Just as you say, Splunk is not SQL. So, forget join. Please let us know what is the nature of the two searches, how close are they? What are their search periods? Most of the time, you shouldn't run two separate searches, but instead, combine the two into one search, then try to get the result you need from that one search.

> Criteria being if there are duplicate values in fieldA, only the row with the latest value is kept and each row with fieldB joined to fieldA on same ID. or if there are no values for fieldA, just join with null/blank value
> Ideally, we can also throw away all rows with col fieldB that have a timestamp earlier than fieldA but not a hard requirement if that adds too much complexity to the query

Here, you talk about "latest" and "earlier". But your mock data illustration contains no time information. How are volunteers supposed to help?

Now, if you MUST run the two searches separately, yes, there are ways to produce right join output in SPL without using the join command, which most Splunkers advise against. But let's start at the ABCs of asking answerable questions in a data analytics forum. (That's right, this is not a SQL forum.) Here are four golden rules that I call Four Commandments:

1. Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at.
2. Illustrate the desired output from illustrated data.
3. Explain the logic between illustrated data and desired output without SPL.
4. If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.

Start from here.
Is there any difference between an empty macro with () or ""? I see searches with both return results but do not behave the same as index=*. So what do these empty macros actually do? Any clues what logs or where I can further drill down on this?
It doesn't work that way.  Splunk does not notify the user when their account is created.  It's up to the admin (you) to do that.
The simple calculation is daily ingestion times days times compression ratio (15%), but you must also include multipliers such as replication and datamodel acceleration.
@bowesmana Actually there is a lookup from which I want to extract such kind of pattern. Yesterday I performed so much hit and trial and finally the below one is working as expected.

| inputlookup dsa.csv
| eval parts = split(Description, ".")
| eval part1 = mvindex(parts, 0)
| eval part2 = mvindex(parts, 1)
| eval part3 = mvindex(parts, 2)
| eval modified_part2 = if(len(part2) == 1, "0" . part2, part2)
| eval modified_part3 = if(len(part3) == 1, "0" . part3, part3)
| eval modified_description = part1 . "." . modified_part2 . "." . modified_part3
| table Description, modified_description
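The same zero-padding can be done with a single regex replace, which also handles Descriptions that have more or fewer than three dotted components (the split/mvindex approach yields a null modified_description when part3 is missing, because concatenating a null produces null). This is an added example, not the poster's search; the four sample values are constructed here in place of the dsa.csv lookup, and the first component is deliberately left unpadded to match the original's behaviour.

```spl
| makeresults count=1
| eval Description=split("1.2.3,10.4.15,7.12.9,1.2", ",")
| mvexpand Description
| eval modified_description = replace(Description, "\.(\d)(?=\.|$)", ".0\1")
| table Description, modified_description
```

The pattern matches a dot followed by exactly one digit that is itself followed by another dot or the end of the string, so "1.2.3" becomes "1.02.03", "10.4.15" becomes "10.04.15", "7.12.9" becomes "7.12.09" and "1.2" becomes "1.02", while two-digit components are untouched. Against the real lookup, replace the first three lines with `| inputlookup dsa.csv`.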
This issue just happened to me this morning. It was after I performed the data mapping. I was able to fix the issue without clearing my bookmarking etc. by going to setup -> review app configuration -> update content -> force update.
Hi, I have a single search that produces the following table where fieldA and fieldB are arbitrary strings that may be duplicated. This is an exact representation of each event, where each event may have a key "fieldA" or a key "fieldB" but not both, but they always have an ID and Timestamp:

Timestamp  ID  fieldA  fieldB
11115      1           "z"
11245      1   "a"
11378      1   "b"
11768      1           "d"
11879      1           "d"
12550      2   "c"
13580      2           "e"
15703      2           "f"
18690      3           "g"

and I need help to transform the data as follows:

ID  fieldA  fieldB
1   "b"     "d"
1   "b"     "d"
2   "c"     "e"
2   "c"     "f"
3           "g"

Thanks to the suggestion below, I have tried `stats latest(fieldA) list(fieldB)` but I would prefer to not have any multivalued fields. For every distinct value for "fieldA", the latest record with that value would be kept and any records with that ID occurring before that record would be discarded. There is no requirement to have 2 searches. Hope that makes it more clear and easier.
You're probably going to need streamstats - here's an example that demonstrates 5 printers with randomised printing, error and spooling statuses and it then uses streamstats to find each occurrence of printer_error and then counts the occurrences of spooling after the error - it handles multiple occurrences of error followed by spooling

| makeresults count=1000
| streamstats c
| eval _time=now() - (c * 60)
| sort _time
| eval printer="Printer ".(random() % 5), r=random() % 100, status=case(r<3, "printing,error", r<90, "printing", r<100, "spooling")
| fields - r c
| search status IN ("printing,error","spooling")
``` Up to the above is just creating dummy data then removing all the printing events so just error and spooling are left ```
``` Create an occurrence group for each failure ```
| streamstats count(eval(status="printing,error")) as occurrence by printer
``` Ignore the first as it's not relevant here ```
| where occurrence>0
``` Now count spooling events by failure occurrence and save start/end times ```
| stats min(_time) as printer_error max(_time) as last_spooling count(eval(status="spooling")) as spooling by occurrence printer
| fieldformat last_spooling=strftime(last_spooling, "%F %T")
| fieldformat printer_error=strftime(printer_error, "%F %T")
| sort printer printer_error

Hopefully this will give you something to start with
I want to know how much CPU is utilized in our environment along with the trendline @ITWhisperer 
How are you getting your current results - what's your existing SPL?
Have you tried setting TIME_FORMAT in props.conf, e.g.

TIME_FORMAT = %s%9Q

I suspect you won't get nanoseconds, but you should get microseconds; for example, this can get microseconds:

| makeresults
| eval tf="1707613171105412540"
| eval t=strptime(tf, "%s%9Q")
That's fine, but it still doesn't say which servers go in the left panel and which go in the right - how do you decide that logic - anyway, my previous post gives you an example to work with, I hope you can give that a go and see if it can get you where you're trying to get to.
So I have a scheduled search running on the DS to a summary index which pulls all the info from two DS. Index=summery source=sc, which has the serverclass, forwarder, deployment server, deploymentappname info.
Yes, I realised as soon as I posted, so did the isnotnull test
The problem with this is that you will get the same count for all time periods whether or not the node was "present" in that time period. The original (second) search uses dc(node) which will only count the unique instances of node present in each time period.
It is not clear what your events look like but assuming each event has an ERROR_MESSAGE field and you want to count by that message and work out the percentage of the total this represents, you could do something like this:

| stats count by ERROR_MESSAGE
| eventstats sum(count) as total
| eval count=100*count/total
There's always a way to get where you want to go with Splunk. The issue you have is that timechart with a split-by does not end up with a field called node anymore, as the value of node is now the column name. You could use stats by time and other mangling of data, but you'd have to handle missing buckets of time in the average, so a simple solution is to effectively count the columns like this:

| timechart avg(stat1) by node
| eval _nodes=0
| foreach * [ eval _nodes=_nodes + if(isnotnull('<<FIELD>>'), 1, 0) ]
| rename _nodes as nodes

Note the underscore in front of the field name - this prevents Splunk from including this in the * matching for foreach. It will create one more column called nodes with the count of nodes.
Try something like this:

| timechart span=1h avg(stat1) by node
| untable _time node avg
| appendpipe [| stats count as avg by _time | eval node="Nodes"]
| xyseries _time node avg
You haven't explained a fundamental part of the problem - how do you know which servers go into US and which servers go into UK (or EAST and WEST as in your example). You need to know how you can tell if server 1 belongs to panel 1 or panel 2. Then you simply need to have a base search that splits up the selected servers according to their region, e.g.

| makeresults
| eval server=split($server|s$, ",")
| mvexpand server
| eval region=<<DEFINE YOUR LOGIC HERE TO CREATE REGION BASED ON HOST>>
| stats values(server) as server by region
| eval server=mvjoin(server, ",")
| transpose 0 header_field=region

and then you have a <done> clause where you set the tokens for each panel accordingly

<done>
  <set token="region_1">$result.region_1$</set>
  <set token="region_2">$result.region_2$</set>
</done>

and you then use the region_1 and region_2 tokens in your panels instead of $server$.
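To show how the base search and the <done> handler fit together in a dashboard, here is a complete Simple XML form as an added example; it is not the poster's code. The index name os, the cpu field and the rule that UK hostnames start with uk are assumptions standing in for the poster's own region logic, and the multiselect input supplies the comma-separated server list that the base search splits.

```xml
<form>
  <label>Servers split by region (added example)</label>
  <fieldset submitButton="false">
    <!-- The selected hosts arrive in $server$ joined by the delimiter below -->
    <input type="multiselect" token="server">
      <label>Servers</label>
      <search>
        <!-- "os" is an assumed index name; use the index that holds your host data -->
        <query>index=os | stats count by host | fields host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
  <!-- Base search: one row per selected server, tagged with a region,
       then pivoted so each region becomes a column of comma-joined hosts -->
  <search id="region_split">
    <query>| makeresults
| eval server=split("$server$", ",")
| mvexpand server
| eval region=if(match(server, "^uk"), "region_1", "region_2")
| stats values(server) as server by region
| eval server=mvjoin(server, ",")
| transpose 0 header_field=region</query>
    <!-- Runs when the base search finishes; $result.X$ reads the first result row -->
    <done>
      <set token="region_1">$result.region_1$</set>
      <set token="region_2">$result.region_2$</set>
    </done>
  </search>
  <row>
    <panel>
      <title>UK</title>
      <table>
        <search>
          <!-- "cpu" is an assumed field name -->
          <query>index=os host IN ($region_1$) | stats avg(cpu) as avg_cpu by host</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>US</title>
      <table>
        <search>
          <query>index=os host IN ($region_2$) | stats avg(cpu) as avg_cpu by host</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The match() test on the hostname is the placeholder for whatever actually decides a server's region (a lookup of host to region would be the usual choice). If every selected server lands in one region, the other region's column never exists in the transposed result, so that token stays unset and its panel does not run; clear both tokens with <unset> in the done handler first if the panels must refresh on every selection change.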