×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
nonno_pinto
Engager
Member since: ‎06-04-2024
‎01-20-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎06-04-2024
Activity Feed
View All

Monitoring email status

by in Splunk Search
‎01-16-2025 05:22 AM
‎01-16-2025 05:22 AM
Hi everyone! My goal is to create an alert to monitor in ALL saved search if there's any email that no longer exist (mainly, colleagues that left the company or similar). My idea was to search for the same patter of Mail Delivery Subsystem that happens when sending an email from Gmail (or any other) to a non-existing mail. Bud didn't find anything in _internal index, nor with a rest to saved search and index=mail is empty. Amy idea? ... View more

Re: Setting _time with collect not working

by in Knowledge Management
‎06-04-2024 03:56 AM
‎06-04-2024 03:56 AM
After few tries, i changed test case and saw the problem was that is was asking splunk to save an event "in the future", and apparently that's not possibile ... View more

Setting _time with collect not working

by in Knowledge Management
‎06-04-2024 02:26 AM
‎06-04-2024 02:26 AM
I have a small query that splits events depending on a multivalue field and each of n's date from the multivalue needs to become the _time of n's "collected" row.   index=test source=test | eval fooDates=coalesce(fooDates, foo2), fooTrip=mvsort(mvdedup(split(fooDates, ", "))), fooCount=mvcount(fooTrip), fooValue=fooValue/fooCount | mvexpand fooTrip | fields - _raw | eval _time=strptime(fooTrip, "%F") | table _time VARIOUS FIELDS | collect index=test source="fooTest" addtime=true   The ouput table view is exactly what i'm expecting, but when i search for these fields on new source, they have today time (or, with addtime=false, earliest from the time picker). Also using testmode=true, i still see results as supposed to be. What's wrong? Thanks  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎01-20-2025 03:38 AM
Karma given to
View All