×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dwfarris
Explorer
Member since: ‎06-05-2014
‎03-04-2021
Community Statistics
Posts 8
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎06-05-2014
Activity Feed
View All

Re: How come the sum(len(_raw)) of my data does n...

by in Installation
‎02-16-2021 07:04 AM
‎02-16-2021 07:04 AM
Hello, thanks for this information, looks like it depends on the data, also license usage can increase if UF resends several times. Did you find a valid solution to find the volume of a specific data/search (other than index/host/source breakdown)? Best regards. ... View more

Re: Problem with timestamp in props.conf file.

by Splunk Employee in Getting Data In
‎06-05-2018 05:58 AM
‎06-05-2018 05:58 AM
If it works in the UI but not in the configuration then this might be as simple as where the configuration lives. The time is selected at the first point it's cooked (I think). If the props.conf you created is just in the Search Head (the UI) then it would make sense that this is not working. You need this props.conf to live at the indexer or whereever the data gets cooked first. So, if it's collected with a heavy forwarder, this would need to go there. If it's collected with a Universal Forwarder then make sure these props configs are on the indexers. If that doesn't solve it, would you let us know your deployment set up so we can take that into account as to why it worked in the UI but not in the conf? Another option might be to use a SED cmd to replace the GMT with EST (or nothing at all). I forget if that happens before the timestamp is calculated (I think it does). ... View more

Re: Problem computing error rate from two differen...

by in Splunk Search
‎02-19-2016 01:35 PM
‎02-19-2016 01:35 PM
Thanks, I used @SloshBurch's and with some mods got it to work. (thanks somesoni1, but did not try yours) Agree, don't like joins/appends, but that came closest to describe problem of my several initial attempts. . . I did have to modify it, so for others that might come across this, I could not use the raw="*string*" . Those wildcards would not work. SAME structure, but had to use like instead for string comparison. This search works fine now: index=prod_stuff source="good_stuff*" | bucket _time span=1s | stats count as totalCount, count(eval((like(_raw,"%ERROR%") OR like(_raw,"%string1%") OR like(_raw,"%string2%")) AND NOT like(_raw,"%string3%") AND NOT like(_raw,"%string4%") AND NOT like(_raw,"%string5%") AND NOT like(_raw,"%string6%"))) as totalErrors by _time, host | eval errorRate=round(totalErrors/totalCount*100,2) | xyseries _time,host,errorRate ... View more

Re: Why does this python search script run twice?

by SplunkTrust in Splunk Search
‎01-11-2016 01:28 AM
‎01-11-2016 01:28 AM
I do have the same issue with outputcsv that seems to stream the results. I have not yet tried it but... maybe if you run the proper search as subsearch ( in [] ) and have the own backup command run in the main search this issue is mitigated because the subsearch is run completely first? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-04-2021 06:00 PM
Karma from
View All
Karma given to
View All