Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Sharzi
Sharzi
Explorer
Member since:
01-30-2021
01-03-2025
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 21 |
| Karma Received | 1 |
| Member Since | 01-30-2021 |
Activity Feed
- Karma Having incoming TCP/UDP Traffic send to more than one index... for balbano. 01-03-2025 06:22 AM
- Karma Re: Alert based on Cron Expression: Run At every 15th minute from 1 through 59 for richgalloway. 03-18-2024 06:52 AM
- Karma Re: Can asterisks (*) be used in search names within the savedsearches.conf? for richgalloway. 03-14-2024 11:14 AM
- Got Karma for Re: Can asterisks (*) be used in search names within the savedsearches.conf?. 03-14-2024 10:59 AM
- Posted Re: Can asterisks (*) be used in search names within the savedsearches.conf? on Splunk Enterprise. 03-14-2024 10:55 AM
- Karma Re: Can asterisks (*) be used in search names within the savedsearches.conf? for richgalloway. 03-14-2024 10:51 AM
- Posted Can asterisks (*) be used in search names within the savedsearches.conf? on Splunk Enterprise. 03-14-2024 09:11 AM
- Tagged Can asterisks (*) be used in search names within the savedsearches.conf? on Splunk Enterprise. 03-14-2024 09:11 AM
- Tagged Can asterisks (*) be used in search names within the savedsearches.conf? on Splunk Enterprise. 03-14-2024 09:11 AM
- Karma Re: Copy Dashboard from one App to another for smoir_splunk. 08-09-2023 08:45 AM
- Karma Re: How can we move alerts from one app to another? for harsmarvania57. 08-03-2023 07:54 AM
- Karma Re: Why doesn't summary index data get written sometimes? for VatsalJagani. 04-19-2023 10:13 AM
- Posted Re: Why doesn't summary index data get written sometimes? on Knowledge Management. 04-19-2023 08:40 AM
- Posted Re: Why doesn't summary index data get written sometimes? on Knowledge Management. 04-19-2023 06:19 AM
- Tagged Why doesn't summary index data get written sometimes? on Knowledge Management. 04-17-2023 01:48 PM
- Posted Why doesn't summary index data get written sometimes? on Knowledge Management. 04-17-2023 01:33 PM
- Tagged Why doesn't summary index data get written sometimes? on Knowledge Management. 04-17-2023 01:33 PM
- Tagged Why doesn't summary index data get written sometimes? on Knowledge Management. 04-17-2023 01:33 PM
- Karma Re: summary index noob question for lguinn2. 04-17-2023 11:02 AM
- Karma Re: How can I determine if a field is an integer (whole number) for woodcock. 08-15-2022 01:16 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-14-2024
10:55 AM
1 Karma
Thank you @richgalloway for your reply! Since all of the monitoring searches are under my username, would you know a solution to set dispatch.ttl based on the username, not the search names? so all searches under my username would have dispatch.ttl=3p .
... View more
03-14-2024
09:11 AM
Hi, I have multiple searches that follow a naming convention like "Server1_Monitoring", "Server2_Monitoring", and so on. I used an asterisk in the search name stanza to match all of them in the savedsearches.conf file, like: [Server*_Monitoring] dispatch.ttl=3p I restarted the search head after the change, but it didn't work. Is there any way to avoid listing all the searches explicitly in savedsearches.conf? Thank you!
... View more
- Tags:
- conf
- savedsearch
Labels
- Labels:
-
administration
-
configuration
04-19-2023
08:40 AM
Thank you @efavreau! It might be the case since we recently reduced the instance type of several of our nodes from c5.9xlarge to c5.4xlarge (due to very low CPU usage and "over-provisioned" flag), and there is also the IOWait warning. So I'm wondering what you upgraded to solve the issue.
... View more
04-19-2023
06:19 AM
Hi @VatsalJagani , Thank you for your reply. We spread out the schedule, but we still have the same issue. Since the searches are running with no error, would you think the backfill script solves this issue? Thanks,
... View more
04-17-2023
01:33 PM
Hi,
I've faced an issue with summary indexing since last week. I have around 25 saved searches running 15 mins past the hour and save the results in the Summary index. Based on the jobs, these searches run fine with no error, but sometimes, summary index data is not written for some of these searches.
I check the _internal log and found the following:
reason=The maximum number of concurrent historical scheduled searches on this instance has been reached, Status=Continued
The concurrency limit on the search head is 39, and I changed max_searches_per_cpu to 2 on both SH and indexers, but no improvement!
My issue is similar to this post, but the solution is for version 5.
Could someone please help me with this? Thank you!
... View more
Labels
- Labels:
-
summary indexing
11-05-2021
12:27 PM
I had the same problem, but I wasn't aware of "$trellis.value$"! It solved my problem. Thanks!
... View more
10-26-2021
01:21 PM
Hi, I'm trying to use a lookup file inside an if statement, and it doesn't return any data. I would appreciate it if anyone could help me. Thanks! The lookup file has 4 columns (TenantName, tenantId, Region, DB) and my base search is returning 5 columns (_time, TenantName, tenantId, Region, Status). I need to find the database name (or DB) for each record, and it should be done by using tenantId in base search wherever tenantId is not "Unknown". <base search> | table _time TenantName tenantId Region Status | eval Database=if(tenantId!="Unknown", [| inputlookup myLookup | where tenantId=tenantId | return $DB], [| inputlookup myLookup | where TenantName=TenantName | return $DB])
... View more
09-10-2021
12:10 PM
Try: | eval Date=strftime(CreatedDate/1000, "%y%m%d%H%M%S") or | eval Date=strftime(CreatedDate/1000, "%d/%m/%y %H:%M:%S") Also, you can use either %y or %Y for the year.
... View more
03-15-2021
08:47 AM
Hi @richgalloway , We don't have any transaction command in our search query, but as you said, the problem was "latest". I changed the "latest" and now it is working fine! Thanks.
... View more
03-12-2021
10:48 AM
Hello, I recently faced an issue when populating a summary index. I scheduled a saved search to run every hour (with the last 60 minutes time range) and populate a summary index. The search takes around 5 minutes every time to be completed. My problem is that every time this scheduled search runs to populate the index, events in the last 30 seconds of the time range will be discarded from the results by Splunk. For example, for a one-hour time range like 9:00:00 to 10:00:00, the index is only populated with the events from 9:00:00 to 9:59:30. This issue caused some gaps and discrepancies in our index data. Is there any way to solve this? I searched a lot but couldn't find any answer 😞 Thanks.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-03-2025
12:40 PM
|
Karma given to
