We were testing performance and for some reason a join with an inputlookup is faster than a direct lookup. Sample query: | dedup serviceid | rename serviceid as service_id | join type=outer service_id [| inputlookup service_runtime ] VS index=itsi_summary | dedup serviceid | rename serviceid as service_id | lookup service_runtime service_id I thought the lookup would be faster and basicly execute the join with the inputlookup itself. But after trying a few hundred times 99% of the time the join with inputlookup is faster. In what cases should we use lookup instead of a join with an inputlookup? ... View more

I have the following query that runs fine: index=someindex original_index=someindex earliest=1553986800 latest=1554069600 | eval date_display = strftime(1553986800, "%a %B %d %m") | stats values(date_display) as date_determined | return $date_determined When I use this search as a subsearch like... index=some_license_index earliest=1553986800 latest=1554069600 | eval determine_date = [ search index=some_index original_index=some_index earliest=1553986800 latest=1554069600 | eval date_display = strftime(1553986800, "%a %B %d %m") | stats values(date_display) as date_determined | return $date_determined ] | stats sum(bytes) as "License Usage" by original_source ...I get the following error: Error in 'eval' command: The expression is malformed. When I change it to... index=ahm_summary_license_usage original_index=swtr_logs earliest=1553986800 latest=1554069600 | eval determine_date = [ search index=ahm_summary_license_usage original_index=swtr_logs earliest=1553986800 latest=1554069600 | eval date_display = 1234 | stats values(date_display) as date_determined | return $date_determined ] | stats sum(bytes) as "License Usage" by original_source ...It works fine (note the eval in the subsearch) ... View more

Is it possible to make a dashboard.js for all pages (global)? I want to run a specific script that adds a machine id to the header on every page in the splunk environment. The script works perfectly at the moment for a specific app but im not able to run it on every page. ... View more

Lets say I have the following json data onboarded. { "slaves": [{ "id": "1234", "hostname": "12556" }, { "id": "1245", "hostname": "1266" }] "masters": [{ "id": "2234", "hostname": "22556" }, { "id": "2245", "hostname": "2266" }] } The result that I want is that for each slave I get an event with sourcetype indexnamex:slave and for each master I want to put each event in sourcetype indexnamex:master So in indexnamex:slave I want 2 events indexnamex:slave Event1 {"id": "1234","hostname": "12556" } indexnamex:slave Event2 { "id": "1245", "hostname": "1266" } And in indexnamex:master also two events indexnamex:master Event 1 { "id": "2234", "hostname": "22556" } indexnamex:master Event 2 { "id": "2245", "hostname": "2266" } I can not split on e.g. hostname x } as it is the same for slaves and masters. Is it possible to do splitting in multiple steps? e.g. first split on "slaves" : and "masters": and after that split do a split on what is left? If not are there any other options? note: the example is simpler than my real data as it is 10k lines. ... View more

Im trying to come up with the values for the amount of max concurrent historical searches because we get the error: the maximum number of concurrent historical searches on this instance has been reached I know in the limits.conf we can set the values that are used to set the limit: from splunk docs https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf?utm_source=answers&utm_medium=in-question&utm_term=limits.conf&utm_campaign=refdoc " max_searches_per_cpu = < int> The maximum number of concurrent historical searches for each CPU. The system-wide limit of historical searches is computed as: max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches " When I check resourse management I dont even see 1 machine with 1% load all are around 0.5% We have 3 searchheads 2 indexes 1 mgmt. How should i determine the values for "max_searches_per_cpu " and "base_max_searches" as It seems unnecessary to me that we get errors when our load is so low. ... View more

I do not understand what is meant by concurrent historical searches. Can someone else explain what it means to me? I read the entire Splunk limits.conf, where you can specify it, but I think i missed the explanation of what a concurrent historical search actually is. Which searches are counted? subsearches/joins? Is it possible to view the number for a specific search? The calculation in the docs says: max_hist_searches = max_searches_per_cpu x number_of_cpus + base_max_searches So does the number of cores in your CPU not matter? We have 4 searchheads with 8 cores, so by default, we can do: 1 * 4 + 6 = 10 concurrent historical searches with those machines? For each machine we add we get only 1 concurrent historical search extra? ... View more

Based on (https://answers.splunk.com/answers/709936/get-value-from-nested-json.html#answer-709944) I came up with a query: index=dcos sourcetype=dcos:node:metrics | rename datapoints{}.name as name, datapoints{}.value as value | eval x=mvzip(name,value) | mvexpand x | eval x=split(x,",") | eval name=mvindex(x,0) | eval value=mvindex(x,1) | table _time, name, value, host | sort - _time | search name=system.uptime What I expected was a list with the system.uptime every minute for all 3 hosts, however it is not consistent and sometimes I only get the value for 1 host for a specific minute (see screenshot). I checked to see if the data was onboarded allright and has the value I run my filter on (| search name=system.uptime) and all data has the value and is onboarded correct every minute. When I run index=dcos sourcetype=dcos:node:metrics | spath datapoints{} output=datapoint | mvexpand datapoint | eval _raw=datapoint | kv | search name="system.uptime" | table name value _time host | sort - _time I get the expected results ( I cant show it this website only allows 2 images) :S: ... View more