Thanks for responding. We noticed that without the crcSALT= we get duplicates in QA therefore we kept the crcSALT in PROD. The files are rolled in that directory from type1_log to type1_log.20181910 in the same directory. The PROD is a HAMPC cluster which switches nodes every month or so. We do not have an environment to test the effects of ingestion from such cluster. We installed Splunk UF on the cluster successfully. We know ingestion is occurring normally as type2_log is ingesting normally and with no duplication. We do notice this in the internal logs: 10-18-2018 20:10:06.900 -0700 INFO WatchedFile - Logfile truncated while open, original pathname file='data/server1/.../LOG/type1_log', will begin reading from start. We are not sure why this type of INFO is appearing or why the file is being read from the start over and over again. We notice events get indexed 100s of times. Thanks for your help! ... View more

Does your inputs.conf have a setting crcSalt = <SOURCE> ? Can you paste your inputs.conf ... View more

Hello, Basic functionality of splunk is to check CRCs and start ingesting the file from where it left off. Does the file modification time change when off-time data is written? Is off-time data written to the same file? Does the file name change after off-time data is written? Also, what is the value of crcSalt? ... View more

I tried yesterday with Public DNS, it didn't work. I stopped the EC2 instance and started, it created new public DNS. Now i tried with the new public DNS (IPV4), It worked well. Thanks, Chandana ... View more

Thanks for your response. My alerts are triggering before the hour not after the hour. I'll use your query to make sure the selected time range. Thanks, Chandana ... View more

Are there any errors on the dashboard panels? ... View more

If both _time and yesterday are epoch you would need use a range i.e. _time>=yesterday AND _time<yesterday+86400 . Where yesterday should represent -1d@d or midnight. If yesterday is string time, it should be of format YYYY-mm-dd and you would need to perform strftime(_time,"YYYY-mm-dd") to compare both dates as string time. However, best option would be to fetch only the results from yesterday using base search filter i.e. either Time Picker or earliest=-1d@d latest=-0d@d-1s . Please add more context for us to assist you with your issue, if one of the above does not fit the needs. Possibly ask a new question 😉 ... View more

Thank you for your response. My main issue in this task is list out new files. here new files means files are not existed in previous data . If i use above query I can't list out new files but i can see all files with timestamp. Unfortunately, this is not the answer what I am looking for. To understanding more i'll give an example today: r, t, y, w, h, g, u, o, p, l, i, a, c yesterday: y, i, c, b, f, j, 1, 9, 5, 3, aa, gf, br, rh last week: w, g, fg, rd, o, ff, ht, og, c, y last 6 months: y, hd, jw, o, r, kd, rd last year: sd, ed, ewe, ui, oo, kas, w, c Different files in today's data: t, h, u, p, l, a The rest of the files are occurred in yesterday, last week, last 6 months and last year. Can i get the result as above using splunk tool? I already mentioned this point but i'm again mentioning i.e., the search query what I have mentioned in my question, it is working fine but it is listing different files from previous day only. My requirement is, I want compare all files from previous week/month/year too. Thanks, Chandana ... View more

My colleagues can see full data from a particular index. When it comes to me, I can see some of the data from the same index not full data. I will give you an example. index="cursor" timestamp=11/21/2017 02:20:03 to 11/21/2017 02:20:04 From the above query, actual events count is 24. when it comes to me I can see only 2 events. The splunk is not listing all 24 events. ... View more

Hi, I came across same kind of problem. I used this solution as reference. However, When I executed above search everything is working fine but stdev(count) is not working. It is only working when i remove BY country from the search. How can i find Standard deviation for every country? Thanks, Chandana ... View more

Thank you for your response. I have been working on these commands past week but not able to find a proper solution. I can only work on single field but here, if i search a file_name that should be show whole patterns of all fields and if the file_name has missed or low probability then it should show on anomalies list. NOTE: I want to find out anomalies from the patterns of the file ... View more

Hi buraka, There are three modes. The histogram mode is controlled by the pthresh option. For the other two modes, the docs say, "When method=zscore, performs like the anomalousvalue command. When method=iqr, performs like the outlier command." Please see the corresponding docs for those commands. ... View more

Thank you Niketnilay. I able to solve my problem based on the status indicator documentation. ... View more