Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- About dpeukert
dpeukert
Explorer
Member since:
07-16-2019
09-14-2020
Community Statistics
| Posts | 8 |
| Solutions | 1 |
| Karma Given | 15 |
| Karma Received | 1 |
| Member Since | 07-16-2019 |
Activity Feed
- Posted Re: Color code and color changes for data on Splunk Enterprise. 06-19-2020 03:33 AM
- Karma Re: How do you extract a timestamp from a filename? for FrankVl. 06-05-2020 12:50 AM
- Karma Re: How do you extract a timestamp from a filename? for mthomas_splunk. 06-05-2020 12:50 AM
- Karma Re: exclude events based on field for richgalloway. 06-05-2020 12:50 AM
- Karma Re: How to list of search results with a value > X in a specific search field for richgalloway. 06-05-2020 12:50 AM
- Karma Re: How to fake real time data on dashboard panel? for niketn. 06-05-2020 12:50 AM
- Karma Re: How to get the plain text of pass4Symmkey? for klischatb. 06-05-2020 12:50 AM
- Karma Re: Change font color of dashboard panel based on a condition for techiesid. 06-05-2020 12:50 AM
- Got Karma for Change font color of dashboard panel based on a condition. 06-05-2020 12:50 AM
- Karma Re: Indexer Cluster & Search Head Indexes.conf for woodcock. 06-05-2020 12:48 AM
- Karma Re: Initialize Token As Default Values Then Insert Latest Values When New Values Received for niketn. 06-05-2020 12:48 AM
- Karma Re: How do I disable Transparent Huge Pages (THP) and confirm that it is disabled? for mcederhage_splu. 06-05-2020 12:47 AM
- Karma Re: Do this in Simple XML? for helenashton. 06-05-2020 12:47 AM
- Karma enable integrity control on splunk 6.3 for arber. 06-05-2020 12:47 AM
- Karma Re: enable integrity control on splunk 6.3 for dbhagi_splunk. 06-05-2020 12:47 AM
- Karma Re: What data sources does Splunk for Enterprise Security require? for inventsekar. 06-05-2020 12:46 AM
- Karma Re: Is there a way to hide column in a table but still use it for drilldown in HTML Dashboards in Splunk 6 for iKate. 06-05-2020 12:46 AM
- Posted Re: Change font color of dashboard panel based on a condition on Dashboards & Visualizations. 11-26-2019 08:44 AM
- Posted Change font color of dashboard panel based on a condition on Dashboards & Visualizations. 11-25-2019 06:59 AM
- Tagged Change font color of dashboard panel based on a condition on Dashboards & Visualizations. 11-25-2019 06:59 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 |
06-19-2020
03:33 AM
Hi @thaara, i tried to reproduce your problem. I created an index with the name "wine" and filled it with this data. I created the following dashboard: <form>
<label>Pie Chart</label>
<fieldset submitButton="false">
<input type="multiselect" token="tok_quality" searchWhenChanged="true">
<label>quality</label>
<choice value="5">5</choice>
<choice value="6">6</choice>
<choice value="7">7</choice>
<initialValue>5,6,7</initialValue>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>quality=</valuePrefix>
<delimiter> OR </delimiter>
<default>5,6,7</default>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>index=wine $tok_quality$
| stats count by quality</query>
<earliest>0</earliest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">none</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="charting.legend.labels">[5,6,7]</option>
<option name="charting.seriesColors">[B6C75A,F589AD,AAABAE]</option>
</chart>
</panel>
</row>
</form> Everything is working as expected. You might compare your dashboard to this one and see what you've done different. I hope this helps. If it doesn't help, you shall give more details about your problem like your complete dashboard code for example. And i don't know what "Also please help to get the color codes data as well." is supposed to mean.
... View more
11-26-2019
08:44 AM
Hello @techiesid,
thank you for your time and work! First of all, i tried to use your dashboard and what i see is only regarding the _internal index, which is not quite what i am looking for. You changed my base query, which is probably not a good idea. You should look at my data and my search query a little bit more carefully. I am using data with fields called inputsource and dest_index. I renamed them for my dashboard, but i do not need to rename them. Like i said dest_index and inputsource are determined by btool. Which means that there is not necessarily an existing input. Because there could be trouble with read access or there might be no file in that directory on the forwarder. I suppose index=_internal only mentions existing inputs.
The second thing is i do not know in which location i am supposed to put your script into. And i have almost no clue how your script works.
I want to provide some more information which might helps you:
I am using a script with the name btool_inputs with the following content.
