I have a table lookup to map product numbers to more-readable and usable names. I would like to be able to map number 272829 to "Joes Widget (round blue)" - where the parenthesized part shows underneath "Joes Widget" in the resultant table. Is this doable? What would the string in the CSV file look like? Thanks ... View more

I'm trying to use the write_http plugin for collectd to send the metrics to Splunk so that I can use the Splunk collectd app to view the results. I can see the data in Splunk by querying index=collectd and that's fine. The collectd index is in my default list of searchable indices. My write_http stanza looks like: Plugin write_http Node "node-http-1" URL "https://xxx..xxx.xxx.xxx:9989/services/collector/raw?channel=f3d00af7-d987-49a8-be4d-f3c605b0dda5" Header "Authorization: Splunk f3d00af7-d987-49a8-be4d-f3c605b0dda5" Format "JSON" Metrics true StoreRates true VerifyPeer false VerifyHost false LogHttpError true Node Plugin How can I confirm that collectd is sending to the Splunk server on port 9989? And I do have iptables turned off. Both machines are Linux servers: Linux nfldevspc01 2.6.32-696.18.7.el6.x86_64 #1 SMP Thu Dec 28 20:15:47 EST 2017 x86_64 x86_64 x86_64 GNU/Linux ... View more

I doing a search and timecharting the results which I then stream into timewrap. My timechart contains (for instance) bob.com, charlie.com and delta.com After I pipe this into timewrap, I get the following ordering: bob.com.2018_01_02, charlie.com_2018_01_02, delta.com_2018_01_02, bob.com_2018_01_09, charlie.com_2018_01_09, delta.com_2018_01_09 Why aren't I seeing results from "today" 2018_01_23? And how can I sort the columns so the "bob"s, "charlie"s, and "delta"s are adjacent to each other? My SPL is as follows: ... | eval lc_domain = lower(metadata_recipient_email_domain) | timechart limit=0 span=1d count by metadata_recipient_email_domain | timewrap 1week | sort metadata_recipient_email_domain ... View more