Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Kozokkon
Kozokkon
Engager
Member since:
05-25-2018
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 05-25-2018 |
Activity Feed
- Karma Re: SPL - Hard multisearch with reference to other events for niketn. 06-05-2020 12:49 AM
- Posted Re: Trigger to create a new custom _raw before indexing data on Deployment Architecture. 06-17-2018 11:54 PM
- Posted Re: Trigger to create a new custom _raw before indexing data on Deployment Architecture. 06-17-2018 11:52 PM
- Posted Re: Trigger to create a new custom _raw before indexing data on Deployment Architecture. 06-17-2018 11:49 PM
- Posted Trigger to create a new custom _raw before indexing data on Deployment Architecture. 06-15-2018 04:46 AM
- Tagged Trigger to create a new custom _raw before indexing data on Deployment Architecture. 06-15-2018 04:46 AM
- Posted Re: SPL - Hard multisearch with reference to other events on Splunk Search. 06-04-2018 11:00 PM
- Posted SPL - Hard multisearch with reference to other events on Splunk Search. 06-04-2018 06:14 AM
- Tagged SPL - Hard multisearch with reference to other events on Splunk Search. 06-04-2018 06:14 AM
- Posted splunk db connect doesn't show existing sourcetypes on All Apps and Add-ons. 05-25-2018 06:20 AM
- Tagged splunk db connect doesn't show existing sourcetypes on All Apps and Add-ons. 05-25-2018 06:20 AM
- Tagged splunk db connect doesn't show existing sourcetypes on All Apps and Add-ons. 05-25-2018 06:20 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
06-17-2018
11:54 PM
That was kinda a hack, i set alert per every new event and made a spl where I totally recreate my _raw output as I want and set it to save to another index.
... View more
06-17-2018
11:52 PM
Mine idea was to parse already received information to another index with own redefined structure and variables and make searches on them.
... View more
06-17-2018
11:49 PM
In short: I'm receiving JSON so everything is parsed and saved as field. I need to anonymized some information and reduce some fields for search optimization.
... View more
06-15-2018
04:46 AM
Good afternoon,
I want to ask if there is a way how to create own _raw data and to fire some kind of SPL query when some new event come to splunk ( the best would be if it is possible to make it before indexing ).
The whole idea is: When a new event comes, splunk will create a brand new event and save it in different index with little set of information from previous event + some extra info (for ex. actual timestamp).
I tried to make this work with alert, by "alerting" each new event to a new index. But the problem is that solution is extremely slow. I tried to upload 20k of new data at once and it took about hour to parse all of these.
Here is the pic of my idea:
That line between server and indexes is splunk server, the best would be if it gonna happen at pre or during indexing time, but if it happens after I wouldn't mind. 🙂
... View more
- Tags:
- splunk-enterprise
06-04-2018
11:00 PM
Oh wow, thank you!
... View more
06-04-2018
06:14 AM
Good afternoon,
I've got a quite hard task to solve with SPL.
Here are JSON data:
{"name":"A", "pairs":["A","B"]},
{"name":"B", "pairs":["B","C"]},
{"name":"C", "pairs":["C","B"]},
{"name":"D", "pairs":["D","E"]},
{"name":"E", "pairs":["D","E"]}
Each JSON object is event
Name - is name of object
Pairs - are reference to other objects
Expected input:
The person write as input name=A
Expected output:
Splunk will return all related events referenced by pairs and will search recursively by pairs
so results will be:
// 1. raw event
{"name":"A", "pairs":["A","B"]}
// 2. raw event
{"name":"B", "pairs":["B","C"]}
// 3. raw event
{"name":"C", "pairs":["C","B"]}
Alternative results:
It will be OK if Splunk will return joined mv field with values :
pairs = ["A","B","C"] // pairs as multi value field with values A B and C
Is this possible to get such result with single SPL query?
... View more
- Tags:
- splunk-enterprise
05-25-2018
06:20 AM
Good afternoon,
When I'm creating a new input for my dbconnection i can't select existing source-types. Even more, when I'm trying to create new one it doesn't show up in list of all source-types.
I need to specify source-type due some data transformations in transforms.conf and props.conf. Now it just ignores my transformation specifications.
This is example, it doesn't pop up even default splunk source-types
... View more