/opt/splunkforwarder/bin/splunk btool inputs list | grep -e '^\[\|^index'
My props.conf is:
[inputsconf]
DATETIME_CONFIG = CURRENT
LINE_BREAKER = ([\r\n]+)\[
SHOULD_LINEMERGE = false
TRANSFORMS-throwaway = garbage
EXTRACT-source = \[monitor:\/\/(?[^\]]*)]
EXTRACT-index = index = (?.*)$
My transforms.conf is:
[garbage]
REGEX = ^(?!.*(\[monitor)).*
DEST_KEY = queue
FORMAT = nullQueue
And my inputs.conf is:
[script://$SPLUNK_HOME/etc/apps/input_monitor/bin/btool_inputs]
sourcetype = inputsconf
index = inputmonitor
interval = 60
I hope you might be able to adapt your work this configuration and to tell my how to use the script correctly.
Sincerely
@dpeukert
... View more
11-25-2019
06:59 AM
1 Karma
Hello,
I want to compare my desired monitor inputs to my actual monitor inputs. I am using btool in a script to gather my desired inputs from my forwarders. They look like this:
I want to create a dashboard panel which looks similar to this:
These are my desired inputs. Now I want my sources to be displayed with green font if there are events in the listed index with the listed host and the listed source. Otherwise, they should be displayed with red font. For example if the search query index=_internal host=uf1 source=/opt/splunkforwarder/var/log/splunk in the last hour retrieves at least 1 event, I want '/opt/splunkforwarder/var/log/splunk' to be displayed with green font.
So I have 3 problems. First, I need to know how to run a search for every single entry source in a dashboard.
Second, I need to know how to change font color in a dashboard.
Third, I need to know how to relate the search result to the color.
What I tried so far:
The search for my dashboard panel is
index=inputmonitor
| stats values(inputsource) as source by host, dest_index
| rename dest_index as index
I can not do something like
index=inputmonitor
| stats values(inputsource) as source by host, dest_index
| search index=_dest_index ...
Because the search command will only search my table and will not be able to search an index that is not inputmonitor.
So I really need a new search for every single combination of host, index, and source. Which means I need some kind of loop.
I suppose this is only possible with XML or probably even only with HTML and javascript. I do not have much experience with XML, HTML and javascript. I hope you know how to solve my problem or you have an idea how to solve this at least.
Here is my dashboard:
<dashboard>
<label>Forwarder Monitoring Clone</label>
<row>
<panel>
<title>input sources by host, index</title>
<table>
<search>
<query>index=inputmonitor | stats values(inputsource) as source by host, dest_index | rename dest_index as index</query>
<earliest>-10m</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
<drilldown>
<link target="_blank">search?q=index=$row.index$%20host=$row.host$%20$click.name2$=$click.value2$&earliest=-60m@m&latest=now</link>
</drilldown>
</table>
</panel>
</row>
</dashboard>
Thank you in advance!
... View more
10-23-2019
06:34 AM
Hello,
it seems like you want to use a sparkline in a single value visualization. The second link gives the most important information about it, namely that you need to use the timechart command to be able to get your desired visualization. (You've been using table instead.)
... View more
09-20-2019
06:26 AM
The answer is simple and tricky at the same time.
You just need to add limit=3 after stats.
It seem's simple, but limit doesn't get highlighted as you might be used to. And limit is not mentioned in https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Stats .
This is what you need in more detail:
| sort -elapseJobTime
| stats limit=3 list(JOBNAME) as JOBNAME list(JOBID) as JOBID list(elapseJobTime) as elapseJobTime by desc
... View more
08-20-2019
03:01 AM
First of all, "disabled" is not a key mentioned in props.conf.spec. So you don't need it. Second, you've used LINE_BREAKER = ([\r\n]+) and this is already the default. So you don't need to set this either. I tried to parse your data in my standalone instance and the following stanza was sufficient.
[answersxml]
TRUNCATE = 0
SHOULD_LINEMERGE = false
KV_MODE = xml
I added the "SHOULD_LINEMERGE = false" key-value-pair. I also deleted "CHARSET = UTF-8", because it is default in Linux machines.
The way, how you could have solved this on your own, was to try to input your data in Splunk Web. When you choose "Event Breaks" > Regex your events break correctly immediately. And you see a comment on the changes Splunk made.
... View more
08-12-2019
06:59 AM
First of all you are using $1 and $2 in FORMAT. Every $n represents exactly one capture group in your REGEX. So in your FORMAT you use one capture group more than in your REGEX. That can't work obviously. You don't want to capture what you want to change. You want to capture what you want to keep. So what you probably want to do is using something like this.
REGEX = (.*splunk\[)\d+(\].*)
FORMAT = $1####$2
I tested it and it worked.
... View more
08-09-2019
06:09 AM
You are using the following line:
token.0.replacementType = timestamp
Instead you should use:
token.0.replacementType = replaytimestamp
This should fix your problem.
Tip: The replaytimestamp is based on the difference of the timestamps in your sample file. So you might want to increase the difference in your sample.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-14-2020
07:40 AM
|
Karma given to
