Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About DG
DG
Explorer
Member since:
07-12-2022
03-19-2026
Community Statistics
| Posts | 14 |
| Solutions | 0 |
| Karma Given | 6 |
| Karma Received | 0 |
| Member Since | 07-12-2022 |
Activity Feed
- Posted Re: "Fatal thread error: pthread_mutex_lock: " when persistent queue enabled. Crashing thread: typing on Knowledge Management. 06-21-2024 01:26 AM
- Karma Re: "Fatal thread error: pthread_mutex_lock: " when persistent queue enabled. Crashing thread: typing for hrawat. 05-02-2024 12:50 AM
- Posted Re: "Fatal thread error: pthread_mutex_lock: " when persistent queue enabled. Crashing thread: typing on Knowledge Management. 04-24-2024 07:01 AM
- Posted Re: "Fatal thread error: pthread_mutex_lock: " when persistent queue enabled. Crashing thread: typing on Knowledge Management. 04-24-2024 02:03 AM
- Posted Re: thawing out multiple buckets at once? on Getting Data In. 10-18-2023 05:06 AM
- Karma Re: thawing out multiple buckets at once? for rafrey. 10-18-2023 05:02 AM
- Posted Scanning Splunk data for secret leaking? on Security. 03-07-2023 12:46 AM
- Tagged Scanning Splunk data for secret leaking? on Security. 03-07-2023 12:46 AM
- Tagged Scanning Splunk data for secret leaking? on Security. 03-07-2023 12:46 AM
- Tagged Scanning Splunk data for secret leaking? on Security. 03-07-2023 12:46 AM
- Tagged Scanning Splunk data for secret leaking? on Security. 03-07-2023 12:46 AM
- Karma Re: How can I determine who modified a dashboard? for sloshburch. 02-23-2023 08:48 AM
- Posted Re: How to use tokens in Base and Chain searches in Dashboard studio? on Getting Data In. 09-17-2022 03:20 AM
- Posted Re: How to use tokens in Base and Chain searches in Dashboard studio? on Getting Data In. 09-16-2022 02:02 PM
- Posted Re: Using tokens in Base and Chain searches in Dashboard studio on Getting Data In. 09-16-2022 05:27 AM
- Posted Any opinions, own experiences with Data Manager? on Splunk Cloud Platform. 09-14-2022 02:10 PM
- Posted Re: Why is base search more expensive? on Splunk Cloud Platform. 07-22-2022 02:24 AM
- Karma Re: Why is base search more expensive? for ITWhisperer. 07-22-2022 02:22 AM
- Posted Re: Why is base search more expensive? on Splunk Cloud Platform. 07-13-2022 04:39 PM
- Posted Re: Why is Base search more expensive? on Splunk Cloud Platform. 07-13-2022 03:23 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
06-21-2024
01:26 AM
Hi Hrawat, It's 21st June, I don't see the release on https://hub.docker.com/r/splunk/splunk/. When will this be released? Thanks, DG
... View more
04-24-2024
07:01 AM
Thank you for the information @hrawat ! Do I understand correctly that the "backports" are coming with the major release, as you said "conf release" - so around the Splunk conference, June 11-14?
... View more
04-24-2024
02:03 AM
Hi @rphillips_splk , @hrawat It's great to hear that it will be finally fixed, but when will you release those fixed versions? I don't find those tags on docker hub. Also, why didn't Splunk containers crash when this kind of failure happen? We are running the splunk/splunk images (as heavy forwarders) on K8S and we only noticed the issue when we saw that the network thoughput was low on a pod. K8S didn't restart the pod automatically because it didn't crash. The container stayed there as a zombie and didn't do any forwarding. Thank you! Regards, DG
... View more
10-18-2023
05:06 AM
Thank you very much! After 8 years this script is still relevant and working correctly! Karma is given!
... View more
03-07-2023
12:46 AM
Dear Community, We know that there are several options to mask sensitive data before/during ingestion. But generally, how do you scan your data to check if there is any already existing leakage of secrets/tokens/password? I've googled and searched community, but I did not find anything. I thought there is a Splunk app or Splunk ES has a built-in feature to do this, like a professional, fast, effective alert or an AI/ML assisted one. What I've done so far for a few indexes: index={INDEXNAME} | stats values(*) AS * | transpose | table column | rename column AS Fieldnames | search Fieldnames=*secret* OR Fieldnames=*password* (with last 15 minutes search interval) Is there any better solution out? Or do you have better idea to handle this? How are others doing this? We have a Splunk Cloud Platform, but I think it would be the same for Enterprise as well. Thank you very much! Regards, DG
... View more
Labels
- Labels:
-
audit
09-17-2022
03:20 AM
Hi @elizabethl_splu , Thank you very much! Ah, so the problem was with the case (sId) and as I see, we are on version: 8.2.2203.4 so I guess we have to wait to get to 9.0.2205 and test it 😮 I will get back to you if I tried it!
... View more
09-16-2022
02:02 PM
Thanks @elizabethl_splu , but I have already found these, I'm more interested in what @mjones414 asked. How can we store the whole search result in a token? Like this in Classic: <search>
<query>
index="myIndex" event="login"
</query>
<done>
<set token="Thing_One">$job.sid$</set>
</done>
</search> and I'm utilizing the loadjob command twice: <panel>
<single>
<title>Number of Unique users</title>
<search>
<query>| loadjob "$Thing_One$" | stats dc(user_id) as "Unique users"
</query>
</search>
<option name="drilldown">none</option>
</single>
</panel>
<panel>
<title>Unique users timeline</title>
<chart>
<search>
<query>| loadjob "$Thing_One$" | timechart dc(user_id) as "Unique users timeline"</query>
</search>
</chart>
</panel> This way the SVC consumption is about half the amount of running two individual queries. I am asking because as our team measured (with Chargeback app for Splunk), in Dashboard Studio using 1 ds.search (base) with 2 chain searches (children) are consuming almost as much SVCs as 2 individual ds.searches. We thought that using chain searches will execute the same base only once, so the SVC consumption will be half of that. I would try loadjob in Dashboard Studio, but I could not load any ds.search's result. I tried several syntax from the page you linked. (loadjob $search name:job.sId$, $search name:result$, $search name:results$ etc.) Thank you for your help!
