×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
apnetmedic
Explorer
Member since: ‎01-29-2014
‎06-05-2020
Community Statistics
Posts 8
Solutions 0
Karma Given 7
Karma Received 4
Member Since ‎01-29-2014
Activity Feed
View All

Re: How to extract and report on field values from...

by in Splunk Search
‎07-06-2016 07:56 AM
‎07-06-2016 07:56 AM
I like it! I left out index and sourcetype for brevity in the original question. I've been having other ingest problems with a file this large, which has made me question the whole method. Sounds like I can still make it work. ... View more

Re: CSV file with column named "Index"

by in Getting Data In
‎03-24-2016 09:47 AM
‎03-24-2016 09:47 AM
Ah! Indeed. Victim of my own typo. I had "index" on the brain and thus typed it as such: extracted_index, lowercase. Original field was Index, so it's extracted_Index. All is right with the world. ... View more

Re: How to do a simple calculation based on two fo...

by Splunk Employee in Dashboards & Visualizations
‎11-06-2014 11:22 AM
‎11-06-2014 11:22 AM
I believe the best way would be to use calculated fields - http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/definecalcfields In props.conf, you could set up a calculated field such as: [<stanza>] EVAL-<field_name> = <eval statement> which in your case: [<your_stanza>] EVAL-someResult = token1 * token2 * <someConstant> ... View more

Re: 6.1 upgrade - can't access search macros

by in Splunk Search
‎05-09-2014 07:26 AM
‎05-09-2014 07:26 AM
This does not fix it. I'm running Splunk free on Debian and the error pops up each time I try and access the following: Data > inputs > Scripts Data > inputs > UDP Data > inputs > monitor ... View more

Re: Only latest results from a constantly human up...

by in Getting Data In
‎05-10-2016 12:41 PM
‎05-10-2016 12:41 PM
I solve this by doing two things: In props.conf: [source:://my/watched/path/*] CHECK_METHOD = modtime My events don't have time stamps, so _time is now set to the last time the file was touched. In my searches: <base search> | eventstats max(_time) as LatestTime by source | eval ThreshTime = LatestTime - 2 | where _time > ThreshTime | <now the rest of my search> Find the latest _time, subtract a few seconds to account for the time it might take to ingest (might need more here if coming through a forwarder?) and ignore events that aren't in this window. I combine this with a time range spec that goes back a few days so that the initial search doesn't have to work as hard. I have to think there's a better way to do this, but I have not found it. I too am looking to present a dashboard of data based on a file that's refreshed daily, but the update happens at varying times of day, or sometimes not at all, so just doing "earliest=-1d@d" doesn't work. If the boss logs in before the refresh happens, the dashboard would be blank. Doing "earliest=-24h" might catch two days' worth of data if done at the wrong time, so that's out too. I'm not super happy with it because it makes all my searches more expensive, but it gets the job done. I went down a path of trying to do a scheduled search to take my code from above and reverse the sense on it: ... eval ThreshTime = LatestTime - 2 | where _time < ThreshTime | delete But this fails because apparently delete can't be used after a streaming command like eventstats . Any other thoughts on this I'd love to hear. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM
Karma from
Karma given to