cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
doubleIQ
Engager
Member since: ‎08-21-2012
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎08-21-2012
Activity Feed
View All

How to index the correct timestamp from a log that...

by in Getting Data In
‎10-05-2014 10:24 PM
1 Karma
‎10-05-2014 10:24 PM
1 Karma
Hi guys, I have a log file that occasionally logs an event which contains two dates. For example, like this: 2014-10-02 00:25:28.592991+10~^~log_name~^~WARNING: Message for 01st October 2014 etc etc there is missing data~^~2~^~function_name~^~~^~database_name~^~role_name~^~~^~server~^~ The first part of the log entry is the exact time that the message gets logged, so in this case, it's 2nd October at 12:25am. The next part starting with "Warning..." is just an error message that i want to report on, and it contains a date (1st October 2014). The problem i am having is that Splunk is reading "01st October 2014" from the information, and indexing it for that time, and not the correct time on 2nd October. So basically, being brief, the log entry should be getting indexed for the 2nd October, 2014 at 00:25:28am, but it is instead getting indexed for 1st October, 2014 at 00:25:28am. This is causing issues with my alerts that are running etc Does anyone know how i can get Splunk to not read second date and to index on the first date occurance only? If i haven't made something clear please let me know. Your help is much appreciated. thanks ... View more

Re: Running one part of search if first part is tr...

by in Splunk Search
‎12-09-2013 09:51 PM
‎12-09-2013 09:51 PM
Thanks Kristian, worked a treat 🙂 ... View more

Running one part of search if first part is true?

by in Splunk Search
‎12-05-2013 08:52 PM
1 Karma
‎12-05-2013 08:52 PM
1 Karma
Hi guys, just a quick and hopefully simple question. Trying to figure out how to do this if possible but can't seem to figure it out. Im running a search which returns how much splunk has currently indexed for the day: index=_internal source=*license_usage.log pool="auto_generated_pool_enterprise" NOT "RolloverSummary" earliest=@d | eval MB=(b/1024/1024) |stats sum(MB) AS MBUsed This query places the amount in MB indexed since midnight into MBUsed. What i would like to do, is run this following query if the above query if MBUsed > 500Mb. index=_internal source=*license_usage.log pool="auto_generated_pool_enterprise" NOT "RolloverSummary" earliest=-30d@d | eval MB=(b/1024/1024) | stats sum(MB) AS MBUsed by date_mday, date_month | Where MBUsed > 500 | stats count as TotalOvers This query simply sums MB used per day over the last month then just counts the days that have indexed over 500. So basically what i would like to do, is if the amount indexed is over 500Mb, then to run the second search to show me how many times the license limit has been breached in the last month. The two queries work when run seperately, im just unsure how to piece them together or if its possible. Hope that makes sense. Thanks for the help 🙂 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All
Karma given to
View All