Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mahesh27
mahesh27
Communicator
Member since:
09-02-2022
Sunday
Community Statistics
| Posts | 89 |
| Solutions | 0 |
| Karma Given | 21 |
| Karma Received | 2 |
| Member Since | 09-02-2022 |
Activity Feed
- Posted How to get 1st 3 count on Splunk Search. Sunday
- Posted Re: Alert Query not working as expected on Splunk Search. 3 weeks ago
- Posted Re: Alert Query not working as expected on Splunk Search. 3 weeks ago
- Posted Alert Query not working as expected on Splunk Search. 3 weeks ago
- Posted Re: Need help to combine queries on Splunk Search. 4 weeks ago
- Karma Re: Need help to combine queries for bowesmana. 4 weeks ago
- Posted Re: Need help to combine queries on Splunk Search. a month ago
- Posted Re: Fields are missing on Splunk Search. a month ago
- Posted Fields are missing on Splunk Search. a month ago
- Posted Re: Need help to combine queries on Splunk Search. a month ago
- Karma Re: Need help to combine queries for bowesmana. a month ago
- Posted Re: Need help to combine queries on Splunk Search. a month ago
- Posted Need help to combine queries on Splunk Search. a month ago
- Posted Re: How to compare pervious hour events with present hour on Splunk Search. 04-02-2024 06:34 PM
- Karma Re: How to compare pervious hour events with present hour for yuanliu. 04-02-2024 06:34 PM
- Posted Need help on a query on Splunk Search. 04-01-2024 05:31 PM
- Posted Re: How to compare pervious hour events with present hour on Splunk Search. 03-30-2024 06:17 PM
- Tagged Re: How to compare pervious hour events with present hour on Splunk Search. 03-30-2024 06:17 PM
- Posted Re: How to compare pervious hour events with present hour on Splunk Search. 03-28-2024 06:15 PM
- Posted How to compare pervious hour events with present hour on Splunk Search. 03-28-2024 05:32 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Sunday
Query:
|mstats sum(error.count) as Count where index=metrics_data by provider errorid errorname
|search errorname=apf
Results:
provider
errorid
errorname
Count
Digital it
401
apf
200.0000
Data St
200
apf
500.0000
dtst
0
apf
18.0000
Digital it
100
apf
55.0000
dtst
501
apf
16.0000
Digital it
0
apf
20.0000
Data St
200
apf
300.0000
dtst
201
apf
12.0000
Data St
404
apf
20.0000
Digital it
201
apf
10.0000
Data St
501
apf
10.0000
dtst
201
apf
9.0000
Data St
401
apf
8.0000
dtst
500
apf
3.0000
Data St
555
apf
5.0000
dtst
200
apf
2.0000
expected results:
provider
errorname
errorid
Count
Digital it
apf
401 100 0
200.0000 55.0000 20.0000
Data St
apf
200 200 404
500.0000 300.0000 20.0000
dtst
apf
0 501 201
18.0000 16.0000 12.0000
... View more
Labels
- Labels:
-
stats
3 weeks ago
index=app-logs sourcetype=app-data source=*app.logs* host=appdatajs01 OR host=appdatajs02 OR host=appdatajs03 OR host=appdatajs04
| eval event_ct=1
| append [| makeresults
| eval host="appdatajs01, appdatajs02, appdatajs03, appdatajs04"
| rex field=host mode=sed "s/\s+//g"
| eval host=split(host,",")
| mvexpand host
| eval event_ct=0
]
| stats sum(event_ct) AS event_ct BY host
| where event_ct <100 tried the above query its working as expected, but i need to see data in a span of1m i tried add |bin span=1m but its not working Can anyone help on this request????
