here is the doc, how to update in distributed deployments. https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Iplocation#The_MMDB_file_and_distributed_deployments ... View more

simulating your requirement | makeresults count=100 | eval field1="News" | appendcols [ | makeresults count=10| eval field4="Media" ] | stats count(eval(field1="News")) as f1 count(eval(field1="News" AND field4="Media")) as f4 results as f1 f4 100 10 In your case, try like this ... field1="News" OR field4="Media" | stats count(eval(field1="News")) as Total count(eval(field1="News" AND field4="Media")) as "failed events" ... View more

besides your query I ran this query to see if user executed job is running as owner or user and It found to be running as user instead of owner. here A945sg is owner of report and T945sg is user who is running the report. index=_audit action=search info=granted search=* "T945sg" OR "A945sg" NOT "search_id='scheduler" NOT "search='|history" NOT "user=splunk-system-user" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount>0" | fields user, search, _time, search_id | eval search_id = trim(replace(search_id, "\'", "")) | join search_id [ | rest /services/search/jobs splunk_server=local | search NOT author="splunk-system-user" | search author="T945sg" OR author="A945sg" | rename custom.search as customSearch, sid AS search_id | eval SearchString=if(isnotnull(customSearch),customSearch,eventSearch) | search SearchString!="" | eval search_id = trim(replace(search_id, "\'", "")) ] | table _time,author,eai:acl.owner, user,search,eai:acl.app,isSavedSearch,resultCount,search_id my primary concern is why user is not seeing results when job is set to run as owner privileges. NOTE: user is restricted to access to index directly that is used in report. ... View more

I mean I can see that I am the owner of the object. But how to see when the user running my report is running as owner permissions instead user permissions. Because user is unable to see the report results when running as owner. ... View more

sorry it was typo, there is no "userID=" and B* is only once. see query now. yes I am aware that match treats as regex.this is not my exact query I tried to clone my problem with simple syntax here. thanks for your recommendation. based on my observation I don't think issue is with LIKE or match() or both because like I said results are not varying when I assign _raw to any field and use that in case statement. seems like issue is only when I use _raw. hence I wanted to know if anyone have faced similar issue while using _raw field. ... View more

most scripted commands are available under SPLUNK_HOME/etc/apps/search/bin including xmlkv.py. So ensure your user role is readable on default search&reporting app. If you do not want user to use default search app then copy xmlkv.py to your custom search home app bin directory. ... View more

any updates on this issue please?? ... View more

any updates on this issue please?? ... View more

use dedup on max value and time. It will show first value for each time span. ... View more

Look for searches using rest command(probably in ONTAP Collection Configuration dashboard) and try to add splunk_server value=local or "your indexer servername" ... View more

try this | rest splunk_server=local /services/search/jobs ... View more

specify argument splunk_server="local" or your "indexer url" to your rest call. ... View more

RPC server runs on port 9998 by default, make sure its not used by any other service. If it is being used by some other service, then edit inputs.conf file in dbx app to change default port to unused port and restart splunk. ... View more

this works for me on Splunk 5.0.5: <param name="charting.chart.sliceCollapsingThreshold">0</param> OR <param name="charting.chart.sliceCollapsingThreshold">0.00</param> and this don't <option name="charting.chart.sliceCollapsingThreshold">0</option> ... View more

not sure if it works, but did you try to use eval with case or if statements ... View more

Try as below.. base search | lookup "first-lookup.csv" field1 as field-from-splunk OUTPUT output-field as output-field | lookup "second_lookup.csv" field-in-2ndcsv as output-field OUTPUT final-field-from-2ndCsv as Final_output_field here "output-field" from first lookup and "output-field" in second lookup should match. ... View more

If you are looking only to use single query and reduce processing time, then you can try postprocess as below. Postprocess is used if your base search is trying to retrieve same events for two different results. In your case If all your fields(1 to 4) are from same base query then you can try this. your base search : search /my/huge/query/with/lot/of/evals/and/joins | stats count by field1,field2,field3,field4 portprocess 1 | chart avg(field3) as AVG by field1 postprocess 2 | chart avg(field4) as AVG by field2 For more info on postprocess you can refer on below link. http://docs.splunk.com/Documentation/Splunk/6.2.1/AdvancedDev/PostProcess OR If you want to merge results to same chart then you can use "append " as explained by #somesoni2, I suspect the raw events are retrieved twice from disk , once for inner search and once for outer search. You can inspect the search query results. ... View more

you can refer here, using SEDCMD , REGEX in props.conf and transforms.conf file in $SPLUNK_HOME/etc/system/local/ directory http://docs.splunk.com/Documentation/Splunk/6.2.1/Data/Anonymizedatausingconfigurationfiles ... View more

Not sure if this is resolved, but posting my answer ur basesearch | transaction api_transaction startswith="api_request" endswith="api_response" unifyends=true this transaction will make sure, it MUST contain both startwith and endswith and ignores the events if either request or response is not present in any any transaction even it is present during the specified time span. ... View more