Activity Feed
- Karma Re: How to add new member to SHC? for richgalloway. 08-09-2023 08:08 PM
- Posted How to add new member to SHC? on Splunk Search. 08-09-2023 01:49 AM
- Tagged How to add new member to SHC? on Splunk Search. 08-09-2023 01:49 AM
- Posted Re: splunk search query for unix timestamp on Splunk Search. 07-12-2023 09:46 PM
- Posted Re: splunk search query for unix timestamp on Splunk Search. 07-11-2023 10:21 PM
- Posted Help with splunk search for unix timestamp? on Splunk Search. 07-11-2023 10:56 AM
- Posted Help with splunk query to alert server status from down to up? on Splunk Enterprise. 05-10-2023 08:57 AM
- Karma Re: How to connect a SHC to Indexer cluster? for burwell. 05-10-2023 08:44 AM
- Posted How to connect a SHC to Indexer cluster? on Splunk Enterprise. 05-02-2023 10:23 AM
- Got Karma for Re: Python upgrade readiness app: Why Integrity check failing after update? 03-28-2023 03:47 AM
- Posted Re: Python upgrade readiness app: Why Integrity check failing after update? on Installation. 03-02-2023 12:11 AM
- Karma Re: Jenkins data indexing into Splunk, dashboards all blank for Gattaca2. 02-17-2023 03:43 AM
- Posted Re: How to complete a KVStore Migration on Installation. 02-16-2023 09:57 AM
- Karma Re: search query for non-reporting IP addresses? for richgalloway. 02-11-2023 11:04 AM
- Posted Help with search query for non-reporting IP addresses? on Splunk Search. 02-10-2023 11:23 AM
- Posted How to approach kvstore migration on non-sh? on Splunk Enterprise. 02-10-2023 10:57 AM
- Karma Re: how to find percentage with selective sum of field values for richgalloway. 01-24-2023 10:58 PM
- Karma Re: how to find percentage with selective sum of field values for bowesmana. 01-24-2023 10:57 PM
- Posted Re: how to find percentage with selective sum of field values on Splunk Search. 01-24-2023 10:22 PM
- Posted Re: How to find percentage with selective sum of field values? on Splunk Search. 01-24-2023 10:16 PM
08-09-2023 01:49 AM
Hi All, I have a requirement to add new members to the existing SH Cluster. I have gone through the link below, which explains adding a member to the SHC:
Add a cluster member - Splunk Documentation
How do I integrate it with the CM/Indexers? Do I need to do it after the above one? Is there any link?
07-12-2023 09:46 PM
_time always picks the time range. For example, if I set it during June 8th, the results look like:
If I set the time range as June 12th, the results look like:
07-11-2023 10:21 PM
Not on the Indexer, but I can see the props on the Heavy forwarder.
[PureStorage_REST]
INDEXED_EXTRACTIONS = JSON
TIMESTAMP_FIELDS = time,opened
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
TZ = UTC
detect_trailing_nulls = auto
SHOULD_LINEMERGE = false
KV_MODE = none
AUTO_KV_JSON = false
07-11-2023 10:56 AM
I want to create an alert for which I am writing a search query, but I am unable to filter using the time range picker. Since the events contain a unix timestamp, I tried to convert it, but it fails with the time range picker. Can you help me with what is wrong here?
Query:
index=isilon sourcetype="emc:isilon:rest" "memory threshold"
| eval "Start Time" = strftime('events.start', "%d/%m/%Y %I:%M:%S %p")
| table "Start Time" events.message
Ideally, when I run this query with the time range picker on June 12th, there should be NO results, but the results contain June 8th events (attachment provided).
Sample event:
{"events": {"devid": 8, "event": 400020001, "id": "8.794044", "lnn": 8, "message": "The SMB server (LWIO) is throttling due to current memory threshold settings. Current memory usage is 90% (23556 MB) and the memory threshold is set to 90%.", "resolve_time": 1686266238, "severity": "critical", "specifier": {"PercentMemoryUsed": 90, "PercentThreshold": 90, "ProcessMemConsumedInMB": 23556, "antime": 1686266290.600042, "devid": 8, "extime": 1686266290.490373, "kmtime": 1686266238.984405, "lnn": 8, "val": 90.0}, "time": 1686266238, "value": 90.0}, "timestamp": "2023-06-12 23:46:57", "node": "0.0.0.0", "namespace": "event"}
{"events": {"devid": 8, "event": 400020001, "id": "8.793138", "lnn": 8, "message": "The SMB server (LWIO) is throttling due to current memory threshold settings. Current memory usage is 90% (23556 MB) and the memory threshold is set to 90%.", "resolve_time": 1686248504, "severity": "critical", "specifier": {"PercentMemoryUsed": 90, "PercentThreshold": 90, "ProcessMemConsumedInMB": 23556, "antime": 1686248570.519368, "devid": 8, "extime": 1686248570.447457, "kmtime": 1686248504.901769, "lnn": 8, "val": 90.0}, "time": 1686248504, "value": 90.0}, "timestamp": "2023-06-12 23:46:57", "node": "0.0.0.0", "namespace": "event"}
05-10-2023 08:57 AM
Hi All, I have created an alert which checks the status of the server, and if it is down, then the alert will be triggered.
