Hi Isaac.Hailperin@lcsystems.ch , Did the issue resolve ? I am facing same kind of issue ... View more

are you talking about https://splunkbase.splunk.com/app/3411/ ... View more

Does the macro has permission level to the same app where the dashboard was created? ... View more

Oh sorry . For next 6 month's , you have to use machine learning. There is a app called ML toolkit. By which you are write various regression techniques and show future data. Or there is a command called predict , you can use that also ... View more

You can use earliest and latest command to isolate the data of 6 month's ... View more

use this **index=_internal source=*metrics.log group="per_host_thruput" | eval GB=kb/1048576 | timechart sum(GB) as "total" by series span=1d limit=0 | appendpipe [stats avg(*) as *]** ... View more

Hi, Can you try it like this your search here | rex field=source "/[^/]+(?<date>\d{8})[^/]+$" It will extract the date out of your file_name then you can compare ... View more

Hi , This happened maybe the file got indexed at that particular day, You can add tz=UTC in props.conf for this one It will be like this [source::\\\\SERVERNAME\\prod-iislogs\...\...\\C*.log] TZ = GMT ... View more

Hi , This usually happens when a forwarder cannot send something to an indexer. Is splunk running on your indexer? Is the input's port open? Can the forwarder connect to the input's port? ... View more

Hi , can you use this **index=_internal source=*metrics.log group="per_host_thruput" | eval GB=kb/1048576 | timechart sum(GB) as "total" by series span=1mon limit=0 | appendpipe [stats avg(*) as *]** and set the time frame on your search for last six months ... View more

Hi , Can you use timechart instead of stats and use span of 1month over there ... View more

can you share the splunkd.log ... View more

Hi , Why don't you try case statements for this one. If the cpu went up to 85% and more then it will store the data in one field and vice versa using eval - eval description=case(status == 200, "OK", status ==404, "Not found", status == 500, "Internal Server Error") http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/ConditionalFunctions#case.28X.2C.22Y.22.2C....29 ... View more

I second you Vijeta ... View more

Hi, Can you share me how much amount of data you are talking about. ... View more

Hi , I have not tried this one yet , but i got some answers for this same issue You can't set a time retention on hot or warm buckets. Only by size in MB. This is one of my huge gripes in Splunk. You can use the Monitoring Console to gain some insight into how much data is in your hot/warm directories (x amount of days, for instance). The only time retention I've found is based on moving data from cold into frozen Link to the original answer : https://answers.splunk.com/answers/501003/could-i-set-the-the-time-limit-on-hotwarm-buckets.html ... View more

Hi , Are you referring to app uninstall ? ... View more

Hi , Please create the alert based on this index=_audit "action=search" search=*delete* ... View more

Hi , Yes, It can be possible . Create an incident or event from an alert using the snow_incident.py or snow_event.py script You can create an incident or event based on an alert. In Splunk Web, click Settings > Searches, Reports, and Alerts. Click New. Set the Destination app to Splunk Add-on for ServiceNow (Splunk_TA_snow). Enter a Search name that describes the alert you want to create. Enter a Search that meets the following criteria: To create an incident, the search must include the mandatory arguments category, short_description, and contact_type. These arguments are required by ServiceNow to create an incident. The Splunk platform passes the arguments through to the alert result to trigger the script. To create an event, the search must include the mandatory arguments node, resource, type, and severity. These arguments are required by ServiceNow to create an event. The Splunk platform passes the arguments to the alert result to trigger the script. The search can include any of the optional arguments supported by ServiceNow incident or event creation. See About the commands and scripts for a table detailing each of these arguments. The search must be in tabular format. The following search is an example that demonstrates how to trigger the script to create an incident when CPU usage is 95 or higher. sourcetype="CPURates" earliest=-5m latest=now | stats avg(CPU) as CPU last(_time) as time by host | where CPU>=95 | eval contact_type="email" | eval ci_identifier=host | eval priority=1 | eval category="Software" | eval subcategory="database" | eval short_description="CPU on ". host ." is at ". CPU | table category, subcategory, short_description, contact_type, ci_identifier, priority The following search is an example that demonstrates how to trigger the script to create an event when CPU usage is 95 or higher: sourcetype="CPURates" earliest=-5m latest=now | stats avg(CPU) as CPU last(_time) as time by host | where CPU>=95 | eval node=host | eval resource="CPU" | eval type="CPUAlert" | eval severity=2 | eval description="CPU on ". host ." is at ". CPU | table time, severity, node, resource, type, description Under Schedule and alert, click Schedule this search. Select values for Schedule type, Run every, Expiration, and Severity according to your alert requirements. Under Alert actions, check the box next to Enable under Run a script. Enter the name of the script in File name of shell script to run. For an incident, enter snow_incident.py For an event, enter snow_event.py Click Save. Please refer to the below document for detailed process https://docs.splunk.com/Documentation/AddOns/released/ServiceNow/Usescriptedalerts ... View more

Hi , I had answered similar query few days ago. Here is my answer , you can use multiple aggregate functions You can use the same search for these optimization issue. I prefer to write it like this. index=indexname | stats dc(yourfield) count(eval(anotherfield=fieldvalue)) by other field names ... View more

I completely agree with valiquet ... View more