cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
thirumaleshsplu
Explorer
Member since: ‎05-31-2018
yesterday
Community Statistics
Posts 8
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎05-31-2018
Activity Feed
View All

Re: Get the difference between strings

by in Splunk Search
2 weeks ago
1 Karma
2 weeks ago
1 Karma
What you are doing is good enough - there are some minor optimisations you can do to use a base search for all 3 panels, e.g. the base search and searches for the 3 panels could look like this <search id="base_tstats"> <query> | tstats count where index=* by index _time span=1d </query> </search> <search base="base_tstats"> <query> | stats sum(count) as events by index | where events=0 </query> </search> <search base="base_tstats"> <query> | stats sum(count) as events by index | where events>0 </query> </search> <search base="base_tstats"> <query> | stats count as days latest(_time) as _time by index | where days=1 AND _time=relative_time(now(),"@d") </query> </search> One way to check for manual index creation is to look in the audit log, but I'm not sure what happens when you edit indexes.conf and restart or what happens in a clustered environment, but you could check that if you really need to know about true creations as opposed to assumed creations.   index=_audit operation=create action=indexes_edit   Audit: [ timestamp=03-30-2021 21:11:42.415 , user=userrname , action=indexes_edit , info=granted object= "index_name " operation=create ][ n/a]   ... View more

Re: events are accumulate and not splitting after ...

by SplunkTrust in Getting Data In
‎04-01-2020 02:04 PM
‎04-01-2020 02:04 PM
| makeresults | eval _raw="{\"@timestamp\":\"2020-04-01T16:51:01.921Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"7.4.2\",(deleted actvally event)\"} {\"@timestamp\":\"2020-04-01T16:51:01.921Z\",\"@metadata\":(deleted actvally event)\"}} {\"@timestamp\":\"2020-04-01T16:51:01.921Z\",\"@metadata\"(deleted actvally event)\"}}" | rex mode=sed "s/(?ms)({\"@time)/#\1/g" | makemv delim="#" _raw | stats count by _raw | rex "\"(?<timestamp>\d\S+Z)\"," | eval _time = strptime(replace(timestamp,"Z","+0000"), "%FT%T.%3Q%z") I check your log by this query. props.conf SHOULD_LINEMERGE = false LINE_BREAKER = (.){\"@time TIME_PREFIX = timestamp\":\" TIME_FORMAT=%FT%T.%3QZ TZ = UTC please add fields extraction(TRANSFORMS,REPORT....) and see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables ... View more

Re: Phantom integration giving the ssl error, how ...

by Splunk Employee in Splunk Phantom
‎11-04-2019 09:29 AM
‎11-04-2019 09:29 AM
Did the link and advice from @ansusabu and/or @WalshyB help you get this solved? ... View more

I was added http status in ITSI KPI, however i am ...

by in Splunk IT Service Intelligence
‎12-03-2018 09:53 AM
‎12-03-2018 09:53 AM
I am not able to see the https codes in itsi kpi, instead of it am able to see it as sec. ... View more

Re: How many events per second a heavy forwarder c...

by in Getting Data In
‎05-31-2018 01:58 PM
‎05-31-2018 01:58 PM
No, that question cannot be answered without information on what types of data you want to collect and process. I don't recall ever seeing much detailed information on processing capacity of HFs, but if you can find specs for an indexer, you can assume a HF can do more, since HF does the same except it doesn't have to write to disk and does not have to deal with searches. How many EPS are equivalent to 200GB/day depends on event size of course, but with for instance an average event size of 1KB, it results in ~2400 EPS or so. But again: a single/few very beefy box(es) like you're asking for probably doesn't make much sense for a Heavy Forwarder layer in between your data sources and Splunk Cloud. From a data distribution point of view, you typically want at least as many forwarders as you have indexers, preferably more (can also be accomplished by enabling additional pipelines on forwarders). You may want to check with your Splunk Sales / PS rep for the latest guidelines on that and an assessment on what would best fit your environment. ... View more
Contact Me
Online Status
Offline
Date Last Visited
yesterday
Karma given to
View All