cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
liuce1
Explorer
Member since: ‎02-12-2019
‎06-14-2023
Community Statistics
Posts 6
Solutions 1
Karma Given 2
Karma Received 2
Member Since ‎02-12-2019
Activity Feed
View All

Re: How to insert dummy data into the first few en...

by in Splunk Search
‎02-05-2023 12:37 AM
2 Karma
‎02-05-2023 12:37 AM
2 Karma
The SPL as below, I store your previous table in a lookup table test.csv | inputlookup test.csv | sort Filed_A | autoregress Field_B as newfield p=2 | fields Time Filed_A newfield | streamstats count as num | foreach newfield [| eval <>=if(isnull(newfield),"DUMMY".num,<>)] | rename newfield as Field_B | fields Time Filed_A Field_B   If my answer can help you ,please kindly vote it .  Thank you ... View more

Re: How to convert timestamp to date and time with...

by in Getting Data In
‎08-26-2022 08:06 PM
‎08-26-2022 08:06 PM
| makeresults | eval field1="2022-08-27T02:00:00" | eval field2=strptime(field1,"%Y-%m-%dT%H:%M:%S") | eval field3=relative_time(field2,"+8h") | eval field4=strftime(field3,"%a %b %d %H:%M:%S.%Z %Y") | table field1 field2 field3 field4   First , using "strptime" function to transform String time "2022-08-27T02:00:00" to Unix timestamp field2 base on my time zone( My time zone setting is UTC+8, Splunk consider the time zone of String time as UTC+8,  so the Unix timestamp value is 1661536800). You can check your time zone setting as below.   Second,  I know the time zone of String time is UTC not UTC+8,  so I use "relative_time" function to add 8 hous to field2 , then I get field3 Finally, using "strftime" function to transform Unix timestamp to human readable format field 4 The date and time format variables I used ,  you can find them in this link Date and time format variables - Splunk Documentation Hope my answer can help you. ... View more

One search head becomes unhealthy , the whole sear...

by in Splunk Enterprise
‎07-14-2022 06:46 AM
‎07-14-2022 06:46 AM
We have a 10 members(16CPU,64GB RAM) search head cluster in the same data center. 3 members are preferred captain and F5 will not forward traffic  to these 3 members , and parameter captain_is_adhoc_searchhead is configured on 10 members. Sometimes , one of the search head's load average exceeds 1 because of CPU or memory overuse, then this search head will be not able to response captain's call in time. This member will launch a captain election, and this member will become the new captain even if it not a preferred captain.  The captain election process is not over yet until a member with preferred captain parameter become the captain . The search head cluster is unstabitily during the captain election, profuse schedule search and alert will be skipped, some critical alert will miss . How to solve this problem, how to prevent a non-preferred captain to be elected as captain ? ... View more

Re: SHC - failed on handle async replicate request

by in Deployment Architecture
‎05-20-2021 10:49 PM
‎05-20-2021 10:49 PM
I encountered the same problem in my environment , we use "schedule search"+"| loadjob" in our dashboard for access control to avoid granting user index access. We seek help from Splunk support, they suggested us to increase the number of max_peer_rep_load,  but they didn't know what the number should be increased to, we need to try it by self . ... View more

Loadjob performance: sid is faster than "user:app:...

by in Splunk Dev
‎04-06-2021 07:26 PM
‎04-06-2021 07:26 PM
We have a search head cluster with 8 search head nodes ( captain was set to ad-hoc search only), and replication factor is 2 , we use schedule search to grant user access to the data they need instead of granting user access to index. This method is working for access control , but we are facing performance issue because of the huge amount of artifact(more than 10 thousands of artifact in the cluster). The loadjob command will run 30-40s even if  the saved search only has 1 event ,  we checked the job inspector and found the most of time was spent on loadjob command. Drilling down to the detail log, the most of time were likely spent on finding the artifact according to the owner,app and search name and pull the artifact from the search head it's stored. Then we try to use sid instead in the loadjob command, it's really faster than using "owner:app:search name", runtime is less than 1 second. Do you know the difference between using sid and "owner:app:search name" ?   Thanks ... View more
Labels

ITSI 4.1.2 - Services are not displayed in default...

by in Splunk IT Service Intelligence
‎05-19-2019 07:42 AM
‎05-19-2019 07:42 AM
ITSI 4.1.2 - Services are not displayed in default service analyzer, no data from source service_health_monitor KPIs' calculation are working well. But service health score stop calculation from May 11 2019 . No data from the search "index=itsi_summary source=service_health_monitor" ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-14-2023 09:36 AM
Karma from
View All
Karma given to
View All