i currently have an existing alert that notifies if the servers are down. Say i have two columns: server_name and event_status. event_status=60002 indicates if the servers are down. event_status=60001 indicates if the servers are up Please note that there are other values for event_status, but we are only focused on these two. Existing alert for server down: (base search) server_name=dfw* "EventCode=60002" earliest=-1h@h | dedup server_name | table server_name //this is scheduled to run every 5 minutes and triggers once if there is any result i would now want to have another alert that indicates if the servers are back to EventCode=60001 (from 60002) Can you please help me? ... View more

I am using a csv file to input data in my local Splunk Enterprise. I have a very big csv file that is around 100mb. The data in my csv file contains the following count of events: January: 36,055 February: 37,613 March: 41,521 April: 33,697 May : 39,980 June: 36,994 July: 31,963 After loading the data into Splunk, the data in Splunk contains the following count of events: January: 29,416 February: 32,042 March: 37,516 April: 33,458 May : 39,975 June: 15,935 July: 22,766 Note: My index usage is only 243MB/488.28GB I tried cutting my csv file to only May June and July data and uploaded it to Splunk. csv count: May : 39,980 June: 36,994 July: 31,963 Splunk count: May : 39,980 June: 36,994 July: 31,963 So this means I have no problem with the formatting of the timestamp in my csv file. Could you help me find the configuration that causes this truncation? or atleast help me on how to investigate it? I will appreciate any response regarding the matter. ... View more

I would like to have a lookup that categorizes events depending on detected keywords from a specific field and I'd like to have my splunk search query as simple as possible. In order to do this i have thought of creating a lookup file that does the categorization. My keyword criteria includes AND and OR Boolean such as Keyword1 category is different from Keyword1 AND Keyword2 category.. This is the most critical part of the lookup file I'm making. I was told by a friend that I should use python to read booleans from the lookup. Can I do this without doing an python coding (because i really find it difficult to code in python) or if Python coding is the only option, can you tell me how to kickstart my development? Here is the table that i have in mind. Group................Keywords...................Area..... Cluster......Subcluster A..................... boy AND girl................. A1........... C1.................. S1 B..........................boy............................A2..............C2...................S2 ... View more

Hi, I would like to know if it is possible to permanently show the values of the chart portions (the one appearing once you hover the mouse pointer) by clicking it? I am using HTML. I have disabled the charting.drilldown to make sure that it won't load the search query when I click the chart portions. Thanks! ... View more