sounds like it's by design https://community.splunk.com/t5/Knowledge-Management/summary-indexing-with-sisat-distinct-count-without-the-list-of/m-p/29384/highlight/true#M266 for fill_summary_index.py, described here https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Managesummaryindexgapsandoverlaps   ... View more

The problem with both of those is it does not account for the 5 vs 6 hour shift between CDT and CST. That is, solutions like this that use relative_time, manually subtract 5 or 6 hours, but do not differentiate when to make that shift (March-ish to November-ish), but Splunk has TZ awareness since the user can set their profile. Seems like there should be a way (a function?) to tap into that, but something like relative_time(epoch, "CST6CDT") doesn't seem exist. Many thanks for the great conversation as, per usual, learning!   ... View more

Amazing!  Appreciate the straight up regex, too.  This was the way I thought I'd have to do, but didn't realize it 'exact matched' all three keyes (all 3 have to match to be accepted). Thank you!!!   ... View more

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Timestamp_extraction_configuration You have the TZ parameter which you can use to "bind" a predefined timezone to a particular sourcetype, source or host. But it's always best if the source specifies the timezone within the timestamp itself - it saves you some work and possibly much grief later. ... View more

If you dig through the limits.conf file spec - https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf you'll see there are several separate limits. Some aspects of subsearching can hit 10k results limit, others have default limit of 50k. If I remember correctly, the join command has a limit of 50k but the "direct subsearch" can only return 10k results. ... View more

Don't immediately jump down the indexed fields route - there are uses but most of the time search time extraction is sufficient. Adding index extractions will increase storage requirements for data as the raw data AND the extractions are both stored. With recent developments in Splunk, the use of TERM(XX) in searches can hugely improve search times, as it does not have to look at the raw data to find hits, instead it will look at the "tsidx" files. ... View more

Hi @loganramirez, it was a pleasure to help you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉   ... View more

Hi @loganramirez, please try using the default for json and my TIME_FORMAT: [your_sourcetype] TIME_FORMAT: %s%3N TIMESTAMP_PREFIX: \"eventTime\": KV_MODE: none INDEXED_EXTRACTIONS = json Ciao. Giuseppe ... View more

thoughts on the 10k limit using sub searches like this?  just ran into that.   ... View more

wow this is great!  had NO IDEA about this and this is a really big help.  thank you for the specific example, sir! ... View more

i'm all ears on what configs to look at and how to debug! ... View more