cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
mciudad
Explorer
Member since: ‎02-05-2015
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 24
Karma Received 0
Member Since ‎02-05-2015
Activity Feed
View All

What do the status flags mean in a Search Head Clu...

by in Deployment Architecture
‎09-23-2016 04:25 AM
‎09-23-2016 04:25 AM
When showing the Search Head Cluster status, we get something similar to this: ./splunk show shcluster-status Captain: dynamic_captain : 0 elected_captain : Fri Sep 23 09:00:37 2016 id : B997E10B-0E99-4363-9887-66DE2BF8C379 initialized_flag : 1 label : shcaptain.cdn mgmt_uri : https://10.17.240.141:8089 min_peers_joined_flag : 1 rolling_restart_flag : 0 service_ready_flag : 1 But I'm having trouble finding documentation on that output. - What's the difference between "initialized_flag" and "service_ready_flag"? - What are the conditions for these flags to be 0 or 1? - How many peers have to join for the "min_peers_joined_flag" to be 1? By "peers" it mean Splunk Indexers or members of the Search Head Cluster? Thanks! ... View more

How to ignore empty fields in a split in stats/tst...

by in Splunk Search
‎08-17-2015 09:14 AM
‎08-17-2015 09:14 AM
Hi, I'm trying to find the cardinality of the fields for my indexes. The problem is that some fields sometimes have a value and sometimes they don't, so when I split with tstats/stats using the "by" clause, if one of the fields is empty, it returns nothing. Example: | tstats count where index=summary by host works perfectly. But if I add the field "asset" which for the last 7 days has had no values: | tstats count where index=summary by host, asset it returns "No results found". How can I make Splunk ignore that "asset" field so if it's empty it shows the data with rest of the splits? Thank you. ... View more

How to update the search head configuration from t...

by in Deployment Architecture
‎06-29-2015 06:33 AM
‎06-29-2015 06:33 AM
I'm trying to update the configuration of all the peers from my cluster master. With the indexers, it's eash to put the configuration file in $SPLUNK_HOME/etc/slave_apps/_cluster/local and then the indexer receives it, but I can't find any way to update the search head. Is there any similar (or not similar) way of doing it? Thank you. ... View more

Re: How to fill the gaps from days with no data in...

by in Splunk Search
‎06-22-2015 07:20 AM
‎06-22-2015 07:20 AM
Thank you, you were right! What if there is no data in any day? In that case it returns "No results found. " but it should return just 0 bytes per day. ... View more

How to fill the gaps from days with no data in tst...

by in Splunk Search
‎06-22-2015 03:55 AM
‎06-22-2015 03:55 AM
Hello, I'm trying to get the statistics of the bytes transferred each day with a query like this: | tstats prestats=t sum(bytes) from datamodel=DM earliest=-7d@d latest=@d by _time span=1d | timechart span=1d sum(bytes) as "Bytes" And the results are something like this, skipping the days with no data: _time Bytes 2015-06-16 5509565371 2015-06-17 15556005605 2015-06-18 15556685676 2015-06-19 9722873606 What I need is to fill the days with no data with 0s, something like this: _time Bytes 2015-06-15 0 2015-06-16 5509565371 2015-06-17 15556005605 2015-06-18 15556685676 2015-06-19 9722873606 2015-06-20 0 2015-06-21 0 How could I make that possible without lowering the performance? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to