Good Morning Does anyone currently use Splunk or an App in Splunk to monitor folder size? We are currently been asked to set up new folders for fileshare for various teams and as our storage reso...
See more...
Good Morning Does anyone currently use Splunk or an App in Splunk to monitor folder size? We are currently been asked to set up new folders for fileshare for various teams and as our storage resource are near end we'd like to monitor each users' folder size. The ideal scenario would be that there would be a threshold in size put on each folder and when the folder is near capacity then an alert would trigger and the IT Team would take action. Kind regards, Paula
Do you mean that when you actively zoom a single panel, that same zoom should apply to the other panels. I don't believe there is any way for the dashboard to get feedback when you zoom a single map...
See more...
Do you mean that when you actively zoom a single panel, that same zoom should apply to the other panels. I don't believe there is any way for the dashboard to get feedback when you zoom a single map, so that you could set tokens that could be used by other panels.
What do you mean it's showing null values - your mvmap statement looks like it's doing what you want it to do, i.e. making sure that it only takes data with at least 1 character. Can you demonstrate...
See more...
What do you mean it's showing null values - your mvmap statement looks like it's doing what you want it to do, i.e. making sure that it only takes data with at least 1 character. Can you demonstrate the issue as the mvmap statement works, i.e. this example shows that it will remove the empty middle element | makeresults
| fields - _time
| eval ImpConReqID=mvappend("a","","b")
| eval ImpCon=mvmap(ImpConReqID,if(match(ImpConReqID,".+"),"ImpConReqID: ".ImpConReqID, null()))
| eval base_elements=mvcount(ImpConReqID)
| eval reduced_elements=mvcount(ImpCon) What is the relevance of the 2nd two lines of your example to your question?
We have the same problem here. The “Performance Monitor Users” group does not exist on a domain controller. Accordingly, the domain account for the forwarder cannot be added.
Referring to previous question (Solved: How to insert hyperlink to the values of a column ... - Splunk Community) how can I add 2 different URLs for 2 different columns in the table such that, the re...
See more...
Referring to previous question (Solved: How to insert hyperlink to the values of a column ... - Splunk Community) how can I add 2 different URLs for 2 different columns in the table such that, the respective hyperlink opens only when the value in the respective column is clicked. "eventHandlers": [ { "type": "drilldown.customUrl", "options": { "url": "$row.firstLink.value$", "newTab": true } }, { "type": "drilldown.customUrl", "options": { "url": "$row.secondLink.value$", "newTab": true } } ]
Hi @vstan , check if in all events you have the User field (fields are case sensitive!), if not add in the coalesce command all the fields containing the User values to use as correlation key. Then...
See more...
Hi @vstan , check if in all events you have the User field (fields are case sensitive!), if not add in the coalesce command all the fields containing the User values to use as correlation key. Then check the exact field name of TOTAL_ATTACHMENT_SIZE_SEGMENT and EMAIL_ADDRESS. Ciao. Giuseppe P.S.: Karma Points are appreciated
Hello @karthi2809 , I do not understand the use of mvmap command here. Generally, mvmap command is used to perform some iterative operations on the multivalue field. Your SPL currently interpretes a...
See more...
Hello @karthi2809 , I do not understand the use of mvmap command here. Generally, mvmap command is used to perform some iterative operations on the multivalue field. Your SPL currently interpretes as you're trying to map ImpConReqId field with following string: "ImpConReqId: <<value of ImpConReqId>>". And if the "if condition" fails, the value gets updated to null() and then ImpConReqId gets mapped with null() value. I would suggest you to first filter out the null values using isnull() or isnotnull() functions and then perform multi value operations. Also, if you can share the full SPL query, it would be helpful to assist you better. Thanks, Tejas.
Hi @Siddharthnegi , yes, when you save the panel (creating the dashboard), you can setup a starting zoom level and default starting cohordinates that you save with the dashboard. Ciao. Giuseppe
Hi @norbertt911, this isn't a Splunk question, but a Linux question. Anyway, we had a similar issue with rsyslog and we soved changing the default template: in rsysog, for each rule, you have dyna...
See more...
Hi @norbertt911, this isn't a Splunk question, but a Linux question. Anyway, we had a similar issue with rsyslog and we soved changing the default template: in rsysog, for each rule, you have dynafile (in which you insert the template addressing the file to write) and template (by default "rsyslog-fmt", that you use to give a format to your output). Ciao. Giuseppe
Hi @Siddharthnegi , I don't think that's possible: the zoom level in a map is predefined by you when you created the panel. You can only manually modify it, using the buttons in the map or your mou...
See more...
Hi @Siddharthnegi , I don't think that's possible: the zoom level in a map is predefined by you when you created the panel. You can only manually modify it, using the buttons in the map or your mouse. Ciao. Giuseppe
hello , I have a dashboard in which there are many panels and in each panels I am using geostats command to show the results of the search of that particular panel in world map. I want to add zoom f...
See more...
hello , I have a dashboard in which there are many panels and in each panels I am using geostats command to show the results of the search of that particular panel in world map. I want to add zoom feature in it. Let me explain So lets say I am on panel 1 and i have zoom on America to see in which area are the results showing just like this. Now what I want is that if I switch to different panel it should also be zoomed in from America. Is that possible.
Hi All,
I want to filter out null values.In my field the ImpCon having null values.Now i want to filter the values which i dont want to show in the table.I am trying below query .which is showing t...
See more...
Hi All,
I want to filter out null values.In my field the ImpCon having null values.Now i want to filter the values which i dont want to show in the table.I am trying below query .which is showing the null values.
| eval ImpCon=mvmap(ImpConReqID,if(match(ImpConReqID,".+"),"ImpConReqID: ".ImpConReqID,null()))
| eval orcaleid=mvfilter(isnotnull(oracle))
| eval OracleResponse=mvjoin(orcaleid," ")
Specifically speaking the dataSources section discussed here: https://docs.splunk.com/Documentation/Splunk/9.2.1/DashStudio/dashDef#The_dataSources_section Hypothetically, I have two tables, eac...
See more...
Specifically speaking the dataSources section discussed here: https://docs.splunk.com/Documentation/Splunk/9.2.1/DashStudio/dashDef#The_dataSources_section Hypothetically, I have two tables, each stored in individual data source stanzas: Table 1 = ds.search stanza 1 Table 2 = ds.search stanza 2 The goal is to append the tables together, and then use the "stats join" method to merge the two tables together. If possible, this merge could be done as a ds.chain type stanza with two extend options, but it does not appear to be allowed. Here's the documentation for Data source options. https://docs.splunk.com/Documentation/Splunk/9.2.1/DashStudio/dsOpt The document seems to be missing options like "extend", so I'm hoping someone knows if there's any additional options that is hidden. Now, I am trying to avoid using the [] subsearches because of 50,000 row limit, so the following append command will not be desired: <base search> | append [search ....] Anyone with mastery of JSON hacks might know if appending two data sources stanzas together be possible? Thank you.