Other option is using input monitor or oneshot command. ... View more

Hi @yihan How did you input the log file? If you are uploading with Splunk WebUI, it is failing due to HTTP file transfer size limitation. It is not a license limitation. When importing logs larger than 500MB, split the file so that one file is less than 500MB. Then try uploading from WebUI. ... View more

上記説明の tz の設定内容ついて訂正します。 tz = Asia/Tokyo のようにZone Nameで指定してください。 ... View more

@arai0729 さん Free版のSplunkを利用されている場合は、ユーザ設定をWebUIから変更ができないため、設定されていない状態といなります。Splunkはタイムゾーン設定がない場合、Splunk（またはSearchHead）を動かしているサーバのシステムタイムゾーンが使われます。 下記のどちらかを実施していただくことで変更可能です。 Splunkが動作しているサーバのシステムタイムゾーンを変更する Splunkのインストールフォルダ配下の etc/users/admin/user-prefs/local/user-prefs.conf を開き、 [general] スタンザ配下に tz=JST のようにタイムゾーン設定を追加する。タイムゾーンは任意の値に変更してください。 参考資料： https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/User-prefsconf#.5Bgeneral.5D 補足 Free版の場合、内部的にはadminユーザまたは、初期インストール時に作成した管理者ユーザが使われています。 user-prefs.confを変更する際は、古いSplunkバージョンを利用されている場合はadminユーザの設定を、7.2以降を利用されている場合はインストール時に作成した管理者ユーザの設定を変更してください。 ... View more

@pgadhari You should forward your search results in summary index and then just search it without tstats. tstats needs to extract fields during indexing time. I am not sure if this works with a summary index. However, storing calculation results in a summary index can provide significant benefits. Also, you don't have to do a lot of processing over and over, and you can search on a longer time range. And Summary Index does not consume daily license. I'm still looking for a way to use tstats at the summary index or add a field extraction configuration that can use tstats later, but I haven't yet found a good way. Here is the step to use summary index without using tstats command. *Reference : https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing * Step 1) Create a new index to use as a summary index. The method of creating a summary index is the same as creating a general index. The entity is just an index. Note: When creating a summary index, your configuration may affect where you create the summary index. Only SearchHead can generate summary index data. And you can not access that summary index from other SearchHeads. Option 1: Store summary index locally on SearchHead If you are using standalone Splunk or single SearchHead, there is no problem creating an index locally. Option 2: Save summary index in Indexer If the amount of data in the summary index to create or the number of events is large, it is possible to hold the summary index in Indexer. By doing so, you have the following benefits: Aggregates data in Indexer Summary index can be used from other SearchHead such as SearchHeadCluster If you want to save the summary index in Indexer, you need to set up to transfer SearchHead data to Indexer, referring to the following page. *Reference : Best practice: Forward search head data to the indexer layer https://docs.splunk.com/Documentation/Splunk/latest/DistSearch/Forwardsearchheaddata * Keep in mind the following points when making this setting: - You will not be able to access the summary index already created in SearchHead (since all requests will be sent to Indexer) - Before setting up, it is necessary to create a summary index used by SearchHead in Indexer. To create an index in Indexer, distribute indexes.conf from Cluster Master.     Step 2) Set the schedule search as the following settings. Execution interval and time range specification are one example, please change according to your search frequency and requirements. If you want to set the summary index from the schedule search setting screen on the WebUI, please delete the collect command line of the query because it is unnecessary. Execution interval ： per 1h Search Timerange ： Relative , earliest: -1h@h , latest: @h Query1: collect command line means , store search results in to summary index dcim_summary and add a strings tags=dcim_sum_v1 to record. Please change the index name from dcim_summary to created in Step 1. You should add a tag or label, if you use same summary index to other usage. index=dcim | fields value, source | bin _time span=1m | stats sum(value) as values by _time,source | eval labels="source:"+source | xyseries _time labels values | addtotals | collect index=dcim_summary marker="tags=dcim_sum_v1" Step 3) Search statistical data from summary index. Query2: index=dcim_summary tags=dcim_sum_v1 | bin _time span=1m | stats sum(source:*) sum(Total) by _time Thanks for reading. I hope it helps you. ... View more

Hi @leo_wang I tried to use Lookup File Editor Version 3.3.1 with Splunk 7.1, but this app does'nt work in Splunk Free version. It looks like this issue. The Issue is still open and I couldn't find the fixed release. https://github.com/LukeMurphey/lookup-editor/issues/34 ... View more

Hmm. Sorry , I have no answer to increase more faster this query search performance easly. This query has dispatch almost procsess at indexers. Add more indexer can increase this performance. but... yeah, this not an answer you want. Other option is, how about to save your shortly span results to summary index using hourly or daily scheduled search. You can use fill_summary_index.py to fill your summary index with past timerange. If you need many times to search a same query or more than long timerange, this is one of the answer i think. Or, If this index is using index-time field extractions with structured data (ex: CSV , json ,etc), you can use tstats command to get more faster results. like this : | tstats sum(value) where index=dcim by _time,source span=1m | xyseries _time source value | addtotals ... View more

Hi @pgadhari Can you try this. In your case , you shoud use bin command (to grouping events timestamp), and stats command . index=dcim | fields value, source | bin _time span=1m | stats sum(value) as values by _time,source | xyseries _time source values | addtotals The timechart command with span=1m option is searching and calcurate events in every all 1min( really every 1 minuite) . So ,if you change the timerange to more longer , this affects to search speed. ... View more

Hi @jon_marcum How about this. index="Web" | eval WebTraffic=if(match(http_user_agent, "(?i)bot"), "Bots", WebTraffic) | eval WebTraffic=if(match(http_user_agent, "(?i)crawl"), "Crawlers", WebTraffic) | bin _time span=1h | top WebTraffic by _time | chart avg(count) as count, avg(percent) as percent over _time by WebTraffic | addtotals "count: WebTraffic" "count: Bots" "count: Crawlers" | fields _time "count: WebTraffic" "count: Bots" "count: Crawlers" Total "percent: Bots" "percent: Crawlers" I hope this would be some of help. ... View more

リプライありがとうございます。了解しました、リリースノート反映を待ちます。 ... View more

Splunk7.1.2がリリースされましたが、Fixed Issuesの一覧に「SPL-155106」が見当たりません。 Splunk7.1.2ではまだ修正されていないと考えてよろしいでしょうか。 ... View more