Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
03-21-2024
10:37 PM
Hi @HarishSamudrala , in addition to the hint of @richgalloway , remember that in interesting fields you see only the fields present in at least 20% of the events, probably these fields have a minor...
See more...
Hi @HarishSamudrala , in addition to the hint of @richgalloway , remember that in interesting fields you see only the fields present in at least 20% of the events, probably these fields have a minor percentage. Instead running a search with these fields (e.g. field1=*), they are present at the 100% of the events. If you open the "All fields" panel, you can see fields present (by default) in more than 1% of the events and you can use also a filter to have all the fields without a threshold Ciao. Giuseppe
03-21-2024
10:33 PM
1 Karma
Hi @LearningGuy , As I said, using 1000 instead of 1 you have a string. I don't know why with a different number you have a different type. You eventually could to try: | makeresults
| eval num =...
See more...
Hi @LearningGuy , As I said, using 1000 instead of 1 you have a string. I don't know why with a different number you have a different type. You eventually could to try: | makeresults
| eval num = 1
| eval var_type = typeof(num)
| eval num2 = tostring(num,"commas")." "
| eval var_type2 = typeof(num2) Ciao. Giuseppe
03-21-2024
10:29 PM
1 Karma
Hi @slearntrain, you have to use stats instead table: index="xyz" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd-35tr-6s9i4ewlp6h3"
| rex field=_raw "\"APPID\"\:\s\"(?<ap...
See more...
Hi @slearntrain, you have to use stats instead table: index="xyz" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd-35tr-6s9i4ewlp6h3"
| rex field=_raw "\"APPID\"\:\s\"(?<appid>.*?)\""
| rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\""
| rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\""
| rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))"
| stats
latest(eval(if(steptype="endNBflow"))) AS endNBflow
latest(eval(if(steptype="end payload"))) AS endPayload
BY appid flowname
| eval diff=endPayload-endNBflow Ciao. Giuseppe
03-21-2024
09:06 PM
We have a use case where we need to calculate the time difference between the maximum infotime (steptype="endNBflow") and infotime where steptype is "end payload". This particular message has 16 even...
See more...
We have a use case where we need to calculate the time difference between the maximum infotime (steptype="endNBflow") and infotime where steptype is "end payload". This particular message has 16 events comprising request and response flows. Request flow ends with "end Payload" and response flow ends with steptype "end NB Flow".
I have the below query:
index="xyz" sourcetype=openshift_logs openshift_namespace="qaenv" "a9ecdae5-45t6-abcd-35tr-6s9i4ewlp6h3"
| rex field=_raw "\"APPID\"\:\s\"(?<appid>.*?)\""
| rex field=_raw "\"stepType\"\:\s\"(?<steptype>.*?)\""
| rex field=_raw "\"flowname\"\:\s\"(?<flowname>.*?)\""
| rex field=_raw "INFO ((?<infotime>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2},\d{3}))" | sort infotime
| table appid,flowname, steptype, infotime
How can I retrieve the value what I am looking for. Any guidance here would be much appreciated.
03-21-2024
05:48 PM
Thanks I tried both eval as well as fieldformat , still not getting the % appended.
03-21-2024
05:44 PM
Can this work for passing value to Splunk add on for Servicenow. Description section. Thank you
03-21-2024
04:19 PM
Since the vt4splunk app uses the VirusTotal API, it will not work off-line.
03-21-2024
04:06 PM
Make sure you're running the search in Verbose mode. In Smart mode, Splunk only extracts fields explicitly referenced in the query.
03-21-2024
04:02 PM
Thanks. I don't have a lot of experience with the JSON functions, but I think this should help. index=index1 sourcetype=sourcetype1 hostname=* software != ""
| eval software=mvexpand(json_array_to_...
See more...
Thanks. I don't have a lot of experience with the JSON functions, but I think this should help. index=index1 sourcetype=sourcetype1 hostname=* software != ""
| eval software=mvexpand(json_array_to_mv(software)
| rex field=software "cpe:\/a:(?<Vendor>[^:]+):(?<Product>[^:]+):(?<Version>.*)"
| table hostname, Vendor, Product, Version
| dedup hostname, Vendor, Product, Version The idea is to convert the software field from a JSON array into a multi-value field so it can be split into separate events using mvexpand.
03-21-2024
03:34 PM
I'm building dashboards in a Splunk app, using Splunk Enterprise 9.2.0. I want to be able to run a query on a dashboard, based on my filters, time picker, etc. (with a Submit). This, I know how to ...
See more...
I'm building dashboards in a Splunk app, using Splunk Enterprise 9.2.0. I want to be able to run a query on a dashboard, based on my filters, time picker, etc. (with a Submit). This, I know how to do. But, I need to be able to scroll down and do the exact same thing again below, so I can keep my original output up at the top. I need to know how to basically do this sort of dashboard (all in the same dashboard) Fieldset 1 <Filters, Time-picker, Submit, etc> Panels for Fieldset 1 (charts, tables, etc.) ** Run the first one, keep that output, and then run the one below, while the other results remain the same Fieldset 2 (or duplicate) <Filters, Time-picker, Submit, etc> Panels for Fieldset 2 (charts, tables, etc.) ...and if it's any different, how to keep drilling down to: Fieldset 3, Fieldset 4, and so on... Does anyone know how to do that, or is there a book/reference on that? Thanks.
