This "Best of Splunk" .conf 2017 talk on the Python SDK v2 lists the 50k limit as a negative of v1:
http://conf.splunk.com/sessions/2017-sessions.html#search=Extending%20SPL%20with%20Custom%20Search%20Commands%20and%20the%20Splunk%20SDK%20for%20Python&
Create a new field using eval and list it along with the other fields you care about in a table:
| notablegeneratingsearch
| eval pci_id="10.1"
| table pci_id,alltheotherfieldsyoucareabout
Alternatively, you could use the tag field.
Run top on your search head while the user executes the search; I expect you to see utilization jump to 100%. This sounds like a resource utilization problem where your hardware cannot keep up with the demand.
Try to get those field extractions done. You can do it inline with the following (the named capture groups are restored here, since their names were lost when the post was rendered, and the stray parentheses are escaped so the regex compiles):
| rex "Network\sUser::(?P<FirstName>\w+)\).\((?P<Surname>\w+)\)" | table FirstName,Surname,count
My theory was that on the intermediate forwarder's inputs.conf you can specify the following stanza:
Forwarder-specific settings for splunktcp.
Receivers use this input stanza.
This is the same as the [tcp://] stanza, except the remote server is assumed
to be a Splunk instance, most likely a forwarder.
Under that stanza they should be able to specify forwarder-specific settings for the _INDEX_AND_FORWARD_ROUTING or _TCP_ROUTING parameters to route the events on a per-forwarder basis.
Hi Bryanrobertson,
Yes, you can specify _INDEX_AND_FORWARD_ROUTING or _TCP_ROUTING under the following stanza.
See the inputs.conf doc for more details on that stanza.
Hope this helps, good luck! - David
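Putting the theory in the post above together with this confirmation, here is an added, constructed example (not from the original thread and not from Splunk's documentation) of what the intermediate forwarder's inputs.conf and outputs.conf could look like. The IP addresses (from the 192.0.2.0/24 documentation range), the port and the output group names are made up, and it assumes the remote-server form of the splunktcp stanza (the form whose spec comment is quoted above) accepts the routing settings, as the answer states:

```conf
# inputs.conf on the intermediate forwarder (constructed example)
# Each stanza matches the sending forwarder by its address, so the routing
# setting applies only to events arriving from that host.

[splunktcp://192.0.2.10:9997]
_TCP_ROUTING = pci_indexers

[splunktcp://192.0.2.11:9997]
_TCP_ROUTING = general_indexers

# outputs.conf on the same intermediate forwarder (constructed example)
# The group names referenced by _TCP_ROUTING above must exist here.

[tcpout]
defaultGroup = general_indexers

[tcpout:pci_indexers]
server = 192.0.2.20:9997,192.0.2.21:9997

[tcpout:general_indexers]
server = 192.0.2.30:9997
```

Events from a forwarder that has no matching stanza follow defaultGroup. Whether a bare port stanza such as [splunktcp://9997] is also required alongside the per-host stanzas, and the exact behaviour of _INDEX_AND_FORWARD_ROUTING (which the answer names as the per-input setting for the index-and-forward case), should be checked against the inputs.conf spec shipped with the version in use rather than taken from this example.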
The deployment server sure can!
Check out these docs for instructions on how to do it:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Updating/Useforwardermanagement
https://docs.splunk.com/Documentation/Splunk/7.0.3/Updating/Updateconfigurations
Hey Chrisw3,
Unfortunately, I do not believe this is a setting you can change. To test, I went and changed every value in limits.conf from 50000 to 50100; scrub still came back with only 50,000 results.
Additionally, I believe this is a constraint of the command itself, because it is calling a Python script on the backend which is using the 1.x SDK, which limits transforming searches to 50k results. I believe the 50k limit is a limit of the SDK and is not configurable anywhere.
Sorry and good luck! -David
This probably isn't the answer, but hopefully you can run with it.
Something along the lines of (the join options go before the field name, and the subsearch needs its closing bracket):
sourcetype=sourcetypeA
| stats values(*) as * by publishId
| join type=left publishId
    [| search sourcetype=sourcetypeB
     | spath
     | (Do the field manipulation/extraction you want here, might have to use rex, eval, foreach or a combination of the 3)
     | table fieldyoucareabout, publishId ]
Hello,
You are looking for the forwarder management function, which can be obtained through the use of a deployment server:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Updating/Aboutdeploymentserver
If you do not have a deployment server, you will need to install it manually on each forwarder (or use some other type of automated/scripted deployment software).
Hello
Give this a go (the macro is invoked with backticks inside the foreach template; those were lost when the post was rendered):
| foreach result [ `macro_name_here` ]
I successfully tested this methodology in my test environment by running the following (after changing the macro's permission):
index=_internal | head 10 | foreach result [ `dmc_get_core_info` ]
As expected, this gave me a core_info field in each event.
Good luck! -David