×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
madhack
Explorer
Member since: ‎03-15-2013
‎03-17-2025
Community Statistics
Posts 5
Solutions 1
Karma Given 0
Karma Received 1
Member Since ‎03-15-2013
Activity Feed
View All

Re: How to search the average of a distinct count ...

by in Splunk Search
‎10-05-2016 09:16 AM
‎10-05-2016 09:16 AM
Timechart is losing the builtin special date fields. If you really want to average it across the same hour for all days, you could use eval's strftime() to re-calculate the hour: sourcetype=usage | timechart span=1h dc(USERNAME) as dc | eval hour=strftime(_time, "%H") | stats avg(dc) by hour ... View more

Re: Lookup table does not exist from indexer but e...

by in Splunk Search
‎09-11-2013 06:45 PM
‎09-11-2013 06:45 PM
There are users who only have access to host02 and not host01 for various reasons. I only index on host02 but I search on both host01 and host02. Am I to understand that this is not a supported configuration? ... View more

Re: Lookup table does not exist from indexer but e...

by in Splunk Search
‎09-11-2013 05:38 PM
‎09-11-2013 05:38 PM
The splunk user owns it. That first bit in UNIX permissions refers to the owner. splunk@evgconlnx06:~/etc/apps/euc$ head -1 lookups/internal_domains.csv domain,is_internal I can read the file as the splunk user, and I can perform the lookup manually and automatically under any situation as long as I'm doing it on the local search head and not across a search peer. File permissions aren't the issue, I'm afraid... ... View more

Re: Lookup table does not exist from indexer but e...

by in Splunk Search
‎09-11-2013 04:33 PM
‎09-11-2013 04:33 PM
There isn't any Windows involved; I should have specified that both hosts are Linux. The CSV was created using a Python script on another Linux box and scped over. The file is on both hosts owned by splunk:splunk mode 600. The app was pushed via deployment server. splunk@host01:~/etc/apps/euc$ ls -l lookups/internal_domains.csv -rw------- 1 splunk splunk 3073 Sep 10 22:48 lookups/internal_domains.csv splunk@host02:~/etc/apps/euc$ ls -l lookups/internal_domains.csv -rw------- 1 splunk splunk 3073 Sep 11 22:24 lookups/internal_domains.csv ... View more

Lookup table does not exist from indexer but every...

by in Splunk Search
‎09-11-2013 03:47 PM
1 Karma
‎09-11-2013 03:47 PM
1 Karma
I've configured a CSV lookup and an automatic lookup on Splunk 5.0.4 that work on one of my search heads (let's call it host01). When I push the app to the indexer search peer (host02) that holds the data, host01 starts showing errors about the lookup not existing: [host02] The lookup table 'internal_domains' does not exist. It is referenced by configuration 'source::maillog|host::mailhost|sendmail_syslog'. All of my searching has led me to believe this kind of thing is normally a permission issue on any of the pieces involved (lookup table file, lookup defintion, or automatic lookup) but the ONLY "*.meta" files I can find that contain any information about this lookup on my indexer are in my app, and it has this: [props] export = system [lookups/internal_domains.csv] export = system version = 5.0.2 modtime = 1367367795.814840000 access = read : [ * ], write : [ admin, power ] owner = nobody [transforms/internal_domains] export = system version = 5.0.3 access = read : [ * ], write : [ admin, power ] modtime = 1371773947.230195000 owner = nobody [props/sendmail_syslog/LOOKUP-direction] access = read : [ * ], write : [ admin, power ] owner = nobody version = 5.0.4 modtime = 1378938232.175058000 The most confusing part is that if I log in to host02 and do the exact same search, I don't get any errors and the automatic lookup happens, regardless of what app I do it from. Meanwhile, the errors didn't start showing up on host01 until I'd pushed the definitions to host02. I'm sure I must be missing something obvious. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-17-2025 03:03 PM
Karma from
View All