Knowledge Management

Discussions

Thread Info

How do i search username's logons in french?

Hello, I collect security events from an active directory domain. I 'm trying to get the number of logons by usern...

by Explorer in

Is it safe to clear event data from _internal?

Is it safe to clear the _internal index like this? Or should this never be done in the first place? What are the issu...

by Path Finder in

Tag from cli or search?

Is it possible to auto-tag a field from the results of a search from the cli or the search bar? Something like: "s...

by Path Finder in

summary index on search head not showing all the indexers in splunk_server field

When I search for index=summary in search head, the result only shows one of the server in splunk_server field. But I...

by Path Finder in

Summary indexing inconsistent results across different apps

I am experiencing some very weird behaviour with SI's. I have two apps. App1 and App2. App1 has a search named tes...

by Path Finder in

Summary Index Schedule type

In Manager -> Searches and Reports -> [summary index], there is an option to select "Basic" or "Cron" Schedule type. ...

by Explorer in

Web Intelligence: local/eventtypes.conf will not override default/eventtypes.conf

I was trying the use ./local/eventtypes.conf to override the values in ./default/eventtypes.conf. Using btool, it sho...

by Explorer in

rolling dc over a summary index

I'm trying to build a running distinct count against a summary index. I came up with a solution, but it seems a littl...

by Path Finder in

Macro Arguments

I'm totally lost when it comes to arguments in macros. Here is what I want to do. I have three partial searches that ...

by Builder in

Results Table won't show tag AND its field

I've tagged my host field with their respective customer. I want to display the host as well as the tagged value in a...

by Explorer in

Eval limitations on si index with sistats count by field1, field2 etc

I have a search to SI index=sec marker=01 sourcetype=cisco_firewall | bin _time span=5m | sistats count by log_lev...

by Contributor in

Multiple definitions for one tag?

I am somewhat new to tags as a "Knowledge Management" tool, and I am reviewing the tags configured on my SPLUNK searc...

by Path Finder in

Missing fields in summary index

I have a little problem with summary indexing seemingly ignoring some fields. My logfile looks like this: # /ho...

by Engager in

Summary view host name instead of ip address

How can a device name be displayed for the IP address in the summary search window?

by Explorer in

getting started

Do I get to have my own website? And if I do, how do I go about creating one? That is mainly why I'm on here. TO crea...

by New Member in

how to reuse existing summary index data further

We are reporting daily new user added in system. WE have recently moved to summary indexing and we are getting data. ...

by Path Finder in

single-argument macro will not work (but argumentless version does)

Consider the following pair of macros, the former of which functions as expected whereas the latter fails with an err...

by Esteemed Legend in

Where to put macros.conf so available everywhere (all users/apps/searches)?

The subject has the entirety of my question but as a bonus to anyone who reads this, here is a macro that everyone sh...

by Esteemed Legend in

Should summary indexing happen on the distributed searcher or on the indexer(s)?

Technically, summary indexing can be configured on either the search head or indexing server. Are there advantages/di...

by Splunk Employee in

summary index issue

I have created a summary index, from the following query (i called it base query), and the summary index co...

by Path Finder in

How can I set "_time" = "initialQueryTime" in the summary index?

I need to set the "_time" of a summary index equal to the time of a field value. Like for example: Event: ...

by Motivator in

App development best practice: new index, or not?

When developing an App for SplunkBase for widespread use, is it a good practice to put all of my app's data in a new ...

by Motivator in

Backfill operation runs but summary index not populated

I have a saved search that i am running using the backfill script, but the data isn't showing up in the summary index...

by Communicator in

summary indexing data

hi i am using the below query to summary index index=level3 earliest=+285min latest=+300min | eval volumegb=volum...

by Explorer in

timechart count against si gives different max results for 2 intervals

I have si search "save" for every 5 mins as : search = sourcetype="cisco_firewall" | sitimechart count When run...

by Contributor in

Get Updates on the Splunk Community!

Knowledge Management

Discussions

How do i search username's logons in french?

Is it safe to clear event data from _internal?

Tag from cli or search?

summary index on search head not showing all the indexers in splunk_server field

Summary indexing inconsistent results across different apps

Summary Index Schedule type

Web Intelligence: local/eventtypes.conf will not override default/eventtypes.conf

rolling dc over a summary index

Macro Arguments

Results Table won't show tag AND its field

Eval limitations on si index with sistats count by field1, field2 etc

Multiple definitions for one tag?

Missing fields in summary index

Summary view host name instead of ip address

getting started

how to reuse existing summary index data further

single-argument macro will not work (but argumentless version does)

Where to put macros.conf so available everywhere (all users/apps/searches)?

Should summary indexing happen on the distributed searcher or on the indexer(s)?

summary index issue

How can I set "_time" = "initialQueryTime" in the summary index?

App development best practice: new index, or not?

Backfill operation runs but summary index not populated

summary indexing data

timechart count against si gives different max results for 2 intervals

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability

New Splunk TcpOutput persistent queue

Persistent queue problems

Solutions: "Splunk could not get the description f...

Restore Datasets in a Data Model from an App

After upgrade to 9.1.x and above overall increased...