About uvmk61

uvmk61 · ‎08-22-2019

I have seen suggestions to increase the size in [lookup] # Maximum size of static lookup file to use a in-memory index for. max_memtable_bytes = 200000000 /splunk_home/etc/system/local/limits.conf This has not helped me and I continue to get the message in Lookup Editor - "The file is too big to be edited (must be less than 10 MB)" When I go over the Readme of Lookup Editor, it is noted under Known Limitations section "The lookup editor is limited to editing files up to 10 MB. Files larger than this cannot be edited because it consume too much memory on some browsers." So there is no way around being able to edit a file inside lookup editor larger than 10MB? Thanks!

uvmk61 · ‎08-20-2019

any other suggestions?,any suggestions?

uvmk61 · ‎08-16-2019

have tried [sourcetype_name] INDEXED_EXTRACTIONS = json KV_MODE = none and [yoursourcetype] KV_MODE=XML both of them do not generate the fields we need, which are Name and Value pairs. These are the sample pairs we would like to be able to extract - Pair <Value>2019-07-24 08:51:32</Value> <Name>Scan Date</Name> Pair <Value>2019-07-24 08:51:33</Value> <Name>Indexer Date</Name> The data is a result of a query running on DB Connect App and as it is, the raw event after indexing is all mixed into 1 multi line event with all Name and Value pairs written in single event.

uvmk61 · ‎08-16-2019

have tried [sourcetype_name] INDEXED_EXTRACTIONS = json KV_MODE = none and [yoursourcetype] KV_MODE=XML both of them do not generate the fields we need, which are Name and Value pairs. These are the sample pairs we would like to be able to extract - Pair <Value>2019-07-24 08:51:32</Value> <Name>Scan Date</Name> Pair <Value>2019-07-24 08:51:33</Value> <Name>Indexer Date</Name> The data is a result of a query running on DB Connect App and as it is, the raw event after indexing is all mixed into 1 multi line event with all Name and Value pairs written in single event.

