Sum of non-unique fields
Hi. I have 4 events with field _smsresult=_, and I have to calculate the amount of the values of this field. I tried to use `stats sum(SMSRESULT)`. The problem is that some...
Job Inspector: How to interpret execution time in seconds vs. total run duration?
Folks, I have been using the job inspector for quite a bit of time, but in our enterprise environment I'm getting some weird results. I've attached an image to show the results. The...
How to distribute lookup tables in an indexer clustering environment?
Hi, I have an environment consisting of two indexers (clustered), one search head and one master node. I have already read about distributing changes across the cluster with the cluster-bundle function. Now...
How to extract key/values from a string?
Hi, Well, there must be a really easy answer for this, but I seem to be mentally blocked. :-) So if I have a field after a search that contains a string with regular key/value syntax, but I don't know...
Why do I get no results when searching internal indexes?
Why does the search `index=_internal` not return any results?
After adding a user to only one search head in a search head cluster, why is...
I have a search head cluster and have created a custom role (authorize.conf), which has been deployed to each SH through a custom app. I added a user "xyz" to only one SH so that the user only uses a...
How do I edit my current search to compare the values of 2 fields efficiently?
Hello, I want to compare the results of 2 searches. I am using a subsearch and a join: `index=1 | table field1 | eval a=field1 | join type=left a [ | search index=2 | table field2 | eval a=field2 | fields -a...`
Splunk Support for Active Directory: How to troubleshoot error ldapfilter.py...
Hi, I am getting these errors, but I'm not sure why. I have configured ldap.conf and the connection was successful, but I'm not able to see Active Directory related data in the Splunk Support for Active...
How do I find the time difference between these two events?
Hello, I have the following events: event 1: `product_category=dvd product_name="the martian" event=to_basket event_time=2016-01-18T19:57:21+0100 ...` event 2: `product_category=dvd product_name="the martian"...`
How to edit my dashboard search to monitor logged in admins from Active...
I have to build a dashboard to see all logged in admins. So I search for EventCode 4624 and 4634 and Logon Type 2 and 10. But to get these events only for a specific user group, I have to do a second...
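The filtering the post above describes, written out in plain Python rather than SPL as an added example (not the poster's search and not from Splunk): keep only logon (4624) and logoff (4634) events with interactive (2) or remote-interactive (10) logon types, restrict them to accounts found in an admin-group lookup, and pair each logon with its logoff through the Logon ID. The lookup contents, the flattened field names (`Account_Domain`, `Account_Name`, `Logon_ID`) and all events are constructed for the example; a real Windows 4624 event carries both a Subject and a New Logon section, so the field that holds the logged-on account must be chosen accordingly.

```python
from typing import Dict, Iterable, List, Optional

# Added example, not from the original post. Constructed admin-group lookup
# (in Splunk this would come from a lookup table fed by the AD add-on).
ADMIN_GROUP_MEMBERS = {"CONTOSO\\alice", "CONTOSO\\bob"}

# Logon types the question asks for: 2 = Interactive, 10 = RemoteInteractive (RDP).
LOGON_TYPES = {2: "Interactive", 10: "RemoteInteractive"}
WATCHED_CODES = {4624, 4634}   # 4624 = logon, 4634 = logoff


def is_admin_logon_event(ev: Dict[str, object]) -> bool:
    """True when the event is a watched logon/logoff of an admin-group member."""
    account = f"{ev.get('Account_Domain')}\\{ev.get('Account_Name')}"
    return (ev.get("EventCode") in WATCHED_CODES
            and ev.get("Logon_Type") in LOGON_TYPES
            and account in ADMIN_GROUP_MEMBERS)


def admin_sessions(events: Iterable[Dict[str, object]]) -> List[Dict[str, Optional[object]]]:
    """Pair each admin 4624 with its 4634 via Logon_ID.

    Returns one record per admin logon, ordered by logon time. A logon that has
    no logoff yet in the data is reported with end=None (still logged in); a
    4634 whose 4624 lies outside the data is ignored.
    """
    open_sessions: Dict[object, Dict[str, Optional[object]]] = {}
    sessions: List[Dict[str, Optional[object]]] = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if not is_admin_logon_event(ev):
            continue
        account = f"{ev['Account_Domain']}\\{ev['Account_Name']}"
        logon_id = ev.get("Logon_ID")
        if ev["EventCode"] == 4624:
            session = {"account": account,
                       "logon_type": LOGON_TYPES[ev["Logon_Type"]],
                       "start": ev["_time"], "end": None, "duration": None}
            open_sessions[logon_id] = session
            sessions.append(session)
        else:  # 4634: close the matching session if we saw its logon
            session = open_sessions.pop(logon_id, None)
            if session is not None:
                session["end"] = ev["_time"]
                session["duration"] = ev["_time"] - session["start"]
    return sessions


# Constructed sample events (epoch seconds in _time); not real log data.
SAMPLE_EVENTS = [
    {"_time": 1000, "EventCode": 4624, "Logon_Type": 10, "Account_Domain": "CONTOSO",
     "Account_Name": "alice", "Logon_ID": "0x3e7a1"},            # admin, RDP logon
    {"_time": 1100, "EventCode": 4624, "Logon_Type": 2, "Account_Domain": "CONTOSO",
     "Account_Name": "carol", "Logon_ID": "0x3e7b2"},            # not in the admin group
    {"_time": 1200, "EventCode": 4624, "Logon_Type": 3, "Account_Domain": "CONTOSO",
     "Account_Name": "bob", "Logon_ID": "0x3e7c3"},              # network logon: excluded
    {"_time": 1900, "EventCode": 4634, "Logon_Type": 10, "Account_Domain": "CONTOSO",
     "Account_Name": "alice", "Logon_ID": "0x3e7a1"},            # alice logs off
    {"_time": 2000, "EventCode": 4624, "Logon_Type": 2, "Account_Domain": "CONTOSO",
     "Account_Name": "bob", "Logon_ID": "0x3e7d4"},              # admin, still logged in
]

if __name__ == "__main__":
    for s in admin_sessions(SAMPLE_EVENTS):
        print(s)
```

Pairing on `Logon_ID` rather than on the account name matters when the same admin has several sessions open at once; a dashboard that only counts 4624 minus 4634 per user will mis-report those.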
Why is kvstore update failing with code 115?
I've got a kvstore lookup whose data is updated every day from a scheduled search. I built it using the ideas that @dwaddle and @starcher presented at .conf2015 ([presentation here][1] if anyone is...
I was finally able to make Cisco eStreamer work on Windows platforms, but ...
With the help of a Cisco TAC engineer, I was able to make the eStreamer SDK compatible with Windows via a slight modification of its Perl module SFPkcs12.pm. However, when I migrate the change over to...
How to get a license report with sourcetypes and indexes?
Hi, I need a license report for sourcetypes that also shows the relevant index. Is that possible?
How to compare two cells when using table_cell_highlighting.js
I am using table_cell_highlighting.js and right now I have something like this working: `if (cell.field === 'field_percent') { if (value > 50) { $td.addClass('range-cell').addClass('range-severe'); }` ...
Is there a way to display the time when a dashboard panel updated?
Is there any way to display the time when a dashboard panel was updated? I am scheduling a report, adding it to a dashboard, and would like to know when the report that is displayed on the dashboard ran.
Can you mask data at index-time conditionally?
Given data like this: `v1=1 v2=2 v3=3.45 v4=4 key=bad` and `v1=6 v2=7 v3=8.45 key=good v4=9`, I want to mask the vX values in the case of key=bad only. I cannot guarantee the order. Results should be: `v1=x.xx`...
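Three of the questions above (extracting key/value pairs whose keys are not known in advance, the time between two key/value events, and masking the vX values only when key=bad, whatever the field order) rest on the same small parser, so here is one added example covering all three. It is plain Python, not SPL and not code from any of the posters; in Splunk the equivalents would be `rex`/`extract`, `eval` with `strptime`, and an index-time transform, none of which are shown here. The second event of each pair, the name `purchase` for the event that follows `to_basket`, and the fixed mask `x.xx` (taken from the expected output in the question) are assumptions made for the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Added example, not from the original posts. One key=value pair: the value is
# either a double-quoted string (may contain spaces and escaped quotes) or a
# run of non-space characters. Keys are discovered, not listed.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def extract_kv(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in order of appearance, quotes stripped."""
    pairs = []
    for m in KV_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((key, value))
    return pairs


MASK = "x.xx"                      # fixed replacement, as the expected output shows
MASKED_KEY_RE = re.compile(r"v\d+")  # the vX fields to mask


def mask_event(text: str) -> str:
    """Replace every vN value with MASK, but only when the event carries key=bad.

    Field order is not assumed: the whole event is parsed first, then rewritten.
    """
    fields = dict(extract_kv(text))
    if fields.get("key") != "bad":
        return text

    def repl(m):
        key = m.group(1)
        return f"{key}={MASK}" if MASKED_KEY_RE.fullmatch(key) else m.group(0)

    return KV_RE.sub(repl, text)


TIME_FMT = "%Y-%m-%dT%H:%M:%S%z"   # matches 2016-01-18T19:57:21+0100


def seconds_between_events(events, start="to_basket", end="purchase") -> Dict[str, float]:
    """Seconds from the first `start` event to the first later `end` event, per product_name.

    Timestamps are parsed with their UTC offset, so events logged in different
    zones compare correctly. `end` is an assumption (cut off in the question).
    """
    first_start: Dict[str, datetime] = {}
    result: Dict[str, float] = {}
    for line in events:
        f = dict(extract_kv(line))
        name, kind = f.get("product_name"), f.get("event")
        if name is None or "event_time" not in f:
            continue
        t = datetime.strptime(f["event_time"], TIME_FMT)
        if kind == start:
            first_start.setdefault(name, t)
        elif kind == end and name in first_start and name not in result:
            result[name] = (t - first_start[name]).total_seconds()
    return result


# Constructed sample events; the second line of each pair is invented to complete the question.
EVENTS = [
    'product_category=dvd product_name="the martian" event=to_basket event_time=2016-01-18T19:57:21+0100',
    'product_category=dvd product_name="the martian" event=purchase event_time=2016-01-18T20:05:03+0100',
    'product_category=dvd product_name="gravity" event=to_basket event_time=2016-01-18T19:00:00+0100',
    'product_category=dvd product_name="gravity" event=purchase event_time=2016-01-18T18:10:00+0000',
]
MASK_EVENTS = [
    "v1=1 v2=2 v3=3.45 v4=4 key=bad",
    "v1=6 v2=7 v3=8.45 key=good v4=9",
    'key=bad product_name="the martian" v1=5',   # key first, plus a quoted value with a space
]

if __name__ == "__main__":
    print(extract_kv(EVENTS[0]))
    print(seconds_between_events(EVENTS))
    for e in MASK_EVENTS:
        print(mask_event(e))
```

The masking step deliberately parses the complete event before rewriting anything, which is the point the question raises: a single regex that looks for `key=bad` to the left or right of a vX field cannot be correct when the order of fields is not guaranteed.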
API - saved search artifacts
Let's say Splunk keeps the last job artefacts from an accelerated search which spans the last 7 days. What's the simplest way to access the job equivalent to last Monday through the API?
Cisco Networks with NX-OS devices - What are the good commands?
Hi, We are looking at implementing the Cisco Networks application in our systems, especially to manage our Cisco Nexus devices (N5K / N7K families). Our network team informs me that the help of the...
Splunk ES: Customizing Incident Review Audit Dashboard - Add Timepicker
Has anyone ever tried updating the Incident Review Audit Dashboard in Splunk ES to include a timepicker? I can't seem to get any of the searches in the panels to use the timepicker.
Why does a scheduled summary-indexing search not finalize?
Hello, I have a scheduled saved search that populates a summary index with ~50M events. As the search is triggered, I monitor its progress in the **Job Inspector**. I noticed that **it reaches 100% in...