Channel: Questions in topic: "splunk-enterprise"
Browsing all 47296 articles

IF statement inside EVAL

Hello, I want to divide AverageCount by AverageTotal. The problem is that Average count is separated by Sourcetype and Average Total is separated by a Field. For example: index=x Sourcetype: SAT -->...



How do I combine storage statistics of indexes with the index, sourcetype,...

I can use a rest search from the `services/data/indexes` endpoint to calculate storage statistics, like the index size in GB, of each index. I would like to combine these storage statistics to a table...



Combine data across multiple sources and then split answer to separate rows...

Good afternoon, I am trying to take data from multiple sourcetypes, combine it by a common field and then output it to one entry per line when exporting to CSV. I'm having difficulty because there are...


Need help understanding how Transform "access-extractions" works

Hi to all that read this, Hoping one of you might be able to provide some assistance. We have an app that is producing logs using Extended Common web format. Right now the source type we are using is...


Using the number of events in bins to find percentile

Hello all, I have a seemingly simple goal: bucketing events by time and finding the 95th percentile using the total number of events in each bin. I'm able to get the counts for each bin but I'm not...



We are in process to move to cloud, but we have a splunk license on-premises,...

Hi! Nowadays we have a Splunk license on-premises, but we are in the process of moving to the cloud, and part of this process is to keep a hybrid schema. For this reason we would like to know if it is possible to use the same...


Need to create a Dashboard which can select multiple fields based on user...

Hi all, I need to create a Dashboard which can select multiple extracted fields based on user selection of checkbox/radio button. For example, I want the user to be able to search with...


Can I hide/unhide specific text boxes using a single checkbox?

Hi, I am trying to get a checkbox to hide/reveal specific text boxes. For example, say I have the following checkbox with three choices: - c1 - c2 - c3 Furthermore, I have three text boxes t1, t2, and...



Splunk App for AWS stops collecting data from AWS after migration from 6 to 7

We are seeing that index build stopped for s3 bucket e.g. billing and cloudtrail after migration. I am not seeing any error message. It just stopped and not retrying anymore.



How do I create an alert when a value is greater than "X" directly following...

This is a snip of the log file. I want to receive an email when the value that follows "Memory used by APP:" exceeds 4000 MB. [2018-08-17 11:59:51.909.196][0x0000219c][Info][GENERAL] Memory used by APP:...


Getting alerts even though I disabled them from the GUI

Hi, I have disabled an alert from the GUI, but I am still getting Splunk alerts. Can you please let me know why this is happening?


How to do search jobs using the imported CSV file field name

Dear Team, I have imported one csv File and searched using the Portal(8000) and REST API(8089), REST API is not working because of the *CustomField*, this is one of the field name in the csv file,...


How to search using the fieldname in the csv file in REST API

Dear Team, I have imported one csv file and searched using the sourcetype & customfield (one column header in the csv file), it's working fine in the Portal (8000), If I do the same using the REST...



What causes this splunkd Search Head Assertion in Splunk 7.1.1?

Hello, splunkd: /home/build/build-src/nightlight/src/framework/SearchResultsMem.cpp:839: SearchResultsMem::iterator SearchResultsMem::erase(SearchResultsMem::iterator, SearchResultsMem::iterator):...


How to display comparison between previous week with current week in Single...

Hi, I have a query which should ideally give me results for the Last week and the current week Request count. index=data earliest=-1w@w latest=now | eval Latency=case(walltime<500, "0-0.5s",...



In real-time alert, if I use lookup command, too many alerts triggered.

Splunk ver 7.1.1 I'm using real-time alert that trigger when there is event which has src_ip match black_list.csv like below. index=hogehoge | lookup black_list.csv src OUTPUT status | where...


Index Cluster - Backup strategy

Hi All, We have 3 indexers in an Index cluster with an Index master. Currently, the data is being backed up periodically to AWS S3/Glacier storage. We want to understand if we need to shutdown before we...



Dashboard "Cover Page"

Hi, we have created a multi sided Dashboard which will be automatically exported to PDF. In order to get the report looking less technical we would like to add a cover page. Cover page simply should...


Issue getting "Unknown host" in creating new connection using Progress Data...

Trying to configure a SQL Server JDBC driver for Splunk, configured DataDirect SQL Server JDBC in Splunk DB Connect successfully. But unable to connect to SQL Server.


Combine multiple rows in one with a common key

Hello, I have a log that records data bit by bit. I want to combine them to have only one row of data. Example: I've tried mvcombine but when there are multiple values for a field it...
