Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Clovisa
Clovisa
Path Finder
Member since:
03-09-2018
06-05-2020
Community Statistics
| Posts | 25 |
| Solutions | 0 |
| Karma Given | 9 |
| Karma Received | 0 |
| Member Since | 03-09-2018 |
Activity Feed
- Karma Re: Is it safer to create separate indexes than to add search restrictions ? for p_gurav. 06-05-2020 12:49 AM
- Karma Re: Is it safer to create separate indexes than to add search restrictions ? for robgora_deloitt. 06-05-2020 12:49 AM
- Karma Re: How do I get the 1st day on the current year ? for cmerriman. 06-05-2020 12:49 AM
- Karma Re: Heavy forwarder - routing to different indexes depending on field value for hortonew. 06-05-2020 12:49 AM
- Karma Re: How to modify timewrap legend? for niketn. 06-05-2020 12:49 AM
- Karma Re: How can I concatenate tables from the same search at different time periods ? for renjith_nair. 06-05-2020 12:49 AM
- Karma Re: How to build a srchFilter when two indexes are allowed? for kmorris_splunk. 06-05-2020 12:49 AM
- Karma Re: splunk license warnings?? for DalJeanis. 06-05-2020 12:48 AM
- Karma Re: throttle alert once per day for jplumsdaine22. 06-05-2020 12:47 AM
- Posted Re: How to build a srchFilter when two indexes are allowed? on Splunk Search. 07-17-2018 06:55 AM
- Posted How to build a srchFilter when two indexes are allowed? on Splunk Search. 07-17-2018 06:20 AM
- Tagged How to build a srchFilter when two indexes are allowed? on Splunk Search. 07-17-2018 06:20 AM
- Posted Re: How to do a timechart of a week with a timewrap on the previous year? on Splunk Search. 07-06-2018 08:07 AM
- Posted How to do a timechart of a week with a timewrap on the previous year? on Splunk Search. 07-06-2018 07:38 AM
- Tagged How to do a timechart of a week with a timewrap on the previous year? on Splunk Search. 07-06-2018 07:38 AM
- Tagged How to do a timechart of a week with a timewrap on the previous year? on Splunk Search. 07-06-2018 07:38 AM
- Posted Re: How to build a two way table? on Splunk Search. 07-04-2018 01:03 AM
- Posted How to build a two way table? on Splunk Search. 07-04-2018 12:40 AM
- Tagged How to build a two way table? on Splunk Search. 07-04-2018 12:40 AM
- Tagged How to build a two way table? on Splunk Search. 07-04-2018 12:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-17-2018
06:55 AM
Perfect thanks 🙂
... View more
07-17-2018
06:20 AM
Hello,
I am trying to build a role that would allow the users to access to two indexes (index1 and index2). The index1 has a field called parameter and I want the role to restrict search filter to parameter=value . But when I do this (see code below), I don't have access anymore to my index2. How could I avoid this ?
Thanks !
[role_test]
cumulativeRTSrchJobsQuota = 0
cumulativeSrchJobsQuota = 0
importRoles = user
srchIndexesAllowed = index1, index2
srchIndexesDefault = index1
srchFilter = parameter=value
srchMaxTime = 0
... View more
07-06-2018
08:07 AM
I think the week numbers are different from one year to the other in my case so it doesn't work
... View more
07-06-2018
07:38 AM
Hi ! I am trying to display a timechart that gives the data of a week, and the data of the same week but one year earlier.
I have done something with timechart and timewrap that gives me that comparison, but also gives me the comparison of all the rest of the year. How can I just isolate a specific week ? Thanks !
My current request :
index="sales_2017" OR index="sales_2018"
| timechart span=d count
| timewrap y
What I got :
What I would like to have :
... View more
07-04-2018
12:40 AM
Hi !
