cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
mushkevych
Explorer
Member since: ‎09-11-2018
‎03-14-2022
Community Statistics
Posts 10
Solutions 1
Karma Given 8
Karma Received 2
Member Since ‎09-11-2018
Activity Feed
View All

Re: ERROR DistributedTracer [389066 MainThread] - ...

by in Installation
‎03-14-2022 01:39 PM
‎03-14-2022 01:39 PM
I am seeing the same error after recent Splunk upgrade. Any advise on how to resolve the error? ... View more

Re: auto-decode UTF-8 encoded-string

by in Dashboards & Visualizations
‎12-06-2019 04:47 PM
‎12-06-2019 04:47 PM
Thank you @woodcock. it seems as manual UTF-8 decoding function. I am wondering if Splunk has anything in place for this. ... View more

Re: What are some examples of saved search via pyt...

by in Splunk Dev
‎12-06-2019 10:20 AM
‎12-06-2019 10:20 AM
Below is the approach I used to dispatch/run a saved search job by its name with a custom latest and earliest boundaries. NO changes are required to the saved search code/configuration/etc. In the case below, the date-time is represented in epoch, so the format is set to "%s": import time import splunklib.client as client import splunklib.results as results def _run_job(job: client.Job): # small delay to sync server and client time.sleep(2) # Wait for the job to finish--poll for completion and display stats is_done = False while not is_done: job.refresh() time.sleep(10.0) is_done = job.is_done() output = list() rr = results.ResultsReader(job.results()) for result in rr: if isinstance(result, results.Message): # Diagnostic messages may be returned in the results print('Diagnostic message {0}: {1}'.format(result.type, result.message)) elif isinstance(result, dict): # Normal events are returned as dicts output.append(result) return output def get(name): connection_kwargs = { 'host': 'your_host_ip', 'username': 'your username', 'password': 'your password', } service = client.connect(**connection_kwargs) return service.saved_searches[name, 'YOUR_APP_NAMESPACE'] def run(name, **kwargs): saved_search = get(name) job = saved_search.dispatch(**kwargs) print('Dispatched Splunk Search Job <{0}> with params {1}'.format(name, kwargs)) return _run_job(job) def main(): kwargs = { 'dispatch.latest_time': end_epoch, 'dispatch.earliest_time': start_epoch, 'dispatch.time_format': '%s', } result = run('YOUR_SEARCH_NAME', **kwargs) ... View more

auto-decode UTF-8 encoded-string

by in Dashboards & Visualizations
‎12-05-2019 02:18 PM
‎12-05-2019 02:18 PM
In our system we have 2 pipelines: one via Kafka->Connector->HEC->Splunk, the other DB Connect->Splunk. Both pipelines are transporting data with the same sourcetype, which is marked with UTF-8 in props.conf: CHARSET=UTF-8 . UTF-8 strings that flow thru DB Connect are shown in Search app in their decoded format: While the data flowing via Connector->HEC is still encoded: Later on, the encoded values (such as "\u30a2...") are shown in the drop-down filters and so on. Advise is very appreciated. ... View more

Re: What are some examples of saved search via pyt...

by in Splunk Dev
‎08-19-2019 09:02 AM
‎08-19-2019 09:02 AM
@DavidHourani Thank you for reply. My main concern with this approach is that it updates the server side instance of the saved search. I would like to keep the saved search on the server side "as-is", and call it with custom parameters. Moreover, i am now wondering if Splunk supports execution of multiple concurrent saved searches with the same name. Dan ... View more

What are some examples of saved search via python ...

by in Splunk Dev
‎08-09-2019 03:56 PM
2 Karma
‎08-09-2019 03:56 PM
2 Karma
I am looking for an example of dispatching a saved search job with custom latest and earliest boundaries. A bit of history: my python program finds a Saved Search by its name and instantiates a job via .dispatch() command [1]. The .dispatch() method supports two ways of transferring parameters – via *args.* * and *dispatch.* * It seems as *args.* * would require modification of the saved search query itself; Following *dispatch.* * parameters, however, look promising: dispatch.latest_time dispatch.earliest_time dispatch.time_format Does anybody using those in their Python programs? [1] http://dev.splunk.com/view/python-sdk/SP-CAAAEK2#runsaved ... View more
Labels

Re: changing `host` and persisting the result

by in Splunk Search
‎10-16-2018 09:35 AM
‎10-16-2018 09:35 AM
@Vijeta thank you for reply. Perhaps you can advise how to override default field host in collect command? ... View more

Re: changing `host` and persisting the result

by in Splunk Search
‎10-16-2018 08:36 AM
‎10-16-2018 08:36 AM
@jbjerke_splunk and @pwild_splunk thank you for comments. could you perhaps help me understand why the SPL index="main" | eval host=asset_id | collect index="scanned_app" works without |collect... and does not work with |collect... ? What is happening during |collect... ? ... View more

Re: changing `host` and persisting the result

by in Splunk Search
‎09-12-2018 08:53 AM
‎09-12-2018 08:53 AM
asset_id is a field. my goal is to transform the data set by changing host value and persist it in another index. P.S. Updated the question to reflect your comment ... View more

changing `host` and persisting the result

by in Splunk Search
‎09-11-2018 04:22 PM
‎09-11-2018 04:22 PM
I am trying to make this query work: index="main" | eval host=asset_id | collect index="scanned_app" where asset_id is a field, not a static value. Two observations regarding the query: - without | collect ... , the search shows data as i expect it - with the meta-field host changed - with | collect ... , the resulting index carries host unchanged from the main index Q: how do i change the host , so that it can be persisted in another index ? index="main" | eval *magic_here* | collect index="scanned_app" ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-14-2022 05:47 PM
Karma from
View All