×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dnitschke_splun
Splunk Employee
Member since: ‎05-10-2017
‎08-12-2025
Community Statistics
Posts 10
Solutions 0
Karma Given 2
Karma Received 10
Member Since ‎05-10-2017
Activity Feed
View All

Re: How to edit my inputlookup search to filter ba...

by Splunk Employee in Getting Data In
‎05-02-2020 08:20 AM
‎05-02-2020 08:20 AM
What about creating a subsearch that generates the constraints for the WHERE clause of the inputlookup command. Your requirement 2700<=now()-Last_PA_Send is equivalent to Last_PA_Send<=now()-2700 . | inputlookup my_kvstore WHERE [| makeresults count=1| eval max_delta=now()-2700 | eval search="(Last_PA_send<=" . max_delta . ")" | table search ] ... View more

Re: Filter time-based values from inputlookup by t...

by Splunk Employee in Splunk Dev
‎05-02-2020 08:03 AM
2 Karma
‎05-02-2020 08:03 AM
2 Karma
In case your lookup file contains time in seconds since the epoch, you can also add the time filter into the WHERE clause of inputlookup , e.g. | inputlookup Product_Status.csv WHERE [| makeresults count=1 | addinfo | eval info_max_time=if(info_max_time=="+Infinity", 2147483647, info_max_time) | eval search="( (_time>=" . info_min_time . ") AND (" . "_time<" . info_max_time . ") )" | table search ] ... View more

Re: kvstore, inputlookup and time-bounds

by Splunk Employee in Knowledge Management
‎05-02-2020 07:56 AM
‎05-02-2020 07:56 AM
You can also add the time filter into the WHERE clause of inputlookup , e.g. | inputlookup testkv WHERE [| makeresults count=1 | addinfo | eval info_max_time=if(info_max_time=="+Infinity", 2147483647, info_max_time) | eval search="( (ts>=" . info_min_time . ") AND (" . "ts<" . info_max_time . ") )" | table search ] ... View more

Re: How to filter on KV Store lookup time-based fi...

by Splunk Employee in Splunk Search
‎05-02-2020 07:52 AM
‎05-02-2020 07:52 AM
You can also add the time filter into the WHERE clause of inputlookup , e.g. | inputlookup MyKVstoreName WHERE [| makeresults count=1 | addinfo | eval info_max_time=if(info_max_time=="+Infinity", 2147483647, info_max_time) | eval search="( (MyTimeField>=" . info_min_time . ") AND (" . "MyTimeField<" . info_max_time . ") )" | table search ] ... View more

Re: External link in default.xml - open in new tab...

by Splunk Employee in Splunk Dev
‎01-22-2019 02:25 AM
3 Karma
‎01-22-2019 02:25 AM
3 Karma
In Splunk 7.2.x opening an external link in a new tab from the app navigation bar works. Example data/ui/nav/default.xml file including a link to the Splunk Developer Portal: <nav search_view="search"> <view name="search" default='true' /> <view name="datasets" /> <view name="reports" /> <view name="alerts" /> <view name="dashboards" /> <a href="http://dev.splunk.com/" target="_blank">Splunk Developer Portal</a> </nav> Tested with Chrome 71.0.3578.98, Firefox 64.0.2, Safari 12.0.2 on macOS 10.14.2. ... View more

Re: Splunk default.xml open link in a new tab

by Splunk Employee in Dashboards & Visualizations
‎01-22-2019 02:23 AM
1 Karma
‎01-22-2019 02:23 AM
1 Karma
In Splunk 7.2.x opening an external link in a new tab from the app navigation bar works. Example data/ui/nav/default.xml file including a link to the Splunk Developer Portal: <nav search_view="search"> <view name="search" default='true' /> <view name="datasets" /> <view name="reports" /> <view name="alerts" /> <view name="dashboards" /> <a href="http://dev.splunk.com/" target="_blank">Splunk Developer Portal</a> </nav> Tested with Chrome 71.0.3578.98, Firefox 64.0.2, Safari 12.0.2 on macOS 10.14.2. ... View more

Re: What are the pain points with deploying your S...

by Splunk Employee in Getting Data In
‎01-16-2019 06:17 AM
3 Karma
‎01-16-2019 06:17 AM
3 Karma
According to the documentation, Workload Management is only supported on Linux operating system. https://docs.splunk.com/Documentation/Splunk/latest/Workloads/Requirements ... View more

Ingesting data from Apache Tomcat 7.x

by Splunk Employee in All Apps and Add-ons
‎07-31-2018 11:36 PM
‎07-31-2018 11:36 PM
Hi all, the Splunk Add-on for Tomcat 1.1.0 https://splunkbase.splunk.com/app/2911/ states support for Apache Tomcat 8.x and above. Does this add-on also work with Apache Tomcat 7.x? Any caveats? And what about its companion, the Splunk Add-On for Java Management Extensions 3.2.0 https://splunkbase.splunk.com/app/2647/ to collect performance metrics from Apache Tomcat 7.x? ... View more

Why is the"ping" workflow action not populating "h...

by Splunk Employee in All Apps and Add-ons
‎04-30-2018 03:22 AM
‎04-30-2018 03:22 AM
Executing the "ping" workflow action on, say, the src_ip field neither populates the "host" field nor returns any result. "nslookup", "traceroute", and "whois" workflow actions seem to work fine. Problem is seen with Splunk Enterprise 7.0.3 and 7.1.0. ... View more

Re: bucket roll logging

by Splunk Employee in Deployment Architecture
‎05-10-2017 03:07 AM
1 Karma
‎05-10-2017 03:07 AM
1 Karma
Check if index=_internal sourcetype=splunkd component=BucketMover gives you what you are looking for. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-12-2025 05:09 AM
Karma from
View All
Karma given to
View All