All Posts

Hi experts, I am in an early experiment journey with Splunk App for DSDL (aka DLTK) to pull some events into a Jupyter notebook by way of Option 2, i.e.:

    <SPL search> | fit MLTKContainer mode=stage algo=my_test * into app:my_test_data

where my_test is just cloned from barebone_template, and I want the input data file to be created with the name "my_test_data". I ran into the following error since the SPL returns 500+ events:

    Input event count exceeds max_inputs for MLTKContainer (100000), model will be fit on a sample of events. To configure limits, use mlspl.conf or the "Settings" tab in the app navigation bar.

Upon checking mlspl.conf, fair enough, max_inputs is set to the default of 100,000. However, the resulting my_test_data.csv only contains 1153 lines, and excluding the header row only 1152 events of interest. Why don't I get 100,000 events into the CSV file? It is not a disk space issue either, having verified it. More importantly, how can I get the full 100,000 events into my CSV file? Any advice is greatly appreciated. Thanks, MCW
I have a follow-up question. What I am trying to figure out is how to introduce 'time' into the results so that I can create a graph showing each range's calculated percentage and the relative time for that range. If each range has a min and max time, how would I go about showing the results as:

    aRange(1), MaxTime(1), aPercentage(1)
    aRange(2), MaxTime(2), aPercentage(2)
    aRange(...), MaxTime(...), aPercentage(...)
    aRange(8), MaxTime(8), aPercentage(8)

Here is the query I'm working with:

    index=anIndex sourcetype=aSourcetype aString1 OR aString2 earliest=-481m@m latest=-1m@m
    | addinfo
    | eval age=info_max_time - _time
    | eval age_ranges=split("1,6,11,31,61,91,121,241",",")
    | eval aRange=null()
    | eval aType = case(match(_raw,"aString1"), 0, match(_raw,"aString2"), 1, true(),9)
    | foreach 0 1 2 3 4 5 6 7
        [ eval r=tonumber(mvindex(age_ranges, <<FIELD>>))*60,
               zone=if(age < 14400 + r AND age > r, <<FIELD>>, null()),
               aRange=mvappend(aRange, zone) ]
    | where isnotnull(aRange)
    | chart count over aRange by aType
    | eval aRange = aRange+1
    | rename 0 AS A, 1 AS B
    | eval aPercentage = round((A / B) * 100)
    | table aRange, A, B, aPercentage

I have tried putting an eventstats before the chart count and using the indexes 0 to 7 but have not been able to get it to produce the result I'm looking for.
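As an added example that is not part of the thread (the poster's own SPL is above), the following Python re-implements the same age-range bucketing and carries a MaxTime column through alongside the A/B percentage, which is the piece the follow-up question asks for. It assumes that aString1 and aString2 are literal marker strings, that info_max_time is the search's latest time as addinfo provides it, and the event timestamps and raw strings are constructed for illustration.

```python
import re

# Added example, not from the thread: re-implements the age-range bucketing of the SPL above
# in Python so the per-range max time can be carried alongside the A/B percentage.
AGE_RANGES_MIN = [1, 6, 11, 31, 61, 91, 121, 241]  # the split("1,6,11,...") boundaries, in minutes
WINDOW_SEC = 14400                                  # the "age < 14400 + r" window (4 h)


def classify(raw):
    """Same as the SPL case(): 0 for aString1, 1 for aString2, 9 otherwise (assumed marker strings)."""
    if re.search(r"aString1", raw):
        return 0
    if re.search(r"aString2", raw):
        return 1
    return 9


def zones_for(age_sec):
    """Indexes of every range whose window (r, r + 14400) contains the age.

    Mirrors the foreach/mvappend: the windows overlap, so one event can land in several ranges."""
    return [i for i, mins in enumerate(AGE_RANGES_MIN)
            if mins * 60 < age_sec < WINDOW_SEC + mins * 60]


def summarize(events, info_max_time):
    """events: iterable of (epoch_seconds, raw_text). info_max_time plays the role of addinfo's
    info_max_time. Returns one row per 1-based aRange with A, B, aPercentage and MaxTime
    (the latest _time of any event that fell into that range)."""
    acc = {}
    for t, raw in events:
        atype = classify(raw)
        for z in zones_for(info_max_time - t):
            row = acc.setdefault(z + 1, {"A": 0, "B": 0, "MaxTime": t})
            if atype == 0:
                row["A"] += 1
            elif atype == 1:
                row["B"] += 1
            row["MaxTime"] = max(row["MaxTime"], t)
    rows = []
    for r in sorted(acc):
        a, b = acc[r]["A"], acc[r]["B"]
        rows.append({"aRange": r, "MaxTime": acc[r]["MaxTime"], "A": a, "B": b,
                     "aPercentage": round(a / b * 100) if b else None})
    return rows


# Constructed sample: INFO_MAX_TIME is an arbitrary epoch; the raw strings carry the marker words.
INFO_MAX_TIME = 100000
SAMPLE_EVENTS = [
    (INFO_MAX_TIME - 120, "aString1 fast path"),     # 2 min old: range 1 only
    (INFO_MAX_TIME - 1000, "aString2 reply"),        # ~17 min old: ranges 1-3
    (INFO_MAX_TIME - 1000, "aString1 request"),
    (INFO_MAX_TIME - 20000, "aString2 old reply"),   # ~5.5 h old: ranges 7-8
    (INFO_MAX_TIME - 20000, "aString1 old request"),
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS, INFO_MAX_TIME):
        print(row)
```

The design point is that the max time has to be captured at the same stage as the count, per (range, type) pair, before the rows are collapsed into a chart; once the chart has folded the events into A and B columns, the timestamps are gone. Note also that the windows overlap, so an event 17 minutes old lands in ranges 1, 2 and 3 and contributes to the MaxTime of all three.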
@John.Gregg , attaching an example, hopefully, that helps. The idea would be to define an application variable first, and then use that in the Node or Tier Variable definition. 
Take a look at the pseudo code in Can I save mvexpand when matching a multivalue lookup? I use regex in one of my lookups and the manipulation is crazy, so much so that I named the intermediate field crazystring to this day. (Perhaps carefully read the entire discussion.) I have practical considerations to want to use regex for this purpose. Think carefully if that is really necessary. (Basically you are using a lookup to store code. This is not really how Splunk is designed.) With JSON functions introduced in Splunk 8.1, today this problem can be solved with more semantic expressions. But the method will be the same.
Hi @John.Gregg, I'm going to see what I can find on this topic. In the meantime, can you share the Docs link you were looking at so I can also send this feedback to their team? 
This only means that your data set is not as you described. Alternatively, there was some mistake in your search as @ITWhisperer speculated. For example, maybe you misspelled A or B (these are not real field names, I am certain). I can run my code with this mock dataset:

    A             B             StatusCode
    Upgrade                     200
                  Downgrade     200
                  Upgrade       200
    Retain                      200
                  Cancel        200
    Cancel                      200
                  Cancel        200
    Cancel                      200
                  Cancel        200
    Cancel                      200
                  Cancel        200
    Cancel                      200
                  Retain        200
    Retain                      200
    Retain                      200
                  Retain        200
    Retain                      200
    Retain                      200
                  Retain        200
    Retain                      200
    Retain                      200
    New Customer                200
                  New Customer  200
                  New Customer  200
    New Customer                200
                  New Customer  200

If you manually count, this dataset should give your mock result, and it does. Here is a full emulation that you can run and compare with real data:

    | makeresults format=csv data="StatusCode, A, B
    200, Upgrade,
    200, , Downgrade
    200, , Upgrade
    200, Retain,
    200, , Cancel
    200, Cancel,
    200, , Cancel
    200, Cancel,
    200, , Cancel
    200, Cancel,
    200, , Cancel
    200, Cancel,
    200, , Retain
    200, Retain,
    200, Retain,
    200, , Retain
    200, Retain,
    200, Retain,
    200, , Retain
    200, Retain,
    200, Retain,
    200, New Customer,
    200, , New Customer
    200, , New Customer
    200, New Customer,
    200, , New Customer"
    ``` the above emulates index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 ```
    | eval "A OR B" = coalesce(A, B)
    | stats count by "A OR B" StatusCode

The output is exactly like your mock result:

    A OR B        StatusCode  count
    Cancel        200         8
    Downgrade     200         1
    New Customer  200         5
    Retain        200         10
    Upgrade       200         2
I'm not sure I understand the question - where is the JS coming from? Are you saying you want to create a list of dropdown choices from the result of that search? If so, simply set your input to be

    <input type="dropdown" token="your_token" searchWhenChanged="true">
      <label>Example Dropdown from search</label>
      <fieldForLabel>source</fieldForLabel>
      <fieldForValue>source</fieldForValue>
      <search>
        <query>index=_internal | stats count by source</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
That mvjoin simply turns your list of regexes into  (A|B|C|D|E|F|...) i.e. A OR B OR C OR D... How many regexes do you have - I suspect there is a practical limit and you've probably reached it.  
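The two replies above (storing regexes in a lookup, and mvjoin-ing them into one alternation) describe the same mechanics. As an added example that is not part of the thread or of Splunk itself, the Python below shows both ways of applying a list of patterns held in a CSV: one combined alternation for a yes/no check, and per-pattern evaluation when you need to know which row matched. The lookup contents, column names and log lines are constructed for illustration; nothing here says what Splunk's own limit on alternation size is.

```python
import csv
import io
import re

# Added example, not from the thread. LOOKUP_CSV stands in for a Splunk lookup that stores one
# regex per row; the column names and patterns are constructed for illustration.
# Note the quoting on the second row: \d{4,} contains a comma, so the pattern must be quoted
# or the CSV reader splits it into a broken regex.
LOOKUP_CSV = r"""pattern,label
^ERROR\s+db,database_error
"timeout=\d{4,}",long_timeout
user=(admin|root),privileged_user
"""


def load_patterns(csv_text):
    """Read the lookup rows and compile each regex once, so a broken pattern fails here,
    not silently inside a combined alternation."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        re.compile(row["pattern"])
    return rows


def build_alternation(rows):
    """The mvjoin(patterns, "|") idea: one combined regex. Each branch is wrapped in its own
    non-capturing group, otherwise a branch that contains '|' or anchors would merge with
    its neighbours and change the meaning of the whole expression."""
    return re.compile("|".join("(?:%s)" % row["pattern"] for row in rows))


def matches_any(combined, text):
    """Yes/no answer, which is all the combined alternation can give you."""
    return combined.search(text) is not None


def matching_labels(rows, text):
    """Per-pattern evaluation (the row-by-row lookup equivalent): tells you WHICH rules hit.
    Cost grows with the number of patterns, which is the practical limit the reply hints at."""
    return [row["label"] for row in rows if re.search(row["pattern"], text)]


SAMPLE_LINES = [  # constructed log lines
    "ERROR   db connection lost",
    "INFO user=admin login ok",
    "INFO all good timeout=300",
    "ERROR db timeout=12000 user=root",
]

if __name__ == "__main__":
    rules = load_patterns(LOOKUP_CSV)
    combined = build_alternation(rules)
    for line in SAMPLE_LINES:
        print(matches_any(combined, line), matching_labels(rules, line), line)
```

The per-branch `(?:...)` wrapping is the detail that a plain mvjoin omits: a stored pattern such as `user=(admin|root)` is harmless, but a row like `a|b` joined bare into `(x|a|b|y)` silently changes what its neighbours mean, and an anchor in one row applies only to that row once it is grouped.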
I tried adding it via the GUI, but I get the error "JAVA_HOME path does not exist". I'm curious if it's a syntax issue - I'm inputting %JAVA_HOME% as the path. I also found that if I leave the field blank, Splunk auto-populates the value. I'll see if it auto-populates it with a new path at the next upgrade.
Please share the search which is giving this result.
When I am trying your query, it is showing that number of events on the top, but not displaying the results in the statistics. Like below
    A & B columns should come together as one and based on their values it should add to the count.

This is clearer than the original description. If A and B should come together, they have to be combined before groupby, and used as a single groupby. The reason why your first attempt did produce results is because as two separate groupby terms, both must exist in the same events. The solution will depend on whether A and B are mutually exclusive. From your original result, it seems that they are exclusive. So,

    index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200
    | eval "A OR B" = coalesce(A, B)
    | stats count by "A OR B" StatusCode
    example : when we have 2 or more column names with longer text and want to get expand field values for the one column name which we have selected(specific) but not to expand all the columns where this drilldown is used.

My demo dashboard only acts on one column named "fieldname". That is exactly what you describe here. Can you explain why this does not meet the requirement? Let's say you have "fieldname" and "fieldname2", both of which can get very long. You set the token on "fieldname" only. For fieldname2, if you want to make it short, simply do

    | eval fieldname2 = substr(fieldname2, 0, 47) . " ..."

(47 so there is room for the ellipsis.) Here is a full demo:

    <dashboard version="1.1" theme="light">
      <label>Very long text</label>
      <description>https://community.splunk.com/t5/Dashboards-Visualizations/Splunk-dashboards/m-p/692394#M56730</description>
      <init>
        <set token="reveal_tok">init</set>
      </init>
      <search>
        <query> | makeresults format=csv data="reveal short" </query>
      </search>
      <row>
        <panel>
          <title>reveal = $reveal_tok$</title>
          <table>
            <search>
              <query>| makeresults format=csv data="fieldname, fieldname2
    not as long, 2nd field
    really really really really really loooooooooooooooooong very very very very very very very very very very loooooooooooooooooooooog, shorter second field"
    | rename fieldname as _fieldname
    | eval fieldname = if(len(_fieldname) &gt; 50 AND len("$reveal_tok$") &lt; 51, substr(_fieldname, 0, 46) . " ... " , _fieldname)
    | eval fieldname2 = if(len(fieldname2) &gt; 50, substr(fieldname2, 0, 46) . " ...", fieldname2)</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">cell</option>
            <option name="refresh.display">progressbar</option>
            <drilldown>
              <set token="reveal_tok">$row._fieldname$</set>
            </drilldown>
          </table>
        </panel>
      </row>
    </dashboard>
Thanks for the swift reply @yuanliu. Here is the sample table I am looking for:

    StatusCode  A or B          Count
    200         some A/B value  2
    200         some A/B value  1
    200         some A/B value  10
    200         some A/B value  8
    200         some A/B value  5

A & B columns should come together as one and based on their values it should add to the count. In a more detailed way:

    StatusCode  A or B        Count
    200         Upgrade       2
    200         Downgrade     1
    200         Retain        10
    200         Cancel        8
    200         New Customer  5
I am using SaaS 23.11.7-1552 How can I create a dash studio time series for all nodes in a particular tier?  Currently I've defined an app variable.  When a user views the dashboard, he selects the appropriate app.  However I can't figure out how to create or use another variable where the user selects the tier within the app.  When defining a tier variable, I am not allowed to enter $AppName for the app name. I see the docs talk about nested variables but do not say how to create them, nor can I find any examples. thanks
Hi @Rajesh.Ganapavarapu , I tried the command that you just gave me with my access_key, but I think curl is not installed in the operator pod, and also don't have the permission to install it, it just replies me: /bin/sh: curl: not found Regards Gustavo Marconi
You need to first think through what problem you are trying to solve by using sample data. Let's say the search

    index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200

returns the following results.

    StatusCode  A                   B
    200         some A value
    200         some other A value
    200                             Some B value
    200                             Some other B value
    200         Even more A value

Can you show the result table that you are looking for?

    How to display both A and B columns combined and have the status code as well in the table?

If A and B do not exist in the same event, I see no meaningful way to display both of them.
the format of the query is the problem. A simple way to populate the query is to reference a table from the Resource Graph table here... https://learn.microsoft.com/en-us/azure/governance/resource-graph/concepts/query-language#resource-graph-tables For example, "ServiceHealthResources" works, as does "SecurityResources".
Hi Team, I have two different fields (e.g. A and B). Value A will come for some results and B will come for some. While I am using the below queries, it is only pulling A or B.

    index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | stats count by A StatusCode

- only A events are getting displayed

    index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | stats count by B StatusCode

- only B events are getting displayed

    index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200 | stats count by A B StatusCode

- it is not displaying any table

How to display both A and B columns combined and have the status code as well in the table?
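The behaviour the question reports, and the coalesce fix the replies give, come down to how a group-by treats events that lack one of the grouping fields. As an added example that is not part of the thread and not Splunk code, the Python below reproduces both on a constructed event set: grouping by A and B together yields nothing because no event has both, while folding them into one field first gives the combined counts. The events, field names and values are constructed; the only assumption is the one the question states, that each event carries A or B but not both.

```python
from collections import Counter

# Added example, not from the thread. EVENTS is a constructed stand-in for the results of
# index="XYZ" (ProxyPath="/xyz" OR ProxyPath="/abc") AND StatusCode=200: each event carries
# StatusCode and either A or B, never both, which is what the question describes.
EVENTS = [
    {"StatusCode": 200, "A": "Upgrade"},
    {"StatusCode": 200, "B": "Downgrade"},
    {"StatusCode": 200, "A": "Retain"},
    {"StatusCode": 200, "B": "Cancel"},
    {"StatusCode": 200, "A": "Cancel"},
    {"StatusCode": 200, "B": "New Customer"},
    {"StatusCode": 200, "B": "Retain"},
    {"StatusCode": 200},  # neither field: contributes to nothing below
]


def count_by(events, *fields):
    """Mimics `stats count by f1 f2 ...`: an event is counted only when EVERY group-by field
    is present, which is why grouping by A and B together yields an empty table."""
    counts = Counter()
    for event in events:
        if all(field in event for field in fields):
            counts[tuple(event[field] for field in fields)] += 1
    return counts


def coalesce(event, *fields):
    """First non-null value among the fields, in order, like SPL coalesce(A, B)."""
    for field in fields:
        if event.get(field) is not None:
            return event[field]
    return None


def count_by_a_or_b(events):
    """The replies' fix: fold A and B into one field first, then group by it and StatusCode."""
    folded = []
    for event in events:
        value = coalesce(event, "A", "B")
        if value is not None:
            folded.append({**event, "A OR B": value})
    return count_by(folded, "A OR B", "StatusCode")


if __name__ == "__main__":
    print("by A B StatusCode    :", dict(count_by(EVENTS, "A", "B", "StatusCode")))
    print("by A OR B, StatusCode:", dict(count_by_a_or_b(EVENTS)))
```

The caveat one reply raises is visible in `coalesce`: if an event ever carried both A and B, the A value would win and the B value would be silently dropped from the counts, so the fix is only exact when the two fields are mutually exclusive.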
Hi @JF.Lu, Thanks for asking your question on the Community. It looks like the community did not chime in, did you happen to find a solution or anything new you can share?