cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Abha11
Explorer
Member since: ‎06-10-2020
‎12-06-2021
Community Statistics
Posts 11
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎06-10-2020
Activity Feed
Topics I've Started
View All

Re: AWS Add Account Hangs and Error

by in All Apps and Add-ons
‎02-06-2023 02:44 AM
‎02-06-2023 02:44 AM
Hi Can you please tell us how u resolved the issue? ... View more

Re: Multiple regex conditions in transforms.conf

by SplunkTrust in Getting Data In
‎12-07-2021 12:56 AM
‎12-07-2021 12:56 AM
Hi as https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf said you can play REGEX towards _raw or other MetaData fields by using SOURCE_KEY. Based on that approach you probably can apply multiple transforms stanza for one event to achieve your needs. The same technique is usually used when most of data want to put nullQueue and only some events are needed for indexing. props.conf TRANSFORM-setProd = trans-1, trans-2prod [, trans-3 ...] TRANSFORM-setTest = trans-1, trans-2test [, trans-3 ...] Then in transforms.conf just set all to prod/test (or what is your main target), then based on log source change that to correct environment and if needed do additional transforms. Actually you could leave out trans-2xxx away in that environment. Important thing (or at least it's easiest to understand and ensure that those are applied in correct order) is put all needed transformations on one entry in props.conf. r. Ismo ... View more

Re: Status indicator by colour value

by SplunkTrust in All Apps and Add-ons
‎09-06-2021 01:19 AM
‎09-06-2021 01:19 AM
Assign a value to 1 if the host is up and 0 if not, then sum the values and set your colour based on the value of the sum ... View more

Re: Issues with props and transforms

by in Splunk Search
‎08-27-2021 02:59 PM
‎08-27-2021 02:59 PM
Hi @isoutamo  @Thank you so much for your reply to my question.  so I had restarted HF after applying the props and transforms, but no luck. I also checked via btool that props and transforms  were found by Splunk correctly, with the debug I could see they were sitting in my splunk add on for aws.  I tried not to use this props and transforms and created and used another sourcetype and I could see my data came in.  however I need to use transforms to set host source and sourcetype based on event data.  samd props and transforms working on another HF I copied it from. Not sure what is going wrong here since on using these splunk starts to write events to STDOUT.   any help appreciated! ... View more

Re: What is this issue with the monitor stanza in ...

by SplunkTrust in Splunk Search
‎01-28-2021 06:08 AM
‎01-28-2021 06:08 AM
Hi escape should be \. not ./ Based on documentation and experience that \ should be there between drive letter and top level directory ... View more

How to index Nix metrics via Splunk Add-on for Spl...

by in Deployment Architecture
‎10-05-2020 06:55 AM
‎10-05-2020 06:55 AM
I want to monitor our Linux Splunk instances and am using the Splunk Add-on for Nix to collect metrics data and am sending it to em_metrics index and monitoring them as SAI entities via SAI on search head.  We have a clustered environment. I am trying to get data from 3 members indexer cluster and 3 members SH cluster. We have universal forwarders installed on all of our instances. I tried to deploy the add-on to UF’s but I couldn’t see the entities on SAI (no data coming through from the hosts).  Now I have installed Nix add-on to the indexer cluster and SH cluster and have changed the inputs to send data to em_metrics index being used in SAI.  The issue that I am facing is for the indexer/SH cluster it is only displaying indexer master and SH cluster captain entities in SAI. I can see the IP's of other members in the dimensions of entities, but I want each host as a seperate entity.  Could anyone please guide me through if I am doing something wrong or how I can achieve what I want to see SAI app? I have been stuck for a few days, so any help is appreciated.  Thanks. ... View more

Re: Nix data from splunk HF via splunk TA_nix not ...

by in All Apps and Add-ons
‎10-04-2020 07:32 PM
‎10-04-2020 07:32 PM
Hi @inventsekar ,   Thank you for your response. i am trying to collect Hf health metrics from HF straight.  I installed Splunk_TA_nix in $splunk_home$/etc/apps and trying to configure the inputs via HF UI.  Yes other logs are fine from this HF There is a SAI app installed on one of our SH and I want this HF instance as an entity in there.  ... View more

Re: I want to write a search that should give me c...

by in Splunk Search
‎06-11-2020 07:25 AM
‎06-11-2020 07:25 AM
Hi, Maybe you can try using the query below as base for your need:   ... | eval expected_date = strftime(now(), "%m-%d-%Y 7:15") | eval expected_timestamp= strptime(expected_date, "%m-%d-%Y %H:%M") | eval event_date = strftime(_time, "%m-%d-%Y %H:%M") | eval event_timestamp = strptime(event_date, "%m-%d-%Y %H:%M") | eval diff = event_timestamp - expected_timestamp | eval result = case(diff = 0, "1", diff >= 1800, "3", 1=1, "2") | table _time, expected_date, event_date, diff, result   The output result was: _time expected_date event_date diff result 2020-06-11 07:45:00 06-11-2020 7:15 06-11-2020 07:45 1800.000000 3 2020-06-11 07:50:00 06-11-2020 7:15 06-11-2020 07:50 2100.000000 3 2020-06-11 07:00:00 06-11-2020 7:15 06-11-2020 07:00 -900.000000 2 2020-06-11 07:20:00 06-11-2020 7:15 06-11-2020 07:20 300.000000 2 2020-06-11 07:15:00 06-11-2020 7:15 06-11-2020 07:15 0.000000 1 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎12-06-2021 10:01 PM
Karma from
View All