Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- About spitchika
spitchika
Path Finder
Member since:
07-22-2020
07-26-2022
Community Statistics
| Posts | 30 |
| Solutions | 2 |
| Karma Given | 7 |
| Karma Received | 7 |
| Member Since | 07-22-2020 |
Activity Feed
- Posted Can anyone guide me on how to add dropdown inputs at panel level in Dashboard Studio on Dashboards & Visualizations. 07-26-2022 04:19 AM
- Tagged Can anyone guide me on how to add dropdown inputs at panel level in Dashboard Studio on Dashboards & Visualizations. 07-26-2022 04:19 AM
- Karma Re: Not able to STore Job earliest time and latest time in variables for further use for richgalloway. 06-09-2022 05:57 PM
- Posted Why am I not able to store job earliest time and latest time in variables for further use? on Splunk Search. 06-09-2022 05:12 PM
- Posted Re: Set the time range picker in my query? on Splunk Search. 08-15-2020 03:22 PM
- Posted Re: Set the time range picker in my query? on Splunk Search. 08-15-2020 02:53 PM
- Karma Re: How to extract multiple values for multiple fields within a single event? for to4kawa. 08-07-2020 12:05 PM
- Karma Re: How to extract multiple values for multiple fields within a single event? for cbwillh. 08-07-2020 12:03 PM
- Posted Re: How to extract multiple values for multiple fields within a single event? on Splunk Search. 08-07-2020 11:59 AM
- Got Karma for Re: How to extract multiple values for multiple fields within a single event?. 08-07-2020 11:34 AM
- Got Karma for Re: How to extract multiple values for multiple fields within a single event?. 08-07-2020 11:34 AM
- Got Karma for Re: How to extract multiple values for multiple fields within a single event?. 08-07-2020 11:34 AM
- Posted Re: How to extract multiple values for multiple fields within a single event? on Splunk Search. 08-07-2020 10:54 AM
- Posted Re: How to extract multiple values for multiple fields within a single event? on Splunk Search. 08-07-2020 10:09 AM
- Posted Re: How to extract multiple values for multiple fields within a single event? on Splunk Search. 08-07-2020 08:43 AM
- Posted Re: Compare value of row'1', column'1' with row'n', column'n' and if matched then diff=(Size_In_MB_new-Size_In_MB) on Splunk Search. 08-05-2020 02:12 PM
- Karma Re: Is it possible to have drop-down choice value as a link to another dashboard? for niketn. 08-05-2020 12:35 PM
- Got Karma for Re: Different colors for each column in chart?. 08-03-2020 01:53 AM
- Posted Re: Different colors for each column in chart? on Dashboards & Visualizations. 08-02-2020 07:10 AM
- Posted Re: Token not getting set on default value of input dropdown on Dashboards & Visualizations. 07-31-2020 06:53 AM
Topics I've Started
07-26-2022
04:19 AM
Hello, In my classic dashboards, I have created input fields with in my panel so that I can use them only for that specific panel. However, with dashboard studio I am able to create inputs at global level only and I am unable to place them next to my panels unlike classic version. Can anyone help me, if you already tried achieving this? Thank You.
... View more
- Tags:
- Dashboard Studio
Labels
- Labels:
-
Dashboard Studio
06-09-2022
05:12 PM
Hi, I want to store earliest and latest times of my search in variables to use them in further operations.
But I am unable to do so. I am trying like below.
| makeresults | eval jobEarliestTime = $job.earliestTime$ | eval jobLatestTime = $job.latestTime$
Could anyone help me on this?
Thank You.
... View more
- Tags:
- splunk-search
Labels
- Labels:
-
other
08-15-2020
03:22 PM
Atleast same query working for me... I selected last 15 mins on 8/15 but I gave time in 8/14 and I still get results.
