Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About abhi04
abhi04
Path Finder
Member since:
02-12-2018
Monday
Community Statistics
| Posts | 184 |
| Solutions | 1 |
| Karma Given | 6 |
| Karma Received | 5 |
| Member Since | 02-12-2018 |
Activity Feed
- Posted Re: Why the top and appendcols giving different percentage results? on Splunk Search. Monday
- Posted Why the top and appendcols giving different percentage results? on Splunk Search. Sunday
- Posted How to disable/enable alerts using rest api commands for splunk cloud? on Splunk Cloud Platform. 10-17-2023 03:02 PM
- Posted Re: How to use mstats and inputlookup command on Splunk Search. 10-05-2023 12:29 PM
- Posted How to use mstats and inputlookup command on Splunk Search. 10-05-2023 10:38 AM
- Posted Re: Why does my search on specific indexer shows more GB of data than what is set up as part of maxtotalDataSizeMB? on Splunk Enterprise. 07-01-2021 10:04 AM
- Posted Re: Why does my search on specific indexer shows more GB of data than what is set up as part of maxtotalDataSizeMB? on Splunk Enterprise. 07-01-2021 06:43 AM
- Posted Why does my search on specific indexer shows more GB of data than what is set up as part of maxtotalDataSizeMB? on Splunk Enterprise. 07-01-2021 04:37 AM
- Got Karma for How to get audit plus manager logs into splunk enterprise security?. 01-29-2021 01:55 PM
- Got Karma for Why a pdf scheduled by me for a dashboard is not showing for the other user with the same access?. 09-23-2020 01:44 PM
- Karma Re: What if we place the deploymentclient file under the system/default as well as under the app/loc for richgalloway. 06-12-2020 01:10 AM
- Posted What if we place the deploymentclient file under the system/default as well as under the app/local? on Splunk Enterprise. 06-11-2020 11:03 AM
- Posted Re: Indexes.conf setting for 90 days retention? on Splunk Enterprise. 06-11-2020 09:16 AM
- Posted Indexes.conf setting for 90 days retention? on Splunk Enterprise. 06-11-2020 02:58 AM
- Karma Re: How to convert the GMT timezone to EST timezone at search time? for somesoni2. 06-05-2020 12:50 AM
- Karma Re: How to assign value for any field as "0" when no events are there for the field? for somesoni2. 06-05-2020 12:50 AM
- Karma Re: How to create a regex to display all the hostnames? for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: How to create a regex to display all the hostnames? for niketn. 06-05-2020 12:49 AM
- Got Karma for How to restart splunk web without starting splunk?. 06-05-2020 12:49 AM
- Got Karma for Re: What will be the regex for the below?. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Monday
So, top does not take NULL into account for total and percentage? IS there a way top can take NULL into consideration? @ITWhisperer
... View more
Sunday
Hi, Why the below two queries giving me different percentage values? I checked the total count and count for Action=Sell is same. Am I missing something here? index=abc source=def | top Action This gives me 49.7 % for Action=Buy ================================================ index=abc source=def | stats count as Total | appendcols [ search index=abc source=def | search Action=Buy | stats count as Buy] | eval Percent_Buy=round((Buy/Total)*100,2) This gives me 27.7 % for Action=Buy
... View more
- Tags:
- top
Labels
- Labels:
-
subsearch
10-17-2023
03:02 PM
I want to enable/disable splunk alerts in splunk cloud, How to disable/enable alerts using rest api spl commands in splunk cloud?
... View more
Labels
- Labels:
-
using Splunk Cloud
10-05-2023
12:29 PM
@yuanliu Thanks for the query, just wanted to update that I was able to get the results that are not in the holiday date but got stuck on how to also put a filter on the hour (9 Am - 5:30 PM on holiday) The query I used to exclude events on holiday | search NOT [| inputlookup holidays.csv | rename HolidayDate as Date | fields Date ]
... View more
10-05-2023
10:38 AM
Hi, I have a alert query that uses mstats, I want this query to not throw alert during public holidays (from 9 AM to 5 PM). I have created a lookup holidays.csv with columns "Date","Description". How can i use this lookup with the already mstats command to check for the date and time in the lookup file and if its in the timerange in the file then not trigger the alert or probably not search. Thanks in advance. Lookup file:
... View more
07-01-2021
10:04 AM
Ye s, I restarted splunk after making changes. Below is the settings [main] frozenTimePeriodInSecs = 1209600 maxTotalDataSizeMB = 20000 As per this screenshot we can see the sum of data seen is more than 20 GB
... View more
07-01-2021
06:43 AM
Yes, the maxTotalDataSizeMB setting applies to ALL data in the index. So, if I select ALL time for the search for the main index, it should only show around 20 GB of data in the search results? Because I set the maxTotalDataSizeMB for main index as 20 GB, shouldn't I be seeing atmost 20 GB max data for any time frame? It could be less but not more than 20 GB. Below is the query I used to determine how much data in GB is there for the main index. index=main | eval raw_size_gb = (len(_raw) / 1024/ 1024/ 1024) | timechart span=1d sum(raw_size_gb) as Index_Size_In_GB Please let me know if I am on the wrong path.
