Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
04-17-2024
11:05 AM
Hi,
I was trying the below token logic to get the results count from two different panels and find the variance between results. However, it gives error message as in snapshot.
Note: Panel A and ...
See more...
Hi,
I was trying the below token logic to get the results count from two different panels and find the variance between results. However, it gives error message as in snapshot.
Note: Panel A and Panel B i have enabled the set token ( basically tic marked "Use search results or job status as tokens")
Also, please suggest how to draw line not just horizontally but also vertically or custom?
SPL:
| makeresults
| eval variance=$A:result.count$ - $B:result.count$
| table variance
Error:
Thanks,
Selvam.
Labels
- Labels:
-
using Splunk Enterprise
Hi All, I have data like below with three fields : srcip,dstip and title . When I execute below query .........| stats count by srcip,dstip,title Result : srcip dstip title s...
See more...
Hi All, I have data like below with three fields : srcip,dstip and title . When I execute below query .........| stats count by srcip,dstip,title Result : srcip dstip title srcip1 dstip1 title srcip1 dstip2 title srcip2 dstip2 title1 srcip2 dstip3 title1 srcip1 dstip2 title2 So we required to alert separate on basis title values. For all events of one title, there should be one alert. So above example there should be trigger 3 separate alerts . Thank you ! in Advance
Labels
- Labels:
-
alert condition
04-17-2024
10:43 AM
Is there anybody who can help me here ?
04-17-2024
10:33 AM
The overall difficulty of this whole exercise will depend on your logstash configuration and the use case - if you have just one sourcetype to ingest - maybe you can do it relatively reasonably. But ...
See more...
The overall difficulty of this whole exercise will depend on your logstash configuration and the use case - if you have just one sourcetype to ingest - maybe you can do it relatively reasonably. But if you want to send multiple sourcetypes over a single connection, that can be tricky to separate on the receiving side. You could send multiple sourcetypes using multiple tokens so they are received into separate indexes/with separate sourcetypes but it's getting complicated and - as I said before - needs proper configuration on the logstash side. Anyway - it's still up to logstash to filter events before sending.
04-17-2024
09:39 AM
1 Karma
Try doubling up the $'s as single $ are for tokens in dashboards. index=hello sourcetype=welcome
| stats max(DATETIME) as LatestTime
| map search="search index=hello sourcetype=welcome DATETIME=$$La...
See more...
Try doubling up the $'s as single $ are for tokens in dashboards. index=hello sourcetype=welcome
| stats max(DATETIME) as LatestTime
| map search="search index=hello sourcetype=welcome DATETIME=$$LatestTime$$"
| stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count
04-17-2024
09:37 AM
1 Karma
Assuming you already have the fields extracted: <your index search>
| stats count by Name Version host
| eventstats count by Name Version
| eventstats max(count) as top
| where count=top
04-17-2024
09:30 AM
Hi,
if i run this query in simple search bar it works fine. However, when i create panel and add the below, i'm getting error as waiting for input.
Please could you advise?
index=hello sourcety...
See more...
Hi,
if i run this query in simple search bar it works fine. However, when i create panel and add the below, i'm getting error as waiting for input.
Please could you advise?
index=hello sourcetype=welcome
| stats max(DATETIME) as LatestTime
| map search="search index=hello sourcetype=welcome DATETIME=$LatestTime$"
| stats sum(HOUSE_TRADE_COUNT) as HOUSE_Trade_Count
Thanks,
selvam.
Labels
- Labels:
-
single value
04-17-2024
09:24 AM
Please share some anonymised representative events in raw format in a code block </>
I am searching for "Unified Payment Platform Version=" which contains the specific version of firmware from about 2000+ hosts. The line I am searching may populate multiple times depending on if th...
See more...
I am searching for "Unified Payment Platform Version=" which contains the specific version of firmware from about 2000+ hosts. The line I am searching may populate multiple times depending on if the device was rebooted. The search I need: - list all the versions, but only one count from each host - if possible, the list the hosts on the version
04-17-2024
08:54 AM
1 Karma
| eval TeamStart=mvindex(split(TeamWorkTimings,"-"),0)
| eval TeamEnd=mvindex(split(TeamWorkTimings,"-"),1)
04-17-2024
08:50 AM
You could try something like this <your index search>
| eventstats count by Version
| eventstats max(count) as top
| where count=top
04-17-2024
08:44 AM
The timechart command accepts only one field name in the by clause. Anything else will result in an error.
04-17-2024
08:40 AM
Hi All, I have an output from a lookup table in splunk where the team work timings field is coming as:: TeamWorkTimings 09:00:00-18:00:00 I want the output to be separated in two fields, like: T...
See more...
Hi All, I have an output from a lookup table in splunk where the team work timings field is coming as:: TeamWorkTimings 09:00:00-18:00:00 I want the output to be separated in two fields, like: TeamStart TeamEnd 09:00:00 18:00:00 Please help me in getting this output in splunk
Labels
- Labels:
-
fields
Hello, I've below dataset from Splunk search. Name percentage A 71% B 90% C 44% D 88% E 78% All I need to change the percentage field values color as per below rule i...
See more...
Hello, I've below dataset from Splunk search. Name percentage A 71% B 90% C 44% D 88% E 78% All I need to change the percentage field values color as per below rule in the email alert. My requirement to achieve this by updating the sendemail.py. 95+ green, 80-94 amber, <80 = red @tscroggins @ITWhisperer @yuanliu @bowesmana
04-17-2024
08:26 AM
Hi @KendallW , I reread you post and realized I didn't answer the Identity question. I do not get an error when saving the identity.
04-17-2024
07:51 AM
Try something like this | eval {Function}_TIME=_time
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME
| eval Diff=ENDED_TIME-STARTED_TIME
| fieldformat STAR...
See more...
Try something like this | eval {Function}_TIME=_time
| stats values(Date_of_reception) as Date_of_reception values(*_TIME) as *_TIME by JOBNAME
| eval Diff=ENDED_TIME-STARTED_TIME
| fieldformat STARTED_TIME=strftime(STARTED_TIME,"%H:%M:%S")
| fieldformat ENDED_TIME=strftime(ENDED_TIME,"%H:%M:%S")
| fieldformat PURGED_TIME=strftime(PURGED_TIME,"%H:%M:%S")
| fieldformat Diff=tostring(Diff,"duration")
04-17-2024
07:42 AM
Please make sure you have entered correct username and password for an admin user on the remote search peer.
04-17-2024
07:35 AM
Hi, I am getting Axios 500 errors after installing the Salesforce Streaming API add-on app on my Splunk Cloud Trial (Classic). I can't configure the Inputs or Configuration tabs at all. I have a feel...
See more...
Hi, I am getting Axios 500 errors after installing the Salesforce Streaming API add-on app on my Splunk Cloud Trial (Classic). I can't configure the Inputs or Configuration tabs at all. I have a feeling that this add-on isn't properly supported in the Trial Cloud instances. Has anyone had any luck getting this to work on Cloud Classic? Am I missing an additional configuration or app that I need to install to get this to work? Any help would be greatly appreciated. P.S.: I was able to get the Salesforce add-on to install, configure, and connect to my Sandbox just fine. It is this streaming api add-on that seems to be an issue.
Labels
- Labels:
-
configuration
-
installation
-
troubleshooting
