About ashajambagi

ashajambagi · ‎10-08-2020

are you using deployment server?

ashajambagi · ‎10-08-2020

@chevalier51 Epoch converter shows the date to be 2010,try increasing the MAX_DAYS_AGO TIME_FORMAT=%s%3N TIME_PREFIX=dailyTime\D+ MAX_TIMESTAMP_LOOKAHEAD=13 MAX_DAYS_AGO=5000

ashajambagi · ‎10-08-2020

Hey try this TIME_PREFIX=dailyTime\D+

ashajambagi · ‎10-08-2020

Hi @justeso1 , Try using | fillnull https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Fillnull

ashajambagi · ‎10-08-2020

Hi @user2020dy You need to specify dns_query in the second search [search `umbrella`|fields category dns_query]

ashajambagi · ‎10-08-2020

Hi @FinnHatlen If the other two values are added to some other field, you could write an eval and use coalesce function to include it in message_text. https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/ConditionalFunctions#coalesce.28X.2C....29

ashajambagi · ‎10-08-2020

Hi @zacksoft You need to add .csv at the end of the file name i.e gemini.csv

ashajambagi · ‎10-06-2020

Hi All, I have recently deployed Splunk TA Stream on universal forwarder to collect DNS data. Stream App is configured on heavy Forwarder. The universal forwarder is forwarding the data to indexer cluster. The streamfwd.exe service on DNS server is consuming 1GB of memory. Is it a normal behavior of streamfwd.exe service to use memory in GB? UF host details : Windows 2012 R2 , Memory : 32 GB , 64bit Below configurations on Universal Forwarder: limits.conf maxKbps = 4096 inputs.conf [streamfwd://streamfwd] splunk_stream_app_location = https://<HF_IP>:8000/en-us/custom/splunk_app_stream/ disabled = 0 stream_forwarder_id = sslVerifyServerCert = false

ashajambagi · ‎09-29-2020

Hi @havatz You can refer to below document for the parameter “max_infocsv_message”.You may need to fine tune the parameter. https://docs.splunk.com/Documentation/Splunk/7.2.1/Admin/Limitsconf Also,Is there a specific reason for escaping those “ “ in the query ?

ashajambagi · ‎09-28-2020

Hi @moberoi You have to configure inputs in Settings > Data Inputs > Google Spreadsheet

ashajambagi · ‎09-27-2020

Hi @moberoi Did you define inputs to import or export from Google sheet in Data inputs?

ashajambagi · ‎01-26-2020

did you get any license violation warnings?

ashajambagi · ‎01-21-2020

2<\/Level> Without the escaping, the regex isn't working

ashajambagi · ‎01-20-2020

2<\/Level> tried this?

ashajambagi · ‎01-20-2020

try this [localmssql_output] connection = localmssql_conn customized_mappings = id:id:4,name:Name:12,Dept:Team:12 disabled = 0 interval = /1 * is_saved_search = 0 query_earliest_time = -24h@h query_latest_time = now scheduled = 1 search = | makeresults \ | eval id = 7,name="Testing",Dept="Test",table_name = "OfficePOCs"."dbo"."Office" ui_query_catalog = OfficePOCs ui_query_schema = dbo ui_query_table = OfficeV1 unique_key = id using_upsert = 1 query_timeout = 30

ashajambagi · ‎01-20-2020

try this | eval TID=if(Type=="Inbound",obj_type,corrID) | eval inboundTime=if(Type=="Inbound",_time,null()) | eval outboundTime=if(Type=="Outbound",_time,null()) | eval ResponseTime=outboundTime-inboundTime | convert ctime(inboundTime) AS inboundTime | convert ctime(outboundTime) AS outboundTime |convert ctime(ResponseTime) as ResponseTime | stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

ashajambagi · ‎01-20-2020

The error is related to unique key. Can you share $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/db_outputs.conf ?

ashajambagi · ‎01-20-2020

if this helps https://answers.splunk.com/answers/176992/browser-unsupported-on-ie-after-upgrade-to-62.html

ashajambagi · ‎01-20-2020

Did you map primary key in DB which you used as unique key in upsert?

ashajambagi · ‎01-20-2020

try this | eval TID=if(Type=="Inbound",obj_type,corrID) | eval inboundTime=if(Type=="Inbound",time,null()) | eval outboundTime=if(Type=="Outbound",time,null()) | eval ResponseTime=outboundTime-inboundTime | convert ctime(_time) AS time | stats values(inboundTime) AS starttime values(outboundTime) AS endtime values(ResponseTime) as ResponseTime by TID

Posts	69
Solutions	7
Karma Given	10
Karma Received	13
Member Since	‎01-10-2019

Online Status	Offline
Date Last Visited	‎10-19-2021 02:40 PM

Memory Usage by streamfwd.exe

Splunk App setup.xml

Re: Splunk rest api - get a list of UF agent stat...

Re: XML epoch time to time

Re: XML epoch time to time

Re: Return 0 when there is no data.

Re: Join command not working

Re: Sort and compare message_text - noob needs hel...

Re: How to I save my search query output as a look...

Memory Usage by streamfwd.exe

Re: query error tstat

Re: Google Import/Export app configuration

Re: Google Import/Export app configuration

Re: How to unlock an expired 50G Dev license?

Re: Syntax of $XmlRegex property for white listing...

Re: Syntax of $XmlRegex property for white listing...

Re: Splunk DB Connect - Error after enabling "Upse...

Re: How to subtract windows time stamps?

Re: Splunk DB Connect - Error after enabling "Upse...

Re: WEB UI not accessible after upgrade to 8.0.1

Re: Splunk DB Connect - Error after enabling "Upse...

Re: How to subtract windows time stamps?