It's a good channel for complete Splunk, thank you for sharing the knowledge.
Thank you for the video.
Please make videos on Splunk version upgrades of clusters, SH and indexer.
Very useful, thank you
Thanks for sharing!
Very useful, sir.
Hello Siddharth, how do I track changes performed on a correlation search by a user? (Identify the user who performed the change on saved searches.)
I did look into /servicesNS/-/-/saved/searches, but didn't see any usernames of who performed the changes :(
Passion fruit 🤷🏻‍♂️
This works great most of the time. However, I've found in the config tracker log that there are times where an event has multiple stanzas that are updated. Each of those stanzas can have multiple properties, and each property has an old and a new value. So, to truly work, you would need to account for the multiple stanzas as well. I tried just mvzipping the stanza onto the front, but that doesn't totally work. When I do that I only get the first property under the edited stanza.
Thank you Davin for pointing this out, I will do this fix in the next video.
What if the time logged shows 10:15:22.985 and the config tracker shows 10:15:23? The join will not happen since 10:15:22 is not equal to 10:15:23. Can this happen?
As far as I have seen in the log, this should not happen. Anyway, this is a new feature in Splunk 9; probably we need to keep an eye on this.
Nice new video, but take care. Paths in Linux use / and not \ as Windows does, so this needs to be changed for it to work in Linux. @Splunk & Machine Learning: I think it would be better if you changed from using Splunk on Windows to using Splunk on Linux, which most others use. I know it works mostly on Windows, but it's created for and works better with Linux.
Yes, true. I mentioned the path in the initial video; I should have mentioned it again here.
@splunk_ml I may be a bit too late, but in my case I have KOs from both Windows and Linux machines, and this works for Windows paths. Any tips on how I can use the eval function to extract from both Linux and Windows paths?
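As an added example (not code from the video or from anyone in this thread), the Python below flattens every stanza and every property of a config tracker event into one row each, the multi-stanza case Davin describes, parses the conf path whether it uses Windows or Linux separators, and builds a whole-second join key for pairing with the audit log. The event's field layout (data.path, data.action, data.changes[].stanza, data.changes[].properties[] with name/old_value/new_value) is assumed from the product's JSON format, and the sample event is constructed.

```python
import json
import re

# Constructed sample of a Splunk 9 config tracker event. The field layout is
# assumed from the product's documented JSON format, not taken from the thread.
SAMPLE_EVENT = json.dumps({
    "datetime": "10-12-2022 10:15:23.000 +0000",
    "data": {
        "path": "C:\\Program Files\\Splunk\\etc\\apps\\search\\local\\savedsearches.conf",
        "action": "update",
        "changes": [
            {"stanza": "Failed Logins", "properties": [
                {"name": "cron_schedule", "old_value": "*/5 * * * *", "new_value": "* * * * *"},
                {"name": "disabled", "old_value": "0", "new_value": "1"}]},
            {"stanza": "Rare Process", "properties": [
                {"name": "search", "old_value": "index=main", "new_value": "index=main rare"}]},
        ],
    },
})

# [\\/] accepts either separator, so one pattern covers Windows and Linux paths.
_CONF_PATH = re.compile(
    r"[\\/]etc[\\/]apps[\\/]([^\\/]+)[\\/](local|default)[\\/]([^\\/]+)\.conf$", re.I)


def parse_conf_path(path):
    """Return (app, layer, conf) for a path under etc/apps, or None otherwise."""
    m = _CONF_PATH.search(path)
    return (m.group(1), m.group(2).lower(), m.group(3).lower()) if m else None


def flatten_changes(raw_event):
    """Emit one row per (stanza, property), walking every stanza in the event."""
    ev = json.loads(raw_event)
    data = ev["data"]
    app, layer, conf = parse_conf_path(data["path"]) or (None, None, None)
    rows = []
    for change in data.get("changes", []):
        for prop in change.get("properties", []):
            rows.append({
                # Truncate to whole seconds so a sub-second audit timestamp still pairs up.
                "join_key": ev["datetime"][:19],
                "app": app, "layer": layer, "conf": conf, "action": data["action"],
                "stanza": change["stanza"], "property": prop["name"],
                "old_value": prop.get("old_value"), "new_value": prop.get("new_value"),
            })
    return rows
```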