About grodaas

grodaas · ‎09-03-2012

Is it possible to add the "checkip" lookups from a web search? something like: index="html" | lookup ipcheck ....

grodaas · ‎09-03-2012

This does not seem to work for me. No matter what I do I can't get the Splunk to use the orgin sourcetype when reading from the summary index. This is the command that is stored in Manager » Searches and reports » View Recent » "latest" : index="pdns" | search "google" | eval orig_sourcetype=sourcetype | summaryindex spool=t uselb=t addtime=t index="testalarms" file="google_645699260.stash_new" name="google" marker="" I have also tried updating props.conf: [source::/opt/splunk/var/spool/splunk/*] sourcetype = pdns2 or [stash] sourcetype = pdns2 priority = 101

grodaas · ‎08-30-2012

When I do index time field extraction will Splunk create a new separate index for the values in the extracted field ( For example a B-tree index) or will Splunk add key=value pairs as keywords to the existing full-text indexes found in the *.tsidx files?

grodaas · ‎08-28-2012

I have multiple scheduled searches that run on large indexes and save the results to a summary index. There is no aggregation in the searches, only filtering. An example search would be something like "index=http google.com". My problem is that when I save the search to the summary index the sourcetype is changed to "stash". I would like to keep the old sourcetype. Is there a way to tell Splunk to keep the original sourcetype?

Posts	4
Solutions	0
Karma Given	2
Karma Received	2
Member Since	‎07-31-2012

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

index time field extraction

keep original sourcetype in summary index

Re: Using CIDR in a lookup table

Re: keep original sourcetype in summary index

index time field extraction

keep original sourcetype in summary index