I think this might require subsearching, but I would be intrigued to see if someone can come up with a more elegant solution than subsearching.
Has anyone used ammap without a lookup? The necessary fields exist in my results and I'd like to bypass creating a lookup. See the link below.
http://splunk-base.splunk.com/answers/28740/use-ammap-without-a-lookup
amMap works fine using a lookup, but what if the data already has the client_city, client_region, client_country, client_lon, and client_lat in the events as fields?
I would like to map these events without generating a lookup table.
In our case we see the issue when we go from one Solaris (running a ZFS filesystem) to another Solaris box (running a ZFS filesystem). It is mostly an x86 Solaris (deployment server) to SPARC Solaris (deployment clients), but I don't think that would matter.
Enabling the apps isn't the issue we are seeing; it's granting execute permissions on the scripts.
Just a side note, our deployment server(s) are Solaris servers.
I'm also interested. I would like to remove the message "Subsearches of a real-time search run over all-time unless explicit time bounds are specified within the subsearch."
Thanks for the links, Lowell. Unfortunately, I don't think they will work for me since I'm using the "transaction" operator (which will have multiple _cd values).
What I'm doing is running a search that looks at all the commands logged by a user on a networking device and puts them into a single transaction. The user then needs to put an explanation and a ticket number to go along with the transaction. I'll open an enhancement request.
A user would like to click on the down arrow to the left of an event and leave a comment. I think I have seen this demoed in ESS. Is there a simple way to implement it?
I'm having the same issue documented here: http://www.splunk.com/support/forum:SplunkGeneral/3130
"An example is the Unix app. When this app is pushed to a Splunk instance using the deployment server the scripts under unix/bin lose their execute permissions."
The permissions on the deployment server are -r-xr-xr-x but on the client they become -rw------