Hi Splunkers; I'm trying to create a table but can't and don't understand how to do... I'd like to calculate stats avg, max and exactperc90 on 8 fields values adding a by 2 other fields values. my problem is to use as a field value his own field name. I'm not shure my explains are clear, tried to draw it. any one have done this before? Thanks a lot for support. ... View more

Hello, A few days ago I had a problem with an index. The index_size_max was equal to the index_size , with the default setting in the indexes.conf file. Here is the request I used: | rest /services/data/indexes | where disabled = 0 | search NOT title = "_*" | eval currentDBSizeGB = round( currentDBSizeMB / 1024) | where currentDBSizeGB > 0 | table splunk_server title summaryHomePath_expanded minTime maxTime currentDBSizeGB totalEventCount frozenTimePeriodInSecs coldToFrozenDir maxTotalDataSizeMB | rename minTime AS earliest maxTime AS latest summaryHomePath_expanded AS index_path currentDBSizeGB AS index_size totalEventCount AS event_cnt frozenTimePeriodInSecs AS index_retention coldToFrozenDir AS index_path_frozen maxTotalDataSizeMB AS index_size_max title AS index On May 14th AM => -index_max_size set to 512Go -index_size = 500Go -latest data age was "uptodate" -earliest data age was March 19th - 05:11:30 On May 14th PM => -index_max_size set to 1536Go (updated) -index_size = 509Go -latest data age was "uptodate" -earliest data age was March 19th - 05:11:30 (still the same date) On May 18th AM => -index_max_size set to 1536Go -index_size = 524Go -latest data age was "uptodate" -earliest data age was March 19th - 05:11:30 (still the same date) On May 23th AM => -index_max_size set to 1536Go -index_size = 563Go -latest data age was "uptodate" -earliest data age was March 23th - 12:22:28 (not anymore the same date) On May 26th AM => (today) -index_max_size set to 1536Go -index_size = 564Go -latest data age was "uptodate" -earliest data age was March 28th - 06:46:27 (not anymore the same date) Since I've increased the maxTotalDataSizeMB in indexes.conf, I'm still losing the oldest data, but the index is bigger days after days. I also notice that the earliest data ages are not exactly the same between my 2 indexers in my cluster. By default I must keep 1 year of data, and parameters are set for, aka " frozenTimePeriodInSecs = 31557600 " Can anyone help me please? Thanks a lot. P.S. Can someone explain to me why this request gives me information for 2 of 3 indexes I've got? index names are csmsi_supervision_ followed by active , passive or servicenow . "passive" is missing. Thanks. ... View more

Hello; I've searched a few moment and found an answer to my problem... I'd like to understand why my pdf dashbaords expors show "$field1$" instead of "PE0101" (serveur name) in graph title. I found this, here on docs.splunk.com/Documentation/ : => Splunk/6.5.1/Viz/DashboardPDFs#Limitations_to_PDF_generation => Splunk/8.0.3/Viz/DashboardPDFs#Limitations_to_PDF_generation => answers/92805/how-to-change-advance-xml-to-simple-xml.html that it is question of xml format, simple or advanced and variables are not translated into pdf export with advances xml dashboards. Any way i could satisfy myslef but not really. Please see in 1st screenshot that everything is OK in the dashboard called "Backbone PING - Etats des Interfaces" using IHM or pdf export. Please notice in 2nd screenshot that everything is NOT OK in the dashboard called "Backbone PING - Graphes Equipement" using IHM is OK but using pdf export is NOT OK, variables are not set. I use in both dashboards this kind of personnale xml code -form script="custom.js" -set token="timelabel">$label$ I think beeing in advanced xml mode with both dashboards so why the 1st exports variables in pdf and not the 2nd..... ? Thanks for answers. ... View more