Query:
index=performance host=hostname1 source!=sar status!=UP | dedup hostname | table hostname status
Sample Event:
2023-05-10 17:50:18 hostname1 server is DOWN
2023-05-10 17:55:18 hostname2 server is DOWN
Now, I want to create an alert whenever the status changes from DOWN to UP. Can someone help with the query? Thanks.
05-02-2023 10:23 AM
Hi All, I need to connect a new indexer cluster, which is in GCP, to an existing Splunk SHC. I read the document below:
Integrate the search head cluster with an indexer cluster - Splunk Documentation
Integrate with a single-site indexer cluster
Do I need to execute this on all the SHs and then do a rolling restart? Or do I need to execute it on one SH, perform the restart, and then follow the same on the other SHs? Also, do I need to start with the captain or a non-captain? There is one more way, via the GUI:
Enable the search head - Splunk Documentation
It didn't mention whether I need to apply this on only one SH which is in the cluster or on all the SHs. Can anyone help me with this? Thanks.
03-02-2023 12:11 AM
1 Karma
I am also facing the same issue. Were you able to resolve it?
02-16-2023 09:57 AM
Do we need to initiate migration from the SHC captain or the KV Store captain?
02-10-2023 11:23 AM
Hi All, I have a field named ip_address which has 50 IP values in it. At every 5-minute interval, I will receive the same values.
ip_address
10.1.1.1
10.1.1.2
10.1.1.3
.
.
.
10.1.1.49
10.1.1.50
What are the ways to list the values which are not coming to Splunk? Let's say 10.1.1.2 and 10.1.1.45 are not coming to Splunk. Then I need those missing values listed in a statistical way to create an alert for missing IP addresses. What are the ways to achieve this? Please help 🙂 Thanks in advance.
02-10-2023 10:57 AM
Hi All, We are planning to migrate the KVstore storage engine from mmap to wiredTiger. I know it is safe to disable kvstore on Indexers, but I'm just wondering what steps to take if at all we need to upgrade the storage engine from mmap to wiredTiger on an Indexer Cluster.
01-24-2023 10:22 PM
Sorry, I think I didn't put it in the right way. It calculates the return_code like below (check KO and OK). But I want to calculate the highlighted ones. Example:
8+9+3 = 20
254 + 227 = 481
perc = 20*100/(20+481) = 3.1%
01-24-2023 10:16 PM
Yeah, right. Modified it. Thanks.
226 / (2924 + 226) = 7.17%
01-24-2023 10:51 AM
< query > ... | stats count by return_code fetches me the output below. I have to create an alert where the sum of any return_code value other than 100 and 200 should not cross 20% of the overall value. Example: from the above image, I will add the count of return_codes (other than 100 and 200), which will result in 226. Now the count of 100 and 200 is 2924. Now the percentage will come to around 7.17%. How do I achieve this via a query?
Labels: stats
01-24-2023 05:22 AM
It shows an error in the where command.
01-23-2023 09:57 AM
I have a field which contains an HTTP status code. I want to create a single alert query with multiple conditions. Example:
Condition 1) status code is 500 and greater than 10%: the alert should be triggered.
Condition 2) status code is 403 and greater than 20%: the alert should be triggered.
Condition 3) status code is 503 and greater than 20%: the alert should be triggered.
Also, is it possible to have a different time range for the above conditions? Like condition 1 and condition 2 should search the last 15 minutes, whereas condition 3 should search the last 30 mins. How do I form the query?
Labels: alert condition
01-20-2023 05:01 AM
Hi, can you help with the query if multiple conditions need to be met in the same query? Example: if the status code is 500 and greater than 10%, the alert should be triggered. Also, if the status code is 403 and greater than 20%, the alert should be triggered.
01-18-2023 10:27 PM
@fredclown Thanks for the input. It works. Can you help with the query if the values are in decimal?
A B
10.5 20.3
C
30.8
01-18-2023 10:56 AM
I have a field A which has percentage values. Also, I have a field B which has percentage values in it. Both are different values. Now I want to create a new field which adds both values.
A B
10% 30%
20% 50%
30% 70%
The query should fetch me results like below:
C
40%
70%
100%
Tags: field-values