cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Unhacker
Explorer
Member since: ‎10-29-2013
‎06-05-2020
Community Statistics
Posts 3
Solutions 1
Karma Given 1
Karma Received 2
Member Since ‎10-29-2013
Topics I've Started
No posts to display.
View All

Re: Real time search suddenly incorrect

by in Splunk Search
‎06-23-2014 12:16 PM
‎06-23-2014 12:16 PM
Huh, I had a symptom like this once, and I discovered an admin had changed the local time zone setting on their server - events I received appeared to come from the future! Tellingly, I found all events when searching "All Time", but not in real- or relative-time. When a search for "(...) earliest=-5m latest=+5h (...)", returned results, the conclusion was obvious: I was receiving events from a time-traveling server, or someone had messed-up a time zone somewhere. Maybe that helps? Check out time zones at your event sources? Good luck, time traveler! 😉 ... View more

Re: timespan between earliest and latest per day p...

by in Splunk Search
‎06-23-2014 08:39 AM
1 Karma
‎06-23-2014 08:39 AM
1 Karma
I could be misinterpreting you zendataCH, but this is what I came-up with - for data, I used a source that contains its own 'time' field, and found it convenient to operate on those instead. If your events contain their own timestamp, that might work for you too. I used the 'min' and 'max' stats commands, but grouped them by both the username /and/ the day of the week. Sample Syntax: sourcetype=juniper | stats min(time), max(time) BY user,date_wday This returns approximately the following: ALTOID thursday 2014-06-19 14:14:00 2014-06-19 20:23:06 ANYPAY monday 2014-06-23 06:40:17 2014-06-23 07:03:05 APEFAN thursday 2014-06-19 14:10:44 2014-06-19 14:22:31 ANKLES friday 2014-06-20 09:59:33 2014-06-20 15:58:59 (...) I haven't figured-out calculating the difference in time between the two events yet, but I bet an eval is the answer for that. Your mileage, of course, may vary. Good luck! ... View more

Re: The Splunk For Bluecoat view "bcoat_overview" ...

by in All Apps and Add-ons
‎11-11-2013 12:48 PM
1 Karma
‎11-11-2013 12:48 PM
1 Karma
Btw this was exactly the fix I needed, in my case. Not sure if anyone else has mentioned this, but I found that with it configured as shipped, I not only "saw no results" in the app but futhermore it would peg the frak out of my server while it searched (in vain). Simply loading the BC App has pummel the thing to a 60 load average (yes - SIXTY). Good thing I wasnt running it on Windows or it would've burst into flames. But not that it works you've made me a Supa Stah (thanks!!) 😛 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to
View All