Hi guys, I am definitely a Splunk novice. I want to run a search with the Splunk REST API; it is a tstats on a data model. The issue I am facing is that the results take extremely long to return. When I run the same search on the front end it is extremely fast, but via the REST API, for 3 results, it takes between 7-10 min, whereas on the front end it returns the results quickly. My search is structured as follows:

https://<server>:8089/services/search/jobs -d " search= | tstats summariesonly=1 values(<value>) (there are a few values after this) from datamodel=<datamodel name> WHERE (some values for the values option before the from) | head 3" -d earliest= -5m@m -d latest =now -d output_mode=json

So when running an index search on which the data model is built (which is slower on the front end), it returns results as soon as I run the /results endpoint, but the data model search takes extremely long. Any ideas as to what my problem could be? The search does eventually return the results, but it takes very long for the result size I'm requesting.
Hi guys, I'm trying to run a search to the /jobs endpoint. However, I get a bash: syntax error near unexpected token `(' error message. My search has quotes in it for a | rex command, and I tried escaping the quotes with \ but I still seem to get the issue. When using the \ I get a <msg type="ERROR">Unparsable URI-encoded request data</msg> error. My search is structured as follows:

| tstats summariesonly=1 values(<values>) ....(there are a lot of these) from datamodel=<name> WHERE (some values for the previous section) | lookup <lookup> | rex field=<name> "(?<new field name>[^.]{9}$)" ...

There are about 4 lookups in total and 2 rex commands. However, when I try to escape in the rex command I get the Unparsable URI error. Has anybody come across this error before?
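The two REST questions above (the slow data model job and the quoting failure on the rex pattern) both come down to how the search string reaches /services/search/jobs. The following is an added example, not code from the original posts: a small Python client that form-encodes the search with the standard library, creates the job, polls it until it is done, and fetches the results. The host, token, data model, field names and self-signed certificate handling are assumptions for the example.

```python
"""Create a Splunk search job over the REST API and fetch its results (added example)."""
import json
import ssl
import time
import urllib.parse
import urllib.request

# Assumed values: substitute your own search head and an authentication token.
SPLUNK_BASE = "https://splunk.example.com:8089"      # assumption
SPLUNK_TOKEN = "REPLACE_WITH_BEARER_TOKEN"            # assumption

# The double quotes around the rex pattern are ordinary characters in a Python
# string; nothing here passes through a shell, so no backslash escaping is needed.
# The data model and field names are placeholders.
SEARCH = (
    "| tstats summariesonly=1 values(Web.url) AS url "
    "from datamodel=Web WHERE Web.status=200 "
    '| rex field=url "(?<tail>[^.]{9}$)" '
    "| head 3"
)


def build_job_body(search, earliest="-5m@m", latest="now", output_mode="json"):
    """Form-encode the POST body for /services/search/jobs.

    The endpoint expects the search to begin with '|' or 'search'. urlencode()
    percent-encodes '|', '"', '(', '<', '@' and the rest, which is what a
    hand-escaped body gets wrong ('Unparsable URI-encoded request data').
    """
    if not search.lstrip().startswith(("|", "search")):
        search = "search " + search
    params = {
        "search": search,
        "earliest_time": earliest,
        "latest_time": latest,
        "output_mode": output_mode,
    }
    return urllib.parse.urlencode(params).encode()


def parse_sid(response_text):
    """Extract the job id from the JSON body the jobs endpoint returns on create."""
    return json.loads(response_text)["sid"]


def _request(path, body=None, verify_tls=False):
    # verify_tls=False is for a lab instance with a self-signed certificate
    # (assumption); against a production search head leave verification on.
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        SPLUNK_BASE + path, data=body,
        headers={"Authorization": "Bearer " + SPLUNK_TOKEN},
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


def run_search(search, poll_seconds=2):
    """Create the job, wait until the job reports isDone, then return the result rows."""
    sid = parse_sid(_request("/services/search/jobs", build_job_body(search)))
    while True:
        status = json.loads(_request(f"/services/search/jobs/{sid}?output_mode=json"))
        if status["entry"][0]["content"]["isDone"]:
            break
        time.sleep(poll_seconds)
    results = json.loads(
        _request(f"/services/search/jobs/{sid}/results?output_mode=json&count=0")
    )
    return results["results"]


if __name__ == "__main__":
    for row in run_search(SEARCH):
        print(row)
```

If you stay with curl, the `bash: syntax error near unexpected token '('` comes from the shell, not from Splunk: the `(` in the search was not inside quotes. Put the whole search in single quotes and let curl do the encoding, for example `curl -k -H 'Authorization: Bearer <token>' https://<server>:8089/services/search/jobs --data-urlencode 'search=| tstats ... | rex field=<name> "(?<f>[^.]{9}$)"' -d earliest_time=-5m@m -d latest_time=now -d output_mode=json`. Inside single quotes the double quotes need no backslashes, and `--data-urlencode` avoids the unparsable-URI error that hand-escaping produces. Polling the job endpoint as the client above does also tells you whether a slow REST run is still dispatching (`dispatchState` in the status JSON) or has finished and only the results call is slow.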
Hi, thank you very much for your reply. This is for professional use; however, it is not an actual deployment, more of a PoC, and it requires this kind of installation according to the needs of the customer. That being said, it seems the problem was the lack of a Postgres "phantom" database. I then created one and that got rid of that error. However, now I am still getting the error for supervisord. This is the start of the installation, but then it gives this error. In the installation logs I found the following errors. This one I assume I fixed by creating the phantom database in Postgres. Any suggestions?
Hi guys, I tried installing Splunk Phantom as an unprivileged user as per the documentation: https://docs.splunk.com/Documentation/SOARonprem/5.0.1/Install/InstallUnprivileged Although I pretty much get through the process without problems, when I get to the last step I get warnings about storage. The installation does continue and then completes (I think). I then navigate to the ./bin directory and run the ./start_phantom.sh script, but it gives me a connection to Postgres error. Postgres is installed, so I don't know what the issue could be. Note this is a standalone instance of Phantom. Has anyone experienced something similar? Also, I cannot access the frontend, but I assume this is because Phantom is not running.
As it stands, we have an index with high-volume, high-speed data with a couple of extractions and enrichments from lookups. In order to make searching faster we usually populate 1 month's worth of the data in a data model. However, now we need to create a knowledge object that contains stats of that large data index (only some of the fields). What we have done is extended the data model back to as far as we need the data (April) so that we can extract the needed fields from the data model and then pipe them into a summary index. However, I did not know how to stream the results from the data model into the summary index.
Hi guys, I wanted to know if anyone knows whether you can populate a summary index from a data model. The summary index query requires the si* prefix to transforming commands (sistats), but the data model search also requires a tstats command, so they cannot be used in conjunction.
Hi guys, I'm having a problem: the drilldown menu for the panels on my dashboard is disappearing. When I render the dashboard it's there, but when I try to click it, it vanishes. There are no scripts or custom visualizations on the dashboard, so I don't understand why this happens. The permissions are also global for the dashboard.
Hi guys, I want to run a custom Splunk command via a button I can put on the dashboard. I want to do it via a visualization and not by editing the XML. I want it to work like a panel that can be added via the add panel option on the dashboard. I know it should be done via the visualization.js file in a custom visualization, but I would like some help on how to write the visualization_source.js file for it. So the logic is button - visualization.js - custom command. I'm assuming the command will have to be run via REST. Any help is appreciated.
I have an average of 100 events coming into the Splunk _internal index per minute on an instance that is not very busy and is being used by 2 people. I reduced the bucket size to allow the data to roll over sooner to avoid a disk space error. Are there any configurations that I'm missing that could slow down the incoming events?
Hi guys,
Does anyone know why I could be getting this error? It pops up whenever I go to any Splunk control like settings > server controls or settings > data input. I attached the image of the error.
Hi, so I'm having a problem.
I ingested data (and I receive the successful page), but whenever I search for data the index shows up empty / there are no events.
I already checked the license and I'm good with licensing. I have a developer license. I checked the monitoring console and it shows that I did not use any license at all.
So it's very weird, because I am getting a successful ingested message, but then the index is empty and the monitoring console says I did not ingest anything.
Any suggestions as to what the problem could be?
This generates a weird count value. It goes 0, 10, 100, 1000, 10000, 10010, 10020, 10030, whereas what we are looking for is 10, 20, 30, 40, 50 in the count.
How would I find the average value of a certain field per a certain number of events?
Example:
I have 1000 events and in there I have a specific numerical field. What would I do if I wanted an average of every 10 events and wanted to display them in a new table? So my new table will have 100 events now, each entry filled with the average of 10 events.
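The batching the question above asks for is what the SPL pipeline `| streamstats count AS n | eval batch=ceil(n/10) | stats avg(<field>) AS avg, count AS n BY batch` does: number the events in result order, put every 10 consecutive numbers in one batch, then average per batch. As an added example (not from the original post), here is the same computation in Python over a constructed list of events, so the edge cases are visible: a short final batch, and a non-numeric value that `avg()` would also ignore. The field name and sample values are made up for the example.

```python
"""Average a numeric field over fixed-size batches of events (added example)."""
from itertools import islice

# Constructed sample: 25 events with a numeric "bytes" field, one of them malformed.
SAMPLE_EVENTS = [{"_raw": f"event {i}", "bytes": str(i * 100)} for i in range(1, 26)]
SAMPLE_EVENTS[12]["bytes"] = "n/a"   # a value Splunk's avg() would also skip


def batch_averages(events, field, size=10):
    """Group events in arrival order into batches of `size` and average `field`.

    Mirrors  | streamstats count AS n | eval batch=ceil(n/size) | stats avg(field) BY batch
    The last batch may be shorter than `size`; events whose field is missing or
    non-numeric count toward the batch but not toward the average.
    """
    if size < 1:
        raise ValueError("size must be >= 1")
    rows = []
    it = iter(events)
    batch_no = 0
    while True:
        batch = list(islice(it, size))
        if not batch:
            break
        batch_no += 1
        values = []
        for ev in batch:
            try:
                values.append(float(ev[field]))
            except (KeyError, TypeError, ValueError):
                continue          # missing or non-numeric: excluded from the average
        avg = sum(values) / len(values) if values else None
        rows.append({"batch": batch_no, "events": len(batch), "n": len(values), "avg": avg})
    return rows


if __name__ == "__main__":
    for row in batch_averages(SAMPLE_EVENTS, "bytes"):
        print(row)
```

One caveat that applies to the SPL version as well: `streamstats` numbers events in the order the search returns them, which by default is newest first, so add `| sort 0 _time` (or `| reverse`) before the `streamstats` if the batches are meant to be consecutive in time. The count sequence 0, 10, 100, 1000 mentioned in the reply above is what you get when the batch number is built by string concatenation rather than `ceil(n/10)`.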