Try doubling up the $'s, as single $'s are for tokens in dashboards.

index=hello sourcetype=welcome
| stats max(DATETIME) as LatestTime
| map search="search index=hello sourcetype=welcome DATETIME=$$LatestTime$$"
| stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count
Assuming you already have the fields extracted:

<your index search>
| stats count by Name Version host
| eventstats count by Name Version
| eventstats max(count) as top
| where count=top
Hi,
If I run this query in the simple search bar it works fine. However, when I create a panel and add the below, I'm getting the error "waiting for input".
Please could you advise?

index=hello sourcetype=welcome
| stats max(DATETIME) as LatestTime
| map search="search index=hello sourcetype=welcome DATETIME=$LatestTime$"
| stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count

Thanks,
selvam.
I am searching for "Unified Payment Platform Version=", which contains the specific version of firmware from about 2000+ hosts. The line I am searching may populate multiple times depending on whether the device was rebooted. The search I need:
- list all the versions, but only one count from each host
- if possible, list the hosts on the version
Hi All, I have an output from a lookup table in Splunk where the team work timings field is coming as:

TeamWorkTimings
09:00:00-18:00:00

I want the output to be separated into two fields, like:

TeamStart  TeamEnd
09:00:00   18:00:00

Please help me in getting this output in Splunk.
Hello, I've the below dataset from a Splunk search.

Name  percentage
A     71%
B     90%
C     44%
D     88%
E     78%

All I need is to change the color of the percentage field values as per the below rule in the email alert. My requirement is to achieve this by updating sendemail.py.

95+ green, 80-94 amber, <80 = red

@tscroggins @ITWhisperer @yuanliu @bowesmana
Try something like this

| eval {Function}_TIME=_time
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME
| eval Diff=ENDED_TIME-STARTED_TIME
| fieldformat STARTED_TIME=strftime(STARTED_TIME,"%H:%M:%S")
| fieldformat ENDED_TIME=strftime(ENDED_TIME,"%H:%M:%S")
| fieldformat PURGED_TIME=strftime(PURGED_TIME,"%H:%M:%S")
| fieldformat Diff=tostring(Diff,"duration")
Hi, I am getting Axios 500 errors after installing the Salesforce Streaming API add-on app on my Splunk Cloud Trial (Classic). I can't configure the Inputs or Configuration tabs at all. I have a feeling that this add-on isn't properly supported in the Trial Cloud instances. Has anyone had any luck getting this to work on Cloud Classic? Am I missing an additional configuration or app that I need to install to get this to work? Any help would be greatly appreciated.

P.S.: I was able to get the Salesforce add-on to install, configure, and connect to my Sandbox just fine. It is this Streaming API add-on that seems to be the issue.
This gives me the result in the below format. Is it possible to have one more field in the table and sort the columns in the below order?

| JOBNAME  | Date_of_reception | STARTED_TIME | ENDED_TIME | PURGED_TIME | Diff Between STARTED_TIME and ENDED_TIME |
| $VVF119P | 2024/04/17        | 02:12:37     | 02:12:46   | 02:12:50    | 00:00:09                                 |
Take a look at this solution: https://community.splunk.com/t5/Splunk-Search/Convert-Hexadecimal-IP-v4-addresses-to-decimal/td-p/40938

You could use:

(?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3})

for your particular example as the rex conversion.

| makeresults count=1
| eval src_ip = "192.168.1.1"
| streamstats values(src_ip) as src_ip by _time
| rex field=src_ip "(?<d1>\d{1,3})\.(?<d2>\d{1,3})\.(?<d3>\d{1,3})\.(?<d4>\d{1,3})"
| eval dec_src_ip = 'd1'*16777216+'d2'*65536+'d3'*256+'d4'+0

There is also an app that provides you a command to do the conversion: https://splunkbase.splunk.com/app/512
Try something like this

index=events_prod_cdp_penalty_esa source="SYSLOG" sourcetype=zOS-SYSLOG-Console (TERM(VVF119P)) ("- ENDED" OR "- STARTED" OR "PURGED --")
| rex field=TEXT "(VVF119P -)(?<Function>[^\-]+)"
| fillnull Function value=" PURGED"
| eval DAT = strftime(relative_time(_time, "+0h"), "%Y/%m/%d")
| rename DAT as Date_of_reception
| table JOBNAME,Date_of_reception ,Function , _time
| sort _time
| eval {Function}_TIME=strftime(_time,"%H:%M:%S")
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME