Hi Y'all,   I am trying to execute a dbxquery in Splunk by adjusting only the time tokens. Splunk server is in a time zone and the database server is also in the same time zone but when I execute the query I can see that the query is executing with a lag of an hour.   When I execute the same in the database directly, I can see that there is no lag and the query executes perfectly. Only difference I could sense is the usage of epoch time conversion in SPL and no conversion used in the database query which I feel might be a time zone difference between the servers.         | dbxquery query="select 100-(COUNT(DISTINCT (week)) *100 / (DATEDIFF (DATE_FORMAT(FROM_UNIXTIME('1680559200'), '%Y%m%d') , DATE_FORMAT(FROM_UNIXTIME('1672527600'), '%Y%m%d'))/7)) from `mxone_db`.`pdt_disruptions` where DATE_FORMAT (DATE, '%Y%m%d' ) between DATE_FORMAT(FROM_UNIXTIME('1672527600'), '%Y%m%d') AND DATE_FORMAT(FROM_UNIXTIME('1680559200'), '%Y%m%d')" connection="dbuser"     Solution: 47.3118       select 100-(COUNT(DISTINCT (week)) *100 / (DATEDIFF (DATE_FORMAT('2023-04-03', '%Y%m%d') , DATE_FORMAT('2023-01-01', '%Y%m%d'))/7)) from pdt_disruptions where DATE_FORMAT (DATE, '%Y%m%d' ) between DATE_FORMAT('2023-01-01', '%Y%m%d') AND DATE_FORMAT('2023-04-03', '%Y%m%d')     Solution: 46.7391   Not sure where is this query getting lost? Please let me know if you have any clue of this issue.   Regards, Pravin ... View more

Hi Community,   I have a use case where the client needs data to be stored over an extended period of time. That data powers the dashboard that uses datamodels to generate the panels. Since the client wants data to be available for at least 6 months, the idea was to create an index that has hot/warm buckets in SSD and cold buckets in slower storage. I have two different issues here: I have implemented this setup in our test environment with mixed storage for hot and cold buckets. Is there a way for me to check where my data is being stored? Since my dashboards are all powered by datamodels, I have a question regarding the storage location and method of accelerated data. If the data is accelerated, does the data model summary folder store the complete accelerated data or will it have some pointers that point to the location where the data is actually present? The main problem here is that if we have mixed storage of SSD and HDD, and since all the dashboards are powered by datamodels how much will this affect the performance of Splunk? Will the time to load the dashboard be affected by such a storage model?   Regards, Pravin ... View more

Hi Community,   I have a search query where I am trying to get values for the search from the results of another query. index=_internal [ `set_local_host`] source=*license_usage.log* type="Usage" | eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h) | eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s) | eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx) | bin _time span=1d | stats sum(b) as b by _time, pool, s, st, h, idx | search pool = "*" | search h = hp742srv OR dell970srv OR dell428srv OR hp548srv OR dell429srv OR dell477srv OR dell433srv | timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30 | join type=outer _time [ search index=_internal [ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d | eval _time=_time - 43200 | bin _time span=1d | stats latest(stacksz) AS "stack size" by _time] | fields - _timediff | foreach * [ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]  The search statement in line number 9 has a list of host names which I have entered manually using the OR operator. The below query can generate the list of results but I am not able to use the result in the above query. index=mx_logs "mx.env"="dell1192srv.fr.mx.com:15022" | table host | dedup host  How can I use the results from the 2nd query dynamically in the first SPL query? Thanks in advance.   Regards, Pravin ... View more