Yeah, sorry. I'm not accusing you of anything. It's just that the problem is showing itself in a much more rigid way. index=dct_foglight_shr "host.domain"=prd is not working, and "host.domain"=prd was added completely with mouse clicks, so there is no possibility at all of whitespace being added, as Splunk itself is adding it in response to mouse clicks. So once I have fixed the issue with the field in general, if case is still acting wonky I will attempt your fix advice.
I think you may be missing the significance of it. You see, it's not responding to the field at all for searching, even when filtering for it using mouse clicks, so there is no possibility of errant spaces at that point, since Splunk itself puts the text in based on mouse selection. There is something very strange going on. I have done filtering on other fields with mouse clicks just in case and they react fine. Not sure what the issue is with this specific field, but it's enough of an issue with Splunk directly that I just put in a ticket about it.
My last response still holds: test whether it is in fact whitespace in the string. As you can see by this screenshot, I was able to replicate your issue with trailing whitespace. But when updating the eval, it fixes the output to the intended behavior. At the very least this would rule out whether whitespace in the string is the issue. You could also try this on the search bar and see what returns:

index=dct_foglight_shr "host.domain"="*prd*"
| stats count by "host.domain"
| eval
dct_domain=case(match('host.domain', "prd"), "Production", match('host.domain', "uat"), "Pre-Production", match('host.domain', "dev"), "Development", true(), "test" )
I updated the question, maybe just as you were answering. I found the field was not showing results even when I did a simple search and, through the GUI, chose the value for host.domain. Something fishy is going on.
Maybe there is a space on the edges of the string? What do you get when you do this in your eval instead?

| eval
dct_domain=case(match('host.domain', "prd"), "Production", match('host.domain', "uat"), "Pre-Production", match('host.domain', "dev"), "Development", true(), "test" )
If I recall right, there is no need to do anything special; just follow the instructions. Another option is to use this: https://bots.splunk.com/login?redirect=/
Thanks for the reply. I tried the above but it's still showing 0 events. I searched "index=botsv1 earliest=1" and also only index="botsv1", but no events. I am all stuck. Thanks again.
Unfortunately there is no function to do this kind of action. Basically you could write your own command to do it, but probably the easier way is to use e.g. a lookup which contains offsets and then a macro which returns that value based on a UTC time + offset calculation.
I have the following time:

EPOCH       HUMAN READABLE
1703630919  12/26/2023 19:48:39

I would like to convert the EPOCH to CST time. Currently I am testing the following, but I am curious to know if there is an easier way.

| makeresults
| eval _time = 1703630919
| eval cst_offset = "06:00"
| convert ctime(_time) as utc_time timeformat="%H:%M"
| eval utc_time = strptime(utc_time,"%H:%M")
| eval cst_offset = strptime(cst_offset,"%H:%M")
| eval cst_time = (utc_time - cst_offset)
| convert ctime(cst_time) as cst_time timeformat="%H:%M"."CST"
| convert ctime(utc_time) as utc_time timeformat="%H:%M"."UTC"

Results in:

_time                cst_offset         cst_time   utc_time
2023-12-26 19:48:39  1703667600.000000  16:48.CST  22:48.UTC
Try single quotes around the field name in the case statement. Splunk can be finicky about field names with certain characters such as "." and "{}". Example:

| eval dct_domain=case('host.domain'=="prd", "Production", 'host.domain'=="uat", "Pre-Production", 'host.domain'=="dev", "Development", true(), "test" )
Hi @gcusello, yes, the Hostname field already exists in the event. Thank you for the quick response! The mentioned query is a perfect solution for this issue. Regards, Nagalakshmi A
Hello, I'm currently working on a dashboard. I want to move the menus that are marked in green into the space below the data (also marked in green). Could someone help me with how to do it, because you can't drag and move them down there.