Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About kml_uvce
kml_uvce
Builder
Member since:
07-30-2011
09-21-2025
Community Statistics
| Posts | 243 |
| Solutions | 29 |
| Karma Given | 2 |
| Karma Received | 77 |
| Member Since | 07-30-2011 |
Activity Feed
- Posted Re: Matching a substring with a lookup field on Splunk Search. 09-21-2025 08:03 PM
- Posted Re: ingesting syslog data on Deployment Architecture. 09-21-2025 07:12 PM
- Posted Re: can we do the event sampling before indexing the data on Getting Data In. 07-13-2022 10:28 AM
- Posted Re: can we do the event sampling before indexing the data on Getting Data In. 07-13-2022 10:18 AM
- Posted Can we do the event sampling before indexing the data? on Getting Data In. 07-13-2022 09:39 AM
- Posted Re: How can we find out volume of logs queried in Splunk? on Splunk Search. 06-24-2022 12:09 PM
- Posted How can we find out volume of logs queried in Splunk? on Splunk Search. 06-24-2022 10:58 AM
- Got Karma for Re: Query to display count boolean fields as seperate columns. 06-08-2022 09:54 AM
- Got Karma for Re: how to build a dashboard with drop-down menu with multiple unique strings. 06-05-2020 12:48 AM
- Karma Re: How configure Splunk to get the correct timestamp from SQL data files? for danielvalle. 06-05-2020 12:47 AM
- Got Karma for Re: How to overcome sub search limitation (only 10k records).. 06-05-2020 12:47 AM
- Got Karma for Re: How to delete a sourcetype from one of my indexes?. 06-05-2020 12:47 AM
- Got Karma for Re: Help in field extraction. 06-05-2020 12:47 AM
- Got Karma for Re: How to format my data set to sort as a list of individual events by date field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to format my data set to sort as a list of individual events by date field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to format my data set to sort as a list of individual events by date field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to find the difference between two dates/times and add a new column to a table to show the difference?. 06-05-2020 12:47 AM
- Got Karma for Re: How to find the difference between two dates/times and add a new column to a table to show the difference?. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk Universal Forwarder not monitoring files as expected?. 06-05-2020 12:47 AM
- Got Karma for Re: How can I get the top products in the following events?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-21-2025
08:03 PM
I do not think you can do this using lookup but you can achieve this like | eval email="abc1@gmail.com" | inputlookup user_emails | where like(all_emails, "%" . email . "%") | table all_emails user_address
... View more
09-21-2025
07:12 PM
@maheshnc Yes that is possible , you can configure the syslog device to send data to HF and then forward it to the indexers.
... View more
07-13-2022
10:28 AM
@richgalloway I am looking for sampling like 10:1 or 100:1 ratio in events to filter out events , not looking for simple filter that we can do in heavy forwarder
... View more
07-13-2022
10:18 AM
Thanks @richgalloway : can we do the sampling in forwarder in splunk versions 7.2 or old version
... View more
07-13-2022
09:39 AM
Can we do the event sampling in forwarder before indexing the event in indexer to reduce the event size ?
... View more
Labels
06-24-2022
12:09 PM
I am looking for data returned to the SH and data returned to the user,I want to know that how much data is queried(not total but unique) vs how much data is not used or not queried by any user or scheduled search.
... View more
06-24-2022
10:58 AM
How can we find out volume of logs queried in Splunk
... View more
Labels
- Labels:
-
search job inspector
11-24-2018
07:59 AM
move your current search head(etc/apps) to new search head , and change current (search head + indexer) as indexer
... View more
11-21-2017
09:24 PM
you can extract fields by using props.conf and transforms.conf or extract from web-gui, you can also give different names like param1, param2 etc
... View more
09-21-2017
01:05 PM
Can we do summary index replication in indexer cluster by using replication_factor and search factor
... View more
01-20-2017
11:13 AM
there are multiple ways to know this
search directly in indexer in command line :
http://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CLIsearchsyntax
... View more
01-20-2017
10:52 AM
1 Karma
Use dynamic dropdown, take help from:
https://answers.splunk.com/answers/148500/how-to-set-up-three-dynamic-dropdowns-on-dashboard-in-simple-xml-on-splunk-6-0-1.html
... View more
01-04-2017
11:40 AM
Hi
We are doing upgrade from 6.3.2 to 6.5.1. We have a search head cluster and indexer cluster in our Splunk setup.