... View more
07-01-2021
04:37 AM
I have set up the maxtotalDataSizeMB for main index as 20 GB. But when I try to run the search for the index main on this specific indexer it shows me more than 20 GB of data. I ran the search for last 10 days. Can someone explain the theory behind this. How I understand is that it should only show 20 GB of data and whatever older events were there would have moved to frozen which is not searchable. But that's not what is happening in this case. Is there something that I am missing?
... View more
Labels
- Labels:
-
using Splunk Enterprise
06-11-2020
11:03 AM
What if we place the deploymentclient.conf in the forwarder inside the system/default as well as under the app/local. for e.g. 1. under the system/default: deploymentclient.conf [deployment-client] clientName = xyz phoneHomeIntervalInSecs = 5 [target-broker:deploymentServer] targetUri = xxx 2. under the app/local deploymentclient.conf [deployment-client] phoneHomeIntervalInSecs = 3600 Will the phone home take place after 3600 sec due to the higher precedence?
... View more
Labels
- Labels:
-
configuration
06-11-2020
09:16 AM
@richgalloway , any suggestions regarding the maxHotBuckets and maxWarmDBCount. Any best practise rearding those? What if I remove these two parameters and the config file looks like below. Will this be better or the previous settings? # index definition (calculation is based on a single index)
[index_name]
homePath = volume:hotwarm_cold/defaultdb/db
coldPath = volume:hotwarm_cold/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
homePath.maxDataSizeMB = 53760
coldPath.maxDataSizeMB = 345600
frozenTimePeriodInSecs = 8985600
maxDataSize = auto_high_volume
... View more
06-11-2020
02:58 AM
Hi All, I have total of 30 GB of total data to be indexed which after indexing will be 15 GB as per splunk average compressing. I have a total of 4 indexers with 1 TB of disk space. Can you please let me know the indexes.conf setting on each indexer for a retention of 90 days of searchable data in splunk. Does the below settings work or there can be some improvements that can be made? I got this from the splunk sizing app. http://splunk-sizing.appspot.com/#ar=0&cdv=1&cr=90&ds=1024&hwr=14&i=4&v=30 indexes.conf # volume definitions [volume:hotwarm_cold] path = /mnt/fast_disk maxVolumeDataSizeMB = 996148 # index definition (calculation is based on a single index)
[index_name]
homePath = volume:hotwarm_cold/defaultdb/db
coldPath = volume:hotwarm_cold/defaultdb/colddb
thawedPath = $SPLUNK_DB/defaultdb/thaweddb
homePath.maxDataSizeMB = 53760
coldPath.maxDataSizeMB = 345600
maxWarmDBCount = 4294967295
frozenTimePeriodInSecs = 8985600
maxDataSize = auto
... View more
Labels
- Labels:
-
configuration
-
using Splunk Enterprise
05-30-2020
08:29 AM
Thanks for the explanation
... View more
05-29-2020
10:44 AM
@richgalloway Thanks for answering.
I went through the splunk doc (https://docs.splunk.com/Documentation/Splunk/8.0.4/Updating/Updateconfigurations) and its mentioned as below:
Reload the deployment server
After you edit the content of an app, you must reload the deployment server so that the deployment server learns of the changed app. It then redeploys the app to the mapped set of clients.
To reload the deployment server, use the CLI reload deploy-server command:
splunk reload deploy-server
The command checks all apps for changes and notifies the relevant clients.
I am confused because both things are mentioned
1. It redeploys the app to the mapped clients
2. The command checks all apps for changes and notifies the relevant clients.
I just wanted to understand how this works. I would appreciate your views on this.
Thanks in advance.
... View more
05-29-2020
10:29 AM
@gcusello Is the below command correct to send the events to loadbalancer which will send the events to one of the indexers?
curl -k -u "x:" LoadBalancer_VIP:8088/services/collector -d '{"sourcetype": "mysourcetype", "event":"Hello, World!"}'
... View more
05-29-2020
12:08 AM
Hello All,
I have below questions on the reload command and phonehoming which I need to confirm: 1. Both the deploy reload command and the phonehoming changes the configs in forwarders(clients) but both have a different approach. The reload command will push the changes to forwarders(clients) without any splunk start but the phonemhoming willcheck for any changes in the configs in the deployment server and if there are changes will poll the changes and restart the forwarder(clients) and apply changes? 2. Should we run the reload command before or after phonehoming?
... View more
Labels
- Labels:
-
deployment client
-
deployment server
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Monday
|
Karma from
Karma given to
