Hi, can I configure from "Searches & Reports" such that it triggers an alert when the results=0, or do I need to write a script to trigger such an alert? If it can be configured from "Searches & Reports", how do I go about configuring it? Thanks
Hi, I need to count the stats based on different types of source and field (based on the first 3 characters of the filename in the field). E.g. my ultimate goal is to get a timechart line graph showing stats based on the different file types. Thanks
12/7/16 12: 14 filename="ABC132323.txt" source="abc.log"
12/7/16 17: 14 filename="DEF.txt" source="def.log"
11/3/16 01: 14 filename="QDAD21.txt" source="wed.log"
08/7/16 12: 14 filename="ABC.txt" source="abc.log"
01/7/16 12: 14 filename="QD444.txt" source="abc.log"
result:
filename count
ABC* 2
DEF* 1
QD* 2
Hi, I would like to check whether the Splunk Hadoop Connect app is compatible with and supported for Cloudera 4.4. Is https://www.youtube.com/watch?v=TmYHsabpk_Q still valid?
If I run the below search and ssl is false, do I still need to update the root certificate?
index=_internal source=metrics.log group=tcpin_connections | dedup hostname | table hostname sourceIp fwdType version destPort ssl
Hi,
Not sure if Splunk is able to do this: I want the event to be forwarded to the Splunk index only when there are changes in the info before the 1st semicolon. Thanks
Hi,
I have a file in the following format and I wish to index only the information before the first two semicolons and remove the data after the 2nd semicolon. Thanks
original files:
abc;3244;19Jul2015 12:32;
ab1;testing 123;19/07/2015 12:32
To be forwarded to indexer:
abc;3244
ab1;testing 123
Hi,
I wish to exclude certain events from being forwarded to the indexer, as below. How do I configure that? Thanks & regards
.......Directory=.....
....Module=abc....
Hi,
If I wish to find out the duration between the first event and the last event in hours, minutes and seconds, what would be the likely approach?
Hi,
If I want to display all the columns in the lookup, and the stats of the column from the event as shown in the next example, and the lookup file has only one column "ownername", what will be the approach?
result of the search:
ownername # of car
tom
harry 1
Kim 2
John
Hi, I can display what I want using my own query; it is just that I wish to display a count for each column, e.g. display count=9 for jbridge errors, 675 for splunkd errors, etc. Thanks
Hi,
I have the following search:
sourcetype=* | chart count(eval(status="info")) AS info, count(eval(status="Error")) AS error, count(eval(status="warn")) AS warn by sourcetype
If I wish to display the count in a column chart, what changes do I need to make to my search? Thanks
Hi,
I wish to monitor Linux server info like the number of CPUs, processor, Linux version, etc. in Splunk. What is the recommended info to get from a Linux server, and how do I do this? Thanks
Hi,
Based on the search:
sourcetype="splunkd" | stats count by log_level
it will provide the table below. If I wish to display the table cells/rows such that ERROR is colored red, WARN orange and INFO green, how do I get these colors displayed in a dashboard in Splunk 5.0.4? Thanks
log_level count
ERROR 149
INFO 564123
WARN 225
I want to compare secondname in the lookup table with name in the event, and gender in the lookup table with gd in the event. There might be a case whereby gd and/or name in the event is empty.
Hi, for a better understanding of your answers:
Lookup filename: test33
Firstname,secondname,gender
If my event contains only the name and gd, is
index=index name [|inputlookup test33|table secondname,gender]|table name, gd
correct? Thanks
Hi,
If my event does not contain the user field, and I need an automatic lookup for the user info based on user=1234 as in the example below, what will be the approach? Thanks
2/26/15 10:03:30 AM 1.1.1.1 - 1234 xxxxx
Hi,
When I add a new automatic lookup, if I put * in "Apply to: Sourcetype" it does not work, but if I put the specific sourcetype, it works. Does it mean that I need to create a lot of automatic lookups for the same lookup table?
Thanks
Hi,
I have a search and if within an event, I have two values that I want to tag to the same field, what will be the likely method to use?
Example:
12/17/14 12:23:34 AM Name=abc........Name=qwe
Thanks
Hi,
I have two sourcetypes forwarded to an index, but I just want to delete one of the sourcetypes from this index. What is the approach? Thanks