Hi I want splunk to populate _time field with value from file name. for ex my file name is ABC_20140131 I want _time field with value 01/31/2014. I looked http://blogs.splunk.com/2009/12/02/configure-splunk-to-pull-a-date-out-of-a-non-standard-filename/ and tried the configerations exaplined .But still I am getting _time as current time. My changes are as follows. etc\system\default\props.config [host::DateFormat] DATETIME_CONFIG =/etc/system/local/datetime.xml TIME_PREFIX=ABC_ MAX_TIMESTAMP_LOOKAHEAD=20 TIME_FORMAT = %Y%m%d datetime.xml <define name="_isodate" extract="year, month, day"> <text><![CDATA[source::ABC_\d{4}\d{2}\d{2}.*]]></text> </define> <datePatterns> <use name="_isodate"/> </datePatterns> Did I miss anything or can somebody give some suggestions on this. ... View more

I have created a new data input using files and directories option in splunk web. I have put 3 excel files. Later I have found some errors in files and I have deleted the host using host=A |delete command. Later I try to recreated data source with same excel files. This time host is not populating and displaying in search. Any idea why this is happening. ... View more

My search sting is like: host=A|rename "ERC" TO EMPLOYERCODE|join EMPLOYERCODE [search host= B|rename EMPLOYER_CODE TO EMPLOYERCODE ]|timechart span=1d sum(Visits) AS Visit, count(USER_NAME) AS User by EMPLOYERCODE| eval avg=Visit/User|table _time,avg. My purpose is to generate a timechart with avg in y axis. I am unable to display the avg in timechart. I am getting blank in average when using the above.Can you help me. ... View more

Hi All, This is a repeated question.I am posting it again because I cant find a solution. I have 2 data sets which contain a common data.(Columns names are different in 2 data set). Ex: Data1 Data2 EmpId EId Name Visit Age EmpId and EId are columns I want to join. In Data1 and Data2 have one to many relations. Both of this data set will be loaded in splunk on daily basis.So I want to join them and show the result on a day by basis (like timechart does). Ie I want to join today's Data1 with today's Data2. I tired below things but both of them doesn't work out. 1)host=Data1 OR Data2| eval employerCode = if(host="Data1","EId", employer_code) |transaction employerCode maxspan=1d 2)host=Data1|join EmpId [search host=Data2 | eval "EId"=EmpId]|eventstats ..... can anybody help me? ... View more

Hi All, I have a configured a folder to read csv files. My csv files column will be in same format. Consider I have 2 csv say 1 and 2.These excels are loaded into folder at different dates. Example. 1.csv (loading date yesterday) Id Status 1 DEV 2 QA 2.csv (loading date today) Id Status 1 PROD 2 PROD Instead of splunk showing all the data I want to show the last status of an Id. Ie since the status of id's 1 and 2 are changed to PROD i want to show that status only. Is it possible. One option i can see is search the column with latest time. Did we have any configuration we can set at data loading time itself to achieve this. ... View more

Hi HostA contains employer_code like (A,B,C,D,E,F,G) HostB contains ER Code like (A,A,B,D,D) I am trying to join 2 data sources with below query. host=HostA|join employer_code [search host=HostB| eval "ER Code"=employer_code] I am not getting result like inner join in SQL. Can anybody help.Is there any other way to solve this issue rather than join? Can we achieve this by sub search? ... View more

Hi If I feel difficult to achieve the search result in a single search,is there any way to do it in multiple steps like plsql procedures? I mean i have 2 search result from 2 different sources and i want to merge the result is there any way? i tried to join data but it will not solve my requirements. ... View more

My search string is host=ABC| append [search host=DEF]|stats sum(V) by "ER Code" Can I have a count function also with search.Count should by calculated based on another field. Ex:host=ABC| append [search host=DEF]|stats sum(V) by "ER Code"|stats count(I) by "User" Is it possible to achieve this result. ... View more

My search string is (host=ABC AND "Emp Code"=inputString) OR (host=joinHost AND "EMPLOYER_CODE"=inputString) Can I have a common varible in place of inputString. I tried using using eval like below. eval inupt=inputString|(host=ABC AND "Emp Code"=inputString) OR (host=joinHost AND "EMPLOYER_CODE"=inputString) But not getting result. Any help ... View more

How can we find the distinct values inside a grouped values. I use transaction to group data.Now i want to find count(filed2) for each grouped data. host=A|transaction "field1"|stats count("field2") but not return the appropriate result. Can anybody help. ... View more

I have host A and B.Both of this host have different _time values.Can I use _time from Host A only? How can i do this? My purpose is to generate a timechart. ... View more

How can I join and group data from 2 different hosts. Say I have HostA , HostB and ID as common field in 2 hosts. I want to join 2 hosts by Id and group them and do further processing on grouped result. Ex: In HostA I have id 10 repeating 1 time and in HostB id 10 is repeating 10 times. I want to know how may times id 10 occurs in HostA and HostB. How can I achieve this. Like this different Ids are in 2 hosts. For each ID I want to find the value. ... View more

How can i add a navigation menu to search options in splunk web 6. Ie when i click search in home page i can see pivot,report,alerts etc. I want to add one like that . ... View more

I have added a folder to read CSV files through data input >files and directory option. It seems that when I add a new file it needs splunk instance to restart to take up that file. Can we configure splunk to read the file automatically when new file is placed into folder. ... View more