Compare results from day to day
Let's assume I have data structured like this:
|timestamp|user|action|
|2019-09-10 13:40|user1|action1|
|2019-09-10 12:40|user2|action2|
|2019-09-09 12:40|user3|action3|
|2019-09-09...
How to fix "data model 'modelname' had an invalid search, cannot get indexes...
Hi, I run a search in a panel, and in response I get this error: data model 'modelname' had an invalid search, cannot get indexes to search. Help please. Thanks.
Changing labels on a chart (will be numeric to string)
I have a query that produces a lovely table base search |chart values(Number) as State over Date by description Date | act1 | act2 | act3 M05 | 1 _ .... | -1_ .... | 3.... M06 | 5 _ .... | -1_ .... |...
Single index on indexer not getting new data. Other indexes are.
I have a Splunk cluster with 3 indexers. I have a non-replicated index that for some reason has stopped getting new data on one of the indexers. Other indexes on the same node are getting data. What...
Find the matches of the fields from the first table with the values of the...
Hello. I have two tables. I need to compare the values of two columns in each table. As a result I want to receive rows from the first table only with fields which are found in the second table. Table 1 1. v11 v12 v13...
Pull missing event date from header
Hello, I'm trying to index a log in the IIS W3C Extended Log Format. The date information in each event is missing, but the date is at the top of the file in the header info. The time (HH:MM:SS) is...
How to name the clusters when using TFIDF and DBSCAN in the machine learning...
I have a case where a "Message" field contains sentences of strings, which indicate different kinds of system errors. We want to use the machine learning toolkit to automatically cluster those errors...
One Sourcetype which includes Events with different Timestamp formats -...
Hi guys, I'm in the GMT+2 timezone and have events from sourcetype=tibco. Depending on the event, the timestamp format is different: 2019-09-10 12:48:14.066 [blablabla] OR 2019 Sep 10 12:48:10:263 GMT +0200...
CommonBaseEvent treatment
Hello all, I am receiving some events from our Monitoring Agent tool (from the vendor Dassault Systemes) in Common Base Event format like: >0203300476278 I don't really understand how I can operate...
Splunk forwarder failed to send logs from Amazon Linux instance
Trying to send logs to the Splunk server using a forwarder installed on Amazon Linux instances. I am not seeing any data on the Splunk server. On the forwarder side, I am seeing an interfaces.sh related error in...
Field Range of Numbers Inside of Case Statement
Greetings! Hoping there is an easier way to write this sequential host list such as (host = "vlt(01 through 16)-she1") ? | eval cde_model = case ( host = "vlt01-she1" OR host = "vlt02-she1" OR host =...
What is your average indexing rate from your monitoring console?
I'm trying to determine if a bottleneck exists in my environment. We ingest about 130Gb a day. **Syslog** events come through without delay, but Windows Events are **delayed** anywhere between **1,500...
How do I benchmark system health before a Splunk Enterprise upgrade?
I need details about what to check before I upgrade so I know if my deployment is ready to upgrade. What do I monitor, and how do I benchmark system health before the upgrade?
How do I monitor system health during a Splunk Enterprise upgrade?
I need details about what to monitor during my upgrade so I know it is proceeding as expected. What should I monitor during an upgrade?
What do I validate after I upgrade Splunk Enterprise to confirm the upgrade...
I need details about what to validate after the upgrade so I know it was successful. How can I tell that everything got upgraded correctly, and that the system is healthy and ready to go?
Error parsing dashboard XML: malformed URI sequence.
Updated Splunk 6.5.x to 7.3.0 and now one of my main dashboards has, "Error parsing dashboard XML: malformed URI sequence. Go to "Edit Source" to fix." Going into "Edit source", it states "Error on...
Joining Multiple indexes and sourcetypes
I have two indexes and multiple sourcetypes. Hostname is the common field. I want to bring all possible information about that host from all STs. index=I1 ST=S1 index=I2 ST=S2, ST=S3, ST=S4, ST=S5 Sourcetype= S2 to...
Process for moving indexers to new datacenter with new IP address.
Hi All, We will be moving our physical indexers from one datacenter to another datacenter. The new datacenter will have a new IP address scheme so I'll need to re-IP the indexers after they're in the...
Splunk web login and logout option missing
Hello, we have installed Splunk on one of our new servers. Everything is fine, we can access the web UI, but we cannot see the login and logout option in the UI. We did not change any default configs. Please...
Splunk 7.3.1 Windows apply shcluster-bundle -target https://xxxx:8089 -auth...
I am trying to push my first app through the search head deployer. This is a brand new Splunk 7.3.1 environment with 3 search heads, 1 search head deployer, an indexer cluster with 2 indexers and a...