×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
duckware
Explorer
Member since: ‎01-24-2021
‎02-04-2021
Community Statistics
Posts 5
Solutions 1
Karma Given 1
Karma Received 0
Member Since ‎01-24-2021
View All

Re: How to tell if event is within X seconds (both...

by in Splunk Search
‎02-04-2021 02:41 AM
‎02-04-2021 02:41 AM
I figured out a way (for my usage case). In my case, I just needed to mark events with X seconds of another event.  In one direction, this can be done with delta.  But then using sort to reverse direction, and running another delta gets the other direction. So when events E1 and E2 are with 5 seconds of each other, running a delta one direction marks E2 as being within 5 seconds (of E1). That leaves E1 not marked.  But then sort to reverse direction of the events and delta again then marks E1 as being within 5 seconds (of E2). ... View more

How to tell if event is within X seconds (both for...

by in Splunk Search
‎02-02-2021 10:56 AM
‎02-02-2021 10:56 AM
Using 'delta' I am able to figure this out, but in one time direction.  Now I need the other time direction. In the current event, I essentially need to get the answer to: Is there another event within X seconds (both forwards and backwards) of the current event. Is there a way to do this? ... View more

Re: Some events are in Splunk, but are not searcha...

by in Splunk Search
‎01-24-2021 03:19 PM
‎01-24-2021 03:19 PM
Confirmed!  key=value past 10 KB in JSON event and Splunk can't find it. ... View more

Re: Some events are in Splunk, but are not searcha...

by in Splunk Search
‎01-24-2021 01:25 PM
‎01-24-2021 01:25 PM
I may have just noticed a pattern?  The 'not found' events are on 'large' sized JSON events (>10KB) where the keys are near the end of the JSON event.  When I search on totally different keys (near the front of that specific event), the one event is found. Hopefully this is enough to get my administrators to fix the issue, but off hand, do you know what setting needs to be changed to get Splunk to index the entire JSON event (not just up to a point)? ... View more

Some events are in Splunk, but are not searchable

by in Splunk Search
‎01-24-2021 10:19 AM
‎01-24-2021 10:19 AM
Every event in an index has field XYZ (with a non-null positive number, no exceptions), and yet this search: index=<index> XYZ=* only finds 99.8% of the events.  The way to find the 'missing' 0.2% of the events is by this search: index=<index> NOT XYZ=* Looking at the missing event's _raw, the data is there, and extracting values from _raw (spath) works -- just not via field names in Splunk Search.  This 'error' only impacts around 0.2% of the events. Has anyone seen anything like this before?  The event is in Splunk, just not searchable.  What do I ask the administrators here to investigate?   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-04-2021 06:01 AM
Karma given to
View All