hi, I am querying an REST API to ingest the large JSON output. But facing issues with parsing JSON output. I am not interested int the metadata of the response I am only looking to ingest the data { "key": "9988", "doc_count": 14 }, as an event. If I use the native reponsehandler Splunk is ingesting the data as one large even and stops at max events. I tried using custom handler, but Splunk does not index any data. I tried to handle the out with custom sourcetype with no luck ` class DataHandler: def __init__(self,**args): pass def __call__(self, response_object,raw_response_output,response_type,req_args,endpoint): if response_type == "json": output = json.loads(raw_response_output) for server in output["distinctValues"]["buckets"]: print_xml_stream(json.dumps(server)) else: print_xml_stream(raw_response_output) ` JSON Response sample { "total": 15, "querytime": 6, "aggregations": { "distinctValues": { "doc_count": 0, "sum_count": 0, "buckets": [{ "key": "3412", "doc_count": 15 }, { "key": "5423", "doc_count": 81 }, { "key": "6543", "doc_count": 16 }, { "key": "6655", "doc_count": 18 }, { "key": "2344", "doc_count": 10 }, { "key": "1234", "doc_count": 16 }, { "key": "9898", "doc_count": 10 }, { "key": "4321", "doc_count": 14 }, { "key": "9988", "doc_count": 14 }, { "key": "3454", "doc_count": 11 }, { "key": "3242", "doc_count": 14 }, { "key": "9283", "doc_count": 6 }, { "key": "8472", "doc_count": 1 }, { "key": "9922", "doc_count": 6 }, { "key": "8293", "doc_count": 5 }] } }, "results": [] } ... View more

Is there a better way to report the count of hosts reporting to Splunk week over week other than running the query using index=* I am not looking for the no of forwarders, I am looking distinct count of host value in all the indexes, |metadata type=hosts do not help as it cannot be used for week over week calculation index=* earliest=-2w@w latest=@w | bucket span=1d _time | stats count by _time host | eval marker=if (_time<relative_time(now(),"-w@w"), "last week","this week") | eval _time=if(marker=="last week", _time + 7*24*60*60, _time) | timechart count by marker ... View more

When I try to calculated field for calculate a new field eval is not coming back with any results. How can I use a calculated field to calculate a new field. ... View more

"inputlookup" command works fine when I use in Splunk UI, but same search comes back with no results when I search through REST API: curl -w "@curl-format.txt" -s -k -u admin:changes https://localhost:8089/servicesNS/admin/search/search/jobs -d search="| inputlookup lookupdefinition” -d output_mode=json ... View more

I have two sets of data, both sets have a common field with common value, when i use join command i am able to find the ones which has a matching data, but what i wanted is to find the set of data which dont have a matching hit. sample query index=index1 sourcetype=type1 status=503 | join requestid [search index=index1 sourcetype=type2 status=200 ] | table _time requestid I want to get all the 503 which dont have a corresponding status 200, but have a same request id. when I use join i am getting the ones which have a corresponding 200 but not the ones which dont have one. I am not able to find a command which can do it. Any help is appreciated. ... View more

I am using Universal Forwarder as Intermediate forwarder, it is forwarding the monitored data without any issues but it is not forwarding any data _internal index or Splunk logs. Intermediate Forwarder Configuration: Outputs.conf [tcpout:index] server=sra-index-01:9997,sra-index-02:9997,sra-index-03:9997,sra-index-04:9997,sra-index-05:9997 inputs.conf [splunktcp://9997] disabled=0 ... View more

Hi Every one, I am doing a POC with the xenapp in out environment. I am able to install and get all the charts tables populate with data. But it uses three different Indexes, my question is does it really need three different indexes, is there any specific reason why it uses three different indexes. any help is greatly appreciated. ... View more