... View more
3 weeks ago
@bowesmana , tried below query but its not working index=app-logs sourcetype=app-data source=*app.logs* host=appdatajs01 OR host=appdatajs02 OR host=appdatajs03 OR host=appdatajs04
| inputlookup append=t host_lookup.csv
| fillnull count value=0
| stats count by host below is the csv file used: Hosts appdatajs01 appdatajs02 appdatajs03 appdatajs04
... View more
3 weeks ago
index=app-logs sourcetype=app-data source=*app.logs* host=appdatajs01 OR host=appdatajs02 OR host=appdatajs03 OR host=appdatajs04
|stats count by host
|where count < 100
|bin span=1m _time
We have an alert with the above query, Alert is getting triggered when the count of hosts is less than 100. but not getting triggered when the count of any host is zero. How to make the alert to trigger even when the count=0
... View more
Labels
- Labels:
-
stats
4 weeks ago
@bowesmana , thank you for ur inputs. We created queries according to our data working now. Thank you once again.
... View more
a month ago
Hi @bowesmana, As you suggested We tried below query, but i am getting same values for each msgs strings. Can you please let me know is my query correct?? index=app-index source=application.logs
|rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
| eval msgs=split("Initial message received with below details,Letter published correctley to ATM subject,Letter published correctley to DMM subject,Letter rejected due to: DOUBLE_KEY,Letter rejected due to: UNVALID_LOG,Letter rejected due to: UNVALID_DATA_APP",",")
| mvexpand msgs
| rex field=msgs "(Initial message |Letter published correctley to |Letter rejected due to: )(?<reason>.*)"
|chart count over RampdataSet by reason
|addtotals OUTPUT: Rails below details ATM subject DMM subject DOUBLE_KEY UNVALID_LOG UNVALID_DATA_APP Total WAC 0 0 0 0 0 0 0 WAX 15 15 15 15 15 15 90 WAM 20 20 20 20 20 20 120 STC 12 12 12 12 12 12 72 STX 30 30 30 30 30 30 180 OTP 10 10 10 10 10 10 60 TTC 5 5 5 5 5 5 30 TAN 7 7 7 7 7 7 42 TXN 10 10 10 10 10 10 60 WOU 12 12 12 12 12 12 72
... View more
a month ago
@yuanliu , yes i tried the below query, but i getting 0 results index=test-index (data loaded) OR ("GET data published/data/ui" OR "GET /v8/wi/data/*" OR "GET data/ui/wi/load/success")
| rex field=DATA mode=sed "s/ *[\|}\]]/\"/g s/: *\[*/=\"/g"
| rename DATA AS _raw
| kv
|search ACTION= start OR ACTION=done NOT SERVICE="null"
|eval split=SERVICE.":".ACTION
|timechart span=1d count by split
|eval _time=strftime(_time, "%d/%m/%Y")
| table _time *START *DONE
... View more
a month ago
Here is the sample log: {"date": "1/2/2022 00:12:22,124", "DATA": "[http:nio-12567-exec-44] DIP: [675478-7655a-56778d-655de45565] Data: [7665-56767ed-5454656] MIM: [483748348-632637f-38648266257d] FLOW: [NEW] { SERVICE: AAP | Applicationid: iis-675456 | ACTION: START | REQ: GET data published/data/ui } DADTA -:TIME:<TIMESTAMP> (0) 1712721546785 to 1712721546885 ms GET /v8/wi/data/*, GET data/ui/wi/load/success", "tags": {"host": "GTU5656", "insuranceid": "8786578896667", "lib": "app"}} We have around 10 services, by using below query i am getting 8 services and other 2 are not getting displayed in the table. But we can view them in events. Filed extraction is working correctly. not sure why other 2 services are not showing up in the table. index=test-index (data loaded) OR ("GET data published/data/ui" OR "GET /v8/wi/data/*" OR "GET data/ui/wi/load/success")
|rex field=_raw "DIP:\s+\[(?<dip>[^\]]+)."
