNew function_abbr host   ... View more

Hi @uagraw01 Looks like this issue is about memory. Could you pls check memory usage on this Splunk instance, thanks.  ... View more

Hi @Real_captain May i know if the issue is resolved or not yet, thanks.  ... View more

Hi @ilhwan  > but I don't see a magnifying glass on any of the panels Pls mouse over on the panel to the lower right corner of the panel. then you can see the magnifying glass.    For example, on DMC, Indexing--->Indexes and Volumes ---> Indexes and Volumes: Instance got this panel.  when i mouse over, then only the magnifying glass appears.    ... View more

Hi @Real_captain , troubleshooting a rex command is often a difficult task.  Particularly when we dont know what is the issue itself.  to understand the error msg (search command required before "^"...), if you could copy paste a sample log line, that would be great (remove sensitive details like hostnames, ip address, etc).  maybe try this step by step troubleshooting..  first this rex command: | rex "(?P<POH>[^"]+)" | table POH then second this rex command: | rex "\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)" | table POH at last, this rex command: | rex "^(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH>[^"]+)" | table POH   ... View more

Hi @Real_captain, could you pls avoid creating duplicate posts on your yesterday's post, could you pls provide us some more suggestions, details.. then troubleshooting your issue will become easier. thanks.  ... View more

Hi @emmanuelkatto23  >>> Are there particular search query optimizations I should consider to speed up the execution time, especially with complex queries? On the DMC Distributed Management Console, you can find many dashboard(s)/Panels... using these  you can find which Searches took long time to run, which searches took more resources, etc. There are many other considerations like avoiding the join's etc.  1) Pls suggest us which Splunk Apps you use, 2) which Splunk things(user searches, reports or alerts or dashboards) are taking high Splunk performance..  then you can start fine-tuning one by one, thanks.  ... View more

Hi @Real_captain  This straight forward method may not work if your data format is changed.  Using the "split" Command will be simple and effective method.  |makeresults | eval FIELD1 = "ABCD/EFGH/IJ/KL/MN/OP/QRST" | rex field=FIELD1 "(?P<Field_1>\w+)\/(?P<Field_2>\w+)\/(?P<Field_3>\w+)\/(?P<Field_4>\w+)\/(?P<Field_5>\w+)\/(?P<Field_6>\w+)\/(?P<Field_7>\w+)" | table FIELD1 Field_1 Field_2 Field_3 Field_4 Field_5 Field_6 Field_7     ... View more

Hi @Real_captain , the mode=sed was not from the field extraction wizard. may i know why you thought to use the mode=sed, pls suggest.  As you can see,  Syntax: mode=sed Description: Specify to indicate that you are using a sed (UNIX stream editor) expression. sed-expression Syntax: "<string>" Description: When mode=sed, specify whether to replace strings (s) or substitute characters (y) in the matching regular expression.  https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex#Syntax not sure, but lets try:   | rex field=Message "(?:[^,\n]*,){7}\s+"\w+_\w+_\w+_\w+_\w+":\s+"(?P<POH1>[^"]+)"     Sample log lines will be helpful to troubleshoot this, thanks.   ... View more

Hi @Xander13  the error - Error calling execve(): Permission denied was discussed in this post. could you pls check this once, thanks.  https://community.splunk.com/t5/Getting-Data-In/When-trying-to-start-Splunk-I-m-getting-an-quot-execve/m-p/119749     ... View more

Hi @whitecat001 ... this looks like a mistaken eval field assignment or table printing issue.  pls share with us your search query(remove any sensitive details) and/or the other user's search query. then troubleshooting this will become easy one, thanks.  ... View more

Hi @ilhwan  >> an uptime report for Splunk  maybe more details needed pls. by linux uptime, you will have how many users logged in, cpu usage, system startup time, last shutdown time, load average, etc are you looking a similar report for Splunk or something else, more details pls.  for the question about monitoring console, the monitoring console got lots of nice and useful dashboards, like longer running searches, high CPU intensive searches, which user is running more Splunk, and lot more.  All you need to do is, 1) get a list of things of what you are looking for. 2) check if DMC got some dashboard panels with the details you are looking for.  3) make your own dashboard with panels from existing DMC panels or your own SPL.    hope this gave some ideas, thanks.    ... View more

Hi @timothylindt  My two cents here: 1) if the Salesforce Add-on does not support FIPS, then Splunk doc team should have updated on the add-on docs (the opposite is what happened in this case - if its supporting, then many times they forget to mention it) 2) if this issue impacted previous Splunk Admins, then they should have asked this question(as the SalesForce is a popular app) 3) if the FIPS is not supported by the add-on, then you can contact Splunk Support as the Add-on is a Splunk Supported Add-on.    Some detailed for other Splunk newbies about the FIPS: FIPS - Federal Information Processing Standards (FIPS) THP - Transparent Huge Pages (as some users may get confused with FIPS and THP) How to enable FIPS, how to verify, etc https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/SecuringSplunkEnterprisewithFIPS   ... View more

Hi @Mallika1217 , linkedin profile? ... not able to understand your question.. pls some more details..  do you want to get notified about a particular splunk app/add-on? ... View more

Hi @raculim .. @PickleRick 's suggestion works fine, tested (9.3.0)   ... View more

ok, its the right time for me work with these Slack addons/apps and Splunk Enterprise.  ... View more

Hi @qs_chuy .. good catch. let me check this and revert back.  my mindvoice to me... some more "detailed understanding" required between -  the tstats, datamodels, accelerated, non-accelerated, thx ... View more

Hi @rsAU  The above reply should work fine for your situation.  if still any issues, pls update us  1) your full search query (remove any confidential info) 2) maybe a screenshot is better  ... View more

Hi @Ram2 ...May i know what happens when you try this props: SHOULD_LINEMERGE=false LINE_BREAKER=([\r\n]+) TIME_PREFIX=^   ... View more

Hi @Ram2  Same questions of @PickleRick : Looks like you are reading app logs from linux, thru Splunk UF (or HF) 1) pls confirm are you using UF or HF (or directly reading at indexer?) 2) are you ingesting these logs thru some Splunk TA / App / Add-on's? ... View more

Closing this post, to move it from unanswered to answered, thanks  ... View more

Hi @FAnalyst  >>>now I want to open .spl file to look into these Use Cases Yes, as said on above two replies, you can untar the file (.spl = tar file) and look into it, check the contents, try to understand the searches, etc >>>but do not want to upload the file as an app  Yes, you no need to upload it to Splunk.  i feel you want to edit some usecase and then upload then tar it as a .spl file(tar file) and then upload it to Splunk. it is also possible. careful while editing(pls preserve the format), all should be good, thanks.    Best Regards Sekar    ... View more

Hi @SanjayM  As you said, there are no matches in Splunkbase for Dell Unity Storage.  i see only two possible ideas: You can ask to Dell Support for any roadmaps if they have.  OR Perhaps you can create one for yourself and contribute it to Splunkbase also (may help will be available if you are stuck somewhere) thanks,   Best Regards Sekar ... View more

Hi @Splunkers2 May we know if you use the CIM pls.  pls copy paste the Splunk Search query you used(remove sensitive data beofre), thanks ... View more

Hi @Mitesh_Gajjar  More details needed pls - The Splunk Version   - the daily license limit - approx how long back the Splunk was installed(to find out how much data is currently stored inside the Splunk) - details about indexer/SHC pls (to understand how many indexers are in Indexer Cluster) - the SF and RF pls  and the most important - the internal splunk logs may i know if you have created a Support ticket to Splunk pls.  Best Regards Sekar ... View more