cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
czhang_splunk
Splunk Employee
Member since: ‎08-20-2015
‎06-05-2020
Community Statistics
Posts 11
Solutions 2
Karma Given 2
Karma Received 4
Member Since ‎08-20-2015
Activity Feed
View All

Re: Why wildcard search is much slower than "where...

by Splunk Employee in Monitoring Splunk
‎10-20-2016 01:52 AM
‎10-20-2016 01:52 AM
That's interesting. I removed the "sourcetype="aws:description" in both of my searches, and I got the very similar results as yours. Could you please try to limit your result set a lit bit and try again? For example, add sourcetype="foo" and make sure all events has msg field? Thanks for your time! ... View more

Why wildcard search is much slower than "where lik...

by Splunk Employee in Monitoring Splunk
‎10-20-2016 12:33 AM
‎10-20-2016 12:33 AM
I have two searches return the same result in my single Splunk instance environment, but there is huge performance different between two searches. Searches: 1. index=main sourcetype="aws:description" placement="us-west-2*" 2. index=main sourcetype="aws:description" | where like(placement, "us-west-2%") Results: 1. This search has completed and has returned 2,013 results by scanning 36,909 events in 35.372 seconds. 2. This search has completed and has returned 2,013 results by scanning 561,295 events in 11.913 seconds. The raw events are in JSON format. placement field has the values of us-west-2a, us-west-2b, and us-west-2c. The performance gap becomes even larger if there is larger data set. Could anyone explain why wildcard search is much slower? Is it always best practice to use where + like? Thanks! UDPATE Thank everyone for the help. Figured out the reason by reading http://conf.splunk.com/sessions/2016-sessions.html#search=fields%2C%20indexed%20tokens%20and%20you& ... View more

Re: Splunk App for AWS: How do I resolve error "Th...

by Splunk Employee in All Apps and Add-ons
‎05-02-2016 07:35 PM
1 Karma
‎05-02-2016 07:35 PM
1 Karma
Hi Sankar74, The Overview page has been updated on Splunk App for AWS - 4.1.1, which removed the usage of macro aws-description-instance . I guess you have edited the Overview page when you have App 4.0.0 installed, is that correct? In that case there will be a copy of old Overview page under APP FOLDER/local/data/ui/views/overview.xml . You can make a copy of your old overview.xml and delete it. Then you will be available to view the latest Overview page. Let me know if this solves your problem. Thanks! ... View more

Re: IAM Activity, User Activity, CloudTrail API Ac...

by Splunk Employee in All Apps and Add-ons
‎04-21-2016 11:07 PM
‎04-21-2016 11:07 PM
Hi asbet, For your question 2, could you please just click on the number (55) to drilldown to the search to see what 55 users are? Thanks ... View more

Re: Splunk App for AWS: How to create an alert to ...

by Splunk Employee in All Apps and Add-ons
‎04-11-2016 05:56 PM
1 Karma
‎04-11-2016 05:56 PM
1 Karma
hi r1tual, could you please double check whether you have configured AWS Config in App? If so, there should be some events with sourcetype="aws:config:notification". Every time you create/delete/modify the resource in AWS, there will be a aws:config:notification event logged the diff of your modification. ... View more

Re: Splunk App for AWS: How to create an alert to ...

by Splunk Employee in All Apps and Add-ons
‎04-11-2016 05:56 PM
‎04-11-2016 05:56 PM
Would you please mark this as the answer? Thanks! ... View more

Re: Splunk App for AWS: How to create an alert to ...

by Splunk Employee in All Apps and Add-ons
‎04-10-2016 08:41 PM
‎04-10-2016 08:41 PM
hi r1tual, could you please double check whether you have configured AWS Config in App? If so, there should be some events with sourcetype="aws:config:notification". Every time you create/delete/modify the resource in AWS, there will be a aws:config:notification event logged the diff of your modification. ... View more

Re: Splunk App for AWS: How to create an alert to ...

by Splunk Employee in All Apps and Add-ons
‎04-09-2016 04:22 AM
‎04-09-2016 04:22 AM
Is that OK to use AWS Config Notification to monitor the SG changes? Basically you can use sourcetype="aws:config:notification" "configurationItem.resourceType"="AWS::EC2::SecurityGroup" to detect whether there is any update of SGs. ... View more

Re: Splunk App for AWS: Why is all_account_ids.csv...

by Splunk Employee in All Apps and Add-ons
‎12-22-2015 12:15 AM
2 Karma
‎12-22-2015 12:15 AM
2 Karma
Hi cmeo, Basically when you add an AWS account in Configure page of AWS App, the account id will be written into all_account_ids.csv. Have you seen any error when adding AWS account? A quick and dirty workaround is: go to lookup folder under app dictionary and edit all_account_ids.csv manually. The file format should be: > name,account_id > [your AWS account friendly name],[12-digit AWS account ID] An example: > name,account_id > Calvin,000000000000 It would be great if you could go to Splunk/var/log/splunk/saas_app_aws.log to see if there is any error related to aws_account_manager.py Hope this helps! Thanks! ... View more

Re: Possible incorrect lookup statement in Splunk ...

by Splunk Employee in All Apps and Add-ons
‎11-23-2015 02:23 AM
‎11-23-2015 02:23 AM
Hi, thank you for the feedback! I have tested it on both 6.2.2 and 6.2.7. It works on 6.2.7, but broken on 6.2.2 😞 So I would say it is a bug on 6.2.2 ... View more

Re: Splunk App for AWS not pulling all Volume reso...

by Splunk Employee in All Apps and Add-ons
‎11-18-2015 05:04 PM
‎11-18-2015 05:04 PM
Hi Madan, Are your EBS volumes in a single AWS region or they are in multi regions? If they are in more than one regions, then you have to configure AWS Config for each region in the AWS App. Let me know if it solves your question. Thanks! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
Karma given to
View All