|rex field=_raw "ACTION:\s+(?<actions>\w+)"
|rex dield=_raw "SERVICE:\s+(?<services>\S+)"
|search actions= start OR actions=done NOT service="null"
|eval split=services.":".actions
|timechart span=1d count by split
|eval _time=strftime(_time, "%d/%m/%Y")
|table _time *start *done Current output: (DCC:DONE &PIP:DONE fields are missing) _time AAP:START ACC:START ABB:START DCC:START PIP:START AAP:DONE ACC:DONE ABB:DONE 1/2/2022 1 100 1 100 1 1 66 1 2/2/2022 5 0 5 0 3 3 0 3 3/2/2022 10 0 10 0 8 7 0 8 4/2/2022 100 1 100 1 97 80 1 80 5/2/2022 0 5 0 5 350 0 4 0 Expected output: _time AAP:START ACC:START ABB:START DCC:START PIP:START AAP:DONE ACC:DONE ABB:DONE DCC:DONE PIP:DONE 1/2/2022 1 100 1 100 1 1 66 1 99 1 2/2/2022 5 0 5 0 3 3 0 3 0 2 3/2/2022 10 0 10 0 8 7 0 8 0 3 4/2/2022 100 1 100 1 97 80 1 80 1 90 5/2/2022 0 5 0 5 350 0 4 0 5 200
... View more
Labels
- Labels:
-
field extraction
a month ago
Hi @bowesmana , Thank you for sharing the query, it worked. But i have another query, how do we write rex to extract these strings: index=app-index source=application.logs ("Initial message received with below details" OR "Letter published correctley to ATM subject" OR Letter published correctley to DMM subject" OR "Letter rejected due to: DOUBLE_KEY" OR "Letter rejected due to: UNVALID_LOG" OR "Letter rejected due to: UNVALID_DATA_APP")
... View more
a month ago
Query1:
index=app-index source=application.logs "Initial message received with below details"
|rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
|stats count as IntialMessage by RampdataSet
output:
RampdataSet
IntialMessage
WAC
10
WAX
30
WAM
22
STC
33
STX
66
OTP
20
Query2:
index=app-index source=application.logs "Initial message Successfull"
|rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
|stats count as SuccessfullMessage by RampdataSet
output:
RampdataSet
SuccessfullMessage
WAC
0
WAX
15
WAM
20
STC
12
STX
30
OTP
10
TTC
5
TAN
7
TXN
10
WOU
12
Query3:
index=app-index source=application.logs "Initial message Error"
|rex field= _raw "RampData :\s(?<RampdataSet>\w+)"
|stats count as ErrorMessage by RampdataSet
output:
RampdataSet
ErrorMessage
WAC
0
WAX
15
WAM
20
STC
12
We want to combine three queries and want to get the output as shown below, how to do that???
RampdataSet
IntialMessage
SuccessfullMessage
ErrorMessage
Total
WAC
10
0
0
10
WAX
30
15
15
60
WAM
22
20
20
62
STC
33
12
12
57
STX
66
30
0
96
OTP
20
10
0
30
TTC
0
5
0
5
TAN
0
7
0
7
TXN
0
10
0
10
WOU
0
12
0
12
... View more
Labels
- Labels:
-
stats
04-02-2024
06:34 PM
Hi @yuanliu , thank you so much, it worked
... View more
04-01-2024
05:31 PM