uvmk61 · ‎08-14-2019

Any help is appreciated in parsing the following xml data retrieved from DB connect input. We just need the Name and Value pair either at props.conf sourcetype definition level or through Field Extraction. Below is the sample event (image attached). Thank you! <ArrayOfDocumentIndexFieldValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <DocumentIndexFieldValue ID="812b8dce-7383-425e-b403-11352c417637"> <Value>12345</Value> <TableValue xsi:nil="true" /> <Name>Transaction ID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="ad4611a6-d971-49f3-a775-d9095b4e7fb0"> <Value>ABCD123</Value> <TableValue xsi:nil="true" /> <Name>User</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="277221b1-0a7a-4c53-a1ac-f51c9bad27c0"> <Value>17</Value> <TableValue xsi:nil="true" /> <Name>Business Process ID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="42915916-c309-4c41-bac2-262064b667d4"> <Value>123456</Value> <TableValue xsi:nil="true" /> <Name>CIN</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="83310d99-0f68-45c7-a1d3-b90d842a5764"> <Value>SMITH JOHN</Value> <TableValue xsi:nil="true" /> <Name>Name</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="d60e8b6a-f814-41e8-b34c-0ca0621af200"> <Value>ABCD</Value> <TableValue xsi:nil="true" /> <Name>Scanner ID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="9b0cf138-2e93-4c94-98f4-5f0ebaba38b1"> <Value>1</Value> <TableValue xsi:nil="true" /> <Name>Page Count</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="a5ef5e01-472c-4fa5-b8a6-801c4b90a787"> <Value>ABC001</Value> <TableValue xsi:nil="true" /> <Name>Batch Group</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="6e338002-6a46-4275-83a0-a05d43c9a6eb"> <Value>123_ABC_AllDocuments</Value> <TableValue xsi:nil="true" /> <Name>ProfileName</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="cc4d69bb-9413-47b5-a4a3-99d0218833f1"> <Value>ANNUAL ABCD SNAPSHOT</Value> <TableValue xsi:nil="true" /> <Name>Document Type</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="d2aac869-57c7-4b01-8b77-70286bcc0fa3"> <Value>AB123</Value> <TableValue xsi:nil="true" /> <Name>Document Type ID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="8a657e1a-29b3-43ca-8245-c64ccd103022"> <Value>ABCDEF</Value> <TableValue xsi:nil="true" /> <Name>Document Class</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="d71cd966-0739-4a32-9a9f-a6122c185886"> <Value>True</Value> <TableValue xsi:nil="true" /> <Name>Expedite</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="adbefc35-c740-4400-bbec-b503b0e227a2"> <Value>ADMIN</Value> <TableValue xsi:nil="true" /> <Name>Indexer ID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="69b385dd-8196-4c59-972c-478a0fe9799b"> <Value>DOC1</Value> <TableValue xsi:nil="true" /> <Name>DocID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="64d48d87-6d3e-4363-ab43-ed7b009676d5"> <Value>2019-06-03</Value> <TableValue xsi:nil="true" /> <Name>Financial Date</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="ce821a54-4207-4533-b2c7-56ebac989ca5"> <Value>123456789</Value> <TableValue xsi:nil="true" /> <Name>SSNTIN</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="f993b0c6-d075-43cc-a7c8-4e3ecb92564a"> <Value>JOHN</Value> <TableValue xsi:nil="true" /> <Name>FirstName</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="2925e416-fcaf-4989-b23a-f6b17446c345"> <Value>L</Value> <TableValue xsi:nil="true" /> <Name>MiddleName</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="b5a0cb13-bb76-4d98-9b3c-673ea948a968"> <Value>SMITH</Value> <TableValue xsi:nil="true" /> <Name>LastName</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="10e9ffed-c926-487b-b541-5b0686c9aae2"> <Value>True</Value> <TableValue xsi:nil="true" /> <Name>Active</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="550fa233-b2df-45ba-a7aa-45cc8ce80f59"> <Value>123</Value> <TableValue xsi:nil="true" /> <Name>BusinessProcessID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="cd59aeb6-10ae-45e7-89ef-8d2964655b1a"> <Value>ANNUAL ABCD SNAPSHOT</Value> <TableValue xsi:nil="true" /> <Name>DocTypeDesc</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="b48f0838-f8de-4459-9cc4-2ade712d0bc9"> <Value>False</Value> <TableValue xsi:nil="true" /> <Name>eSignature</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="2646fe10-6c97-48a5-8b4f-009fc6da6e7f"> <Value>False</Value> <TableValue xsi:nil="true" /> <Name>PasswordProtected</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="0047a4f8-095a-44e2-95fc-42aefbb23bce"> <Value>ABCDEF</Value> <TableValue xsi:nil="true" /> <Name>ClassifierId</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="3df55d4d-fb54-4a7a-b0d3-031f19e5638e"> <Value>2019-07-24 08:51:32</Value> <TableValue /> <Name>Transaction Date</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="021a2134-3510-4622-bca6-94df4a3010d7"> <Value>2019-07-24 08:51:32</Value> <TableValue /> <Name>Scan Date</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="2bc3e3f6-8591-4e50-bb0a-76d628a81e14"> <Value>2019-07-24 08:51:33</Value> <TableValue /> <Name>Indexer Date</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="f5337a5d-7b62-496c-a724-8e0df9587a20"> <Value /> <TableValue /> <Name>ABCD Name</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="b5a10c20-a4ce-4730-9148-c61dd05f89a5"> <Value /> <TableValue /> <Name>Expiration Date</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="542f48ca-cb5f-4a3b-a8e8-bd239806f20c"> <Value /> <TableValue /> <Name>Issue Location</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="63b1c6eb-700f-4801-b837-70e6859fdc03"> <Value /> <TableValue /> <Name>Issue Date</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="2d406a58-0603-422d-8d97-69453fb249c9"> <Value /> <TableValue /> <Name>Business Name</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="581f3c46-05c6-42c6-8262-60bd7219c5f4"> <Value>P00100000012345</Value> <TableValue /> <Name>ABCDProcID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="6e488463-5780-4c99-98f0-eb3aa11ba859"> <Value>P0010000001234–123</Value> <TableValue /> <Name>ABCDProcID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="05d8c0ac-4fae-4e64-97c3-0d5edbc0b064"> <Value /> <TableValue /> <Name>RetentionTrigger</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="483d23ca-d2ef-4ac8-9348-f503f4a41813"> <Value /> <TableValue /> <Name>ACSDocId</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="ecb7cacd-ae81-40fa-923b-ef81fcee9599"> <Value /> <TableValue /> <Name>FileNetID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="a8868f3a-9111-4a5d-9bf6-18c6a798967d"> <Value /> <TableValue /> <Name>SecondaryCIN</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="0f6477de-4b61-40e6-b567-32b9974188d7"> <Value /> <TableValue /> <Name>PrimaryABCDCIN</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="170a7ea8-d3ce-429e-9dc3-6543e0322437"> <Value /> <TableValue /> <Name>ABCDID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="dba49278-bb4c-4ca2-9007-bd28b32f4fc9"> <Value /> <TableValue /> <Name>PrimaryABCDCIN</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="c876ff14-ad1a-4f83-b7dc-11780a23886f"> <Value>ABCD123-ABCD123-ABCD123-ABCD-ABCD123.pdf</Value> <TableValue /> <Name>FullFileName</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="6e4ee1a0-993e-453e-a3b1-6708a128cf27"> <Value /> <TableValue /> <Name>OldTransactionID</Name> </DocumentIndexFieldValue> <DocumentIndexFieldValue ID="7be4c600-1113-4ac1-baaa-1718783d40ad"> <Value /> <TableValue /> <Name>ActimizeId</Name> </DocumentIndexFieldValue> </ArrayOfDocumentIndexFieldValue>

