All Posts

Hi @jcorcorans, as @marnall said, your events should take the timestamp from the epoch time in square brackets and assign it to the _time field: it will be readable during the event display. If not, you can extract this epoch time using a regex and then convert it using an eval (regex cannot be used for conversion):

    <your_search> | rex "\[(?<epoch_timestamp>\d+)\]" | eval timestamp=strftime(epoch_timestamp, "%Y-%m-%d %H:%M:%S")

Ciao.
Giuseppe
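A self-contained emulation of the rex/eval approach above, added here as an example and not part of the original reply. The event in the makeresults line is constructed, and the field names epoch_raw and epoch_secs are my own. It also covers the edge case the reply does not mention: a bracketed timestamp in milliseconds (13 digits) rather than seconds (10 digits), which would otherwise produce a date far in the future. tonumber() is applied explicitly so that strftime always receives a number, and _time is overwritten so the event sorts and bins by the extracted time rather than by the time the search ran.

```spl
| makeresults
| eval _raw="[1718102400] host=web01 action=login user=alice"
| rex field=_raw "\[(?<epoch_raw>\d{10,13})\]"
| eval epoch_secs=if(len(epoch_raw)=13, tonumber(epoch_raw)/1000, tonumber(epoch_raw))
| eval _time=epoch_secs
| eval timestamp=strftime(epoch_secs, "%Y-%m-%d %H:%M:%S")
| table _raw epoch_raw epoch_secs _time timestamp
```

Replace the first two lines with your own base search to run this against indexed data; the rex requires the bracketed number to be the only thing between the square brackets, so adjust the pattern if your events carry other bracketed fields.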
Could you tell how?
Try using REST to retrieve the saved searches and look for the search you are interested in.
Okay, I only know the index("_internal").
How would you identify it if you found it? Do you know if it has been executed and if so when? Do you know which index(es) are searched? Do you know who wrote it?
I have a saved search, but I don't know the name of that saved search. How do I get it?
Hi,

Thank you so much for your inputs; sorry, I didn't convey my question properly.

Query 1: For example, we have fieldname1, fieldname2, fieldname3, all of which are long texts. We want to use a reveal token and drilldown option for all three fieldnames. When I click fieldname1, it should expand fieldname1 only, instead of expanding fieldname1, fieldname2 and fieldname3. Similarly, when I click fieldname2, it should expand fieldname2 but not all three fieldnames. Only if I click on all three fieldnames should it expand all three; otherwise it should expand based on the selected fieldname.

Query 2: If it is possible to have the additional feature below, it would be very helpful. For example: all three fieldnames are column names in a table, and the table has more than 10 rows with longer text. Is it possible to expand a single row, and for a single column name/fieldname, based on the selection?

Thanks,
Srinivasulu S
Is this what you're looking for? https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/secretstorage/
You possibly want this

    ... | chart count max(_time) as MaxTime over aRange by aType
    | eval aRange = aRange+1
    | rename "count: 0" AS A, "count: 1" AS B
    | eval aPercentage = round((A / B) * 100)

and then you will also have two columns, MaxTime: 0 and MaxTime: 1, and then you can do

    | eval MaxTime=max('MaxTime: 0', 'MaxTime: 1')
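A runnable emulation of the chart-with-two-aggregations approach from the reply above, and of the aRange/aType search in the follow-up question further down, added here as an example; it is not code from either poster. The six rows in makeresults are constructed (epoch seconds in a ts column, two ranges, two types), and the aRange/aType/A/B/aPercentage names are taken from the thread. The point it demonstrates is the column naming that chart produces when it has more than one aggregation and a split-by field: the columns come out as "count: 0", "count: 1", "MaxTime: 0", "MaxTime: 1", which is why the rename and the single-quoted field references in max() are needed.

```spl
| makeresults format=csv data="ts,aRange,aType
1700000000,0,0
1700000060,0,1
1700000120,0,1
1700000180,1,0
1700000240,1,0
1700000300,1,1"
| eval _time=tonumber(ts)
| chart count max(_time) as MaxTime over aRange by aType
| eval aRange=aRange+1
| rename "count: 0" AS A, "count: 1" AS B
| eval aPercentage=round((A/B)*100)
| eval MaxTime=max('MaxTime: 0', 'MaxTime: 1')
| eval MaxTime=strftime(MaxTime, "%Y-%m-%d %H:%M:%S")
| table aRange A B aPercentage MaxTime
```

With the constructed rows, range 1 (after the +1) has A=1, B=2 and range 2 has A=2, B=1; the MaxTime column is the later of the two per-type maxima, which is what "the relative time for that range" in the follow-up question asks for. If a range has no events of type 1, B is null and aPercentage will be null as well; add `| fillnull value=0 A B` before the eval if you want zeros instead.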
Hi experts, I am early in my experiment journey with Splunk App for DSDL (aka DLTK), pulling some events into a Jupyter notebook by way of Option 2, i.e.:

    <SPL search> | fit MLTKContainer mode=stage algo=my_test * into app:my_test_data

where my_test is just cloned from barebone_template, and I want the input data file to be created with the name "my_test_data". I ran into the following error since the SPL returns 500+ events:

    Input event count exceeds max_inputs for MLTKContainer (100000), model will be fit on a sample of events. To configure limits, use mlspl.conf or the "Settings" tab in the app navigation bar.

Upon checking mlspl.conf, fair enough, max_inputs is set to the default 100,000. However, the resulting my_test_data.csv only contains 1153 lines, and excluding the header row only 1152 events of interest. Why don't I get 100,000 events into the csv file? It's not a disk space issue either, having verified that. More importantly, how can I get the full 100,000 events into my csv file? Any advice is greatly appreciated. Thanks, MCW
I have a follow-up question. What I am trying to figure out is how to introduce 'time' into the results so that I can create a graph showing each range's calculated percentage and the relative time for that range. If each range has a min and max time, how would I go about showing the results as:

    aRange(1), MaxTime(1), aPercentage(1)
    aRange(2), MaxTime(2), aPercentage(2)
    aRange(...), MaxTime(...), aPercentage(...)
    aRange(8), MaxTime(8), aPercentage(8)

Here is the query I'm working with:

    index=anIndex sourcetype=aSourcetype aString1 OR aString2 earliest=-481m@m latest=-1m@m
    | addinfo
    | eval age=info_max_time - _time
    | eval age_ranges=split("1,6,11,31,61,91,121,241",",")
    | eval aRange=null()
    | eval aType = case(match(_raw,"aString1"), 0, match(_raw,"aString2"), 1, true(),9)
    | foreach 0 1 2 3 4 5 6 7 [ eval r=tonumber(mvindex(age_ranges, <<FIELD>>))*60, zone=if(age < 14400 + r AND age > r, <<FIELD>>, null()), aRange=mvappend(aRange, zone) ]
    | where isnotnull(aRange)
    | chart count over aRange by aType
    | eval aRange = aRange+1
    | rename 0 AS A, 1 AS B
    | eval aPercentage = round((A / B) * 100)
    | table aRange, A,B, aPercentage

I have tried putting an eventstats before the chart count and using the indexes 0 to 7, but have not been able to get it to produce the result I'm looking for.
@John.Gregg , attaching an example, hopefully, that helps. The idea would be to define an application variable first, and then use that in the Node or Tier Variable definition. 
Take a look at the pseudo code in Can I save mvexpand when matching a multivalue lookup? I use regex in one of my lookups and the manipulation is crazy, so much so that I named the intermediate field crazystring to this day. (Perhaps carefully read the entire discussion.) I have practical considerations that make me want to use regex for this purpose. Think carefully about whether that is really necessary. (Basically you are using a lookup to store code. This is not really how Splunk is designed.) With the JSON functions introduced in Splunk 8.1, today this problem can be solved with more semantic expressions. But the method will be the same.
Hi @John.Gregg, I'm going to see what I can find on this topic. In the meantime, can you share the Docs link you were looking at so I can also send this feedback to their team? 
This only means that your data set is not as you described. Alternatively, there was some mistake in your search, as @ITWhisperer speculated. For example, maybe you misspelled A or B (these are not real field names, I am certain). I can run my code with this mock dataset:

    A        B          StatusCode
    Upgrade             200
             Downgrade  200
             Upgrade    200
    Retain              200
             Cancel     200
    Cancel              200
             Cancel     200
    Cancel              200
             Cancel     200
    Cancel              200
             Cancel     200
    Cancel              200
             Retain     200
    Retain              200
    Retain              200
             Retain     200
    Retain              200
    Retain              200
             Retain     200
    Retain              200
    Retain              200

If you manually count, this dataset should give your mock result, and it does. Here is a full emulation that you can run and compare with real data:

    | makeresults format=csv data="StatusCode, A, B
    200, Upgrade,
    200, , Downgrade
    200, , Upgrade
    200, Retain,
    200, , Cancel
    200,Cancel,
    200, , Cancel
    200,Cancel,
    200, , Cancel
    200,Cancel,
    200, , Cancel
    200,Cancel,
    200, , Retain
    200, Retain,
    200, Retain,
    200, , Retain
    200, Retain,
    200, Retain,
    200, , Retain
    200, Retain,
    200, Retain,
    200, New Customer,
    200, , New Customer
    200, , New Customer
    200, New Customer,
    200, , New Customer"
    ``` the above emulates index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 ```
    | eval "A OR B" = coalesce(A, B)
    | stats count by "A OR B" StatusCode

The output is exactly like your mock result:

    A OR B        StatusCode  count
    Cancel        200         8
    Downgrade     200         1
    New Customer  200         5
    Retain        200         10
    Upgrade       200         2
I'm not sure I understand the question - where is the JS coming from? Are you saying you want to create a list of dropdown choices from the result of that search? If so, simply set your input to be

    <input type="dropdown" token="your_token" searchWhenChanged="true">
      <label>Example Dropdown from search</label>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index=_internal | stats count by source</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
That mvjoin simply turns your list of regexes into (A|B|C|D|E|F|...), i.e. A OR B OR C OR D... How many regexes do you have? I suspect there is a practical limit and you've probably reached it.
I tried adding it via the GUI, but I get the error "JAVA_HOME path does not exist". I'm curious if it's a syntax issue - I'm inputting %JAVA_HOME% as the path. I also found that if I leave the field blank, Splunk auto-populates the value. I'll see if it auto-populates it with a new path at the next upgrade.
Please share the search which is giving this result.