Hi @bigll - I would use strptime() and strftime() for any changes with Date and/or Time Format.
| makeresults
| eval myfield="2020-11-25T11:40:42.001198Z"
| eval myfieldepoch=strptime(myfield,"%Y-%m-%dT%H:%M:%S.%6NZ")
| eval UpdateDate=strftime(myfieldepoch,"%Y-%m-%d")
| eval UpdateTime=strftime(myfieldepoch,"%H:%M:%S.%1N")
| table _time myfield myfieldepoch UpdateDate UpdateTime
Thank you.
I'm using the search below and basically want a chart showing the last 12 dates going oldest to newest from left to right by date.
| inputlookup running_data.csv
| eval EP=strptime(Date, "%m/%d/%Y")
| eval Date=strftime(EP, "%m/%d/%Y")
| chart sum(sats) over team by Date useother=false limit=12
| fillnull value=0
The search was working fine up until January and the year change; now the search only shows the last date in December and is missing the newest 01/02/2024 date. If I change the limit to be large enough to include all date entries in the csv file, I discovered the below:
It's putting the 01/02/2024 date before the oldest date in the csv, instead of putting that 01/02/2024 column after the 12/18/2023 date column. So it's like it's ignoring the year and going by month chronologically. Done quite a bit of searching on this to no avail, and it seems like this should be an easy thing to do... I'm not opposed to not using "chart" if someone has a better way. Ideally the search returns the last 12 dates from oldest to newest in the columns and then the team name and sats numbers on that date in the rows. Thanks for any suggestions!
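An added search (not the poster's own) for the two problems above: chart orders its split-by columns as strings, so a %m/%d/%Y value like 01/02/2024 sorts before 12/18/2023, and limit=12 keeps the 12 highest-scoring columns rather than the 12 newest. This version renders Date as %Y-%m-%d, so string order equals date order, and selects the 12 most recent dates before charting; date_rank is an assumed working field name.

```spl
| inputlookup running_data.csv
| eval EP=strptime(Date, "%m/%d/%Y")
| eval Date=strftime(EP, "%Y-%m-%d")
| sort 0 - EP
| streamstats dc(Date) AS date_rank
| where date_rank <= 12
| chart sum(sats) OVER team BY Date limit=0 useother=false
| fillnull value=0
```

sort 0 - EP orders rows newest first and streamstats dc(Date) numbers each distinct date in that order, so the where keeps exactly the 12 latest dates; limit=0 then charts every remaining date.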
Hello @petra_bee, Hello @letsgopats39, Did this resolve your query? If yes then please mark the answer as "Accepted" for other community users. Thank you. P.S.: Karma Points are appreciated
Hi @VatsalJagani - In my data source, after making the changes below, this worked as expected. This was suggested by Camden Marchetti in the Slack Splunk Usergroup.
From:
| eval epoch=relative_time(now(),$temp$)
To:
| eval epoch=relative_time(now(),$$temp$$)
Thank you very much for your inputs on this as well as my other questions in this forum.
Removing the double quotes from around the myfield in the substr() function I think should fix it. The substr() is acting on the "myfield" as a literal string instead of a placeholder for a field value. Example:
| makeresults
| eval myfield="2020-11-25T11:40:42.001198Z"
| eval UpdateDate=substr(myfield,1,10), UpdateTime=substr(myfield,12,10)
I noticed in the upgrade scripts, you run
$SPLUNK_HOME/bin/splunk stop
$SPLUNK_HOME/bin/splunk start
What if systemd is being used? Every time I try splunk stop or start, I get this:
Shutting down. Please wait, as this may take a few minutes.
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: --whatever user--
Password:
How do I get past this to automate upgrades that use systemd?
I see that the DesktopExtension.exe is also in the message, so would something like this work?
blacklist = EventCode=4673 message="DesktopExtension.exe"
Here is an example message:
A privileged service was called.
Subject:
Service:
Server: Security
Service Name: -
Process:
Process ID: 0x2fcc
Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_26.52343.948.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe
Service Request Information:
Privileges: SeTcbPrivilege
I think you could put a change tag in the multiselect to evaluate a new token to use as a conditional filter based on the selection of the multiselect.
<input type="multiselect" token="Type" searchWhenChanged="true">
<choice value="ADZ">ADZ</choice>
...
<change>
<eval token="assetname_filter">if(match('Type', "ADZ"), "match(Assetname, \"^\\S{2}Z\")", "isnotnull(Assetname)")</eval>
</change>
...
</input>
And then in the search you are wanting to filter you can use the $assetname_filter$ token after a where command like this:
<base_search>
| where $assetname_filter$
Examples of functionality:
No ADZ selected (All assets showing)
ADZ one of the values selected in the multiselect (Only **Z* Assetname are in final output)
I have a "myfield" for the last update in format 2020-11-25T11:40:42.001198Z. I want to create two new fields UpdateDate and UpdateTime. I used "eval" + "substr":
--------
| eval UpdateDate=substr("myfield",1,10)
| eval UpdateTime=substr("myfield",12,10)
--------
But in the table UpdateDate and UpdateTime are empty, while "myfield" has a value as shown above. Any suggestions? Thank you.
Hi, I am trying to create a Splunk classic dashboard, but struggling with setting the earliest values. The goal is to run a search, and have the results pull data from 2 different index files while controlling the data pulled from the first index by a dropdown time parameter. The SPL is part of a radio button option within the dashboard and starts as such:
( (index=first_index source="first_file_location" $time_range$ latest=-1d@d() ) OR (index=second_index earliest=@d latest=now() source="second_file_location") ... rest of the SPL
The time_range token is the dropdown input with a static value set to earliest=-7d@d()
When I run the search, it is not substituting the static value into the search, and is populating it as the token name with the $ sign. Would it be possible to set the earliest value for the first index using a dropdown menu? Any assistance would be greatly appreciated. Thanks
You may need to add the correct license before you can remove the incorrect one. Failing that, there is another untested method. Go to $SPLUNK_HOME/etc/licenses/ and move the .lic files (except enttrial.lic) to another location. Restart Splunk and you should be able to add the right license.
Hi @vijreddy30 , let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the Contributors
Hello,
I created a dashboard with one column of timeStamp EndTimeUTC which stores AH_TIMESTAMP4 or EHActivityItem.EH_ENDTIME. That works.
result= 2024-01-01 10:09:28
Now the customer wants to see the time in timezone CET. I can show him the offset time with
| eval "EndTime (CET)"=strftime(strptime(EndTimeUTC,"%Y-%m-%d %T"),"%Y-%m-%d %T %z")
result: 2024-01-01 10:09:28 +0100
But how can I show the time in a calculated format?
expected result: 2024-01-01 11:09:28
Thanks!
You can use the token modifier |s to escape double quotes.
$token$
$token|s$
The values of the tokens get parsed as:
asdf="asdf"
"asdf=\"asdf\""
Unfortunately, this also adds double quotes around it, which makes this modifier useless in all my work. I would have preferred only having 1 effect per modifier that can stack with others for those that want both, but this might work for others. The modifiers for tokens inside of alert action email bodies may not be available, but it will work in dashboards.
Source: https://docs.splunk.com/Documentation/Splunk/9.1.2/Viz/tokens#Syntax_to_consume_tokens