uvmk61 · ‎09-12-2018

Hello, Looking for suggestions on how to generate a Splunk report on a network drive. Instead of email with attachment, is there a way to generate a report to be placed on a network share? Thank you!

uvmk61 · ‎09-12-2018

I am trying to trigger an alert based on a value that is in a column. Below is the search I am running |node_details(SERVER NAME) | search Node_ID="Node3" (stats.key="node.cpu.sys.max" OR stats.key="node.cpu.user.max") | eval usage_by = case('stats.key'="node.cpu.user.max", "User", 'stats.key'="node.cpu.sys.max", "System") | eval stats.value = round(('stats.value'/10),1)| timechart span=5m avg(stats.value) by usage_by Basically, I want to alert anytime the System is greater than X. I have tried using customer alert condition and have added where System > 4 But, that has not helped. Can someone recommend a solution please? Thanks

uvmk61 · ‎04-25-2018

Thank you! Now the error still shows within the Chargeback App. The error has disappeared from Search and Reporting App though.

uvmk61 · ‎04-18-2018

We are getting the following error on all clustered peer indexers after installing the Chargeback App. I have run the back-fill searches on all search heads as the App installation instructions suggested. Still getting the error. Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'splunkd' and lookup table 'customers'. Can someone suggest a resolution to this? Thanks

uvmk61 · ‎02-27-2018

I am looking for ideas from Splunk users who provide services of Splunk to their internal customers in the organization. Do you have/can you share an on-boarding form/document/excel template that covers input parameters needed for - - simple log on-boarding - DB Connect - HTTP Event Collector - or any other apps. With this document, you will have persistent on-boarding data that you get from your internal customers. Thank you in advance!

Posts	10
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎04-10-2015

Online Status	Offline
Date Last Visited	‎06-05-2020 02:03 AM

Is there any way can one increase the limit of 10M...

XML Parsing Props.conf

Can I generate report to a shared network location

Can you help me create an alert that triggers when...

Why am I getting the error 'Could not find all of ...

Is there a Sample Data On-Boarding Document Templa...

Is there any way can one increase the limit of 10M...

Re: XML Parsing Props.conf

Re: XML Parsing Props.conf

Re: XML Parsing Props.conf

XML Parsing Props.conf

Can I generate report to a shared network location

Can you help me create an alert that triggers when...

Re: Why am I getting the error 'Could not find all...

Why am I getting the error 'Could not find all of ...

Is there a Sample Data On-Boarding Document Templa...