About Kavey

Kavey · ‎06-07-2016

It is a Splunk in standalone

Kavey · ‎06-03-2016

I already did that but the problem is that it is not a disk space problem...

Kavey · ‎06-02-2016

Hi, I am having a problem with the disk usage quota. Actually, I have this error message whenever I try to make a search. The thing is, I deleted everything in the job manager and even though nothing remains in there, I still have this message. How can I solve this issue? Thanks in advance.

Kavey · ‎04-27-2016

Thank you not exactly what I want but it is working perfectly.

Kavey · ‎04-26-2016

Hi, I have a form where the user can choose a date which is actually a month of a specific year (MM-YYYY) used as a token for the time modifier "earliest". Then I would like to add an offset of one month to the chosen date for "latest". I know I could do something like: mysearch earliest="epochtime_date" | eval latest=earliest+2592000 | ... However, I would like to have the best performance possible by minimizing as much as I can the time range of my search so I need to have a search more like: mysearch earliest="epochtime_date" latest="earliest_one_month_offset" | ... I've been doing research, but I couldn't find anything. Do you think it would possible? Thank you!

Kavey · ‎04-25-2016

I didn't choose that method but it is a way to achieve what I want, thank you

Kavey · ‎04-25-2016

Thanks, that method helped too! 🙂

Kavey · ‎04-25-2016

Thank you I didn't know about that feature it is indeed what I was looking for. However is there any other way to do this simply within the query ?

Kavey · ‎04-25-2016

Hi, thanks for replying! I already thought about it but I would like not to use a subsearch since it will affect the performance... Moreover the number of events that could be returned might be big

Kavey · ‎04-25-2016

Hi, here is my problem : I have a sourcetype A with a field X and Z and a sourcetype B with a field Y and Z. The thing I would like to do is using the field X and Z of sourcetype A and field Y of sourcetype B. What is the simplest way to achieve this? Thank you in advance for helping me 🙂

Kavey · ‎04-18-2016

Thank you for your help, I think that could do the trick but is it possible to extract with a specific format directly (like 2016-04) without using eval so I can order it by date?

Kavey · ‎04-15-2016

Hi everyone, I am currently trying to extract the date from the filename so I can use it for all events include in that file. After some research, I found out that it is possible to do it with the file datetime.xml, like it has been said in those 2 topics : - http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/ - https://answers.splunk.com/answers/7800/how-to-override-date-use-filename-instead-of-extracted-value-from-record.html However, I would like to know if there was an easier way to do it without touching this file? Thank you in advance for your help!

Posts	12
Solutions	0
Karma Given	4
Karma Received	4
Member Since	‎04-15-2016

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

Why am I getting "Maximum disk usage quota has bee...

How to add an offset of one month to a date token?

Dealing with multiple fields from different source...

How to extract the date from the file name without...

Re: Why am I getting "Maximum disk usage quota has...

Re: Why am I getting "Maximum disk usage quota has...

Why am I getting "Maximum disk usage quota has bee...

Re: How to add an offset of one month to a date to...

How to add an offset of one month to a date token?

Re: Dealing with multiple fields from different so...

Re: Dealing with multiple fields from different so...

Re: Dealing with multiple fields from different so...

Re: Dealing with multiple fields from different so...

Dealing with multiple fields from different source...

Re: How to extract the date from the file name wit...

How to extract the date from the file name without...