Hi, we are logging api requests in Splunk. I would like to create a sort of health check table where every column represents the status code of the last API call in previous 5 minutes. While each row is a different API. Here an example of what the output should be Any Idea how I could achieve that in Splunk? Each row represents a different API ( request.url), while the status code is stored in response.status Thank you ... View more

Hi guys, I have a nodejs service that needs to perform number of sequential queries: e.g: search mysearch from 01/01/2018 00:00:00 to 00:05:00 search mysearch from 01/01/2018 00:05:00 to 00:10:00 search mysearch from 01/01/2018 00:10:00 to 00:15:00 .... .... until 14/01/2018 00:00:00 The queries are very fast ( < 1s) In my tests environment I have no problem (Splunk version 6.5.2) In my production environment (Splunk version: 6.6.2), after some queries I receive an error: [SPLUNKD] Unknown sid. error: SplunkSearcher.search :: Error {"response":{"headers":{"date":"Mon, 05 Feb 2018 12:45:31 GMT","expires":"Thu, 26 Oct 1978 00:00:00 GMT","cache-control":"no-store, no-cache, must-revalidate, max-age=0","content-type":"application/json; charset=UTF-8","x-content-type-options":"nosniff","content-length":"53","vary":"Cookie, Authorization","connection":"Close","set-cookie":["splunkd_8089=jlHwfXrZZNgO.....; Path=/; Secure; HttpOnly; Max-Age=3600; Expires=Mon, 05 Feb 2018 13:45:31 GMT"],"x-frame-options":"SAMEORIGIN","server":"Splunkd"},"statusCode":404},"status":404,"data":{"messages":[{"type":"FATAL","text":"Unknown sid."}]},"error":null} The nodejs service and the Splunk server are on the same server. What could be the problem and how can I debug it? thank you ... View more

Hi guys, I have a javascript service that performs a query every 30 seconds: let service = new this.splunkjs.Service({ username: process.env.SEARCHER_USERNAME, password: process.env.SEARCHER_PASSWORD, scheme: process.env.SEARCHER_SCHEME, host: process.env.SEARCHER_HOST, port: process.env.SEARCHER_PORT, version: process.env.SEARCHER_VERSION }); // Set the search parameters let searchParams = { exec_mode: "blocking", auto_cancel: process.env.SEARCHER_AUTO_CANCEL_JOB_SEC, output_mode: "JSON", rf: "*" }; service.search( searchQuery, searchParams, ... .... ...... even If I set SEARCHER_AUTO_CANCEL_JOB_SEC=30 , if I go to Activities/Jobs (in the Splunk Web Application) the job Expires date is 10 minutes after the Created at date. I was expecting 30 seconds not 10 minutes. Splunk version: 6.6.2 Thank you ... View more

Hi guys, I would like to convert the following event into a table: { Id: 1505207351 Start: 1505207651 Resource: res Nodes: [ [ res1, 1 ] , [ res2, 3 ] ] } The output should be a table like this: Id | Start | Nodes 1505207351 | 1505207651 | [res1,1] , [res2,3] Or even better, display a subtable in the Nodes column: Id | Start | Nodes | | Res | Rank ------------------------------------- 1505207351 | 1505207651 | res1 | 1 | res2 | 3 ------------------------------------ 2305207351 | 2305207651 | res3 | 4 | res4 | 3 The event sourcetype is _json My actual query to search the events is this: index="myindex" | spath | table Id, Start, Nodes The result is a table but the Nodes column is empty Thanks ... View more

Is there a detailed list of collected data that Splunk add-on for unix and linux collects? I found this: documentation but it is not so detailed. For example what does means TCPrexmits (sourcetype=protocol)? Is this Add-on collect also how many packets have been retransmitted? Thanks ... View more

Hi guys, I've installed a Splunk enterprise 6.5.2 and some Splunk applications. It's a while that when I try to click on refresh button ( splunkserver:port/debug/refresh ) after a couples of minutes the web interface is not reachable anymore and I've to restart splunk. In splunk.log files there are some errors related to the Splunk applications installed but they seem to be not important. Also I see the following: ERROR KVStoreBulletinBoardManager - KV Store changed status to failed. KVStore process terminated. 05-04-2017 08:39:23.487 +0200 ERROR KVStorageProvider - An error occurred during the last operation ('saveBatchData', domain: '2', code: '5'): Failed to connect to target host: 127.0.0.1:8191 What Can I do? ... View more