Replacing a value of one field with the value of another.
I checked the past questions and answers, but I am not able to find a way to do this. Basically the value field of the 'event' has 'DERIVE'. I need to replace 'DERIVE' with the value in Count. I am...
View ArticleHow can we add the first event to all existing event as a matedata?
Here is the case , I have an huge XML file . In which i have extracted the events based on the tags.So i have the 3 tags header, trailer and body . So, the output will be the header section as one...
View ArticleSplunk License Key (trial)
Hello. I created an EC2 instance on AWS with splunk installed. When I try to search in splunk my data coming from amazon kinesis firehose I get an error message stating that my license is expired. I...
View ArticleForwarder not forwarding data other than _internal
I have forwarder not forwarding any input data other than _internal. Checks performed: splunk version - 6.4.2 Forwarder is up and running. Checked the $SPLUNK_HOME/etc/system/local/inputs.conf . --...
View ArticleCombine data from two source types based on common values
Hi there, I have question regarding source types. I have 2 source types A and B. A has field called aaa and B has field call bbb. These 2 fields share same value ( example: aaa=123, bbb=123) but the...
View ArticleHow do you apply a Splunk license that is already installed?
Hello. I created an Amazon Elastic Compute Cloud (EC2) instance on Amazon Web Services (AWS) with Splunk installed. When I try to search in Splunk for my data coming from Amazon Kinesis Data Firehose,...
View ArticleSplunk Machine Learning Toolkit: How do you replace a value of one field with...
I checked the past questions and answers, but I was not able to find a way to do this. Basically the value field of the event is "DERIVE". I need to replace "DERIVE" with the value in Count. I am...
View ArticleWhy is my forwarder not forwarding data other than _internal?
I have forwarder not forwarding any input data other than _internal. Checks performed: splunk version - 6.4.2 Forwarder is up and running. Checked the $SPLUNK_HOME/etc/system/local/inputs.conf . --...
View ArticleHow do you combine data from two source types based on common values?
Hi there, I have a question regarding source types. I have 2 source types "A" and "B". "A" has a field called "aaa" and "B" has field call "bbb". These two fields share the same value ( example:...
View ArticleHow to get a single value based on a eval results
Hello I have a search that joins together data, the search works great but the results that Im trying to get are proving a bit tricky. index=tsv |rename BOID AS id |dedup SurveyInstanceID QuestionID...
View ArticleWhat is the difference between the dbinspect command and "_bkt"?
Hello guys, Could you let me know the difference in terms of buckets between : `| dbinspect *search* and *search* | eval bkt=_bkt | table bkt` ? It looks like `dbinspect` returns more results and with...
View ArticleWhy are two of my columns empty in a table returned by a lookup file with...
I used a lookup file which is configuring like this field1, field2, field3, field4 value1, value2, value3, value4 value10, value2, value3, value4 value11, value2, value3, value4 I would like to obtain...
View ArticleHow can you get a single value based on eval results?
Hello, I have a search that joins together data. The search works great, but the results that Im trying to get are proving a bit tricky. index=tsv |rename BOID AS id |dedup SurveyInstanceID QuestionID...
View ArticleHow to you create a table with each row being a log and every column being a...
I was wondering if there is an easy way to create a table that contains every single recognized interesting field instead of doing the usual `| table field1, field2...` method. To be clear I want to...
View ArticleHow do you highlight a table cell based on a field of the search result?
I am trying to highlight the cells of my result table. I have seen multiple examples showing how to highlight a cell based on the value shown in the actual result table. What I need is for the cell to...
View ArticleHow do I use a look up to check to see if I'm getting logs from hosts that...
Dears, I'm trying to use a lookup for Splunk to read a file and tell me if I'm collecting the logs to the host of that file. What I need: Check if I'm getting logs from hosts that are in a CSV. I am...
View ArticleUsing average in maps+ instead of count.
While using maps+ the clusters it makes show count of events in it. How can i use average of the values for a particular kpi? Like when it shows cluster count can I display average of a KPI like I am...
View ArticleBucket two events starting using a timespan starting with the first event
My question is a mix of using the transaction command with the bin command. What I would like to achieve is capturing when 2 consecutive POST requests are made in proxy logs within two seconds of each...
View ArticleMultiple Cumulative Time Series
I can make mulitple summed time series. source="splunk-source" | timechart sum(figure) as figure by category I can make a single cumulative summed time series. source="splunk-source" | timechart...
View ArticleSplunk forwarder 6.6.6 upgrade failure
I'm trying to upgrade the forwarder version to splunkforwarder-6.6.6-ff5e72edc7c4-x64-release.msi, but it fails with "File in use " error This is the command i used msiexec.exe /i...
View Article