Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About sverdhan
sverdhan
Loves-to-Learn Lots
Member since:
09-23-2024
a month ago
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 09-23-2024 |
Activity Feed
- Posted Finding forwarders that have not sent data on Getting Data In. a month ago
- Posted Re: SPlunk query on Getting Data In. a month ago
- Posted Re: SPlunk query on Getting Data In. a month ago
- Posted Re: SPlunk query on Getting Data In. 06-17-2025 06:28 AM
- Posted SPlunk query on Getting Data In. 06-17-2025 06:26 AM
- Posted Search for "index=*" in searches on Splunk Search. 04-23-2025 01:36 AM
- Posted How to get ingest volume for 1200 sourcetypes ? on Splunk Search. 10-04-2024 07:20 AM
- Posted data ingestion on Monitoring Splunk. 10-03-2024 03:30 AM
- Posted Re: non searchable sourcetypes on Splunk Search. 09-26-2024 12:30 AM
- Posted non searchable sourcetypes on Splunk Search. 09-26-2024 12:12 AM
- Posted Re: splunk on Monitoring Splunk. 09-23-2024 07:26 AM
- Posted Re: splunk on Monitoring Splunk. 09-23-2024 06:40 AM
- Posted How find amount not ingested? on Monitoring Splunk. 09-23-2024 04:24 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
a month ago
Hello , Can anyone please provide me a query which lists out all forwarders that have not send data over the last 30 days? Thank you
... View more
Labels
- Labels:
-
indexer
-
universal forwarder
a month ago
Hello, this query seems to be working but the clients field is a multivalue field for some sourcetype ,so it results are spread out ,can you modify it ?
... View more
a month ago
Hello Giuseppe, Thanks much for your suggestion , bit the query is giving an error : Cannot find client in the source field client in the lookup table . Now, we cant add clients in th elookup table becaue that would complex things. CAn yiu please tell m eothe rways to do it maybe through join or something. Much appreciated.
... View more
06-17-2025
06:28 AM
A4server Beta is the first value so no matter what sourcetype i choose it is on;y giving the values of A4server Beta in sourcetype , newIndex an ddomain
... View more
06-17-2025
06:26 AM
Hello team , Please help me modify this query such that it is able to loop through all the values of the csv file : Although it is able to give the clients and sensitivity of the selected sourcetype but in the results in the fields- Sourcetype Domain and NewIndex it is only giving the values of the first sourcetype- A4Server Like for example over here the selected sourcetype is A4server but in the sourcetype it is giving A4ServerBeta as it is not looping through the entire csv but only the first value | tstats count WHERE index=* sourcetype=A4Server by index | rex field=index max_match=0 "(?<clients>\w+)(?<sensitivity>_private|_public)" | table index, clients, sensitivity | join type=left client [ | inputlookup appserverdomainmapping.csv | table NewIndex, Domain, Sourcetype ]| eval NewIndex= NewIndex + sensitivity | table clients, sensitivity, Domain, Sourcetype, NewIndex
... View more
Labels
- Labels:
-
indexer
04-23-2025
01:36 AM
Hello guys, I need a splunk query that list out all the alerts that have index=* in their query. Unfortunately, I can't use rest services so kindly suggest me how can i do it without using rest.
... View more
Labels
- Labels:
-
field extraction
-
metadata
10-04-2024
07:20 AM
i have a query that will calculate the volume of data ingested in a sourcetype--
index=federated:infosec_apg_share source=InternalLicenseUsage type=Usage idx=*_p* idx!=zscaler* st=<your sourcetype here> | stats sum(b) | eval GB = round('sum(b)'/1073741824,2) | fields GB
The issue is I have a list of 1200 sourcetypes . please suggest me how can I adjust the entire list into this query
... View more
Labels
- Labels:
-
search job inspector
10-03-2024
03:30 AM
Hello everyone,
I have created a query that list sourectypes :
index=_audit action=search info=granted source="*metrics.log" group="per_sourcetype_thruput" | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | chart sum(kb) by series | sort - sum(kb) | search hasBeenSearched="0" | search NOT[inputlookup sourcetypes_1.csv | fields sourcetype]
I would want to modify this query such that it also enlists the volume ingestion of these sourcetypes as well...Kindly suggest
... View more
Labels
- Labels:
-
search head
09-26-2024
12:30 AM
Thank you for your prompt reply ..
Actually , I am having this search which lists the sourcetypes that have not been searched , but it is not very accurate so it might contain sourcetypes that are still searchable :
index=_audit action=search info=granted | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | stats max(hasBeenSearched) as hasBeenSearched by sourcetype | search hasBeenSearched="0"
So, I created a lookup into which I have put the sourcetypes that have been searched...I was thinking to reference this lookup in the above mentioned query so that it could remove the sourcetypes that are searchable .. But the query is not giving me results . Can you please check where should i Adjust those commands related to referencing that lookup ..
here is how I have used the query, but the results are not coming:
index=_audit action=search info=granted | eval _raw=search | eval _raw=mvindex(split(_raw,"|"),0) | table _raw | extract | stats count by sourcetype | eval hasBeenSearched=1 | append [| metadata index=* type="sourcetypes" | eval hasBeenSearched="0"] | stats max(hasBeenSearched) as hasBeenSearched by sourcetype| search NOT [inputlookup sourcetypes_1.csv | fields sourcetype] | search hasBeenSearched="0"
... View more
09-26-2024
12:12 AM
Hello All, I am looking for a query that can provide me with a list of sourcetypes that have not been searched .Kindly suggest.
... View more
Labels
- Labels:
-
search job inspector
09-23-2024
07:26 AM
Thank you , Do you have a general query to calculate the volume ingested for any sourcetype in general?
... View more
09-23-2024
06:40 AM
thank you for your reply , can you suggest any method apart from the lookup one?
... View more
09-23-2024
04:24 AM
i have used the below query to get a list of 25 sourcetypes who are not reporting for the last 30 days ...but i need to know the volume of data ingested by them...kindly suggest any ideas or any alternative methods: | metadata type=sourcetypes | eval diff=now()-lastTime | where diff > 3600*24*30 | convert ctime(lastTime) | convert ctime(firstTime) | convert ctime(recentTime) | sort -diff
... View more
Labels
- Labels:
-
search performance
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|