|msats sum(count-error) as Failed where index=metrics_index by service errorNumber errortype Results: service errorNumber errortype Failed aaca 0 fail 8 aaca 10 pass 1000 aaca 25 fail 290 aaca 120 fail 8 aaca 80 pass 800 aaca 200 fail 400 aaca 210 pass 22 aaca 500 fail 10 aaw 120 fail 8 aaw 80 pass 2000 aaw 200 fail 3 aaw 210 pass 56 aaw 500 fail 22 aaw 0 pass 0 www 0 fail 8 www 10 pass 1000 www 25 fail 290 www 120 fail 8 www 80 pass 800 www 200 fail 400 amb 500 fail 10 amb 120 fail 8 amb 80 pass 2000 amb 200 fail 3 amb 210 pass 56 amb 500 fail 22 amb 0 pass 0 asf 0 fail 8 asf 10 pass 1000 asf 0 pass 0 asf 0 fail 8 asf 10 pass 1000 But we want the output as shown below: We need only top 4 errornumber show up along with the failed count service errorNumber errortype Failed aaca 0 fail 2538 10 pass 25 fail 120 fail 80 pass 200 fail 210 pass 500 fail aaw 120 fail 2089 80 pass 200 fail 210 pass 500 fail 0 pass www 0 fail 2506 10 pass 25 fail 120 fail 80 pass 200 fail amb 500 fail 2099 120 fail 80 pass 200 fail 210 pass 500 fail 0 pass asf 0 fail 2016 10 pass 0 pass 0 fail 10 pass
... View more
Labels
- Labels:
-
field extraction
03-30-2024
06:17 PM
Hi @yuanliu , as suggested, I tried below query, but i am not getting expected output. I mean i am not getting previous hour data under delta row. all values are 0. please see my output. |mstats sum(transaction) as Trans where index=host-metrics service=login application IN(app1, app2, app3, app4) span=1h by application
|streamstats window=2 global=false range(Trans) as delta max(Trans) as Trans_max max(_time) as _time by application
|sort application _time
|eval delta = if(Trans_max == Trans, delta, "-" . delta)
|eval pct_delta = delta / Trans * 100
|fields - Trans_max Output: _time application Trans delta_Trans pct_delta_Trans 2022-01-22 02:00 app1 3456.000000 0.000000 0.000000 2022-01-22 02:00 app2 5632.000000 0.000000 0.000000 2022-01-22 02:00 app3 5643.000000 0.000000 0.000000 2022-01-22 02:00 app4 16543.00000 0.000000 0.000000
... View more
- Tags:
- other
03-28-2024
06:15 PM
hi @yuanliu , when i run the below query, trans values are fine, but getting negative values and empty row for the delta_Trans and pct_delta_Trans fields values are not correct. _time application Trans delta_Trans pct_delta_Trans 2022-01-22 02:00 app1 3456.000000 2022-01-22 02:00 app2 5632.000000 -1839.000000 -5438.786543 2022-01-22 02:00 app3 5643.000000 36758.000000 99.76435678 2022-01-22 02:00 app4 16543.00000 -8796.908678 -8607.065438
... View more
03-28-2024
05:32 PM
I want to compare pervious hour data with present hour data and get the percentage using below query. |mstats sum(transaction) as Trans where index=host-metrics service=login application IN(app1, app2, app3, app4) span=1h by application
... View more
Labels
- Labels:
-
stats
03-28-2024
10:40 AM
Hi @richgalloway @isoutamo , thank you for the information and help.
... View more
03-27-2024
02:49 PM
we are trying to set up a cron schedule on alert to run only on weekends(sat and sun) at 6am, 12pm, 8pm , 10pm i tired giving below cron in Splunk, it is saying invalid cron, can any one help on this??
