About iamarkaprabha

iamarkaprabha · ‎12-26-2018

Hi Isaac.Hailperin@lcsystems.ch , Did the issue resolve ? I am facing same kind of issue

iamarkaprabha · ‎10-31-2018

are you talking about https://splunkbase.splunk.com/app/3411/

iamarkaprabha · ‎10-30-2018

Does the macro has permission level to the same app where the dashboard was created?

iamarkaprabha · ‎10-30-2018

Oh sorry . For next 6 month's , you have to use machine learning. There is a app called ML toolkit. By which you are write various regression techniques and show future data. Or there is a command called predict , you can use that also

iamarkaprabha · ‎10-30-2018

You can use earliest and latest command to isolate the data of 6 month's

iamarkaprabha · ‎10-30-2018

use this **index=_internal source=*metrics.log group="per_host_thruput" | eval GB=kb/1048576 | timechart sum(GB) as "total" by series span=1d limit=0 | appendpipe [stats avg(*) as *]**

iamarkaprabha · ‎10-30-2018

Hi, Can you try it like this your search here | rex field=source "/[^/]+(?<date>\d{8})[^/]+$" It will extract the date out of your file_name then you can compare

iamarkaprabha · ‎10-30-2018

Hi , This happened maybe the file got indexed at that particular day, You can add tz=UTC in props.conf for this one It will be like this [source::\\\\SERVERNAME\\prod-iislogs\...\...\\C*.log] TZ = GMT

iamarkaprabha · ‎10-30-2018

Hi , This usually happens when a forwarder cannot send something to an indexer. Is splunk running on your indexer? Is the input's port open? Can the forwarder connect to the input's port?

iamarkaprabha · ‎10-30-2018

Hi , can you use this **index=_internal source=*metrics.log group="per_host_thruput" | eval GB=kb/1048576 | timechart sum(GB) as "total" by series span=1mon limit=0 | appendpipe [stats avg(*) as *]** and set the time frame on your search for last six months

iamarkaprabha · ‎10-29-2018

Hi , Can you use timechart instead of stats and use span of 1month over there

iamarkaprabha · ‎10-29-2018

can you share the splunkd.log

iamarkaprabha · ‎10-29-2018

Hi , Why don't you try case statements for this one. If the cpu went up to 85% and more then it will store the data in one field and vice versa using eval - eval description=case(status == 200, "OK", status ==404, "Not found", status == 500, "Internal Server Error") http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/ConditionalFunctions#case.28X.2C.22Y.22.2C....29

iamarkaprabha · ‎10-29-2018

I second you Vijeta

iamarkaprabha · ‎10-29-2018

Hi, Can you share me how much amount of data you are talking about.

iamarkaprabha · ‎10-29-2018

Hi , here is the solution I found out . It uses a dropdown menu, rather than a button <label>Run query</label> <choice value="1">No</choice> <choice value="2">Yes</choice> <default>1</default> <change> <condition value="1"> <unset token="run_consolidations"></unset> </condition> <condition value="2"> <set token="run_consolidations">dbxquery</set> </condition> </change> <search> <query>| $run_consolidations$ connection=...... The run_consolidations token initially hides the chart and stops the query from running. When set by the dropdown, the chart is shown and query is run.

iamarkaprabha · ‎10-29-2018

Hi , I have not tried this one yet , but i got some answers for this same issue You can't set a time retention on hot or warm buckets. Only by size in MB. This is one of my huge gripes in Splunk. You can use the Monitoring Console to gain some insight into how much data is in your hot/warm directories (x amount of days, for instance). The only time retention I've found is based on moving data from cold into frozen Link to the original answer : https://answers.splunk.com/answers/501003/could-i-set-the-the-time-limit-on-hotwarm-buckets.html

iamarkaprabha · ‎10-28-2018

Hi , Can you check on your job scheduler if today's run of that job has been completed or not. The error you are getting maybe because of that . It can be possible that the job gets completed and returned 0 results. or The job gets skipped for todays run

iamarkaprabha · ‎10-28-2018

Hi , Are you referring to app uninstall ?

iamarkaprabha · ‎10-28-2018

Hi , Please create the alert based on this index=_audit "action=search" search=*delete*

Posts	85
Solutions	18
Karma Given	2
Karma Received	109
Member Since	‎03-09-2017

Online Status	Offline
Date Last Visited	‎11-18-2020 12:05 PM

How to check field values containing an underscore...

Visualization using network diagram approach

Re: Too many open files, despite ulimit of 65536

Re: Phantom app for Dell Secure works?

Re: Query works fine in search, not on dashboard

Re: Using Splunk Enterprise Search and Reporting

Re: Using Splunk Enterprise Search and Reporting

Re: Using Splunk Enterprise Search and Reporting

Re: How do you search for the nearest file within ...

Re: How do you search for the nearest file within ...

Re: TCP output processor has paused data flow

Re: Using Splunk Enterprise Search and Reporting

Re: how to group by month for yearly data.

Re: Error fetching saved searches

Re: How to setup splunk disk space alert(s) for mu...

Re: how to group by month for yearly data.

Re: Online [realtime] integration with WebApp

Re: How do I add a "stop" button to a dashboard?

Re: how to create bucket over a period of 3 days?

Re: help on loadjob command

Re: alert when uninstalling a software

Re: alert when deleting a file