I need to upgrade the Splunk Universal forwarder version to all the existing installed windows 2016 and 2019 servers. I am using Splunk Enterprise as a Search head and indexer. Is there a way that I can upgrade the old version with the latest without uninstalling the old and install the new one. And how this task can be done for all the servers together instead of one by one. ... View more

Hello, I have created server down and up alerts separately which triggers when the server is down on the basis of percentile80>5 and up when the percentile80<5. But I want to create one combine alert which should trigger all the time when the server is down and I just want only one up alert (Recovery alert) once the server is up again, means it should not trigger multiple alerts for up until it again down. Any way to get this done ? Below is the query : Time Range is last 15 minutes and Cron job is */2 * * * * (every 2 minutes) index=xyz sourcetype=xyz host=* | eval RespTime=time_taken/1000 | eval RespTime = round(RespTime,2) | bucket _time span=2m | stats avg(RespTime) as Average perc80(RespTime) as "Percentile_80" by _time | eval Server_Status=if(Percentile_80>=5, "Server Down", "Server UP") So above alert should trigger when the Server is down and it should trigger every 2 minutes until is up. And then alert should trigger only once when the server is Up again and it should not trigger every 2 minutes until the server is down again. ... View more

index=abc sourcetype=abc | timechart span=1m eval(count(IP)) AS TimeTaken Now I want to get 95th percentile of this total IP counts. like below. | stats perc95(TimeTaken) as Perc_95 by IP So how should I write this query ? ... View more

I am using below query to get the index sizes and consumed space and frozenTimePeriodInSecs details. | rest /services/data/indexes splunk_server="ABC" | stats min(minTime) as MINUTC max(maxTime) as MAXUTC max(totalEventCount) as MaxEvents max(currentDBSizeMB) as CurrentMB max(maxTotalDataSizeMB) as MaxMB max(frozenTimePeriodInSecs) as frozenTimePeriodInSecs by title | eval MBDiff=MaxMB-CurrentMB | eval MINTIME=strptime(MINUTC,"%FT%T%z") | eval MAXTIME=strptime(MAXUTC,"%FT%T%z") | eval MINUTC=strftime(MINTIME,"%F %T") | eval MAXUTC=strftime(MAXTIME,"%F %T") | eval DAYS_AGO=round((MAXTIME-MINTIME)/86400,2) | eval YRS_AGO=round(DAYS_AGO/365.2425,2) | eval frozenTimePeriodInDAYS=round(frozenTimePeriodInSecs/86400,2) | eval DAYS_LEFT=frozenTimePeriodInDAYS-DAYS_AGO | rename frozenTimePeriodInDAYS as frznTimeDAYS | table title MINUTC MAXUTC frznTimeDAYS DAYS_LEFT DAYS_AGO YRS_AGO MaxEvents CurrentMB MaxMB MBDiff title MINUTC MAXUTC frznTimeDAYS DAYS_LEFT DAYS_AGO YRS_AGO MaxEvents CurrentMB MaxMB MBDiff XYZ 24-06-2018 01:24 10-02-2024 21:11 62 -1995.87 2057.87 5.63 13115066 6463 8192 1729   For index 'XYZ' I can see frozenTimePeriod are showing 62 days so as per the set condition it should just show last 2 months of data but my MINTIME is still showing very old date as '24-06-2018 01:24'. When I checked the event counts in Splunk for older than 62 days then it shows very few counts compare to past 62 days events counts. (Current events counts are very high) So why still these older events are showing in Splunk and also why very few not all). I want to understand this scenario to increase the frozentime period. ... View more

I want to calculate the Percentage of status code for 200 out of Total counts of Status code by time. I have written query as per below by using append cols. Below query is working but it is not giving percentage every minute or by _time wise. I want this Percentage of status code for 200 by _time also. So can anybody help me out on this how to write this query. index=* sourcetype=* host=* | stats count(sc_status) as Totalcount | appendcols [ search index=* sourcetype=* host=* sc_status=200 | stats count(sc_status) as Count200 ] | eval Percent200=Round((Count200/Totalcount)*100,2) | fields _time Count200 Totalcount Percent200 ... View more

I have created an  Alert when the response time is high and service is down and scheduled it on Cron job which is set to every 2 minutes. So it is notifying me when the Server is down. But I also want to create an Alert which will show the recovery Alert means when the service is Up again the alert should trigger only one time after the down. I have created this Up alert also by putting the condition low response time but it is triggering every 2 minutes and sending an email. Which is actually not required. So I just need only one email notification after down that service is Up again and running normally.     ... View more