To add numpy, scipy, pandas, scikit-learn, or statsmodels, there's an app on Splunkbase you can install - Python for Scientific Computing. You need to use the correct version for your OS, as many of these libraries have OS-specific dependencies. Here's the Linux 64-bit link: https://splunkbase.splunk.com/app/2882/. The README in the app contains instructions on how to import the libraries into other scripts once that app is installed.
You have a few options:
1. Simply add the library locally to the bin folder of your app that will hold your scripted input (or $SPLUNK_HOME/bin/scripts if a script). Local imports will always work.
2. If it needs to be global, add to $SPLUNK_HOME/lib/python2.7/site-packages, although that might be harder/less friendly to keep up to date between upgrades/different environments.
My recommendation would be the first option. All you need to do is place your library in the same folder, and then you can simply call import from your script. import always searches the local folder in addition to any system paths.
I'm not familiar with that particular app, but I can tell you that the error you're getting in Python means that the connection to an SSL server is timing out. To solve it permanently, you would need to edit the actual urlping.py file to handle that exception properly and return something (or nothing) to Splunk if the connection times out. That timeout probably is indicating an error condition you were trying to detect.
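The exception handling described in the answer above, as an added example that is not urlping.py or the app's own code: a scripted-input style TLS probe that turns a timeout into a searchable event instead of a traceback. The function name `probe`, the event field names, and the use of Python 3 are assumptions made for this illustration.

```python
import socket
import ssl
import sys
import time


def probe(host, port, timeout=5.0, context=None):
    """Try a TLS handshake and return one key=value event line for Splunk.

    Hypothetical helper: every failure mode becomes a status value, so a
    timeout shows up as data to alert on rather than as a stderr traceback.
    """
    context = context or ssl.create_default_context()
    start = time.time()
    status, detail = "ok", ""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # The handshake inherits the socket timeout set above.
            with context.wrap_socket(raw, server_hostname=host) as tls:
                detail = tls.version() or ""
    except socket.timeout:
        # Connect or handshake did not finish in time: the condition the
        # answer says should be reported instead of crashing the script.
        status = "timeout"
    except ssl.SSLError as exc:
        # Certificate or protocol failure; keep it distinct from a timeout.
        status, detail = "tls_error", exc.reason or "unknown"
    except OSError as exc:
        # Refused, unreachable, DNS failure, and similar socket errors.
        status, detail = "connect_error", exc.__class__.__name__
    elapsed_ms = int((time.time() - start) * 1000)
    return 'target="%s:%d" status=%s elapsed_ms=%d detail="%s"' % (
        host, port, status, elapsed_ms, detail)


if __name__ == "__main__":
    # Usage: python tls_probe.py <host> [port]
    target_host = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(target_host, target_port))
```

Certificate verification stays on through the default context, so a failed validation is reported as `tls_error` and is not confused with a slow endpoint.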
Is the column a string or in datetime format? DB Connect requires datetime format - it won't take a string or integer timestamp properly (as regular Splunk can). If it's a string, just modify your query to cast to datetime.
You used the Windows version? The correct link is https://splunkbase.splunk.com/app/2883/. The error you're getting is related to loading one of the C libraries used by numpy, which suggests an OS compatibility issue.
Have you logged into your cluster master? Any index clustering errors will be displayed there. How many indexers do you have and what is your search and replication factor? I'm assuming each of them has plenty of disk space available?
Also check out the "Python for Scientific Computing" app - note that you need to install it for the correct OS. Here's the link to the 64-bit Linux version: https://splunkbase.splunk.com/app/2882/. It includes numpy, sklearn, pandas, etc. You can use it in your scripts without too much additional effort - just take a look at the README in the app for instructions.
Did you take a look at http://docs.splunk.com/Documentation/Splunk/6.5.1/Viz/Savedsearches#Post-process_searches? It looks like you could use a base search (or maybe 3 base searches, one per combination of criteria 1 with criteriaA/B/C) and build the panels with post processing searches. That will speed up your dashboard since the raw data will only need to be loaded to execute the base search. It looked like you found something similar, but I'm not sure why you think it won't make your dashboard faster if you adapt it for your needs.
You should join in SQL. That way, you'll be able to set up a DB Input if you so desire. An example query for your join:
    SELECT * FROM (
        (SELECT * FROM prod.dbo.TRANSACT_MONETARY) t1
        join (SELECT * FROM prod.dbo.ACCOUNT) t2
        on t1.ACCOUNT_NBR=t2.ACCOUNT_NBR)
Note that this join is not particularly efficient if you are trying to filter in time - if you are trying to write a rising input make sure to use advanced mode and add a WHERE clause to the t1 query.
Notice the SELECT * FROM (...) structure to the query. Since it is already wrapped, dbx query wrapping can be disabled. Otherwise, you'll be double wrapping.
You'll need to place the splunk-sdk Python library in {{SPLUNK_HOME}}/lib/python-2.7/site-packages or locally in {{SPLUNK_HOME}}/etc/apps/TA-prtg/bin. Download it from here: http://dev.splunk.com/python. You should then be able to import packages from splunklib in the default Splunk Python interpreter.