... View more
08-15-2020
02:53 PM
You can append earliest and latest tags to your query like below. index=* earliest=08/15/2020:17:0:0 latest=08/15/2020:18:0:0
... View more
08-07-2020
11:59 AM
I took one event and tried like below. | makeresults | eval value= "Aug 7 03:01:12 NSX-Edge03-0 MsgMgr[2349]: [MDCM]: payload len:1019 data:{\"systemEvents\":[{ \"moduleName\":\"vShield Edge LoadBalancer\", \"severity\":\"Informational\", \"eventCode\":\"30302\", \"message\":\"A Loadbalancer Server Status is changed to DOWN\", \"timestamp\":1596794458, \"metaData\":{ \"listener\" : \"Carson_MDCM_Servers\", \"server\" : \"Server69\" } },{ \"moduleName\":\"vShield Edge LoadBalancer\", \"severity\":\"Informational\", \"eventCode\":\"30302\", \"message\":\"A Loadbalancer Server Status is changed to DOWN\", \"timestamp\":1596794458, \"metaData\":{ \"listener\" : \"WT_MDCM_Servers\", \"server\" : \"Server81\" } },{ \"moduleName\":\"vShield Edge LoadBalancer\", \"severity\":\"Informational\", \"eventCode\":\"30301\", \"message\":\"A Loadbalancer Server Status is changed to UP\", \"timestamp\":1596794468, \"metaData\":{ \"listener\" : \"WT_MDCM_Servers\", \"server\" : \"Server81\" } },{ \"moduleName\":\"vShield Edge LoadBalancer\", \"severity\":\"Informational\", \"eventCode\":\"30301\", \"message\":\"A Loadbalancer Server Status is changed to UP\", \"timestamp\":1596794478, \"metaData\":{ \"listener\" : \"Carson_MDCM_Servers\", \"server\" : \"Server69\" } }]}" | rex field=value max_match=0 "message\":\"(?<TotalMessage>[^\"]+)" | rex field=value max_match=0 "listener\" : \"(?<Site>[^\"]+)" | rex field=value max_match=0 "server\" : \"(?<Server>[^\"]+)" | table Server,Site,TotalMessage
... View more
08-07-2020
10:54 AM
1 Karma
Please try this... Your extracted variable is "TotalMessage". So I changed it in your query sourcetype=syslog_nsxedge host="NSX-Edge03-0" server!="NULL" | rex field=_raw max_match=0 "message\":\"(?<TotalMessage>[^\"]+)" |sort - _time |fieldformat _time = strftime(_time, "%b %d, %Y - %H:%M") |mvexpand TotalMessage |table _time,server,site,TotalMessage
... View more
08-07-2020
10:09 AM
1 Karma
Before |Table statement, use "| mvexpand message" if you already captured messages using | rex max_match=0
... View more
08-07-2020
08:43 AM
1 Karma
Please try this Rex | rex field=_raw max_match=0 "message\":\"(?<TotalMessage>[^\"]+)" | stats values(TotalMessage)
... View more
08-05-2020
02:12 PM
Try this way, it works as I am using similar joins. Fields names in both tables should be same otherwise rename them using "rename " command index=abc source=abc | join type=inner owner,table_name [ search index=xyz source=xyz | stats Size_In_MB_New] | stats owner,table_name,Size_In_MB,Size_In_MB_New | eval DiffSize= Size_In_MB -Size_In_MB_New
... View more
08-02-2020
07:10 AM
1 Karma
If you want simplified version then you can use "Chart" instead of "Stats" like below. index="nephos" "item" | eval TimeOfTheDay=case(date_hour>=0 AND date_hour<=6,"Dawn", date_hour>6 AND date_hour<=12,"Morning", date_hour>12 AND date_hour<=18,"Afternoon", date_hour>18 AND date_hour<=23,"Evening") | eval orderedTimeOfTheDay=case(TimeOfTheDay=="Dawn",1,TimeOfTheDay=="Morning",1,TimeOfTheDay=="Afternoon",1,TimeOfTheDay=="Evening",1) | chart usenull=f count as Orders by orderedTimeOfTheDay,TimeOfTheDay
... View more
07-31-2020
06:53 AM
Try this It works perfectly for me... <form> <label>Dummy</label> <init> <set token="custom_time_token">$dailytoken$</set> <unset token="daily_enable"></unset> <unset token="weekly_enable"></unset> <unset token="monthly_enable"></unset> </init> <search> <query> | makeresults | eval today=strftime(now()+19800, "%m/%d/%Y") , currentweek=strftime(now()+19800, "%U-%Y") , currentmonth=strftime(now()+19800, "%b-%Y") | table today currentweek currentmonth </query> <done> <set token="dailytoken">$result.today$</set> <set token="weeklytoken">$result.currentweek$</set> <set token="monthtoken">$result.currentmonth$</set> </done> </search> <search id="basequery"> <query> searchterms | search scheduled_delivery_date="$tok_daily$" AND week_of_year="$tok_weekly$" AND delivery_month="$tok_monthly$" </query> <earliest>-1mon@mon</earliest> <latest>now</latest> </search> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="custom_time_token" searchWhenChanged="true"> <label>Select View</label> <choice value="dailytok">Daily</choice> <choice value="weekly">Weekly</choice> <choice value="monthly">Monthly</choice> <change> <condition value="dailytok"> <set token="tok_daily">$dailytoken$</set> <set