1. Golden shovel for you 😉 You're responding to a 13 years old post. 2. <p> tag contains a paragraph of text. Linebreaks are not rendered and spaces can (depending on css settings) be squished together. Either split your text into multiple paragraphs (separate <p> tags), break the text with <br> linebreaks or indeed use a preformatted block. ... View more

ES Cannot be installed in a cluster on Windows, it only supports standalone ES search heads. https://docs.splunk.com/Documentation/ES/latest/RN/Limitations ... View more

Exactly what I needed and all I had to do was substitute my field names.  Worked like a charm.  Karma for you.  Thanks ! ... View more

Most Simplified Explanation != is a field expression that returns every event that has a value in the field, where that value does not match the value you specify. Events that do not have a value in the field are not included in the results. For example, if you search for Location!="Calaveras Farms", events that do not have Calaveras Farms as the Location are returned. Events that do not have Location value are not included in the results. On the other hand, NOT is an operator that returns every event except the events that contain the value you specify. This includes events that do not have a value in the field. For example, if you search using:  NOT Location="Calaveras Farms", every event is returned except the events that contain the value “Calaveras Farms”. This includes events that do not have a Location value.   Here’s an example to illustrate the difference between the two methods. Suppose you have the following events: Table   ID Name Color Location 101M3 McIntosh Chestnut Marin Meadows 104F5 Lyra Bay   104M6 Rutherford Dun Placer Pastures 101F2 Rarity   Marin Meadows 102M7 Dash Black Calaveras Farms 102M1 Roan     101F6   Chestnut Marin Meadows 104F4 Pinkie Sorrel Placer Pastures If you search with Location!="Calaveras Farms", every event that has a value in the Location field, where that value does not match Calaveras Farms, is returned. Events that do not have a value in the Location field are not included in the results. The following events are returned: Output Table   ID Name Color Location 101M3 McIntosh Chestnut Marin Meadows 104M6 Rutherford Dun Placer Pastures 101F2 Rarity   Marin Meadows 101F6   Chestnut Marin Meadows 104F4 Pinkie Sorrel Placer Pastures   If you search with NOT Location="Calaveras Farms", every event is returned except the events that contain the value Calaveras Farms. This includes events that do not have a Location value. The following events are returned: Output Table   ID Name Color Location 101M3 McIntosh Chestnut Marin Meadows 104F5 Lyra Bay   104M6 Rutherford Dun Placer Pastures 101F2 Rarity   Marin Meadows 102M1 Roan     101F6   Chestnut Marin Meadows 104F4 Pinkie Sorrel Placer Pastures ... View more

To perform rolling restart of SH cluster use, splunk rolling-restart shcluster-members To check the current status of rolling restart use,  splunk rolling-restart shcluster-members -status 1 ... View more

This query can be further modified into this: index="_internal" source="*metrics.log" per_index_thruput series=* NOT ingest_pipe=* |stats sum(kb) as kb values(host) as host by series however this query will also show the amount of KBs being logged into indexes via summary indexing (sourcetype=stash), which is supposed to be not charged. Hence, I would prefer this query: index=_internal type=usage idx IN (*) source="*license_usage.log" NOT (h="" OR h=" ") ... View more

schedule_search is all you need from my experience ... View more

The beauty of this site! Some things (troubleshooting) never change hahaha Thanks so much for contributing!  ... View more

You can now even do it simpeler:   | tstats [ search index=<your_index> | stats first(*) as * | transpose | fields column | search column!="index" column!="splunk_server" column!="splunk_server_group" | mvcombine column | eval expr="count(".mvjoin(column,"), count(").")" | return $expr] where index=<your_index> | transpose | where 'row 1'>0 | rex field=column "count\((?<indexed_field_name>.*)\)" | fields indexed_field_name I came to this solution via this thread and https://community.splunk.com/t5/Splunk-Search/How-do-you-prevent-the-map-command-from-encapsulating-the/m-p/435102 . The 3 values for column needed to be excluded, otherwise tstats tells you it can't do that count function for those fields.   ... View more

