All Posts


Replace stats in the query with timechart and it should work.
index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage idx=* | timechart span=1d sum(b) as usage | eval usage=round(usage/1024/1024/1024) | eval usage=tostring(usage, "commas")
As an alternative you can use other functions | eval trimmed_email=trim(Employee_Email,"\"[]") or | eval substr_email=substr(Employee_Email,3,len(Employee_Email)-4)
You're doing stats aggregation to a single value. Your stats sum(b) will produce just one overall number.
Hi @scout29, see the Monitoring Console app or [Settings > License > License Consumption Report > previous 30 days] and you'll have your search. Ciao. Giuseppe
I am trying to create a bar chart that shows the total daily Splunk ingestion (in TB) by day for the past month. I am using the below search, but I am not able to get |timechart to work to display the total ingestion by day. What am I missing?
index=_internal source="/opt/splunk/var/log/splunk/license_usage.log" type=Usage idx=* | stats sum(b) as usage | eval usage=round(usage/1024/1024/1024) | eval usage=tostring(usage, "commas")
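A search that produces the chart asked for above, as an added example rather than anything posted in the thread. It assumes the license_usage.log lives in the default location on the license manager (matched with a wildcard instead of an absolute path) and that the b field is bytes. Two details the posted search gets wrong are corrected here: dividing by 1024 three times gives GB, not TB, and tostring(..., "commas") turns the value into a string, which the chart cannot plot, so the number is kept numeric and commas are left to the table formatter. The second search uses the type=RolloverSummary records, which carry one daily total per day and are far fewer events than the per-minute Usage records; the 43200-second shift moves the midnight summary back onto the day it describes.

```spl
index=_internal source=*license_usage.log type=Usage idx=* earliest=-30d@d latest=@d
| timechart span=1d sum(b) as bytes
| eval usage_tb=round(bytes/pow(1024,4), 3)
| fields _time usage_tb

index=_internal source=*license_usage.log type=RolloverSummary earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(b) as bytes by _time
| eval usage_tb=round(bytes/pow(1024,4), 3)
| fields _time usage_tb
```

Both searches must run on the license manager (or on a search head that searches its _internal index); indexers only report usage to it. If you want a per-index breakdown, change the first search to timechart span=1d sum(b) as bytes by idx and apply the eval to the split series with foreach.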
thanks for clarifying
You need to escape the square brackets and double quotes | eval test1=replace(replace(Employee_Email,"\[\"",""),"\"\]","")
Hi, we moved a customer from virtualized Splunk indexers to physical machines with NVMe storage. Since we performed this migration the customer experiences slower results when running dense searches. So I checked the job inspector and it seems that there is an issue. As far as I understood, the value "dispatch.fetch" is the time the SH waits for the idx to return the results. Is this value based on network or storage conditions? Attached is the slightly blurred job inspector.
Hi, thanks for your reply. I just had a look in the transforms.conf file and saw stanzas such as:
[system_props_xml_attributes]
# Extracts values from following fields:
# Provider: Name, Guid
# TimeCreated: SystemTime, RawTime
# Correlation: ActivityID, RelativeActivityID
# Execution: ProcessID, ThreadID, ProcessorID, SessionID, KernelTime, UserTime, ProcessorTime
# Security: UserID
So, for the element "Provider", Name & Guid are attributes; similarly for the element "TimeCreated", SystemTime & RawTime are attributes. So the fields are parsing correctly, right?
Edit: I tried: | eval test1 = replace(Employee_Email, "[" , "")
Hi, I have a field called "Employee_Email". This field contains the value:
["firstname.lastname@gmail.com"]
How do I remove the special characters [" and "]? I tried:
| eval test1 = replace (Employee_Email "[" , "")
But when I tried to remove either [ or " it gives me the following errors:
Error in 'EvalCommand': Regex: missing terminating ] for character class
Or: Unbalanced quotes.
Is there a way to ignore the normal effect of [ and "?
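The escaping rules the answers above describe, shown on constructed input as an added example (not code from the thread). Inside an eval string literal, \" is a literal double quote and \[ reaches the regex engine as an escaped bracket, so [ is not read as the start of a character class. The example also anchors the pattern with ^ and $ so only the outer wrapper is removed, and adds a second constructed value with two addresses to show why an unanchored strip plus split is needed when the field holds a JSON-style array rather than a single value. The sample values and the field names cleaned, emails and extracted are assumptions made for this example.

```spl
| makeresults
| eval Employee_Email="[\"firstname.lastname@gmail.com\"]"
| append [| makeresults | eval Employee_Email="[\"a@example.com\",\"b@example.com\"]"]
| eval cleaned=replace(Employee_Email, "^\[\"|\"\]$", "")
| eval emails=split(replace(Employee_Email, "[\[\]\"]", ""), ",")
| rex field=Employee_Email "^\[\"(?<extracted>[^\"]+)\"\]$"
| table Employee_Email cleaned emails extracted
```

For the single-address row, cleaned and extracted both yield firstname.lastname@gmail.com. For the two-address row, cleaned still contains the inner "," separator and extracted stays empty because the anchored rex refuses to match, while emails becomes a two-value multivalue field; that is the case to check for before trusting a replace that only strips the ends.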
The element (field) is "Provider"; "Name" and "Guid" for that matter are attributes of the element. For example, if you extract the fields with spath you will get ...Provider@Name, showing that it is an attribute.
You could consider area charts, which sort of mix line and column charts.
Thanks for your help... it works.
On one hand, thank you very much; changing this to a column makes the stacking work. On the other hand, the documentation I was reading did list stackMode under line charts, so that is a bit confusing (Chart configuration reference - Splunk Documentation). The teams would prefer line graphs as that is more common for us, but this does get the desired visual. Thank you.
It is not clear what you are trying to achieve here - you already have your tokens in your table search! BTW, your ipaddress dropdown has a fieldForLabel which is not returned by the search.
Stacked mode is not a valid option for line charts - try column charts.
Try something like this:
index=gc source=apps
| eval AMT=if(IND="DR", BASE_AMT*-1, BASE_AMT)
| eval GLBL1=if(FCR="DR", GLBL*-1, GLBL)
| eval DATE="20".REC_DATE
| where DATE = strftime(relative_time(now(), "-30d@d"),"%Y%m%d") OR DATE=strftime(relative_time(now(), "@d"),"%Y%m%d")
| stats sum(AMT) as w3AMT, sum(GLBL1) as w3FEE_AMT by DATE id
| eval w4AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),null(),w3AMT)
| eval w3AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),w3AMT,null())
| eval w4FEE_AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),null(),w3FEE_AMT)
| eval w3FEE_AMT=if(DATE=strftime(relative_time(now(), "@d"),"%Y%m%d"),w3FEE_AMT,null())
| eval DATE=strftime(relative_time(now(), "@d"),"%Y%m%d")
| stats values(*) as * by DATE id
I created a Splunk dashboard that has a lot of filters (multiple dropdowns), and text input with different tokens, and with dynamic tables too. I want to make it dynamic for each filter that I choose, but for now it still can't be dynamic for every existing output and filter. Here is my XML:

<form version="1.1" theme="dark">
  <label>Dashboard Overview</label>
  <fieldset submitButton="false">
    <input type="time" token="global_time" searchWhenChanged="true">
      <label>Select Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="owner" searchWhenChanged="true">
      <label>Select Owner</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <fieldForLabel>owner</fieldForLabel>
      <fieldForValue>owner</fieldForValue>
      <search>
        <query>index=db_warehouse | dedup owner | fields owner | table owner</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="dropdown" token="hostname" searchWhenChanged="true">
      <label>Select Hostname</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>hostname</fieldForLabel>
      <fieldForValue>hostname</fieldForValue>
      <search>
        <query>index=db_warehouse hostname=$hostname$ owner=$owner$ ipaddress=$ipaddress$ cve=$cve$ | dedup hostname | fields hostname | table hostname</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <initialValue>*</initialValue>
    </input>
    <input type="dropdown" token="ipaddress" searchWhenChanged="true">
      <label>Select by IP Address</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>ipaddress</fieldForLabel>
      <fieldForValue>dest</fieldForValue>
      <search>
        <query>index=db_warehouse | search hostname=$hostname$ owner=$owner$ ipaddress=$ipaddress$ cve=$cve$ | dedup dest | fields dest | table dest</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="text" token="cve">
      <label>Search CVE</label>
      <default>*</default>
    </input>
  </fieldset>
  <table>
    <title>Detail Information Table</title>
    <search>
      <query>index=db_warehouse | fields _time, hostname, dest, mac_address, vulnerability_title, os_version, os_description, severity, cvss_score, last_assessed_for_vulnerabilities, solution_types, cve, owner, dest_category | search hostname=$hostname$ owner=$owner$ ipaddress=$ipaddress$ cve=$cve$ | rename dest as ip, dest_category as category | table _time, hostname, ip, mac_address, vulnerability_title, owner, category, cve, os_version, os_description, severity, cvss_score, last_assessed_for_vulnerabilities, solution_types | dedup hostname</query>
      <earliest>$global_time.earliest$</earliest>
      <latest>$global_time.latest$</latest>
    </search>
  </table>
</form>

Is there any reference or solution for this?
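A corrected version of the ipaddress input and the detail table, as an added example and not code from the thread. It keeps the field names of the posted dashboard (dest holds the IP; hostname, owner and cve are the other filters) and changes four things: the dropdown's label and value both come from dest, because that is the only field its populating search returns (the point made in the reply above); the dropdown search no longer filters on its own $ipaddress$ token, which otherwise locks the list to the single value last chosen; the inputs follow the global time picker instead of a hard-coded 24h window; and the table filters on dest=$ipaddress$, since the token carries a dest value, while the free-text CVE token is inserted with the |s filter, which quotes it so a typed pipe cannot extend the search. The trailing dedup hostname of the original is dropped because it hides every finding but one per host.

```xml
<input type="dropdown" token="ipaddress" searchWhenChanged="true">
  <label>Select by IP Address</label>
  <choice value="*">All</choice>
  <default>*</default>
  <initialValue>*</initialValue>
  <!-- both label and value must be fields the populating search returns -->
  <fieldForLabel>dest</fieldForLabel>
  <fieldForValue>dest</fieldForValue>
  <search>
    <!-- filter on the other inputs only; never on this input's own token -->
    <query>index=db_warehouse hostname=$hostname$ owner=$owner$ cve=$cve|s$ | stats count by dest | fields dest</query>
    <earliest>$global_time.earliest$</earliest>
    <latest>$global_time.latest$</latest>
  </search>
</input>

<table>
  <title>Detail Information Table</title>
  <search>
    <!-- the token holds a dest value, so filter on dest; $cve|s$ quotes user-typed text -->
    <query>index=db_warehouse hostname=$hostname$ owner=$owner$ dest=$ipaddress$ cve=$cve|s$
| rename dest as ip, dest_category as category
| table _time, hostname, ip, mac_address, vulnerability_title, owner, category, cve, os_version, os_description, severity, cvss_score, last_assessed_for_vulnerabilities, solution_types</query>
    <earliest>$global_time.earliest$</earliest>
    <latest>$global_time.latest$</latest>
  </search>
</table>
```

The hostname and owner dropdowns want the same treatment: one stats count by <field> | fields <field> populating search per input, filtered on the other tokens and the global time, with the search excluding its own token. With the default * the quoted form cve="*" still behaves as a wildcard, so the All choice keeps working.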