token="daily_enable"></set> <unset token="monthly_enable"></unset> <unset token="weekly_enable"></unset> </condition> <condition value="weekly"> <set token="tok_weekly">$weeklytoken$</set> <set token="weekly_enable"></set> <unset token="daily_enable"></unset> <unset token="monthly_enable"></unset> </condition> <condition value="monthly"> <set token="tok_monthly">$monthtoken$</set> <set token="monthly_enable"></set> <unset token="daily_enable"></unset> <unset token="weekly_enable"></unset> </condition> </change> <default>dailytok</default> <initialValue>dailytok</initialValue> </input> </fieldset> <row> <panel depends="$weekly_enable$"> <html> <div>Hello_Its Weekly</div> </html> </panel> <panel depends="$daily_enable$"> <html> <div>Hello_Its Daily</div> </html> </panel> <panel depends="$monthly_enable$"> <html> <div>Hello_Its Monthly</div> </html> </panel> </row> </form>
... View more
07-30-2020
01:17 PM
Yes, it will not set because you are validating "Daily" only on change event... Instead do like below in "Init" tags itself. This works for your scenario. If you are using form then include after <form> and same case with <dashboard> tag as well. <form> <init> <set token="tok_daily">$dailytoken$</set> <set token="tok_weekly">$weeklytoken$</set> </init>
... View more
07-29-2020
04:40 PM
1 Karma
This will give all log values irrespective of number logs. Trick is you need use "max_match" option with rex. | makeresults | eval value= "log:word1 log:word2 log:word3" | rex field=value max_match=0 "log:(?[^ ]+)" | mvexpand LogValue | fields LogValue | fields - _*
... View more
07-27-2020
08:04 PM
You should go with "inner Join" with subsearch... Something like this Index=index1 sourcetype="st1" field1="abc" | join type=inner ID [search index=index2 ... remaining query} | table your fields Note : Joining field names should be same, so if you have different names then rename them using "rename" command. Hope it gives you some clue. Thanks.
... View more
07-27-2020
07:53 PM
This works for you... | makeresults | eval value="https://abc.com/a1/countries/456/av/int/orig/curr" | rex field=value "coun\D+(?<Num_value>\d+)" | stats values(Num_value)
... View more
07-27-2020
01:48 PM
Try this... | makeresults | eval _raw="2020-07-27T17:55:40.990228+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Begin Execution 2020-07-27T17:55:40.990270+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Establishing connection as: user@domain 2020-07-27T17:55:41.677376+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Connection elapsed time: 0.6870694829999948 2020-07-27T17:55:42.149634+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Query Result: {\"EXPR$0\":{\"0\":1595872451}} 2020-07-27T17:55:42.149669+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Query Status: Success 2020-07-27T17:55:42.149685+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Query Elapsed Time 0.4722382859999996 2020-07-27T17:55:42.218875+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Total Execution Time: 1.2286392209999946 2020-07-27T17:55:42.218918+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 End Execution 2020-07-27T17:55:42.218952+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Overall Executions in this runtime: 20 2020-07-27T17:55:42.522960+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Begin Execution 2020-07-27T17:55:42.523002+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Establishing connection as: user@domain 2020-07-27T17:55:43.120431+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Connection elapsed time: 0.5973759029999997 2020-07-27T17:55:43.690096+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Query Result: {\"EXPR$0\":{\"0\":1595872453}} 2020-07-27T17:55:43.690128+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Query Status: Success 2020-07-27T17:55:43.690144+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Query Elapsed Time 0.5696396760000013 2020-07-27T17:55:43.747893+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Total Execution Time: 1.224972496999996 2020-07-27T17:55:43.747934+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 End Execution 2020-07-27T17:55:43.747947+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Overall Executions in this runtime: 21" | multikv noheader=t | table _raw | rename COMMENT as "this is sample" | rex "\d+ (?<common>[^ ]+)\W(?<ID>\S+)\s(?<messages>.*)" | rex field=messages "(?<field>.*):? (?<value>\S+)" | eval {field}=value | fields - field value message | rename "Query Status:" as Query_status | rename "Query Elapsed Time" as Query_time | rename "Total Execution Time:" as Total_time | chart values(Query_status), values(Query_time), values(Total_time) by ID
