hi, I am querying an REST API to ingest the large JSON output. But facing issues with parsing JSON output. I am not interested int the metadata of the response I am only looking to ingest the data { "key": "9988", "doc_count": 14 }, as an event. If I use the native reponsehandler Splunk is ingesting the data as one large even and stops at max events. I tried using custom handler, but Splunk does not index any data. I tried to handle the out with custom sourcetype with no luck ` class DataHandler: def __init__(self,**args): pass def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint): if response_type == "json": output = json.loads(raw_response_output) for server in output["distinctValues"]["buckets"]: print_xml_stream(json.dumps(server)) else: print_xml_stream(raw_response_output) ` JSON Response sample { "total": 15, "querytime": 6, "aggregations": { "distinctValues": { "doc_count": 0, "sum_count": 0, "buckets": [{ "key": "3412", "doc_count": 15 }, { "key": "5423", "doc_count": 81 }, { "key": "6543", "doc_count": 16 }, { "key": "6655", "doc_count": 18 }, { "key": "2344", "doc_count": 10 }, { "key": "1234", "doc_count": 16 }, { "key": "9898", "doc_count": 10 }, { "key": "4321", "doc_count": 14 }, { "key": "9988", "doc_count": 14 }, { "key": "3454", "doc_count": 11 }, { "key": "3242", "doc_count": 14 }, { "key": "9283", "doc_count": 6 }, { "key": "8472", "doc_count": 1 }, { "key": "9922", "doc_count": 6 }, { "key": "8293", "doc_count": 5 }] } }, "results": [] } ... View more

Is there a better way to report the count of hosts reporting to Splunk week over week other than running the query using index=* I am not looking for the no of forwarders, I am looking distinct count of host value in all the indexes, |metadata type=hosts do not help as it cannot be used for week over week calculation index=* earliest=-2w@w latest=@w | bucket span=1d _time | stats count by _time host | eval marker=if (_time<relative_time(now(),"-w@w"), "last week","this week") | eval _time=if(marker=="last week", _time + 7*24*60*60, _time) | timechart count by marker ... View more

When I try to calculated field for calculate a new field eval is not coming back with any results. How can I use a calculated field to calculate a new field. ... View more

"inputlookup" command works fine when I use in Splunk UI, but same search comes back with no results when I search through REST API: curl -w "@curl-format.txt" -s -k -u admin:changes https://localhost:8089/servicesNS/admin/search/search/jobs -d search="| inputlookup lookupdefinition” -d output_mode=json ... View more

I have two sets of data, both sets have a common field with common value, when i use join command i am able to find the ones which has a matching data, but what i wanted is to find the set of data which dont have a matching hit. sample query index=index1 sourcetype=type1 status=503 | join requestid [search index=index1 sourcetype=type2 status=200 ] | table _time requestid I want to get all the 503 which dont have a corresponding status 200, but have a same request id. when I use join i am getting the ones which have a corresponding 200 but not the ones which dont have one. I am not able to find a command which can do it. Any help is appreciated. ... View more

I am using Universal Forwarder as Intermediate forwarder, it is forwarding the monitored data without any issues but it is not forwarding any data _internal index or Splunk logs. Intermediate Forwarder Configuration: Outputs.conf [tcpout:index] server=sra-index-01:9997,sra-index-02:9997,sra-index-03:9997,sra-index-04:9997,sra-index-05:9997 inputs.conf [splunktcp://9997] disabled=0 ... View more