I'm having an issue with a .csv file containing data from an Oracle database view that is being extracted nightly and ingested into Splunk. I'm not involved in the Splunk configuration side of things at my job. I requested the data be sent to Splunk so that I can integrate it into various dashboards I'm developing.
The issue is that Splunk has shifted the field names one column to the right, so to speak. Say the column names from the source view are A, B, C, D, E, F, G, H, ......, Y, Z.
A, B, C, and D have corresponding fields in Splunk and they contain the appropriate values. However, starting with column E, the corresponding field in Splunk that contains the values for the E column is named F instead. This trend continues (Splunk field that contains values from column F in the source view is named for column G, etc...) until the penultimate field, which is named for the final column from the source view (Z) but contains values from column Y. Then, there is a field named EXTRA_FIELD_21. This field contains the values for column Z in the source view.
Apologies for the description, I'm finding the issue difficult to articulate. Basically, EXTRA_FIELD_21 should be named E instead and field values should be 'shifted' to the right by one starting with that field.
Any idea what may be causing this? All commas and equals symbols have been removed from the view. There is nothing but letters and dashes in the view column E. Thanks in advance for any insight!
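An extra, automatically named field at the end of every event, with the real column names pushed one position to the right, is consistent with the header line carrying one name fewer than each data row carries values: a positional parser then labels the fifth value with the sixth name, and so on. The script below is an added example, not code from the original post or from Splunk; it assumes a comma-delimited export with a header row (the layout the question describes) and uses a constructed sample that reproduces a one-column shift. It counts fields per row against the header, flags header names that look damaged, and shows how a positional consumer would label a row.

```python
"""Check whether a CSV export's header has as many names as its rows have values."""
import csv
import io

# Constructed sample: six header names, but seven values on every data row.
# The name for the fifth column is simply absent from the header line.
SAMPLE_CSV = (
    "A,B,C,D,F,G\n"
    "a1,b1,c1,d1,e1,f1,g1\n"
    "a2,b2,c2,d2,e2,f2,g2\n"
)


def check_alignment(text, delimiter=","):
    """Return (number of header names, [(line_no, value_count) for rows that differ])."""
    rows = list(csv.reader(io.StringIO(text), delimiter=delimiter))
    header = rows[0]
    problems = []
    # Line numbers are 1-based file lines; the header is line 1.
    for line_no, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append((line_no, len(row)))
    return len(header), problems


def suspicious_header_names(text, delimiter=","):
    """Return header names that are empty, padded with whitespace, or carry
    non-printable characters (a BOM or stray control character, for instance)."""
    header = next(csv.reader(io.StringIO(text), delimiter=delimiter))
    bad = []
    for name in header:
        if name == "" or name != name.strip() or not name.isprintable():
            bad.append(name)
    return bad


def positional_mapping(header, row):
    """Label a row the way a positional consumer would: the i-th value gets the
    i-th header name, and values beyond the header get a placeholder name.
    (The placeholder format here is this script's own, not Splunk's.)"""
    mapping = {}
    for i, value in enumerate(row):
        name = header[i] if i < len(header) else f"UNNAMED_{i + 1}"
        mapping[name] = value
    return mapping


if __name__ == "__main__":
    header_len, problems = check_alignment(SAMPLE_CSV)
    print(f"header has {header_len} names; mismatched rows: {problems}")
    print("suspicious header names:", suspicious_header_names(SAMPLE_CSV))
    rows = list(csv.reader(io.StringIO(SAMPLE_CSV)))
    print(positional_mapping(rows[0], rows[1]))
```

Running this against the real nightly file (before Splunk touches it) tells you whether the shift is already present in the export: a header one name short, or a header name that is empty or carries a hidden character, will show up in the first two checks, and the mapping makes the resulting off-by-one visible column by column.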
So, I have some error logs indexed in Splunk and I'm running a basic search looking for errors by their assigned number. The problem is that the error messages in the logs are broken up as multiple lines. The first line will look like "Error Occurred: # of the error" and the second will be a description of the error. They come into Splunk as two separate events.
Currently, my search returns the events that come from the first line. These are mostly useless. I want to also see the error descriptions, which will always be the immediate next event in the index. Is there a way to have Splunk do a search, return the results, and for each result also return the immediate next event?
I've been reading up on transaction but I have not been able to make it work. Transaction groups search results but the error description events are not results of the search. I can't include them in the search because they differ depending on the error. There aren't any shared attributes between all of the various error descriptions.
I want to be able to say "return these events AND the event directly after each of them no matter what those adjacent events are and it doesn't matter if they satisfy my search criteria". If this isn't possible, so be it, but I'd like to know that for certain. Please let me know if I can clarify in any way and thanks in advance for any replies!
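What the question asks for is a pairing by position in time rather than by content: sort the events, and for every event that matches the search, take the one that follows it whatever it contains. In Splunk's own search language that is usually done with a windowed streamstats over one neighbouring result (search results arrive newest first, so the next event in time is the previous row). The script below is an added example, not code from the original post or from Splunk; it makes the pairing logic explicit in Python, assumes events are available as (timestamp, text) pairs, and uses constructed log lines. It also handles the edge case where two error headers sit back to back, in which case the first one genuinely has no description to attach.

```python
"""Pair each matching event with the event that immediately follows it in time."""
import re

# Constructed events, listed newest first as a search would return them.
EVENTS = [
    ("2024-03-01T10:07:32", "Disk quota exceeded on volume data01"),
    ("2024-03-01T10:07:31", "Error Occurred: 2201"),
    ("2024-03-01T10:07:30", "Error Occurred: 2201"),
    ("2024-03-01T10:05:00", "INFO heartbeat ok"),
    ("2024-03-01T10:00:02", "Connection to the reporting database timed out"),
    ("2024-03-01T10:00:01", "Error Occurred: 1042"),
]

# The header line format described in the question: "Error Occurred: <number>".
ERROR_RE = re.compile(r"^Error Occurred: (\d+)")


def pair_with_next(events, pattern=ERROR_RE):
    """Return one record per event matching `pattern`, each carrying the text of
    the chronologically next event as its description.

    The description is None when there is no following event, or when the
    following event is itself another error header (a description never arrived).
    """
    ordered = sorted(events, key=lambda e: e[0])  # oldest first
    records = []
    for i, (ts, text) in enumerate(ordered):
        match = pattern.match(text)
        if not match:
            continue
        following = ordered[i + 1] if i + 1 < len(ordered) else None
        if following is None or pattern.match(following[1]):
            description = None
        else:
            description = following[1]
        records.append({
            "error": match.group(1),
            "time": ts,
            "header": text,
            "description": description,
        })
    return records


if __name__ == "__main__":
    for rec in pair_with_next(EVENTS):
        print(f"{rec['time']} error {rec['error']}: {rec['description']}")
```

The important property is that the second event is chosen by adjacency alone, so the error descriptions never need a shared attribute; the cost is that anything interleaved between header and description (a heartbeat, another error) will be picked up instead, which is why the missing-description case is reported explicitly rather than silently attaching the wrong line.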
As you can see in the screenshot I've included, there is a lot of excess whitespace within my dashboard panels. Ideally, the height of the three panels in this row would automatically fit the table with the most results. They are currently set to a maximum of 10 results, if that is relevant. I believe my desired functionality is unlikely to be possible. However, is there some way to reduce it at least?
Aesthetically, it is quite unappealing.