... View more
07-27-2020
01:33 PM
| makeresults | eval _raw="2020-07-27T17:55:40.990228+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Begin Execution 2020-07-27T17:55:40.990270+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Establishing connection as: user@domain 2020-07-27T17:55:41.677376+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Connection elapsed time: 0.6870694829999948 2020-07-27T17:55:42.149634+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Query Result: {\"EXPR$0\":{\"0\":1595872451}} 2020-07-27T17:55:42.149669+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Query Status: Success 2020-07-27T17:55:42.149685+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Query Elapsed Time 0.4722382859999996 2020-07-27T17:55:42.218875+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Total Execution Time: 1.2286392209999946 2020-07-27T17:55:42.218918+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 End Execution 2020-07-27T17:55:42.218952+00:00 test-test-test 62a14dc4-d032-11ea-a166-acde48001122 Overall Executions in this runtime: 20 2020-07-27T17:55:42.522960+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Begin Execution 2020-07-27T17:55:42.523002+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Establishing connection as: user@domain 2020-07-27T17:55:43.120431+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Connection elapsed time: 0.5973759029999997 2020-07-27T17:55:43.690096+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Query Result: {\"EXPR$0\":{\"0\":1595872453}} 2020-07-27T17:55:43.690128+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Query Status: Success 2020-07-27T17:55:43.690144+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Query Elapsed Time 0.5696396760000013 2020-07-27T17:55:43.747893+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Total Execution Time: 1.224972496999996 2020-07-27T17:55:43.747934+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 End Execution 2020-07-27T17:55:43.747947+00:00 test-test-test 638b2c5a-d032-11ea-a166-acde48001122 Overall Executions in this runtime: 21" | multikv noheader=t | table _raw | rename COMMENT as "this is sample" | rex "\d+ (?<common>[^ ]+)\W(?<ID>\S+)\s(?<messages>.*)" | rex field=messages "(?<field>.*):? (?<value>\S+)" | eval {field}=value | fields - field value message | rename "Query Status:" as Query_status | rename "Query Elapsed Time" as Query_time | rename "Total Execution Time:" as Total_time | chart values(Query_status), values(Query_time), values(Total_time) by ID
... View more
- Tags:
- chart
07-27-2020
10:28 AM
Yes your answer perfectly works... | makeresults | eval value="98.32%" | eval Availability = round(tonumber(rtrim(value, "%")) / 100, 4)
... View more
07-27-2020
10:01 AM
This works perfectly for your requirement. index=abc host=* source=/var/opt/appworkr/logs/logname "item" | timechart span=1h count | eval Throughput=round(count/3600,0) | timechart span=1h values(Throughput)
... View more
- Tags:
- timechart
07-27-2020
08:43 AM
While joining 2 queries... try to use join type as inner. "| join type=inner"
... View more
07-27-2020
08:27 AM
1 Karma
In both these cases you need to use input field token in your query like $Token$ to use it as variable.
... View more
07-27-2020
08:24 AM
1# Best way is, populate all your _time into Dropdown input and select from there. You can just include dropdown and in search string you can give a query to populate dates (I think you already have that query based on your screenshot) 2# in case your dates are too many then its difficult to select from drop down, in that case you can go with "Textbox" input type, It will act as variable in programming language :).
... View more
07-27-2020
08:04 AM
index=testIndex namespace=testNameSpace host=\*testHost* log=\*EVENT_PROCESSED* | eventstats count as "TotalCount" | eval throughput=TotalCount/3600 | timechart span=1h values(throughput) Your query might look like this.
... View more
07-27-2020
07:59 AM
When you use your first query, you need to say throughput in "per sec" unit. With span=1h, you can still use "count" only say throughput in "Per hour" unit. If you still want to calculation then store count into another variable like | eventstats count as "Totalcount" then do calculation using eval
... View more
- Tags:
- eventstats
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-26-2022
10:07 PM
|