... View more
09-16-2022
05:27 AM
Hi @elizabethl_splu , Do you have any updates about this feature? Is it implemented and documented somewhere? Thank you in advance!
... View more
09-14-2022
02:10 PM
Dear Community, Do you have any opinions, own experiences with Splunk new feature called Data Manager? What are the advantages and disadvantages of it compared to an add-on (i.e. Splunk Add-on for AWS) to ingest your data to Splunk? As I see this Data Manager just generates CF templates and we have to pull up our machines upon them (pay for these resources to AWS) and push data to Splunk (are we paying for SVC usage - ingestion- here?), while the addon is fully managed by Splunk and is pulling the data from AWS. The addon uses Splunk resources of course (are we paying for SVC usage - ingestion - here?) to pull data until it reaches AWS API limits (if it reaches). So, I would be happy to hear your own, objective experiences about the topic. 🙂 Does it worth overall to start using Data Manager? (AWS costs + Splunk ingestion costs (?)) VS. (Splunk ingestion costs (?) + API limit) What did you also consider? (Of course I tried googling this topic, but I did not find any good, objective comparison, opinions about it.) Thank you very much for your help!
... View more
Labels
- Labels:
-
administration
-
using Splunk Cloud
07-13-2022
04:39 PM
Your answer is more detailed and I got more explanations, so I accepted yours. 🙂 However, it seems that on average we gain more with the loadjob solution. I don't know why the SVC consumptions are so different, I'm running the default dashboard and these two solutions with the same "refresh=180" attribute for one hour.
... View more
07-13-2022
03:23 PM
"including _time, so it's likely the base search result set will be the entire data set" -> yes, now I think so, too. I have included _time, because my post-processing searches displayed error or invalid data, so I googled and read it i.e. here: https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-create-Time-chart-with-search-with-base-search/m-p/322417 that I should try using "| fields *", or "stats count by _time" here: https://community.splunk.com/t5/Splunk-Search/help-on-base-search-event-limit/m-p/574058#M200053 "As ITWhisperer says, the additional filters (user_id, is_aaaaa_login, environment) should also be part of the base search. Is there a reason why not and how many of the 3million events are included unnecessarily?" -> Totally true, my mistake, I did not realize that they can be the part of the base search.
... View more
07-13-2022
03:10 PM
Thank you very much! Both solution (loadjob from ITWhisperer and base search from bowesmana) worked, saved SVCs for us, we have to measure a few times to get a more accurate picture of exactly how much, but once it was 75% saving, other time it was around 40% saving. I'm quite new here, can I accept both as solution?
... View more
07-12-2022
09:30 AM
Dear Community,
I would like to get some assistance and/or clarification regarding Splunk’s base-search/post-processing functionality. I have read it/heard that using one base-search and post processing instead of several similar queries is cost effective, we can save SVCs (splunk virtual computes) with it. In practice, unfortunately I have experienced quite the opposite:
Let’s say, I have a dashboard (call it “A”) with these queries:
index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | stats dc(user_id) as "Unique users, who has logged ..."
index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart count by result
index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | dedup user_id | timechart span=1h count as "per hour"| streamstats sum("per hour") as "total"
index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart dc(user_id) as "Unique users"
index="myIndex" "[OPS] [INFO] event=\"asd\"" | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Failed" AND reason != "bbb" | timechart count by reason
I cloned this “A” dashboard (let’s call the clone “B”).
I got some issues, like I got no data, or the numbers were different on “B” than “A”, but after some googling, reading Splunk community, I managed to get the same results on “B” with:
A base search:
index="myIndex" "[OPS] [INFO] event=\"asd\"" | stats count by user_id is_aaaaa_login environment result reason _time
Post-processes:
search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | stats dc(user_id) as "Unique users, who has logged ..."
search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart count by result
search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | dedup user_id | timechart span=1h count as "per hour"| streamstats sum("per hour") as "total"
search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Successful" | timechart dc(user_id) as "Unique users"
search | where user_id != "0" AND is_aaaaa_login="true" AND environment="prod" AND result="Failed" AND reason != "bbb" | timechart count by reason
I have added ‘refresh=”180”’ to the top of these two dashboards and leave them open in my browser for about one hour (and the common date-picker was set to “last 24 hours”). After this, I was surprised when I saw that dashboard “A” in “Splunk App for Chargeback” consumed around 5 SVCs while dashboard “B” used around 15 SVCs. So the dashboard with the base-search was way more expensive than the “normal” one. I thought that it will be much cheaper.
Why is that? Did I construct my base/post-process queries badly? If yes, what should I change?
I searched a lot, I found only one comment on Splunk community here:
https://community.splunk.com/t5/Dashboards-Visualizations/Base-Search-for-dashboard-optimization/m-p/348795
“However, I do not recommend it when dealing with large data because base search is slow.” which implies that maybe base search is not always a cheaper solution?! So I executed only my base-search in Splunk for a 24 hours interval, it gave back a table with around 3,000,000 rows. Does this mean a large data set? Should I forget using base-searches?
Thank you very much for your help!
... View more
Labels
- Labels:
-
troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-19-2026
06:21 AM
|
