×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bbialek
Path Finder
Member since: ‎12-17-2015
‎06-05-2020
Community Statistics
Posts 11
Solutions 0
Karma Given 3
Karma Received 9
Member Since ‎12-17-2015
Activity Feed
View All

Re: How do you calculate ratios of counts to field...

by in Knowledge Management
‎10-04-2018 08:46 AM
‎10-04-2018 08:46 AM
As suggested in another thread, using eval in a count instead of 'by' clause worked for me: search msgType=*| timechart span=1h count(eval(msgType=="IN")) as IN, count(eval(msgType="OUT")) as OUT | eval ratio=OUT/IN ... View more

Re: How do you add dummy events to a search result...

by in Splunk Search
‎01-31-2018 04:11 PM
1 Karma
‎01-31-2018 04:11 PM
1 Karma
Here is something that can help you... First, generate dummy columns and single row of results: index=nothing_to_see_here |stats count| eval col1="beep" | eval col2="boop"|table col1 col2 ┌──────┬──────┐ │ col1 │ col2 │ ├──────┼──────┤ │ beep │ boop │ └──────┴──────┘ Append data from another dummy search: index=nothing_to_see_here |stats count | eval col1="beep" | eval col2="boop" | table col1 col2 | append [search index=nothing_to_see_here | stats count | eval col1="science" | eval col2="magic" | table col1 col2 ] ┌─────────┬───────┐ │ col1 │ col2 │ ├─────────┼───────┤ │ beep │ boop │ │ science │ magic │ └─────────┴───────┘ ... View more

Re: Is it possible to delete unreferenced buckets ...

by in Deployment Architecture
‎07-19-2016 12:29 PM
‎07-19-2016 12:29 PM
The command resulted in "In handler 'clustermasterpeerindexes': master is not enabled on this node". ... View more

Is it possible to delete unreferenced buckets whil...

by in Deployment Architecture
‎07-19-2016 08:16 AM
‎07-19-2016 08:16 AM
I'm not sure how it came to be, but it looks like my _internal index's cold path has changed. This left a bunch of cold buckets in the old location which seems unreferenced by any index as seen by | dbinspect index=* . As noted here: https://answers.splunk.com/answers/108941/deleting-a-bucket.html#answer-108942 hot/warm/cold buckets should not be removed while the server is running, but in this case, it seems it can be done. Can someone confirm? ... View more

How to match the beginning of a log line in a Splu...

by in Splunk Search
‎06-27-2016 04:08 PM
1 Karma
‎06-27-2016 04:08 PM
1 Karma
I have events from an application containing various logger type messages, I.e: INFO, WARN, ERROR... Searching just for the string 'ERROR' returns false positives as some INFO messages contain a matching string pertaining to error detection and such... How do I match these events similar to 'grep ^ERROR '? ... View more

Re: Splunk Forwarder SSL error - "SSL23_GET_CLIENT...

by in Getting Data In
‎06-23-2016 08:33 AM
‎06-23-2016 08:33 AM
I was getting this error when my inputs and outputs conf had encrypted sslPassword but I've forgotten to include the $SPLUNK_HOME/etc/auth/splunk.secret. ... View more

Re: Get bucket IDs corresponding to events

by in Getting Data In
‎06-22-2016 12:49 PM
‎06-22-2016 12:49 PM
On Splunk 6.4, _cd doesn't seem to be a field... Does anyone know how to identify which bucket an even is in on the newer versions? ... View more

Re: getting unique values of the field

by in Splunk Search
‎02-15-2016 04:16 PM
3 Karma
‎02-15-2016 04:16 PM
3 Karma
This seems to work when trying to find unique values for a field, like 'host': * | chart count by host ... View more

Re: LDAP Configuration, Invalid credentials issue.

by in Reporting
‎02-04-2016 04:43 PM
‎02-04-2016 04:43 PM
I was getting the following error when loading LDAP configuration from system/local/authentication.conf file: Error binding to LDAP. reason="Invalid credentials" The problem was due to me having bindDNpassword in a form of a hash instead of plain text. It turns out you need Splunk do the hashing on it own. ... View more

Re: Error starting splunkweb after ks installation

by in Security
‎02-04-2016 07:01 AM
‎02-04-2016 07:01 AM
I was having Splunk time out after 'writing RSA key' when I was accepting the license by removing the ftr file. Instead, having the following in my init's start function works: /opt/splunk/bin/splunk" start --accept-license --no-prompt --answer-yes ... View more

Re: How to count number of events in a search resu...

by in Splunk Search
‎12-17-2015 08:58 AM
3 Karma
‎12-17-2015 08:58 AM
3 Karma
Here is a way to count events per minute if you search in hours: * | timechart count(_raw) span=1h ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
Karma given to