In doc http://docs.splunk.com/Documentation/Splunk/6.5.1/Indexer/Upgradeacluster
First It says
"When you upgrade a 6.x indexer cluster, such as 6.2, to a later 6.x cluster, such as 6.3 or 6.4, you must take all cluster nodes offline. You cannot perform a rolling, online upgrade."
And later it says
"Perform the following steps:
1. Stop the master.
2. Stop all the peers and search heads.
When bringing down the peers, use the splunk stop command, not splunk offline."
So first it says you need to take all cluster nodes (Peer nodes) offline, and then second it says do not splunk offline command. It is confusing, so please help me. Should I use the splunk offline command or splunk stop command for peer nodes and search head nodes in a search head cluster?
... View more
01-25-2016
09:58 AM
Hi
Can I export splunk indexed data(not search data) from splunk to HAdoop by using Hadoop-connect app ?
My requirement is to move warm or cold or thawaed buckets to Hadoop.
... View more
01-14-2016
11:42 AM
Thanks Chris
Can you please give me some scenario/use cases where we should use HUNK and where we should use Splunk Hadoop Connect ?
... View more
01-14-2016
11:04 AM
which one is better in terms of easy to use ?
Also to read/search data from Hadoop to splunk ,HUNK does not require to index data in splunk but in hadoop connect we need to first index data from Hadoop before reading/searching ?
... View more
01-14-2016
09:31 AM
I think , I can also move data from splunk to hadoop by archiving old data in indexes and send it to hadoop
but in hadoop connect I can send aggregated search result data in Hadoop If I want but in HUNK I can not do this , I am not sure about it..
Also to read data from Hadoop to splunk ,HUNK does not require to index data in splunk but in hadoop connect we need to index data from Hadoop before reading ?
I heard HUNK is not stable , is this true ? please share your thoughts on this..
... View more
01-14-2016
08:40 AM
my requirement is to move data from splunk to hadoop and also search the data in hadoop
... View more
04-28-2015
04:03 PM
try this
|transaction dest_port|table dest_port, src_ip, dest_ip
... View more
04-13-2015
09:55 PM
I am running a search in a report in HUNK and it's working fine, but when I am running this search in a dashboard, it's giving me a map reduce error. Please let me know what is the issue.
... View more
03-31-2015
08:48 PM
try this to extract fields properly
http://blog.basementpctech.com/2012/02/splunk-and-pfsense-what-pair.html
... View more
default user name : admin and password: changeme
If you forgot the password then delete passwd file and restart splunk and use default user name and password
... View more
03-30-2015
10:10 PM
1 Karma
When you use universal forwarder then it reads data from files, script etc in inputs.conf file http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/inputsconf
and it sends data to indexer given in outputs.conf file
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Outputsconf
data in indexer is stored in indexes in location $SPLUNK_HOME/var/lib/splunk in indexer
http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Splunk-launchconf
... View more
02-27-2015
01:29 PM
1) you can use restpi of splunk and fetch data by writing search and take _raw data from search and send to logstash and then send data to Elasticsrarch.
or
2) run search in splunk and store data (_raw) in csv file and read csv file by logstash and send data to Elasticsrarch
your search||outputlookup csvfile
field extraction you can do in logstash.
If it takes too much time to fetch the data then you can divide your time (earliest and latest) in search
... View more
02-26-2015
12:20 AM
try this
index=index name [|inputlookup test33|rename secondname AS name|rename gender AS gd|table name, gd]|table name, gd
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-21-2025
07:03 PM
|