I am trying to build a two way table like :
| | Male | Female | Total |
| Child | 2 | 3 | 5 |
| Teenager | 2 | 1 | 3 |
| Adult | 10 | 11 | 21 |
I see how to count by gender or by age but I don't see how I can have both in the same table. Your help will be very appreciated, thanks!
... View more
07-03-2018
08:19 AM
It is perfect, thanks a lot 😄
... View more
07-03-2018
05:36 AM
Hi, I am trying to compare the top sales of the latest week to the top sales of the previous week.
I am trying to get a table that looks like :
Product | Rank | Rank previous week
Table | 1 | 2
Chair | 2 | 1
index=sales earliest=-2w latest=-w
| stats count as Sales by Product| sort -Sales
| table Product
| streamstats count as Rank
I succeeded in having the latest rank or the previous rank (see query above) but I don't see how I can combine them. Do you know how I could do this ? Thanks !
... View more
- Tags:
- splunk-enterprise
06-26-2018
12:31 AM
Hi ! I am trying to modify the legend generated by the timewrap command. I saw that we could slightly change it with the parameter "series" but it's not really giving me what I want.
Let's say I want to have a sum of prices from this request :
index=sandbox earliest=-13d | timechart sum(prices) as "Sum of the prices" span=d | timewrap 1w series=relative
The legend will be Sum of the prices_1week_before and Sum of the prices_latest_week . I would like to have something like Sum of the prices for the week before and Sum of the prices for the latest week .
How can I get this ? Thanks !
... View more
05-23-2018
02:11 AM
Hi, I am having the same issue as this one (https://answers.splunk.com/answers/27128/directory-and-config-file-permissions-keep-getting-reset-by-splunk-need-744.html) : my config files permissions keep being reset by Splunk.
It is pretty old and seems unresolved, do you know if there is a way to avoid this ? Thanks !
... View more
05-11-2018
08:09 AM
No problem, thanks for trying 🙂
In fact I have very few duplicate events, but I can't avoid them more by playing with the data source.
... View more
05-11-2018
07:53 AM
Thanks for your help. I receive the events via an HTTP entrypoint, and it is json. An simplified equivalent of the requests that are sent is :
curl -k "splunk:8088/services/collector" \
-H "Authorization: Splunk 1c0afd4d-d802-gg2c-9fc2-0f428217adf7" \
-d '{"event": {"Owner": "Toto", "Title": "Hello", "Date":"2018-02-02 11:45:23"}, "sourcetype": "sales", "time":"2018-02-02 11:45:23"}'
I will use dedup if it is my last option, but I feel like it will be redundant to write this for every request
... View more
05-11-2018
07:34 AM
Hi,
I noticed that if I send two times the exact same event, _time included, they are not merged. While investigating, I discoverd the _indextime field that could explain why they are considered as two different events.
Is it possible to set the _indextime with the value of _time ? Will it "merge" my identical events ? And if not, is there a way to do it at indexation time ?
Thanks !
... View more
04-09-2018
09:05 AM
Hello, I would like to visualize data starting from the 1st of January of the current year.
I see how to get the current year, but how can we combine it with "1st of January" ?
index=main | eval year=strftime(now(),"%Y")
... View more
04-06-2018
03:02 AM
It wasn't initially, I just moved it and tried but I still don't have the right timestamp
... View more
04-06-2018
01:34 AM
Hi,
I noticed something strange. When I upload the following JSON by the Splunk Web interface, using he json_sales sourcetype described below, the "Date" field is set as timestamp (which is what I want).
But when I try to push the same JSON line via HTTP event collector, the timestamp that is set is the indexation time. Where does it come from? How can I set the "Date" field as a timestamp while using HTTP? Thank you!
