Thats the answer, thanks! ... View more

I have the same need right now. I am wondering if do you have resolved that after this time? I am trying to round,2 but looks like that Splunk visualization do that in their own, going default to round,3 I appreciate any help. Thank you ... View more

It seems user was trying to override content of lookup file with a search but the search didn't return any rows and hence the file was lost. To find out the search, try to search for outputlookup command in your splunkd.log. You can use following search. Add the specific lookup file that you want to verify in the search. index=_internal "outputlookup" ... View more

If it really is a bug, add the bug tag and also open a P2 support case with your entitlement. ... View more

Hi, I might be missing something but if I'm not mistaken when you run FROM you can simply reference the fields by using their short name and not the full name as you would have to do when using tstats for instance. In your example, the following should just work fine: | from datamodel:DataModel1.RootTransaction1 |where Extracted1 = "abc" And that might be the reason it's working fine when you use rename. PS: when using field names from within an eval you have to use single quotes instead of double quotes if they contain special characters. ... View more

you advised the reason is to "differentiate between event fields" and Transaction fields. Fine if that is the reason. but in the transaction search, only "RootTransaction1.Extracted1" field exist and "Extracted1" field is gone. What is there to be differentiate against, please? I would say nothing to differentiate from, at least nothing on search consumer's point of view. So why bother renaming? ... View more

Try this one: index=* sourcetype=sourcetype1 OR sourcetype=sourcetype2 | stats dc(sourcetype as sourcetypes values(sourcetype) as sourcetype by tradeID | search sourcetype=sourcetype1 AND sourcetypes= 2 ... View more

This will give you the wrong results, because it is a OR search. ... View more

We can all celebrate v6.6.1: http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/ReleaseNotes/NewSplunkCloudFeatures Because this: New SQL-like IN SPL operator New SPL operator that acts as a shorthand for multiple disjunctions of one field. See Comparison and Conditional functions and search in the Search Reference manual. So this: http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/ConditionalFunctions#in.28VALUE-LIST.29 And this: You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions with other commands. There is also an IN operator that is similar to the in(VALUE-LIST) function that you can use with the search and tstats commands. The following syntax is supported: ...| where in(field,"value1","value2", ...) ...| where field in("value1","value2", ...) ...| eval new_field=in(field,"value1","value2", ...) ... View more

Hi I found more detailed symptom now. If instead I specify the TradeID field, but rather search like below sourcetype=foo 123456 The event shows up! I check the event on GUI, and found that the GUI displays the event text (the log is in JSON format) as raw text, instead of showing as "syntax highlighted", and only SOME, but not other fields like TradeEvent and TradeID in the JSON log are listed under the log text. I double checked and pasted the log text into JSONLint, and it is a valid JSON message. Why does Splunk not index this message like other JSON event messages in my sourcetype? p.s. to your question, yes the TradeID is in _raw log, and not a lookup field. The full spath is TradeEventObject.TradeID ... View more

found reason why. It is that only when in eval statement, the CalculatedField2 failed to return any value. but in the first statement, the calculated field worked fine. ... View more

hello leonjxtan the field you are looking for is _indextime latency is _indextime -_time here is a full answer from this portal: https://answers.splunk.com/answers/11870/how-can-i-view-the-indexing-latency-for-incoming-events-in-real-time.html it explains it in detail and provides some examples as well hope it helps ... View more

You should click Accept on this answer to close the question. ... View more

we would need to remove the header and footer of the json file that you have received via rest api. So that, it will be structured as json. use SEDCMD regex in props.conf. Even am looking for help how can i generate the regex. ... View more

It looks like as of at least Splunk Version 7.0.3.4 if you go into Lookups -> Lookup definitions and select the "Advanced options" checkbox there's now a Match type field. I just added "WILDCARD(fieldname)" there and it worked. ... View more

Negative latency typically would be improper timezone/timestamp recognition as @srinivasup noted or possibly an invalid system clock time on a host. i.e. if a host clock is running 5 seconds slow, you could see -5 second latency. ... View more