I too had the problem and I sorted using a simple trick.  Instead of timechart or chart use stats. for the time value, you can use time extract command Note - Remember to select CumulativeTotal as chart overlay to better show the graph in your search panel. Here is how you can achieve -  index=<indexname> sourcetype=<sourcetypename> <<search string>> | eval HourMinute=strftime(_time, "%m/%d %H%p") | stats count(_raw) as count by HourMinute | appendcols [searchindex=<indexname> sourcetype=<sourcetypename> <<search string>> | eval HourMinute=strftime(_time, "%m/%d %H%p") | stats count(_raw) as count by HourMinute |streamstats sum(count) as CumulativeTotal ] ... View more

This works for the raw data ... meaning so long as you aren't doing sourcetype renaming at search time. Tstats only looks at the raw data so it cannot see anything that happens search time. Sourcetype | tstats count where index=* OR index=_* by index, sourcetype | fields - count | sort index Source | tstats count where index=* OR index=_* by index, source | fields - count | sort index ... View more

Search time normalization of mac addresses. This will convert any mac format to XX:XX:XX:XX:XX:XX  One liner:   | rex mode=sed field=mac "s/[^0-9a-fA-F]//g s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/g y/abcdef/ABCDEF/"   Other versions:   | rex mode=sed field=mac "s/[^0-9a-fA-F]//g" | eval mac=upper(replace(mac, "(..)(..)(..)(..)(..)(..)", "\1:\2:\3:\4:\5:\6"))     | rex mode=sed field=mac "s/[^0-9a-fA-F]//g s/(..)(..)(..)(..)(..)(..)/\1:\2:\3:\4:\5:\6/g" | eval mac=upper(mac)   ... View more

@mpflugfelder    Did you ever find an answer to this? I'm running into the EXACT same scenario with my Openshift environment. Seeing that explination answers a lot about what I'm seeing, as I can't seem to get it to "re-sourcetype" my data. I do see a potential answer in CLONE_SOURCETYPE, but I am afraid that will double up the events, and I'd want to discard the original (and only if the second one contained all the metadata from the first). ... View more

Hi, super long shot, but was a solution ever found to this? We seem to be having this issue right now. Last week all the host fields were parsed to include the domain part, this week they are back to being hostname only. I've compared 2 logs from the same host, with the same event ID. The only difference I can see in the logs is that dvc_nt_host is different between the 2, while dvc is the fqdn on both. Which is super off because this line is in the props.conf of the Windows TA app  FIELDALIAS-dvc = host as dvc, host as dvc_nt_host   ... View more

Hey @bsayatovic , Did you happen to find a solution for the prefix wildcard? I am running into same issue, so wondering if you found a way around it. ... View more

For Splunk 7 & 8 at least: To get the daily ingestion per indexer with the hostname rather than the GUID following your time range picker selection.     index=_telemetry source=*license_usage_summary.log* type="RolloverSummary" | join type=inner slave [ | rest /servicesNS/-/-/search/distributed/peers splunk_server=local | table guid host | rename guid AS slave ] | search host=*PATTERN* | timechart span=1d eval(round(latest(b) / 1024 / 1024 / 1024, 3)) AS sizeGB BY host useother=f     Replace PATTERN by your indexers hostname convention. ... View more

From 8.1 + : You can now use a more intuitive and better readable Syntax like index=main mysearchterm ```This is a comment``` | stats count by host   ... View more

Hi @_d_,  ./splunk clean eventdata _thefishbucket is wrong command it will delete all data from all indexes in Splunk instance. Please use ./splunk clean eventdata -index  _thefishbucket  to clean the fishbucket only.   ... View more

Hi - can you please paste the solution? The link is not resolving to the stanza. ... View more

Using printf conversion function this is possible using something like printf("%04d",fieldName) . Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ConversionFunctions#Flag_characters Following is a run anywhere example: | makeresults | fields - _time | eval data=1 | eval padded_data= printf("%04d",data) ... View more

I'm on the cli of the indexer, not the cluster master. as indexers aren't search peers of the cluster master, the above rest command won't work. Thanks though. ... View more

That looks like it would work well - I assume you've tested it. Perhaps (eventTZmin-nowTZmin)*60 would make it easier to read ... View more