cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cwinkler109
New Member
Member since: ‎11-01-2018
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-01-2018
Activity Feed
View All

Summary Index Limitations

by in Knowledge Management
‎07-09-2019 06:35 AM
‎07-09-2019 06:35 AM
Hello, I am using a summary index to track a handful of our key metrics per day over time. I am using the summary index for the purposes of improving search response times of panels on some of our dashboards. The data in the summary index contains daily averages and counts per customer for 8 of our KPI’s. The events are written across 8 different sources in our summary index. About 600k total events are being written to the summary index each day. Are there any performance/capacity repercussions to this? From what I understand the summary index has no data retention limitations. Is 600k events per day in the summary index acceptable? We are using Splunk Cloud. Thanks, Chris ... View more

Re: top10 for each span in a time chart

by in Splunk Search
‎04-01-2019 10:15 AM
‎04-01-2019 10:15 AM
This gives me what I was looking for: index=myindex earliest=-7d latest=now | eval date=strftime(_time, "%Y-%m-%d") | top 10 eventId by date | chart useother=0 values(count) over date by eventId where top100 ... View more

Re: top10 for each span in a time chart

by in Splunk Search
‎03-26-2019 12:24 PM
‎03-26-2019 12:24 PM
I tried the recommended approach in that post but it returns the same 10 eventId's for every day in the span. In other words, yesterdays top 10 eventId's should be different than todays. The query outputs the same eventsId's for each each day which is not showing the data I am looking for. index=myindex earliest=-7d latest=now | timechart span=1d count useother=f usenull=f by eventId WHERE max in top10 I'll keep investigating..... ... View more

How to get top10 for each span in a time chart?

by in Splunk Search
‎03-26-2019 10:43 AM
‎03-26-2019 10:43 AM
Hello. I'm trying to create a bar chart visualization that shows the top10 eventId's by count for each day over the past 7 days. The search I have is returning more than 10 results per day. index=myindex earliest=-7d latest=now | timechart span=1d count by eventId where top10 I see similar questions posted on answers.splunk.com but none of the posts provide a clear answer. Thanks in advance. ... View more
Labels

Lookups slow performance

by in Splunk Search
‎02-25-2019 08:00 PM
‎02-25-2019 08:00 PM
Background We are a new SplunkCloud customer and are building out our instance, setting up our indexes, field extractions, etc. I’m currently working on Lookups and and seeing unexpected performance characteristics from the searches I am running. I created an automatic lookup that links the data in one of our indexes to a lookup table that has about 15k rows and 7 columns of data. The automatic lookup links the index to the lookup table via a “guid" field. Issue: This search takes 48 seconds to complete and has a scan count of 16million index=my_index guid=my_guid This search takes 300ms to complete and has a scan count of 410 index=my_index my_guid Why is the first search doing all of this extra work? We are about to roll out access to Splunk to about 150 employees. I want to make sure I understand the proper way to recommend people to run searches against this index that is linked to the lookup table. Thanks in advance, Chris ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM