Another alternative would be to use the SQL UNION operator. So you'd have a single dbxquery that executed the SQL statement select count(bug_id) as "Total Defects" from bug UNION select count(bug_status) as "Open defects" from bug where bug_status='Open' UNION select count(bug_status) as "Open defects" from bug where bug_status='Close' Regards Dave ... View more

maybe this video about creating alerts will help https://www.youtube.com/watch?annotation_id=annotation_2942967387&feature=iv&src_vid=SuARLqm7_jc&v=0REbozaALX0 Dave ... View more

Hi How have you determined that the events are being sent to the indexer? Could it be that the date format of the events is being misinterpreted and the events indexed today from the Domain Controllers are being indexed with a timestamp of 10 February 2017? Dave ... View more

There were a couple of sessions at .conf2016 that were recorded, regarding running Splunk as a Docker image and monitoring/troubleshooting Docker images. There were more sessions at .conf2017 regarding Docker and Splunk, but I've no idea if they were recorded, and if they were when they may be made available. Dave ... View more

The section Add navigation to a Splunk app in the documentation should help you change the names in the app bar. Dave ... View more

What version of DB Connect are you trying to run? Dave ... View more

Hopefully this will give you some ideas on how to do that Dave ... View more

The documentation covers timestamp recognition. I suspect you will need to specifically define a TIME_FORMAT attribute for this data, so that Splunk can correctly interpret the timestamp in the event. Dave ... View more

Mmmm, the events stopped indexing at the end of the month. I suspect there may be a timestamp mismatch and the events for 1st July were indexed with a date of 7th January, the events for 2nd July were indexed with a date of 7th February. Will these events magically start indexing tonight at midnight? Dave ... View more

My initial thought is that this sounds like it may be a permissions related issue. What version of DBConnect are you running? Have you checked the DBConnect logs for entries relating to the dbxlookup command? Whatever version of DBConnect you're running check the Troubleshooting section of the documentation to see what is logged and where. Have you tried setting the DBConnect logging to DEBUG? Is the dashboard in the same app as your working dbxlookup search? Dave ... View more

I've used both the Pinger and Website Monitor apps in the past to periodically ping an IP address. Dave ... View more

I don't see a negative number when I try the calculation. However, one thing is puzzling me, %I is the hour in a 12 hour clock notation. To uniquely identify the hour wouldn't you also require the AM/PM portion of the timestamp. ... View more

In the command prompt window, and from the bin subdirectory mentioned by gmchenry can you enter the command splunk status Does that say splunkd is in a Running or a Stopped state? I had a similar problem some time ago whereby Splunkd had crashed, and so was in a stopped state, but it hadn't cleaned up all its child processes. This left at least one orphan process which maintained its association with port 8089. I think the root cause of my particular problem (SPL-86939) was fixed in 6.1.4. It is also possible that a process totally unrelated to Splunk is also needing to use port 8089 and so the two are programs are conflicting over port 8089. If that's the case you'll need to change one of the programs to use a different port. To find the process that is associated with a port you can use the netstat command netstat -ano This blog item may help you identify the process that is associated with the port (I've not tested the details in the blog item, and so can't comment on its validity). ... View more

OK so the msg field is present is it the substr that's failing or is it the concatenating of the '...' that's failing? What does the following produce? index="web_rev3" _index_earliest=-15m@m _index_latest=now (level=ERROR OR level=FATAL) | head 1 | eval msg=substr(msg,1, 300) | table _time index msg ... View more

Can you provide some examples of how the data may appear in the original file, and how that data should then be indexed by Splunk? ... View more

I think there's a typo in the fieldformat command. It probably should read your current search | fieldformat _time=strftime(_time,"%Y-%m") Dave ... View more

Hopefully this answer will give you some clues. You can also look at the time modifiers section in the Search manual Dave ... View more

Have you checked the DB Connect logs for instances of your query being scheduled? You may need to change the logging level to DEBUG to get additional diagnostics. Dave ... View more

Should the query attribute be query = SELECT * FROM "Sitecore.Logging"."dbo"."Log" where id > ? order by id in your statement you haven't specified which columns you want to select Dave ... View more

An alternative could be to use the transaction SPL command. In the link it states the transaction command adds two fields to the raw events, duration and eventcount. The values in the duration field show the difference between the timestamps for the first and last events in the transaction. The values in the eventcount field show the number of events in the transaction. So as starting point you could try index=whatever sourcetype=whichever | transaction ticketid | table ticketid duration eventcount Dave ... View more

The example in the documentation for getServerTimezoneOffset() is var serverOffsetSeconds = Splunk.util.getServerTimezoneOffset(); Could it be that you are just missing the var declaration Dave ... View more

The Knowledge Manager documentation states By default, Splunk software creates each data model acceleration summary on the indexer, parallel to the bucket or buckets that cover the range of time over which the summary spans, whether the buckets that fall within that range are hot, warm, or cold. If a bucket within the summary range moves to frozen status, Splunk software removes the summary information that corresponds with the bucket when it deletes or archives the data within the bucket. So from that I'd say they are tied together. Dave ... View more

I think your main problem is that you are trying to do this on the UF. It needs to be done using a heavy forwarder or on the indexer. For filtering take a look at Filter event data and send to queues in the documentation Dave ... View more

Hi Harry The documentation walks you through how to do this using what Splunk call lookups. Dave ... View more