Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About RobertMarks
RobertMarks
Observer
Member since:
07-19-2023
11-07-2023
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 07-19-2023 |
Activity Feed
- Posted Re: How can I find an event count of event that are less than a p95 duration? on Splunk Search. 11-07-2023 12:51 PM
- Posted Re: How do I install and configure a specific Splunk app or add-on? on Splunk Answers-a-thon!. 07-19-2023 11:59 AM
- Posted Re: How to index data from a CSV file? on Splunk Answers-a-thon!. 07-19-2023 11:58 AM
- Posted Re: How can I manage and monitor indexers and forwarders in a distributed environment? on Splunk Answers-a-thon!. 07-19-2023 11:56 AM
- Posted Re: How can I manage and monitor indexers and forwarders in a distributed environment? on Splunk Answers-a-thon!. 07-19-2023 11:55 AM
- Posted Re: How to use field extractions? on Splunk Answers-a-thon!. 07-19-2023 11:54 AM
- Posted Re: How to use field extractions? on Splunk Answers-a-thon!. 07-19-2023 11:52 AM
- Posted Re: How to create and manage lookup tables? on Splunk Answers-a-thon!. 07-19-2023 11:50 AM
- Posted Re: How can I configure index-time and search-time data extractions? on Splunk Answers-a-thon!. 07-19-2023 11:46 AM
- Posted Re: How do I create a basic dashboard in Splunk? on Splunk Answers-a-thon!. 07-19-2023 11:43 AM
Topics I've Started
No posts to display.
11-07-2023
12:51 PM
I find doing eventstats on raw data to be tremendously slow. I'd probably compute the percentile in a subsearch and pass it through. Then you only do the percentile computation once. index=xyz status=complete [ search index=xyz status=complete | stats p95(dur) as p95Dur | eval search = "dur>"+p95Dur | table search]
... View more
07-19-2023
11:59 AM
Download the tar'ed app from Splunkbase and then go to Apps -> manage apps -> upload from file. Chose whether to overwrite an existing app if you're upgrading
... View more
07-19-2023
11:58 AM
Settings -> Add Data -> monitor -> files and directories. You could also add the data as a lookup and do an " | inputlookup asdf | collect sourcetype=stuff index=stuff " but thats kind of a roundabout way of doing it.
... View more
07-19-2023
11:56 AM
Monitoring may be done in a properly configured Monitoring Console under the tabs for indexing: distributed enviroment (or something similar, can't remember the exact name)
... View more
07-19-2023
11:55 AM
You may use a Deployment Server. You can also use the cluster manager to manage the knowledge object bundle, or use SmartStore.
... View more
07-19-2023
11:54 AM
There is also the option to use the search -> sidebar -> extract more fields -> and use the automatic field extractor, though this is most often just a jumping-off point for your final field extractions.
... View more
07-19-2023
11:52 AM
You can write a search time field extraction under splunk -> settings -> field extractions. A field extraction will apply to a sourcetype and can be either an inline regex based extraction, or use a TRANSFORM from transforms. conf. You can also extract fields at indextime using transforms.conf on the indexer/HF
... View more
07-19-2023
11:50 AM
You can manage a lookup table in the settings tab. You can update or write to a lookup either by uploading them or using the "| outputlookup" command. You can also do this on the backend under the directory $SPLUNK_HOME/etc/system/lookups/ , or in $SPLUNK_HOME/etc/<app_name>/lookups/ if the lookup belongs to a specific app. You can also list lookups using the REST api You can access your lookup table at the search bar using "| lookup" or "| inputlookup" Additionally you can set automatic lookups under the fields options. These will apply to a sourcetype kind at search time like how a calculated field or field extraction would work.
... View more
07-19-2023
11:46 AM
Indextime extractions can be configured using transforms.conf on the indexer (or indexer cluster). Searchtime extractions can be set using settings -> field extractions on the Splunk searchead UI. You will need to manage the permissions if you want these extractions to be visible for different user roles, the default would be your user only.
... View more
07-19-2023
11:43 AM
The most basic way to create a dashboard would be to run a Splunk Search and then click the "Save As" button, then save as dashboard panel.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-07-2023
04:11 PM
|
