cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Sharzi
Explorer
Member since: ‎01-30-2021
‎12-12-2022
Community Statistics
Posts 5
Solutions 0
Karma Given 13
Karma Received 0
Member Since ‎01-30-2021
Activity Feed
View All

Re: In a trellis layout, how come the "split by" f...

by in Getting Data In
‎11-05-2021 12:27 PM
‎11-05-2021 12:27 PM
I had the same problem, but I wasn't aware of " $trellis.value$"!  It solved my problem. Thanks! ... View more

use lookup file inside if statement

by in Splunk Search
‎10-26-2021 01:21 PM
‎10-26-2021 01:21 PM
Hi,  I'm trying to use a lookup file inside an if statement, and it doesn't return any data. I would appreciate it if anyone could help me. Thanks! The lookup file has 4 columns (TenantName, tenantId, Region, DB) and my base search is returning 5 columns (_time, TenantName, tenantId, Region, Status). I need to find the database name (or DB) for each record, and it should be done by using tenantId in base search wherever tenantId is not "Unknown". <base search> | table _time TenantName tenantId Region Status | eval Database=if(tenantId!="Unknown", [| inputlookup myLookup | where tenantId=tenantId | return $DB], [| inputlookup myLookup | where TenantName=TenantName | return $DB])   ... View more
Labels

Re: Convert 210910085155 to yymmddhhmmss or dd/mm/...

by in Splunk Search
‎09-10-2021 12:10 PM
‎09-10-2021 12:10 PM
Try: | eval Date=strftime(CreatedDate/1000, "%y%m%d%H%M%S") or | eval Date=strftime(CreatedDate/1000, "%d/%m/%y %H:%M:%S")   Also, you can use either %y or %Y for the year. ... View more

Re: Scheduled search for populating summary index ...

by in Splunk Search
‎03-15-2021 08:47 AM
‎03-15-2021 08:47 AM
Hi @richgalloway , We don't have any transaction command in our search query, but as you said, the problem was "latest". I changed the "latest" and now it is working fine! Thanks.   ... View more

Scheduled search for populating summary index igno...

by in Splunk Search
‎03-12-2021 10:48 AM
‎03-12-2021 10:48 AM
Hello, I recently faced an issue when populating a summary index. I scheduled a saved search to run every hour (with the last 60 minutes time range) and populate a summary index. The search takes around 5 minutes every time to be completed. My problem is that  every time this scheduled search runs to populate the index, events in the last 30 seconds of the time range will be discarded from the results by Splunk.  For example, for a one-hour time range like 9:00:00 to 10:00:00, the index is only populated with the events from 9:00:00 to 9:59:30. This issue caused some gaps and discrepancies in our index data.  Is there any way to solve this? I searched a lot but couldn't find any answer 😞 Thanks. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-12-2022 03:52 PM
Karma given to