Hello; I've got this request running on my searchhead server: Job report : "This search has completed and has returned 1 101 résults by scanning 29 230 690 events in 860,672 seconds" Execution time : 860,672 seconds aka 14 minutes and 20 seconds, running on "previous week" Here is the request: index=csmsi_supervision_active u_ci_name=PE* cmd=check_interface_traffic | fields u_ci_name, svc, ds, traffic_in_bps, traffic_out_bps, if_alias, _time | dedup svc, ds | eval Kbps_In=traffic_in_bps/1000, Kbps_Out=traffic_out_bps/1000, Periode=strftime(_time,"%Y-%V") | rex field=if_alias "(?.*_vers_(?:(?:PE)|(?:P0)|(?:P1)|(?:CE)).*)" | stats avg(Kbps_In) as "In_Moy", exactperc90(Kbps_In) as "In_Perc90", max(Kbps_In) as "In_Max", avg(Kbps_Out) as "Out_Moy", exactperc90(Kbps_Out) as "Out_Perc90", max(Kbps_Out) as "Out_Max" , values(Periode) as "Periode", latest(_time) as "_time" by u_ci_name, rex_if_alias | table Periode u_ci_name rex_if_alias In_Moy In_Perc90 In_Max Out_Moy Out_Perc90 Out_Max _time I read that using accelerated datamodels could reduce my request duration.... So I started to build one... datamodel_name : CSMSI_ARGOSS_Active_Metrics (rebuilt) node_name : metrics node_childs : icmp and traffic are just each one hiding few fields depending witch one I need or not Here is my request using datamodel : |tstats summariesonly=true values(metrics.u_ci_name) as u_ci_name, values(metrics.svc) as svc, values(metrics.ds) as ds, values(metrics.traffic_in_bps) as traffic_in_bps, values(metrics.traffic_out_bps) as traffic_out_bps, values(metrics.if_alias) as if_alias From datamodel=CSMSI_ARGOSS_Active_Metrics Where nodename=metrics u_ci_name=PE* | fields u_ci_name, svc, ds, traffic_in_bps, traffic_out_bps, if_alias, _time | dedup svc, ds | eval Kbps_In=traffic_in_bps/1000, Kbps_Out=traffic_out_bps/1000, Periode=strftime(_time,"%Y-%V") | rex field=if_alias "(?.*_vers_(?:(?:PE)|(?:P0)|(?:P1)|(?:CE)).*)" | stats avg(Kbps_In) as "In_Moy", exactperc90(Kbps_In) as "In_Perc90", max(Kbps_In) as "In_Max", avg(Kbps_Out) as "Out_Moy", exactperc90(Kbps_Out) as "Out_Perc90", max(Kbps_Out) as "Out_Max" , values(Periode) as "Periode", latest(_time) as "_time" by u_ci_name, rex_if_alias | table Periode u_ci_name rex_if_alias In_Moy In_Perc90 In_Max Out_Moy Out_Perc90 Out_Max _time but do not give result (0 results found) in "8 seconds executing time" according to search.log My question is, where is my issue? ps1: 1st time I write this kind of request ps2: I've got other request running on "previous month" and aborting after +2hours by timeout Thanks for helping 😉 ... View more

Hello guys; I'm getting this message in search head : "Dispatch Manager : The minimum free space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch" after researchs on server, i found: - df -h => /opt/splunk full at 91% - 4.2Go free on 47Go (yesterday - 13/01/2020) - df -h => /opt/splunk full at 92% - 3.9Go free on 47Go (today - 14/01/2020) - the bigest directory is : /opt/splunk/var/lib/splunk/csmsi_supervision_active/datamodel_summary => 32Go and is full of directories like 3374-ED6F9A3B-E103-4D86-8F41-xxxxxxxx -the oldest directories are October 16 2019 and lots of them are refreshed each 10 minutes. my questions: is-it safe to delete oldest directories? why the alerte is about another directory than the one i found? best practices are to exand fs ? resize server.conf? delete folders/restart? thanks a lot for helping. ... View more

Hello, Sorry for the language, I'm French. 😉 I'm executing this request with this lookup file: index=xxxxxxxxxx u_ci_group_entity="xxxxxxxxx" cmd=check_interface_traffic | fields svc, ds, u_ci_name, traffic_in_int, traffic_out_int, if_alias | dedup svc, ds | lookup collecte_orange_liste_interfaces_to_transportes u_ci_name if_alias OUTPUT valide group | eval heures_charge = if (valide = "oui" , 0 , 1 ) | search heures_charge = 0 | stats sum(traffic_in_int) as "somme_in", sum(traffic_out_int) as "somme_out", latest(_time) as "_time" by group | eval total_in_out_To=(somme_in+somme_out)/1024/1024/1024/1024, weeknumber=strftime(_time,"%V-%Y") | table _time weeknumber group total_in_out_To My question is: How can I invert lines and columns in the table to get this: The goal is to use outputlookup function to save results in CSV file as 1 line per week. Thanks for helping. ... View more