JSON
{"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}
props.conf
[json_sales]
INDEXED_EXTRACTIONS = json
KV_MODE = none
NO_BINARY_CHECK = true
TIMESTAMP_FIELDS = Date
TIME_FORMAT = %Y-%m-%d
category = Structured
disabled = false
pulldown_type = true
cURL
curl -k http://splunk:8088/services/collector -H "Authorization: Splunk 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX" -d '{"sourcetype": "json_sales", "event": {"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}}'
inputs.conf in splunk_httpinput/local
[http://Vente]
disabled = 0
index = sales
token = 1c0afd4d-d882-4a2c-9fc2-0f428216XXXX
sourcetype = json_sales
... View more
04-05-2018
06:46 AM
Is it an intuition or do you have some reasons in mind ?
... View more
04-05-2018
06:24 AM
Hi, I am wondering which one is the safest option to restrict access to my data and why.
Let's say that I sell shoes for resellers and for direct customers. I would like that customers could not see the shoes destined to the resellers.
Is it better to :
Forward all the shoes in a global "shoes" index and, when I configure the "customer" role, add a search restriction (like "Recipient=customer") or
Forward the customer part in a dedicated index and same for the reseller part, and then give access only to the corresponding index to the customer
Thank you !
... View more
04-05-2018
06:04 AM
Sadly even without it, the result is the same !
... View more
04-05-2018
05:15 AM
It is still giving me as timestamp the indexation time ... I'll put below all the file parts that could have an impact on this, I'm necessarily doing something wrong somewhere ! Thanks again 🙂
Request
curl -k http://splunk:8088/services/collector -H "Authorization: Splunk <my_token>" -d '{"sourcetype": "json_sourcetype", "event": {<my_json>}}'
inputs.conf (/opt/splunk/etc/apps/splunk_httpinput/local/inputs.conf , because it is a HTTP data input)
[http]
disabled=0
port=8088
enableSSL=0
[http://Vente]
disabled = 0
index = sales
token = <my_token>
sourcetype = json_sourcetype
indexes.conf
[sales]
homePath = $SPLUNK_DB/sales/db
maxTotalDataSizeMB = 512000
enableDataIntegrityControl = 0
thawedPath = $SPLUNK_DB/sales/thaweddb
enableTsidxReduction = 0
coldPath = $SPLUNK_DB/sales/colddb
props.conf
[json_sourcetype]
MAX_TIMESTAMP_LOOKAHEAD=10
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true
TIME_FORMAT=%Y-%m-%d
TIME_PREFIX={\"\Date\"\:\"
INDEXED_EXTRACTIONS=json
KV_MODE=none
... View more
04-05-2018
12:35 AM
Hi @richgalloway, thanks for your answer. I tried your configuration but it is still not working as you can see in the screenshot.
Could it come from somewhere else, in an other config file ?
... View more
04-04-2018
08:53 AM
Hi!
I have the following JSON and I would like to set the field "Date" as timestamp. Splunk is currently setting the date and time corresponding to when I index the data.
JSON
{"Date":"2018-02-26","Id commande":"L4512XXX","Type":"A","Quantité vendue":"1000","Support de vente":"Livre","Code pays":"FR","Référence":"REFXXX"}
In order to set the field Date as timestamp, here is my configuration file :
props.conf
[json_sourcetype]
KV_MODE = json
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = true
TRUNCATE = 0
TIME_PREFIX = Date":"
MAX_TIMESTAMP_LOOKAHEAD = 200
TIME_FORMAT = %Y-%m-%d
But it is not working at all, it stills takes the indexation date as if this config was not taken into account. Do you know where it could come from?
Thanks!
... View more
03-09-2018
05:39 AM
Hi everyone !
I'm new to Splunk and I'm trying to see what can be done with it. I was wondering if it was possible, with a heavy forwarder, to forward data to different indexes depending on the value of a specific field?
For example, if I have the indexes red_colored_vegetables and green_colored_vegetables, and the following data :
| Id | Vegetable | Color |
| 1 | Tomato | Red |
| 2 | Leek | Green |
| 3 | Salad | Green |
I want that 1 is forwarded to the index red_colored_vegetables and that 2 and 3 are forwarded to the index green_colored_vegetables.
Is it feasible?
Thanks !
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
