cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
baseballnut8200
Explorer
Member since: ‎06-02-2017
‎01-24-2022
Community Statistics
Posts 7
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎06-02-2017
View All

Re: Timestamping different formats in same sourcet...

by SplunkTrust in Getting Data In
‎01-24-2022 09:42 AM
‎01-24-2022 09:42 AM
Just for clarity I'd lose the isnotnull and use coalsece instead. It's more readable that way. Also if your parsing is not working (and thus you're getting index time into them), you can add some constant "fallback" at the end so it always matches and see if it's because the EVAL maches wrongly or is it that it's not run at all. Like INGEST_EVAL= _time=coalesce(strptime(_raw, "%Y-%m-%dT%H:%M:%S.%QZ"), strptime(_raw, "%Y-%m-%dT%H:%M:%S.%QZ"), strptime(_raw,"%s%3N"), strptime(_raw, "%s%3N"), 1) This way if none of the strptime produces a non-null result, your event should get indexed in 1970 🙂 ... View more

Monitoring Console

by in Monitoring Splunk
‎10-13-2021 11:20 AM
‎10-13-2021 11:20 AM
Anyone noticed that there is a big difference between what the MC displays in for the hot volume under indexers->indexes and volumes->volume Detail and what the OS reports??  I have our indexers showing that between 11-12 TBs are being used up for the hot volume, while the MC is reporting that they are not even at 10 TBs.  That seems like a really big difference to me...  I can deal with checking each box, but I like have the MC reporting where I can see all the indexers in one panel.  Thanks! ... View more
Labels

Re: Splunk Add-on for Microsoft Active Directory f...

by in All Apps and Add-ons
‎04-26-2018 08:14 AM
1 Karma
‎04-26-2018 08:14 AM
1 Karma
Hi, This issue is being caused because the execution of Powershell scripts was disabled on our servers. We were able to capture this by running the ./splunk diag on the server in question. We see this error many times: ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"" be loaded because the execution of scripts is disabled on this system. The issue has been resolved using the following steps: http://docs.splunk.com/Documentation/SoS/3.2.1/SoSGuide/Postinstall#Enable_local_PowerShell_script_execution_on_Windows_platforms Hope this helps! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎01-24-2022 03:21 PM
Karma from
View All