×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
splunkatl
Path Finder
Member since: ‎01-25-2012
‎06-05-2020
Community Statistics
Posts 16
Solutions 1
Karma Given 0
Karma Received 4
Member Since ‎01-25-2012
Activity Feed
Topics I've Started
View All

Re: system local folder vs forwarder local folder

by SplunkTrust in Getting Data In
‎06-26-2015 02:40 AM
2 Karma
‎06-26-2015 02:40 AM
2 Karma
This should add some clarity: http://docs.splunk.com/Documentation/Splunk/6.2.3/admin/Wheretofindtheconfigurationfiles ... View more

Re: How to get the sourcetype size in index.

by Splunk Employee in Splunk Search
‎12-10-2012 02:28 PM
2 Karma
‎12-10-2012 02:28 PM
2 Karma
You can find that search here: http://wiki.splunk.com/Community:TroubleshootingIndexedDataVolume Counting event sizes over a time range Roughly, you can run a search where you look at all (or some) data over a range of indexed_time values, counting up the size of the actual events. For example, where the endpoints START_TIME and END_TIME are numbers in seconds from the start of unix epoch, the search would be indexed_time>START_TIME indexed_time<END_TIME |eval event_size=len(_raw) | stats sum(event_size) This is a slow and expensive search, but when you really need to know, can be valuable. It must be run across a time range that can contain all possible events that were indexed at that time -- meaning regardless of timestamp regularity. Typically this means it must be run over all time. The stats computationg as well as initial filters can of course be adjusted to look at the problem more closely. ... View more

Re: Anonymize the sensitive data no gaurantee in ...

by Splunk Employee in Getting Data In
‎10-18-2012 10:44 PM
‎10-18-2012 10:44 PM
Try this: REGEX =(?msi)^(.*?)xxxPasswordData:\s(.+?)(replace.*) FORMAT = $1xxxPasswordData:################==\n$3 Hope this helps, d. ... View more

Re: How to fake field values

by in Splunk Search
‎10-09-2012 10:40 AM
‎10-09-2012 10:40 AM
this works awesome. Thanks for prompt response Here are the Steps I followed 1)Created ldap_errcodes.csv as below err,ldaperr_description 1,Operations error 2,Protocol error 2)uploaded this file to Manger>Lookups>Look up table files 3) gave the search err| lookup ldap_errcodes.csv err OUTPUT ldaperr_description |top err,ldaperr_description ... View more

Re: How to increase textfield size in formsearch

by in All Apps and Add-ons
‎05-12-2016 04:31 PM
‎05-12-2016 04:31 PM
Hi @nabeel652 The post wasn't properly formatted. I just edited it to render the code properly. Do keep in mind though that this post is almost 4 years old and the solution might not be relevant to more current Splunk versions ... View more

Re: MUST_BREAK_AFTER -How to give for multiple val...

by Splunk Employee in Splunk Search
‎09-07-2012 09:59 AM
‎09-07-2012 09:59 AM
Right, so something kind of like this I think: MUST_BREAK_AFTER = (SignaturePolicy:\sBINDING_DEFAULT$)|(SignatureStatus:\sBINDING_DEFAULT$)|(EXCEPTION) ... View more

Re: unable to find tag

by Splunk Employee in Knowledge Management
‎09-06-2012 11:43 PM
2 Karma
‎09-06-2012 11:43 PM
2 Karma
Probably you have an eventtype that references that tag. ... View more

Re: Unable to get sample events: local variable 'f...

by in Knowledge Management
‎09-23-2013 09:15 PM
‎09-23-2013 09:15 PM
splunk 5.0.5 may solve this problem: Search head pooling: Build event type page shows error: "Unable to get sample events: local variable 'f' referenced before assignment". (SPL-70870) ... View more

Re: Transforms and props files on splunk universa...

by SplunkTrust in Getting Data In
‎12-05-2015 03:55 AM
1 Karma
‎12-05-2015 03:55 AM
1 Karma
Indexed_extractions must be done on the universal forwarder. This answer is for folks using indexed_extractions only. If you're struggling getting your props to work, you might consider placing it on the UF now. http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/Configurationparametersandthedatapipeline Data pipeline phase --- Components that can perform this role Input --- indexer , universal forwarder , heavy forwarder Parsing ---- indexer, heavy forwarder, light/universal forwarder (in conjunction with the INDEXED_EXTRACTIONS attribute only) Indexing ---indexer Search ---indexer,search head ... View more

Re: charting customization

by in Splunk Search
‎05-21-2012 10:56 AM
‎05-21-2012 10:56 AM
May I suggest that you re-scale the field, since you are looking for results in seconds? index="xyz" | eval duration = round(TRANSACTION_DURATION/1000,0) | chart count by duration span=50 You would also need to update the axisTitleX.text in the XML to DURATION(SEC) BTW, if you want to show it in MS, then I think your span needs to be 50000 not 500. ... View more

Re: question on "local" folder

by in Splunk Search
‎01-23-2013 02:47 PM
‎01-23-2013 02:47 PM
No, that is for regular app contents only. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
View All