03-21-2024
03:14 PM
If you want to use fieldformat, that's fine, but you still need to use the foreach command as I suggested index=MyPCF
| fields server_instance cpu_percentage
| timechart mAX(cpu_percentage) as CPU_P...
See more...
If you want to use fieldformat, that's fine, but you still need to use the foreach command as I suggested index=MyPCF
| fields server_instance cpu_percentage
| timechart mAX(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
| foreach * [| fieldformat "<<FILED>>"=round('<<FIELD>>',2)."%"] https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach
03-21-2024
02:26 PM
Update, configuration profile works, no notifications are seen from the users perspective and workstation is added into Splunk
03-21-2024
02:21 PM
I have a strange issue, when i search for specific event in Splunk and I am looking for specific fields( ex field1, field2) i can not see them in selected fields and interested fields. But, when i r...
See more...
I have a strange issue, when i search for specific event in Splunk and I am looking for specific fields( ex field1, field2) i can not see them in selected fields and interested fields. But, when i run the same query and table those fields , i can see them. index=1234 sourcetype=4567 --> can not see those fields when this search is triggered. But when i add a table command with those field names in the search i can see the fields and the values for them. index=1234 sourcetype=4567 | table field1, field2 --> this query i can see the fields. Did any one face this issue ? We are on latest Splunk version 9.0.X..
Labels
- Labels:
-
subsearch
03-21-2024
02:04 PM
You can start the REST search query with index=* and then add the subsequent commands one-by-one to see where the results get filtered out or when the errors come up
03-21-2024
02:01 PM
Hello all, I have a dashboard with a field "id" that I want to add to the end of a custom URL that I have defined in the "interactions" on click section. My Goal is to have this field data adde...
See more...
Hello all, I have a dashboard with a field "id" that I want to add to the end of a custom URL that I have defined in the "interactions" on click section. My Goal is to have this field data added to the end of my custom url and when clicked will load the exact page I need with that value at the end in the browser. This is what I have tried. I tried to add the "$click.value$" then also tried "=$click.value$" I also tried to put just "$id$" at the end. No results it just loads the URL with my addition as text (does not pull the actual value) "eventHandlers": [ { "type": "drilldown.customUrl", "options": { "url": "https://myURL.com/abcd/=$click.value$", "newTab": true
Labels
- Labels:
-
Dashboard Studio
-
drilldown
-
javascript
-
table
03-21-2024
01:56 PM
Probably the best thing for that, as bowesmana suggested, is the predict command, which would estimate what the data may look like in the future based on its behavior in the past. Unless you have d...
See more...
Probably the best thing for that, as bowesmana suggested, is the predict command, which would estimate what the data may look like in the future based on its behavior in the past. Unless you have data with timestamps in the future, you can't actually look at future data. now()+1d should be empty.
03-21-2024
01:54 PM
You could leave the index=index1 field in the inputs.conf stanza. That way all non-matching events would go to index1, and all matching events would go to index 2
03-21-2024
01:29 PM
Hi, Thanks for the reply, I am still learning splunk pardon for my ignorance. I tried as you mentioned
index=MyPCF
| fields server_instance cpu_percentage
| timechart mAX(cpu_percentage) as CPU_P...
See more...
Hi, Thanks for the reply, I am still learning splunk pardon for my ignorance. I tried as you mentioned
index=MyPCF
| fields server_instance cpu_percentage
| timechart mAX(cpu_percentage) as CPU_Percentage by server_instance usenull=true limit=0
| foreach * [| fieldformat cpu_percentage=round('cpu_percentage',2)."%"]
Still same result
Time
Server1
Server2
2024-03-21T15:00:00.000-0400
1.869638272
2.384320706
2024-03-21T15:01:00.000-0400
1.879958176
2.083629971
2024-03-21T15:02:00.000-0400
8.669585777
8.115720288
2024-03-21T15:03:00.000-0400
1.907194392
2.248362057
2024-03-21T15:04:00.000-0400
1.735136924
2.030363275
2024-03-21T15:05:00.000-0400
1.753416379
1.682836294
2024-03-21T15:06:00.000-0400
1.792363893
1.862924138
2024-03-21T15:07:00.000-0400
5.003060737
2.801886629
03-21-2024
01:14 PM
No. Firstly, using foreach with staticaly named fields makes no sense. Secondly, you should modify your results _after_ the timechart. Thirdly, I prefer using fieldformat in such case, not eval - ...
See more...
No. Firstly, using foreach with staticaly named fields makes no sense. Secondly, you should modify your results _after_ the timechart. Thirdly, I prefer using fieldformat in such case, not eval - this way you can display values with the format you want but not lose the original values. So use the solution @ITWhisperer showed but afhter your timechart command (and you can replace the eval command with fieldformat as I wrote).
03-21-2024
01:06 PM
I tried this but getting the same result, % not getting uppended to cpu_percent value
index=MyPCF
| fields server_instance cpu_percentage
| foreach * [| eval cpu_percent=round('cpu_percentage',2)."...
See more...
I tried this but getting the same result, % not getting uppended to cpu_percent value
index=MyPCF
| fields server_instance cpu_percentage
| foreach * [| eval cpu_percent=round('cpu_percentage',2)."%"]
| timechart mAX(cpu_percent) as CPU_Percentage by server_instance usenull=true limit=0