... View more
Labels
- Labels:
-
other
03-19-2024
03:00 PM
Sample Logs: <<< Reporting.logs : 2454 : 15671231232345:INFO :com.am.sss.inws.sample.connector.SampleDBinternalexternal:::XII KEY:: g67a124-6f55-433a-345aexwc vx:: REQS REQUID :: 34567d34-1245-4asd-a27f-42345cvdwwxz:: SUB REQUID:: 7866-ghnb5-33333:: Application :barcode! company :: Org : Branch-loc :: TIME:<TIMESTAMP> (12) 2022/01/22 17:17:58:208 to 17:17:58:212 4 ms Generic BF Invoice time for one statment with parameters
<<< Applicationlogs : 2454 : 15671231232345:INFO :com.am.sss.inws.sample.connector.AccountBinding:::XIS KEY:: g67a124-6f55-433a-345aexwc vx:: REQS REQUID :: 7854d34-7623-4asd-a27f-90864cvdwwxz:: SUB REQUID:: 7866-ghnb5-33333:: Application :barcode! company :: Org : Branch-loc :: TIME:<TIMESTAMP> (12) 2022/01/22 17:17:58:208 to 17:17:58:212 4 ms Generic BF Invoice time for one statment with parameters
<<< IntialLogs : 2454 : 15671231232345:INFO :com.am.sss.inws.sample.connector.IntialReortbinding:::XIP KEY:: g67a124-6f55-433a-345aexwc vx:: REQS REQUID :: 12345d34-1288-8asd-a26f-42348cvdwwxz:: SUB REQUID:: 7866-ghnb5-33333:: Application :barcode! company :: Org : Branch-loc :: TIME:<TIMESTAMP> (12) 2022/01/22 17:17:58:208 to 17:17:58:212 4 ms Generic BF Invoice time for one statment with parameters
<<< PartialReportingLogs : 2454 : 15671231232345:INFO :com.am.sss.inws.sample.connector.totalDBinternalexternal:::XII KEY:: g67a124-6f55-433a-345aexwc vx:: REQS REQUID :: 09876d34-6753-3asd-a30f-87654cvdwwxz:: SUB REQUID:: 7866-ghnb5-33333:: Application :barcode! company :: Org : Branch-loc :: TIME:<TIMESTAMP> (12) 2022/01/22 17:17:58:208 to 17:17:58:212 4 ms Generic BF Invoice time for one statment with parameters
<<< FailedLogs : 2454 : 15671231232345:INFO :com.am.sss.inws.sample.connector.SampleDBinternalexternal:::ZII KEY:: g67a124-6f55-433a-345aexwc vx:: REQS REQUID :: 56744d34-1245-4asd-a11f-89765cvdwwxz:: SUB REQUID:: 7866-ghnb5-33333:: Application :barcode! company :: Org : Branch-loc :: TIME:<TIMESTAMP> (12) 2022/01/22 17:17:58:208 to 17:17:58:212 4 ms Generic BF Invoice time for one statment with parameters
<<< Reporting.logs : 2454 : 15671231232345:INFO :com.am.sss.inws.sample.connector.notalwayslogs:::PII KEY:: g67a124-6f55-433a-345aexwc vx:: REQS REQUID :: 89765d34-9875-4asd-a2f-87654cvdwwxz:: SUB REQUID:: 7866-ghnb5-33333:: Application :barcode! company :: Org : Branch-loc :: TIME:<TIMESTAMP> (12) 2022/01/22 17:17:58:208 to 17:17:58:212 4 ms Generic BF Invoice time for one statment with parameters I am not sure how to write rex to do field extraction. please find the below screenshot, i need rex for the highlighted ones:
... View more
Labels
- Labels:
-
field extraction
-
rex
03-14-2024
04:10 PM
i have a dashboard, In that there is a drop down for services. we have 10 panels in a dashboard. When i select service drop down my all 10 panels will get displays as per the service chosen from the from drop down. For example if i choose "passed services" from the drop down instead of showing all panels i want to see only panle1 to panel5 and hide panel 6 to panel 10 how i can do that? <form>
<label>Services_Dashboard</label>
<fieldset submitButton="true" autoRun="true">
<input type="time" token="time" searchWhenChanged="true">
<label> </label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<inputype type="dropdown" token="services" searchWhenChanged="true">
<label>Services</label>
<choice value="*">all</choice>
<choice value="Lgn_srvc">Login services</choice>
<choice value="Fld_srvc">Failed services</choice>
<choice value="Pass_srvc">passed services</choice>
<choice value="Tmout_srvc">timeout services</choice>
<choice value="Lgout_srvc">logout service</choice>
<choice value="Err_srvc">error services</choice>
<choice value="War_srvc">warning services</choice>
<intialValue>*</intialValue>
</input>
</fieldset>
<row>
<panel>
<title>panel1 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
<panel>
<title>panel2 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
<panel>
<title>panel3 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
<panel>
<title>panel4 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
<panel>
<title>panel5 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
<panel>
<title>panel6 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
<panel>
<title>panel7 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
<panel>
<title>panel8 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
<panel>
<title>panel9 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
<panel>
<title>panel10 for $services$</title>
<search>
<query> index=xxx stats count by app</query>
<earliest>time.earliest</earliest>
<latest>time.latest</latest>
</search>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeValues">[0]</option>
<option name="refresh.display">progressbar</option>
</panel>
</row>
</form>
... View more
Labels
- Labels:
-
stats
02-17-2024
03:34 PM
Where I should add that, near application drop down?? can u pls share me the code????
