Hello splunkers, I have some scheduled alerts with a notification via email if one of the alert triggers. I'm tying to set the different scheduled job ttl period by each one. I'm confused the difference between dispatch.ttl and action.email.ttl in savedsearched.conf. Which parameter should I use to set the job ttl for scheduled email alert? Thank you ... View more

Hi I'm looking for a sample search that calculates count of events which match within 500m radius of lat/long on lookup table. Sample events: 2017/02/02 10:00:01 event_id="1" latitude="34.49293" longitude="132.399270" Lookup sample "MASTER" for location (CSV): shop,address,latitude,longitude AAA,563 2nd St,34.492109,132.399582 BBB,201 3rd St,34.395424,132.488734 Expected output table: shop,address,latitude,longitude,event match count AAA,563 2nd St,34.492109,132.399582,1 BBB,201 3rd St,34.395424,132.488734,0 I tried and could create the following search that find events within 500m radius of lat/long on lookup table. sourcetype=hoge [| inputlookup MASTER.csv | eval w_lng = longitude - (500 / 30.8184*0.000277778) | eval w_lat = latitude - (500 / 25.2450*0.000277778) | eval e_lng = longitude + (500 / 30.8184*0.000277778) | eval e_lat = latitude + (500 / 25.2450*0.000277778) | table shop_name address longitude latitude w_lng w_lat e_lng e_lat | eval search = "(longitude >= " . w_lng ." AND latitude >= " . w_lat . ") AND (longitude <= " . e_lng ." AND latitude <= " . e_lat . ")" | fields search] But I'm not sure how to create the expected output table. Any sample search would be really appreciated.. ... View more

Hi all, Am planning a multi site clustering (2 site) installation of Splunk 6.3 as the small start deployment. Now I'm confused that I can start 2 peers ( 1 peer on 1 site ) or need 3 peers at least ( 2 peer on origin, 1 peer on the other ). The following answer is saying 2 peers. Multi-Site Cluster: What would I configure for replication and search factor with 1 peer at each site? The following another answer might be saying 3 peers. link text Hoping someone could help clarify, thank you! ... View more

I'd like to understand the mathematical meaning of the below search on documentation. Is this my understanding right that it calculates the outliers of 4.6% up or down based on the normal distribution? sourcetype=access_* | eval URILen = len(useragent) | eventstats avg(URILen) as AvgURILen, stdev(URILen) as StdDevURILen| where URILen > AvgURILen+(2*StdDevURILen) Use the stats command and functions: http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Usethestatscommandandfunctions If I want to get the 0.3% outliers, can I do this by just changing the condition like this? ... | where URILen > AvgURILen+(3*StdDevURILen) ... View more