cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
bwalden_splunk
Splunk Employee
Member since: ‎12-13-2013
‎08-02-2023
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 4
Member Since ‎12-13-2013
Activity Feed
View All

Re: I've done my core certified user certification...

by Splunk Employee in Splunk IT Service Intelligence
‎10-21-2019 01:32 PM
‎10-21-2019 01:32 PM
The ITSI User class (https://www.splunk.com/en_us/training/courses/using-splunk-it-service-intelligence.html) requires fundamentals 1 & 2, so you're fine there. The Implementing ITSI class (https://www.splunk.com/en_us/training/courses/implementing-splunk-it-service-intelligence.html) adds the Splunk System and Data Administration pre-requisites. You'd struggle in the implementing class--recommend taking the admin courses first. ... View more

Re: Why do I only get default indexed fields via R...

by Splunk Employee in Splunk Search
‎05-27-2015 10:01 AM
‎05-27-2015 10:01 AM
Returned to this issue today with a couple ideas, and one of them seems to work. By adding |fields * to the search expression, my SDK searches are now returning full verbose field extractions. Kinda un-intuitive. Gonna play with it some more but looks promising. I guess the idea is to specify the fields you want in the output using the |fields command. bw ... View more

Re: Indexed Real Time Search

by Splunk Employee in Splunk Search
‎04-16-2015 11:51 AM
‎04-16-2015 11:51 AM
the use case is speculative, but I can imagine a customer who likes the resource-saving abilities of indexed realtime, but would like the ability to override it when needed. the default 60 second delay does not go over well with folks running an operations center and wanting an alert to fire as close to realtime as possible. So they'd desire the ability to run "real" realtime searches if needed. ... View more

Indexed Real Time Search

by Splunk Employee in Splunk Search
‎04-16-2015 08:41 AM
1 Karma
‎04-16-2015 08:41 AM
1 Karma
Some questions about indexed rt (http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Aboutrealtimesearches#Indexed_real-time_search) apparently i can't post a link--so search for indexed realtime at splunk docs if you don't know what it is. the docs says setting indexed_realtime_use_by_default = true sets indexed rt to be the "default" behavior. if this is enabled, is there still a way I can run "normal", pre-indexer rt searches, perhaps with some search argument or command? is there a way to make indexed rt the default for a role, but allow other roles to use normal rt? are there any guidelines on best practices for setting indexed_realtime_default_span? thanks, bw ... View more

Why do I only get default indexed fields via REST ...

by Splunk Employee in Splunk Search
‎02-20-2015 11:46 AM
3 Karma
‎02-20-2015 11:46 AM
3 Karma
This is related to http://answers.splunk.com/answers/136754/splunk-sdk-fields.html. I've tried searching via the SDK and also direct to REST endpoints, but my results only return the default indexed fields. For instance: curl -sku admin:changeme https://localhost:8089/servicesNS/admin/search/search/jobs/export -d search="search index=_internal | head" returns these fields: _bkt _cd _indextime _raw _serial _si _sourcetype _subsecond _time host index linecount source sourcetype splunk_server But the same search index=_internal | head in the Splunk Web UI returns many more extracted fields. It does not seem to matter if I use an export, oneshot, or "normal" search. Setting the namespace specifically does not seem to matter either. Any insight appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-02-2023 01:06 PM
Karma from