×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Christian
Path Finder
Member since: ‎09-07-2010
‎06-05-2020
Community Statistics
Posts 27
Solutions 2
Karma Given 39
Karma Received 7
Member Since ‎09-07-2010
Activity Feed
View All

Re: extract multiple fields(number unknown) and su...

by in Splunk Search
‎05-30-2015 07:22 AM
‎05-30-2015 07:22 AM
I don't know of a way to do it as separate field names but it can be done as a multi-value field like this: ... | rex "^[^,]*,[^,]*(?<myField>.*)$ | eval myMvField=split(myField,",") Then install this: http://jordan.broughs.net/archives/2012/06/mvsum-for-splunk-summing-multi-valued-fields-within-a-single-event ... View more

Re: inputs.conf behaviour doesn't corespond with d...

by in Getting Data In
‎11-10-2011 05:47 AM
‎11-10-2011 05:47 AM
thx the refrence articel answers my qustion ... View more

Re: How to get first 10 search results on timechar...

by in Splunk Search
‎04-27-2011 12:51 AM
‎04-27-2011 12:51 AM
well it depends on your query, head will return you the first 10 rows of your search so you either sort it before or using the top command http://www.splunk.com/base/Documentation/latest/SearchReference/top , which is probably the easier way 🙂 sorry didn't think on that before ... View more

Re: Determine query speed

by Splunk Employee in Splunk Search
‎04-26-2011 01:57 PM
‎04-26-2011 01:57 PM
No, that will tend to measure decompression as well. Choose an extremely rare term, something that occurs in fewer than 1 in a million events, and time it a search for it over a given time range of data, e.g., search for "vbumgarburnerization". ... View more

Re: Extended Dashboard

by in Dashboards & Visualizations
‎03-21-2011 04:16 PM
1 Karma
‎03-21-2011 04:16 PM
1 Karma
You can change the host field at index time with a "TRANSFORMS" property: ## props.conf [mysourcetype] TRANSFORMS-force_host_for_mysourcetype = force_host_for_mysourcetype ## transforms.conf [force_host_for_mysourcetype] DEST_KEY = MetaData:Host REGEX = \d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+server=(\S+) FORMAT = host::$1 You can create a dashboard using the following search. The dashboard creation itself can be a bit tricky. We may have to incorporate the "rangemap" search command and map 0=low 1=severe. sourcetype=mysourcetype | stats last(state1) as state1, last(state2) as state2, last(state3) as state3, last(state4) as state4 by server, env, os | addtotals fieldname=stateTotal ... View more

Re: CSV Field export doesn't work

by in Getting Data In
‎01-21-2011 04:57 PM
‎01-21-2011 04:57 PM
And here's the general description on which config has to go where: http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F ... View more

Re: Can Splunk interpret json?

by Splunk Employee in Splunk Search
‎09-07-2012 05:59 PM
5 Karma
‎09-07-2012 05:59 PM
5 Karma
Answers prior to the release of Splunk 4.3 in January 2012 are somewhat out of date. In that release, indexed JSON can now be extracted as structured JSON fields, either automatically via a new KV_MODE = json setting, or on-demand using the new spath search command. There is no need to create a new search command, and you don't need to flatten or reformat the input. ... View more

Re: Slow Search Performance on AIX

by in Splunk Search
‎09-16-2010 02:08 PM
3 Karma
‎09-16-2010 02:08 PM
3 Karma
Hello all, thanks for you support, I think we solved the Problem. The Problem was neither I/O or CPU I was just the parameter maxclient% which controls how much memory can be consumed for filesystem cache. Just to complete this question the well formated output of vmstat -v 4194304 memory pages 4040624 lruable pages 2224021 free pages 2 memory pools 485051 pinned pages 80.0 maxpin percentage 1.0 minperm percentage 80.0 maxperm percentage 31.6 numperm percentage 1277976 file pages 0.0 compressed percentage 0 compressed pages 31.6 numclient percentage 80.0 maxclient percentage 1277976 client pages 0 remote pageouts scheduled 370 pending disk I/Os blocked with no pbuf 0 paging space I/Os blocked with no psbuf 2228 filesystem I/Os blocked with no fsbuf 3261 client filesystem I/Os blocked with no fsbuf 894 external pager filesystem I/Os blocked with no fsbuf 0 Virtualized Partition Memory Page Faults 0.00 Time resolving virtualized partition memory page fault The Problem with the License Calculation still exists but seems to be a different Problem. Search Performance is for the moment OK. Setting vmo Parameter vmo -p -o maxperm%=80 vmo -p -o maxclient%=80 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
Karma given to