How to override a savedsearch name?
I have a savedsearch defined in my savedsearches.conf like the following: [my_saved_search] search = "index=........" earliest = "-30d@d" ....... Hence the savedsearch view and the...
Sourcetypes keep changing when I don't want them to
I have a small LAN with a couple dozen servers all running Solaris. They are sending into a single instance of Splunk Enterprise via syslog. I have created field extractions, dashboards, reports, etc....
How to split a multivalue field into separate fields?
I have a customer that is attempting to check a field “Account_Name”. Some of the events have multiple account names in the field. He needs to break them out so that he has two Account_Name entries...
Why are my sourcetypes constantly changing, and how do I prevent this?
I have a small LAN with a couple dozen servers all running Solaris. They are sending into a single instance of Splunk Enterprise via syslog. I have created field extractions, dashboards, reports, etc....
What are my options if Splunk Enterprise is not installing on my computer?
Splunk Enterprise will not load on my computer, same issue I had before and gave up. What are my options? Try and install it and it says there is an error, this is why I gave up on it before.
"Error reading compressed journal while streaming: gzip data truncated". Are...
While running a query via EMR on a bucket archived to s3 with hadoop data roll, I got the following error: [hadoop] [ip-192-168-4-184] Streamed search execute failed because: Error reading compressed...
How can I define props.conf with respective source types?
I have a text file with some data below. How can I define my props.conf file with respective sourcetypes? **file 1 of sourcetype=s1** Batch Counter Cache Name CacheSize MemoryBytes MemoryMB Avg Object...
How to derive earliest and latest from a list of events that overlap in...
I need to roll up several events with overlapping start and stop times. I need the total time of the events without doing a sum of the elapsed time for each event. Each event in the series has a start...
Can deployment servers handle mirroring so changes on my main deployment...
For compliance reasons, we need to have gateway servers set up at the edges of our secure domains that can forward Splunk traffic into one main domain. Putting an intermediate forwarder on the gateway...
How to hide all form input filters in a dashboard by default?
In dashboard, if you add input, you will see a text `Hide Filters`. I would like all the filters to be hidden in one dashboard by default. The users need to click `Show Filters`. Searching around and...
Is there any documentation available for the Broken Hosts App for Splunk?
Hi, Looking at the Broken Hosts App for Splunk, but there isn't any real documentation on it. Is it available? Or examples? I enabled it with defaults, and it alerted on a bunch of hosts, but that...
How to create a report that displays stats count in a table for x days?
Sorry, I am new to Splunk and wondering if I can have a report that gives results in a table as below, data as: index=api serviceName=find userId=7878 index= api serviceName=find userId=7877 index= api...
Why does an iframe table view only display 20 records, and how can I increase...
Hi All, I am using an iframe to display error details in a portal where, in 24 hours, the error count is usually more than 100, but the iframe displays only 20 records. Please suggest how to display all the...
How to search a lookup table and return a matching term?
All- I am new to Splunk and trying to figure out how to return the matched term while utilizing CSV table with inputlookup. I just researched and found that inputlookup returns a Boolean response,...
Query to track the amount of data being ingested to a specific index, measure...
I'm trying to write a query to track the amount of data being ingested to a specific index, measured in MB per minute. This is what I have so far: index=my_index_name metrics name=index_thruput...
How do I delete a data model or a data table built with the new datasets add-on?
I've been playing around with the new datasets add-on - it's very slick, well done. But now I want to delete some of the testing tables I created but there isn't a Delete option in the Data Model...
App showing pending review status
We updated our app to a new version on Splunkbase, and it is showing the status as pending review. When can we expect this status to change so the app is visible to customers to download?
Host daily license utilization for each SourceType
Hello, I'm trying to build a search that lists, daily, the hosts that are ingesting data into Splunk, filtering for a specific SourceType. Sort of a daily "Top Talkers" for a specific SourceType....
Search a field value for a period of time
Hi, I have a field extracted by regex, i.e. Time_extract, which gives the hour. Now I want to get the logs between a period of time, i.e. time_extract>=10 AND time_extract<23. How to go about that s...
How to edit my search to prevent getting duplicate results with mvexpand?
I have a set of ticket data and am trying to match the words with the description to track issues. My current search is getting duplicates and I'm wondering if this is the best approach anyway. Current...