cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
mpdude
Explorer
Member since: ‎03-01-2016
‎02-10-2022
Community Statistics
Posts 7
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎03-01-2016
Activity Feed
View All

Re: Transaction where one field changes over time?

by SplunkTrust in Splunk Search
‎02-10-2022 10:51 AM
‎02-10-2022 10:51 AM
Indeed, they don't. That complicates things because in this particular case you can infer from the delivery number and sequence in the overall log that it is from the msgid=1 transaction. But in general - are you sure that those deliveries won't interleave with other ones? From different msgids? ... View more

Re: Can Splunk process data that is "updated" over...

by in All Apps and Add-ons
‎11-27-2019 09:00 AM
‎11-27-2019 09:00 AM
This kind of thing is often done using DB Connect : https://splunkbase.splunk.com/app/2686/ Be aware that v3 is a complete rewrite of v3 and there are many feature changes. If v3 isn't working for you, try v2. The easiest way to use it is to use dbxquery to access the data in the DB when you need it, but you can also pull it in and index it with Splunk if you like. ... View more

Re: "Join" information from two log sources

by in Splunk Search
‎11-25-2017 02:55 PM
‎11-25-2017 02:55 PM
Are you sure about | dedup count by tx_id, extra ? That seems to yield an empty result. What exactly should the dedup remove? I would like to keep the duplicate "error" event, maybe I got this wrong...? ... View more

Re: Should I use an index-time field extraction?

by SplunkTrust in Splunk Search
‎04-22-2016 05:06 AM
7 Karma
‎04-22-2016 05:06 AM
7 Karma
The easy answer is "it depends". Comparing your two cases, assuming the set of matched events is identical, it depends on how the field-value-pair apache_virtualhost=some.virtual.host works. In the general case, Splunk retrieves all events containing "some.virtual.host" , performs field extractions, and then filters for the actual field-value pair - potentially discarding many events. If "some.virtual.host" is fairly unique to those events that actually match, this kind of filtering will be fast. If it's an IP this kind of filtering may be fairly slow - 10.1.2.3 is retrieved as 10 AND 1 AND 2 AND 3 , so 10.3.2.1 would also be retrieved off disk, fieldextracted, and then discarded. If apache_virtualhost is a calculated field, this optimization of only retrieving potential matches cannot be used and all events have to be retrieved. In general, good reasons for using index-time field extractions can be: you have to search NOT field=value frequently value frequently appears outside of field , common case is small integers value is not a whole token, but rather part of a token, common case would be the country code as part of an IBAN (first two chars). There are good reasons against too, some of those are: loss of flexibility, no schema on the fly at search time increased storage cost, some downstream speed cost due to "bigger is slower" potential for name conflicts - a field name is either indexed or it's not (see fields.conf for the relevant config) so you can't have one sourcetype where it's search time and another where it's index time For insight into how the search works, first set infocsv_loglevel=DEBUG in limits.conf to gain the lispy output in the job inspector, then look at the slides after the end of my .conf 2015 talk at http://conf.splunk.com/session/2015/conf2015_MMueller_Consist_Deploying_OptimizingSplunkKnowledge.pdf - the bonus slides talk about how events are identified for retrieval off disk. The key indicator for "indexed fields may help" is a high scanCount compared to a low eventCount in the job inspector. If those two are similar, indexed fields won't be able to help much in most scenarios. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-10-2022 12:51 PM
Karma from
View All
Karma given to
View All