×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Atriarc
SplunkTrust
Member since: ‎08-06-2021
‎03-22-2024
Community Statistics
Posts 9
Solutions 1
Karma Given 5
Karma Received 7
Member Since ‎08-06-2021
Activity Feed
Topics I've Started
No posts to display.
View All

Re: How to split single sourcetype in multiple one...

by SplunkTrust in Getting Data In
‎12-08-2022 12:18 PM
‎12-08-2022 12:18 PM
You cannot rename the source type for data that has already been indexed. You can do some things at search time, but since that is inefficient I won't go into it. Your best bet is likely sending the data feed to a heavy forwarder, setting the source types appropriately (inputs, props, transforms), and then kicking it to the indexers. ... View more

Re: Set Label Throwing Validation Error sometimes

by SplunkTrust in Splunk SOAR
‎12-07-2022 10:05 AM
‎12-07-2022 10:05 AM
What commonality do the failing containers have with other failing containers, and how do the differ from containers that do not fail? ... View more

Re: How do you manage several look-ups reviews?

by SplunkTrust in Knowledge Management
‎12-06-2022 08:54 AM
1 Karma
‎12-06-2022 08:54 AM
1 Karma
I would think that adding an additional column to your lookups containing the epoch time value for when the entry was created (or modified if you want that much granularity/complexity). From there it just becomes a matter of when to roll stale data out of the lookup.  ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-22-2024 04:11 PM
Karma from
Karma given to
View All