I am measuring the lag diff=_time - event_time
Since it sounds like event_time is preferred over orig_time and it is possible for them to exist in the same event, I would suggest using a coalesce() function. The inputs in that function go from highest precedence on the leftmost side, and each entry after is the next step lower in precedence. So the first non-null field from left to right is what will be used. And finding the avg diff over time for each rule can probably be done with a simple timechart. I don't have access to ES or a notable index at the moment, so I will just use the fields described in your original question in the example.

Example:

index=notable
| eval event_time_standardized=coalesce(event_time, orig_time), diff_seconds='_time'-'event_time_standardized', diff_minutes='diff_seconds'/60
| timechart span=1h avg(diff_seconds) as avg_diff_in_seconds, avg(diff_minutes) as avg_diff_in_minutes by search_name
You can do that in 3 steps.
1) Verify the user add/update/delete/activate events are indexed in Splunk.
2) Search the appropriate index for the events.
3) When you have search results you like, select "Alert" from the Save As menu. Complete the form and select "Send email" from the Trigger Actions menu.
How to show how long the alert took to trigger from the time the event occurred. To calculate the "diff" in times, subtract either (_time - event_time) or, if event_time is null, (_time - orig_time), and then calculate the average time it took for each rule to fire, over time. I have tried to calculate the diff, but event_time and orig_time are present in the same event and some don't have them. Please help me identify the delay between the event time and the alert triggering time.

index=notable
| eval diff = _time - event_time
| convert ctime(diff), ctime(orig_time)
| table event_time orig_time _time diff search_name
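The coalesce-then-average logic from the answer above (event_time preferred, orig_time as fallback, hourly average per search_name), written out in Python as an added example rather than SPL so the precedence and the "neither timestamp present" case can be seen explicitly. This is not code from either poster or from Splunk; the notable records, rule names and timestamps are constructed sample data, and the hour buckets are computed in UTC epoch seconds like timechart span=1h would.

```python
from datetime import datetime, timezone
from statistics import mean

# Constructed sample notable records (not real Splunk data). `_time` is when the
# notable was created; `event_time` / `orig_time` is when the underlying event
# happened. Some records carry only one of the two, one carries neither.
NOTABLES = [
    {"_time": 1704196800, "event_time": 1704196500, "orig_time": 1704196400, "search_name": "Brute Force"},
    {"_time": 1704197100, "event_time": None,       "orig_time": 1704196900, "search_name": "Brute Force"},
    {"_time": 1704200700, "event_time": 1704200400, "orig_time": None,       "search_name": "Brute Force"},
    {"_time": 1704200800, "event_time": None,       "orig_time": None,       "search_name": "Brute Force"},
    {"_time": 1704197400, "event_time": 1704195600, "orig_time": None,       "search_name": "Malware Detected"},
]


def coalesce(*values):
    """First non-null argument, left to right, like SPL coalesce()."""
    for v in values:
        if v is not None:
            return v
    return None


def detection_lag_seconds(notable):
    """_time minus the first available event timestamp; None if neither exists."""
    event_ts = coalesce(notable.get("event_time"), notable.get("orig_time"))
    if event_ts is None:
        return None
    return notable["_time"] - event_ts


def hourly_average_lag(notables):
    """Per (hour bucket, rule) average lag in seconds, like
    `timechart span=1h avg(diff_seconds) by search_name`."""
    buckets = {}
    for n in notables:
        lag = detection_lag_seconds(n)
        if lag is None:
            continue  # no event timestamp at all: nothing to measure, so it is left out
        hour = (n["_time"] // 3600) * 3600
        buckets.setdefault((hour, n["search_name"]), []).append(lag)
    return {key: mean(lags) for key, lags in buckets.items()}


if __name__ == "__main__":
    for (hour, rule), avg_lag in sorted(hourly_average_lag(NOTABLES).items()):
        label = datetime.fromtimestamp(hour, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")
        print(f"{label}  {rule:<18} avg lag {avg_lag:7.1f} s ({avg_lag / 60:.1f} min)")
```

The record with neither timestamp is dropped rather than averaged as zero; in SPL the same happens implicitly because the eval yields null and avg() ignores nulls, which is worth knowing when a rule's average looks suspiciously good.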
I think doing something like this should work.

| inputlookup running_data.csv
| eval EP=strptime(Date, "%m/%d/%Y")
| chart sum(sats) as sats over EP by team
| sort 0 +EP
| eval Date=strftime(EP, "%m/%d/%Y")
| fields - EP
| transpose 25 header_field=Date
| rename column as team

This will first sort the dates while they are in epoch time, and then we convert to human-readable timestamps. Then, a transpose is used to retain the order of ascending time from left to right in the header. Screenshot of local example:
Hi, is it possible to change the date format to YYYY-MM-DD and then do something like this?

| chart sum(sats) over team by Date useother=false
| sort 13 Date

Thank you.
Hi @bigll - I would use strptime() and strftime() for any changes with Date and/or Time Format.

| makeresults
| eval myfield="2020-11-25T11:40:42.001198Z"
| eval myfieldepoch=strptime(myfield,"%Y-%m-%dT%H:%M:%S.%6NZ")
| eval UpdateDate=strftime(myfieldepoch,"%Y-%m-%d")
| eval UpdateTime=strftime(myfieldepoch,"%H:%M:%S.%1N")
| table _time myfield myfieldepoch UpdateDate UpdateTime

Thank you.
I'm using the search below and basically want a chart showing the last 12 dates going oldest to newest from left to right by date.

| inputlookup running_data.csv
| eval EP=strptime(Date, "%m/%d/%Y")
| eval Date=strftime(EP, "%m/%d/%Y")
| chart sum(sats) over team by Date useother=false limit=12
| fillnull value=0

The search was working fine up until January and the year change; now the search only shows the last date in December and is missing the newest 01/02/2024 date. If I change the limit to be large enough to include all date entries in the csv file, I discovered the below: it's putting the 01/02/2024 date before the oldest date in the csv, instead of putting that 01/02/2024 column after the 12/18/2023 date column. So it's like it's ignoring the year and going by month chronologically. I've done quite a bit of searching on this to no avail, and it seems like this should be an easy thing to do... I'm not opposed to not using "chart" if someone has a better way. Ideally the search returns the last 12 dates from oldest to newest in the columns and then the team name and number of sats on that date in the rows. Thanks for any suggestions!
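The year-change problem in the question above, and the strptime -> sort -> strftime fix from the answer above, shown side by side in Python as an added example (not the poster's code, and not SPL). The rows are constructed sample data in the shape of running_data.csv; `dates_sorted_as_strings` reproduces the failure mode (the formatted "%m/%d/%Y" strings sort by month first), and `chart_last_n_dates` builds the team-by-date table the way the accepted approach does, sorting on the parsed date and only then formatting the column headers.

```python
from datetime import datetime

# Constructed sample rows in the shape of running_data.csv (Date, team, sats).
ROWS = [
    {"Date": "12/04/2023", "team": "red",  "sats": 3},
    {"Date": "12/18/2023", "team": "red",  "sats": 5},
    {"Date": "01/02/2024", "team": "red",  "sats": 2},
    {"Date": "12/18/2023", "team": "blue", "sats": 1},
    {"Date": "01/02/2024", "team": "blue", "sats": 4},
]

DATE_FMT = "%m/%d/%Y"


def dates_sorted_as_strings(rows):
    """Lexical sort of the formatted strings: month is compared before year,
    so 01/02/2024 lands ahead of every December 2023 date."""
    return sorted({r["Date"] for r in rows})


def dates_sorted_by_epoch(rows):
    """Parse to a real timestamp, sort on that, then format back
    (the strptime -> sort -> strftime pattern)."""
    parsed = {datetime.strptime(r["Date"], DATE_FMT) for r in rows}
    return [d.strftime(DATE_FMT) for d in sorted(parsed)]


def chart_last_n_dates(rows, n):
    """team x Date table with the newest n dates as columns, oldest to newest,
    missing cells filled with 0 (like `fillnull value=0`).
    Returns (table, columns)."""
    columns = dates_sorted_by_epoch(rows)[-n:]
    teams = sorted({r["team"] for r in rows})
    totals = {}
    for r in rows:
        if r["Date"] in columns:
            key = (r["team"], r["Date"])
            totals[key] = totals.get(key, 0) + r["sats"]
    table = {team: [totals.get((team, d), 0) for d in columns] for team in teams}
    return table, columns


if __name__ == "__main__":
    print("string sort :", dates_sorted_as_strings(ROWS))
    print("epoch sort  :", dates_sorted_by_epoch(ROWS))
    table, columns = chart_last_n_dates(ROWS, 2)
    print("team", *columns)
    for team, values in table.items():
        print(team, *values)
```

Selecting the newest n dates is done on the epoch-ordered list before the headers are formatted; once the dates are strings again, any sort or limit applied to them is back to month-first ordering.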
Hello @petra_bee, Hello @letsgopats39, Did this resolve your query? If yes then please mark the answer as "Accepted" for other community users. Thank you. P.S.: Karma Points are appreciated   
I figured it out, the universal _time would be used by default when no earliest/latest parameters are specified.  
Hi @VatsalJagani - In my data source, after making the changes below, this worked as expected. This was suggested by Camden Marchetti in the Slack Splunk Usergroup.

From:
| eval epoch=relative_time(now(),$temp$)

To:
| eval epoch=relative_time(now(),$$temp$$)

Thank you very much for your inputs on this as well as my other questions in this forum.
Yes, that should work.

blacklist = EventCode=4673 message="DesktopExtension\.exe"
Removing the double quotes from around myfield in the substr() function should fix it, I think. The substr() is acting on "myfield" as a literal string instead of a placeholder for a field value. Example:

| makeresults
| eval myfield="2020-11-25T11:40:42.001198Z"
| eval UpdateDate=substr(myfield,1,10), UpdateTime=substr(myfield,12,10)

Screenshot:
I noticed in the upgrade scripts, you run

$SPLUNK_HOME/bin/splunk stop
$SPLUNK_HOME/bin/splunk start

What if systemd is being used? Every time I try splunk stop or start, I get this:

Shutting down. Please wait, as this may take a few minutes.
==== AUTHENTICATING FOR org.freedesktop.systemd1.manage-units ===
Authentication is required to manage system services or units.
Authenticating as: --whatever user--
Password:

How do I get past this to automate upgrades that use systemd?
I see that DesktopExtension.exe is also in the message, so would something like this work?

blacklist = EventCode=4673 message="DesktopExtension.exe"

Here is an example message:

A privileged service was called.
Subject:
Service:
Server: Security
Service Name: -
Process:
Process ID: 0x2fcc
Process Name: C:\Program Files\WindowsApps\AD2F1837.myHP_26.52343.948.0_x64__v10z8vjag6ke6\win32\DesktopExtension.exe
Service Request Information:
Privileges: SeTcbPrivilege
I think you could put a change tag in the multiselect to evaluate a new token to use as a conditional filter based on the selection of the multiselect.

<input type="multiselect" token="Type" searchWhenChanged="true">
  <choice value="ADZ">ADZ</choice>
  ...
  <change>
    <eval token="assetname_filter">if(match('Type', "ADZ"), "match(Assetname, \"^\\S{2}Z\")", "isnotnull(Assetname)")</eval>
  </change>
  ...
</input>

And then in the search you want to filter, you can use the $assetname_filter$ token after a where command, like this:

<base_search> | where $assetname_filter$

Examples of functionality:

No ADZ selected (All assets showing)

ADZ one of the values selected in the multiselect (Only **Z* Assetname are in final output)
I have a "myfield" for the last update in the format 2020-11-25T11:40:42.001198Z. I want to create two new fields, UpdateDate and UpdateTime. I used "eval" + "substr":

| eval UpdateDate=substr("myfield",1,10)
| eval UpdateTime=substr("myfield",12,10)

But in the table UpdateDate and UpdateTime are empty, while "myfield" has a value as shown above. Any suggestions? Thank you.
Hi, I am trying to create a Splunk classic dashboard, but I'm struggling with setting the earliest values. The goal is to run a search and have the results pull data from 2 different index files while controlling the data pulled from the first index by a dropdown time parameter. The SPL is part of a radio button option within the dashboard and starts as such:

( (index=first_index source="first_file_location" $time_range$ latest=-1d@d() ) OR (index=second_index earliest=@d latest=now() source="second_file_location") ... rest of the SPL

The time_range token is the dropdown input with a static value set to earliest=-7d@d(). When I run the search, it is not substituting the static value into the search, and is populating it as the token name with the $ sign. Would it be possible to set the earliest value for the first index using a dropdown menu? Any assistance would be greatly appreciated. Thanks
You may need to add the correct license before you can remove the incorrect one. Failing that, there is another untested method.  Go to $SPLUNK_HOME/etc/licenses/ and move the .lic files (except enttrial.lic) to another location.  Restart Splunk and you should be able to add the right license.
Hi @vijreddy30 , let us know if we can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated by all the Contributors