×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mmanfred
Explorer
Member since: ‎05-24-2011
‎06-05-2020
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎05-24-2011
View All

Re: AppFlow Data is not visible in the Citrix App

by in All Apps and Add-ons
‎08-05-2015 08:50 AM
‎08-05-2015 08:50 AM
Ah - Two things: 1 - my inputs.conf needed to be [ipfix://NetScaler_AppFlow] sourcetype = appflow index = netscaler address = 0.0.0.0 port = 4739 buffer = 1048576 disabled = true 2- when I setup the IPFIX data input i didnt name it NetScaler_AppFlow so the above didnt match ... View more

AppFlow Data is not visible in the Citrix App

by in All Apps and Add-ons
‎08-05-2015 08:29 AM
‎08-05-2015 08:29 AM
I have Splunk 6.2.3, Latest IPFIX and Citrix App and Netscaler 10.x. IPFIX listener is up and netscaler is sending appflow data to it. I am able to query eventtype=netscaler but the appFlow dashboards seem to be looking for eventtype=netscaler_appflow which does not exist. sourcetype=ipfix for these events and I see in the eventtypes.conf: [netscaler_appflow] search = eventtype=netscaler sourcetype=appflow there is no sourcetype=appflow. my input.conf only has the python [ script line <pre> [script:\/\/./bin/scripted_inputs/deploy_splunk_ta_netscaler.py] interval = -1 index=_internal sourcetype=netscaler:installer disabled = 0 passAuth = splunk-system-user </pre> am I missing a setup step that creates that sourcetype? ... View more

Re: Joining two data sets using time windows

by in Splunk Search
‎12-03-2013 07:45 AM
‎12-03-2013 07:45 AM
agree with lguinn that it will match identically. I am looking for something that is more akin to a fuzzy match on the window. If first event is 12:00:00 I need the joined events to be between 11:59:55 and 12:00:05 in this example. (this is a one to many match and I would probably want to count the number of events as well with the results as a drill down later for example) ... View more

Joining two data sets using time windows

by in Splunk Search
‎12-02-2013 04:12 PM
‎12-02-2013 04:12 PM
I have two data sets that I want to join: Set A: _time, field1, field2, field3... via search: eventtype=mystats | fields _time, field1, field2, field3... Set B: _raw via search: eventype=mydata | tranaction .... | closed_txn = 0 | where _time >= "Set A _time - 5 seconds" AND _time <= "Set A _time + 5 seconds" | fields _raw The result should be simply appending all Set B _raw that match to the rows of Set A. Set A+B: _time, field1, field2, field3, _raw Is this possible with a subsearch to iterate over time or join by time while passing the _time around? I am not sure what the right approach is but I am trying to find open transactions in set B around a window of events in Set A (which ticks every 30 seconds) ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM