1. Your problem is not clearly specified. You might want to find out how many users are logged in at some given point in time or which ones are logged in (also possibly counting or not duplicate logi...
See more...
1. Your problem is not clearly specified. You might want to find out how many users are logged in at some given point in time or which ones are logged in (also possibly counting or not duplicate logins). 2. Do you have a separate login and logout events? 3. Remember that as you're logging only login and logout events you won't find sessions which "overlap" your search time range. For example - if your user logged in at 9am and logged out at 12pm you won't find this session if you only search through 10am-11am because you have no events regarding this session during that time range. (this problem can be alleviated for specific use cases by using summary indexing).
The below 2 commands are not working | `histogram("event.Properties.duration", 31)` bin "$var$" bins=$bins$ | stats count by "$var$" | makecontinuous "$var$" | fillnull count What type of grap...
See more...
The below 2 commands are not working | `histogram("event.Properties.duration", 31)` bin "$var$" bins=$bins$ | stats count by "$var$" | makecontinuous "$var$" | fillnull count What type of graph or visualization would you like to create? Just want to create a dashboard tile to show the metric
Hello I've sample data with exactly 10 characters with the combination of alphabet (2-4 characters) followed by spaces (2-4 characters) and number (2-4 characters). Refer table for sample field valu...
See more...
Hello I've sample data with exactly 10 characters with the combination of alphabet (2-4 characters) followed by spaces (2-4 characters) and number (2-4 characters). Refer table for sample field values. underscore represents a space. SI.No ID 1 ABCD__1234 2 AB____1234 3 ABCD___123 4 ABCDE__123 In dashboard, I've got filter for ID. The requirement is user can enter single or two spaces between the ABCD and 1234 in the filter box. By passing this token value with irrespective space values we need to fetch the results. Thank you.
Remember that after each step in your processing pipeline you get only those restults from the immediately preceeding command. So if you do all those | where commands in a row, first one will filter ...
See more...
Remember that after each step in your processing pipeline you get only those restults from the immediately preceeding command. So if you do all those | where commands in a row, first one will filter out all those results for which the getperct wasnt more than 50, the second one will filter out (of those remaining after first where) those that do not fit the next condition and so on. So your three wheres in a row are equivalent to | where getperct>50 AND putperct>10 AND deleteperct>80 but you want at least one of those condiitons fulfilled so you want | where (getperct>50) OR (putperct>10> OR (deleteperct>80)
Hello, Thank you for your answer! I made sure that all the points you mentioned are correctly implemented and also checked the documentation you sent. I fixed the problem by enabling the indexing o...
See more...
Hello, Thank you for your answer! I made sure that all the points you mentioned are correctly implemented and also checked the documentation you sent. I fixed the problem by enabling the indexing on the Heavy Forwarder and now the client is appearing in it's fowarder management UI aswell. However, it's still showing in the other instances (Manager Server, Indexers etc.) aswell. Also, I don't want to turn on Indexing on the Heavy Forwarder, to not index data, is there a way to avoid enabling it and still get the client showing on the UI? It's a real pain bug i hope they fix it
Hi @anandhalagaras1, regex substitution is correct. Are you sure about the sourcetype? is there any sourcetype replacement in your data? are there some other Heavy Forwarders before the one you ...
See more...
Hi @anandhalagaras1, regex substitution is correct. Are you sure about the sourcetype? is there any sourcetype replacement in your data? are there some other Heavy Forwarders before the one you used for the masking? Ciao. Giuseppe
Hi All, I have a dashboard built using dashboard studio. I want to pass multiple tokens to another dashboard on click of value in one of the panels. I am using interactions --> Link to dashboar...
See more...
Hi All, I have a dashboard built using dashboard studio. I want to pass multiple tokens to another dashboard on click of value in one of the panels. I am using interactions --> Link to dashboard. Adding tokens here. But not getting how to pass multiple tokens so it reflects in another dashboard. Please can anyone suggest me on this. Regards, pnv
Hi @sle, good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points ar...
See more...
Hi @sle, good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
https://www.nike.com/in/t/air-max-90-lv8-shoes-5KhTdP/FD4328-102 https://www.nike.com/in/t/air-max-dn-shoes-FtLNfm/DV3337-006 i need to extract value 5KhTdP, FtLNfm
I have replicated the issue and here's what I have found Only the top four values will be shown on the pie chart no matter how many fields are present in the table and no matter what value is used...
See more...
I have replicated the issue and here's what I have found Only the top four values will be shown on the pie chart no matter how many fields are present in the table and no matter what value is used in Minimum Size / sliceCollapsingThreshold if there are: six or more fields at least one of them is significantly smaller than the largest number the sum of all values is greater than 64,250 Test it yourself: Run this search and look what happens when you change the value of 'f' from 53138 to 53139 | makeresults
| eval a=1
| eval b=10
| eval c=100
| eval d=1000
| eval e=10000
| eval f=53138
| fields - _time
| transpose
| rename column as Status, "row 1" as count Could someone from Splunk please explain what is going on here, or add this to the known issues?
Hi @alvesri It sounds like the token from the date picker is not plugged in to any searches on the dashboard. The searches should look something like this: <search>
<query>index=someindex sourc...
See more...
Hi @alvesri It sounds like the token from the date picker is not plugged in to any searches on the dashboard. The searches should look something like this: <search>
<query>index=someindex sourcetype=somesourcetype</query>
<earliest>$time_tok$</earliest>
<latest>now</latest>
</search> Could you share the dashboard's XML?
I am encountering exactly the same issue - only 6 fields but one of them is collapsed. Also tried charting.chart.sliceCollapsingThreshold = 0 - no luck
Add a space between the two timechart functions. E.g. | timechart avg(event.Properties.duration) stdev(event.Properties.duration) Also, you can remove the | iplocation as we aren't using any ...
See more...
Add a space between the two timechart functions. E.g. | timechart avg(event.Properties.duration) stdev(event.Properties.duration) Also, you can remove the | iplocation as we aren't using any of the fields that command adds for this visualization, so it will only slow down the search.
Hi @Dean.Marchetti
If your question is about dynamically starting appd, the closest match will be:
https://docs.appdynamics.com/appd/24.x/latest/en/application-monitoring/install-app-server-agen...
See more...
Hi @Dean.Marchetti
If your question is about dynamically starting appd, the closest match will be:
https://docs.appdynamics.com/appd/24.x/latest/en/application-monitoring/install-app-server-agents/java-agent/install-the-java-agent#id-.InstalltheJavaAgentv24.3-AttachtheJavaAgenttoaRunningJVMProcess
Not sure if this is what you looking for?
regards,
Terence