We are seeing this issue for accelerated datamodels. For other types of searches we were able to get around them by quarantining servers. For accelerated datamodels it seems to be ignoring all the rules as shown below: 04-05-2018 21:32:33.384 INFO SearchProcessor - Search targeting info not set on processor presummarize. Will contact all peers by default 04-05-2018 21:32:33.384 INFO DistributedSearchResultCollectionManager - Connecting to peer HOST1 connectAll 0 connectToSpecificPeer 1 Anyone else have any luck with this? ... View more

This should be achievable with streamstats which allows you to get the event values X event forward/back depending how you sort the data. E.g. ... | sort - _time | streamstats window=10 latest(PAR) as PAR_10_forward | search DIFF > 95 | eval forward_diff=BTC-PAR_10_forward ... View more

Sorry for the lack of real context and Yes I have read the docs and answers. In fact I asked the same question at splunk conf 2017 and was told to avoid the kvstore due to replication issues. Wiredtiger is the future and if splunk continues to use MongoDB no doubt it will be supported. Anyway, using splunk 6.5.3. My issue is the insert/update sometimes takes forever, even on a single splunk server. The servers pretty beefy. The kvstore collect has two set of accelerations on multiple fields. 1 field is an array which can have up to 500 unique values. All other fields are single strings or numbers. I can insert up to 1000 (splunk limit) rows using the splunk python SDK bulk save function. Which sometimes takes over 300 seconds even for much less than 1000 rows. I guess it might be the data I am updating/inserting since, due to the acceleration on the 1 array field for each row it may be generating the acceleration index for 500 unique values and this is what's taking significant time. The question is then how to check how long splunk MongoDB spends on generating the acceleration indexes. Or is it possible to get a breakdown of the processes and timings it takes during a bulk save? ... View more

To get last 30 minutes, it is just earliest=-30m latest=now Looking at your examples you are actually describing snapping to the last multiple of 30 minutes. The below search should give you what you want | makeresults | eval latest=_time, minutes=strftime(_time, "%M"), earliest=relative_time(_time, "@h".case(minutes==0, "-30m", minutes<=30, "", 1=1, "+30m")) | eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S"), earliest=strftime(earliest, "%Y-%m-%d %H:%M:%S") Example usage Your search [| makeresults | eval latest=_time, minutes=strftime(_time, "%M"), earliest=relative_time(_time, "@h".case(minutes==0, "-30m", minutes<=30, "", 1=1, "+30m")) | table latest, earliest] Note this is a very weird use case. ... View more

Try the set diff command http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Set You will want to add an id column if order is important. ... View more

Just update your SQL to have where condition of the period your interested in. E.g | dbxquery connection=SQL query="SELECT * FROM dbo.ProcessLog where timefield >= (sysdate - 1) AND message like '%[IsSuccess]:False%'" Assuming your using a oracle db ... View more

Not able to reproduce this. Is this happening in a single instance of Splunk? Maybe the field alias setting hasn't been replicated correctly to all your indexers. Are there any errors or warnings in your "inspect job" splunk.log? ... View more

Little bit hard to understand, but seems like you want to use the stats values function e.g. ... | stats values(myfieldname) by host ... View more

Can you check the format of StartTime? To make sure they are all valid and consistent. DBX might be failing to parse an unexpected StartTime value. ... View more

Seems it is still not able to find java. Go to configurations/settings can put in the path to your java. ... View more

It should work in both cases. Can you try adding time_format = %s Otherwise check your permissions on the lookup and set to global to see if it helps. ... View more

See below link http://dev.splunk.com/view/webframework-developapps/SP-CAAAEW3 Instead of mytoken use form.search And in your simple xml you can refer to the token as $search$ ... View more

It is not a bug. You can just set the value yourself. ... View more

Have you added order by timestamp as part of your SQL query? ... View more

You should get the enrichment data into a lookup file and do a query like below. Search for alert and eval alert_type | lookup instructions_lookup alert_type output instructions ... View more

Are you guys on windows? With slow disk it can take some time to load all the libraries, but haven't seem it take that long. ... View more

Wow, probably better to try and convert the message into a proper XML message and have splunk automatically extract the tags for you. You can then get rid of all the regex and setup field alises if you need the fields to be different names to the tags. ... View more

Check in your _internal logs E.g. index=_internal source=access l stats count by user ... View more

It needs to be | before the inputlookup. Did you also try the earliest and latest setting I suggested in previous comment? ... View more

Have you tried setting local = true in your command.py? Your first step should be making sure it runs just on search head once. ... View more

You need to use SQL to convert it to a char field E.g Select to_char(clob_field) from table ... View more