... View more
02-17-2024
10:43 AM
Created 2 drop downs in a dashboard. 1. Country 2. Applications (getting data from .csv file) In applications drop down i am seeing individual applications in the drop down but I need "All" options in the dropdown. How can i do it?? <input type="radio" token="country">
<label>Country</label>
<choice value="india">India</choice>
<choice value="australian">Australian</choice>
<default>india</default>
<intialValue>india</intialValue>
<change>
<condition label="India">
<set token="sorc">callsource</set>
</condition>
<condition label="Australian">
<set token="sorc">callsource2</set>
</condition>
</change>
</input>
<input type="dropdown" token="application" searchWhenChanged="false">
<label>Application</label>
<fieldForLabel>application_Succ</fieldForLabel>
<fieldForValue>application_Fail</fieldForValue>
<search>
<query> |inputlookup application_lists.csv
|search country=$country$
|sort country application_Succ
|fields application_Succ application_Fail</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
</input>
</fieldset>
... View more
Labels
- Labels:
-
lookup
10-13-2023
09:38 AM
Below is the complete xml. here i am not getting how to add the token values to the other panels in the dashboard. Can you help me on that <dashboard>
<label> Dashboard title</label>
<row>
<panel>
<table depends="$hide$">
<title>$Time_Period_Start$ $Time_Period_End$</title>
<search>
<query>| makeresults
| addinfo
| eval SearchStart = strftime(info_min_time, "%Y-%m-%d %H:%M:%S"), SearchEnd = strftime(info_max_time, "%Y-%m-%d %H:%M:%S")
| table SearchStart, SearchEnd</query>
<earliest>-7d@d</earliest>
<latest>@d</latest>
<done>
<set token="Time_Period_Start">$result.SearchStart$</set>
<set token="Time_Period_End">$result.SearchEnd$</set>
</done>
</search>
</table>
</panel>
</row>
<row>
<panel>
<title>first panel</title>
<single>
<search>
<query>|tstats count as internal_logs where index=_internal
</query>
<earliest>-7d@d</earliest>
<latest>@d</latest>
<sampleRatio>1<sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
</row>
<row>
<panel>
<title>second panel</title>
<single>
<search>
<query>|tstats count as audit_logs where index=_audit
</query>
<earliest>-7d@d</earliest>
<latest>@d</latest>
<sampleRatio>1<sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Third panel</title>
<single>
<search>
<query>|tstats count as main_logs where index=main
</query>
<earliest>-7d@d</earliest>
<latest>@d</latest>
<sampleRatio>1<sampleRatio>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
</single>
</panel>
</row>
</dashboard>
... View more
10-05-2023
01:37 PM
Hi @Thulasinathan_M , i tried your xml and generated PDF the start and end date are showing as Invalid in PDF report. And moreover can u take my xml and show me how to add tokens to the panels. so that i can see start and end date in the report.
... View more
- Tags:
- Splunk Enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Sunday
|
Karma given to
