What is the quickest way to list the files that exist in an index? I usually use this SPL command, but it takes a long time, especially if the index size is huge:

index="my-index" | dedup source | table source

Any idea? Thanks
What you might see is multiple instances of the same field from a user's search - for example, multiple src_ip. This has the potential to artificially inflate the results of how often a field is being used if you did a stats count at this point, so I threw in the dedup com...
| dedup physicalElementId | sort -deviceName

The problem is that the resulting table has holes in it because of the join type=left. devProductId is absent in sourcetype = A. devProductId is present in sourcetype = B. I'm thinking I will need to create another table - Table C....
Hi Splunkers, To insert a single new value into a lookup table, I've been running something like this:

index=_audit earliest=-10s | eval myfield="foo" | dedup myfield | table myfield | outputlookup append=true mylookup

But it seems clunky. Any other recommendatio...
The indication is that the log file has not updated for a while. I have the following Splunk search to monitor the log for this condition. Is there any better way to track this? Planning to run this every 5 minutes or so.

index=jboss_prod | eval lastseen=strftim...
| dedup 1 host "Update Title"

And that now looks correct. It gives me one unique entry (most recent) for each update per host that failed, rather than listing the same update for each host each time it fails. Much appreciated!
If you have a device like F5 in your network, configure the virtual IP and fail-over rules there.
Send syslog to both Splunk and perform a dedup before indexing the data - a waste of bandwidth/load?
Send syslog to both Splunk, but one of the destinations will be off-line or b...