All Posts
The odd thing about the IN command is that it is not consistent across search and where. If using SEARCH you need to put the IN in capital letters, not lowercase, so technically you need to do

    | search pp_user_action_name IN ...

However, as @dtburrows3 suggests, you are better off using the standard subsearch syntax for doing IN style searching, i.e.

    | search [ | inputlookup test.csv | fields YOUR_CSV_FIELD | rename YOUR_CSV_FIELD as pp_user_action_name ]

You don't actually need the format statement as there is an implicit format statement applied to the subsearch.
Does it happen for all users or just some? If so, it could be cached JS
Rounding down is done using floor, as you have tried, but you are adding +1 so it will be 1130. You have row numbers turned on in the format menu, so you cannot influence row numbers to remove the 11, but you can make your own row numbers by adding this

    ``` Round Score DOWN ```
    | eval Score = if(isnull(Student), floor(Score), Score)
    ``` Now do row processing ```
    | streamstats count as Row
    | eval Row=if(isnull(Student), null(), Row)
    | table Row Student Score
There is no good reason why it would not find it if it is present. You should be able to figure out the issue by just finding a single dashboard you know has that expression and running this

    | rest splunk_server="local" "/servicesNS/-/-/data/ui/views"
    | search title="xyz"
    | eval match=if(match('eai:data', "(?i)index=murex_metrics"), 1, 0)
    | table match eai:data

Replace xyz with your dashboard title and then you will have two columns, match and eai:data - match will be 1 or 0 depending on whether it was found, and you should be able to do a visual check on the data.
Should be able to fit both conditions into one if() logic statement

    if((spath(logs, "test_name")=="Motor" OR spath(logs, "test_name")=="Pass"), 'logs', null())

or maybe even something like this.

    if(spath(logs, "test_name") IN ("Motor", "Pass"), 'logs', null())
So there are two ways I can think of parsing this.

One using MVExpand:

    <base_search>
    | spath path=info.indicators{} output=indicators
    | table indicators
    | eval time_count_indicator_json=case(
        isnull(indicators), null(),
        mvcount(indicators)==1, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()),
        mvcount(indicators)>1, mvmap(indicators, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()))
        )
    | fields - indicators
    ``` Method 1 using MVExpand ```
    | mvexpand time_count_indicator_json
    | spath input=time_count_indicator_json
    | fields - time_count_indicator_json

and another that is parsing an array of json_objects matching your criteria of only events "timeCountIndicator":

    <base_search>
    | spath path=info.indicators{} output=indicators
    | table indicators
    | eval time_count_indicator_json=case(
        isnull(indicators), null(),
        mvcount(indicators)==1, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()),
        mvcount(indicators)>1, mvmap(indicators, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()))
        )
    | fields - indicators
    ``` Method 2 parsing MV Field as array of json_objects ```
    | eval time_count_indicator_json_array="[".mvjoin(time_count_indicator_json, ",")."]"
    | spath input=time_count_indicator_json_array
    | fields - time_count_indicator_json, time_count_indicator_json_array
    | rename "{}.*" as *

I personally find the mvexpand method to give a much cleaner output to work with. Method 2 could potentially lead to mvfields being unaligned if any of the json_objects have a null value for that field. But it depends on the use case and data volume you are trying to parse, because mvexpand can be memory intensive.
SPL used to replicate:

    | makeresults
    | eval _raw="{\"env\": \"prod\", \"host\": \"prod\", \"name\": \"appName\", \"info\": {\"data\": [], \"indicators\": [{\"details\": {\"A.runTime\": 434, \"A.Count\": 0, \"B.runTime\": 0, \"B.Count\": 0}, \"name\": \"timeCountIndicator\", \"status\": \"UP\"}, {\"details\": {\"A.downCount\": 2, \"A.nullCount\": 0, \"B.downCount\": 0, \"B.nullCount\": 0}, \"name\": \"downCountIndicator\", \"status\": \"UP\"}, {\"details\": {\"A.runTime\": 333, \"A.Count\": 2, \"B.runTime\": 21, \"B.Count\": 4}, \"name\": \"timeCountIndicator\", \"status\": \"UP\"}], \"status\": \"DOWN\"}, \"metrics\": {}, \"ping\": 1}"
    | spath path=info.indicators{} output=indicators
    | table indicators
    | eval time_count_indicator_json=case(
        isnull(indicators), null(),
        mvcount(indicators)==1, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()),
        mvcount(indicators)>1, mvmap(indicators, if(spath(indicators, "name")=="timeCountIndicator", 'indicators', null()))
        )
    | fields - indicators
    ``` Method 1 using MVExpand ```
    | mvexpand time_count_indicator_json
    | spath input=time_count_indicator_json
    | fields - time_count_indicator_json
    ``` Method 2 parsing MV Field as array of json_objects ```
    ```
    | eval time_count_indicator_json_array="[".mvjoin(time_count_indicator_json, ",")."]"
    | spath input=time_count_indicator_json_array
    | fields - time_count_indicator_json, time_count_indicator_json_array
    | rename "{}.*" as *
    ```
Is there a way to include multiple conditions? For example:

    if(spath(logs, "test_name")=="Motor", 'logs', null()),
    if(spath(logs, "result")=="Pass", 'logs', null())

In this case only using the data from the logs where test_name="Motor" and result="pass".
I have data like this.

    {
        env: prod
        host: prod01
        name: appName
        info: {
            data: [ ... ]
            indicators: [
                {
                    details: {
                        A.runTime: 434
                        A.Count: 0
                        B.runTime: 0
                        B.Count: 0
                        ....
                    }
                    name: timeCountIndicator
                    status: UP
                }
                {
                    details: {
                        A.downCount: 2
                        A.nullCount: 0
                        B.downCount: 0
                        B.nullCount: 0
                        ....
                    }
                    name: downCountIndicator
                    status: UP
                }
            ]
            status: DOWN
        }
        metrics: { ... }
        ping: 1
    }

I only want to extract fields in info.indicators{}.details ONLY when info.indicators{}.name of that field is "timeCountIndicator". I tried to use spath combined with table, mvexpand and where

    ... | spath path=info.indicators{} output=indicators | table indicators | mvexpand indicators | where match(indicators,"timeCountIndicator")

It returns a record as a string, however. And it's really hard to convert the string back to fields, which makes it hard to process. (Technically extract/rex can deal with it, but it takes a REALLY long time to extract every field in details when I need only some fields.) Is there any way to deal with this in an easier way?
Found the way around it. Have to pipe "|fields metrics.data{}.name metrics.data{}.status". I don't know why I need to do that also, but apparently it works now.
mvmap() function loops through all values in a multivalued field and applies an operation to each individual entry. Combining this functionality with if() conditions you can get pretty slick with working with MV fields.

So for this situation you can see that we are looping through entries in the MV field `logs`. So step one, it looks at the value...

    {"test_name": "Disable UGC USB Comm Watchdog", "result": "Pass"}

We then apply the if() function to check a specific condition for this individual entry in our loop

    if(spath(logs, "test_name")=="Motor", 'logs', null())

spath is checking the value of key "test_name" in this entry and if it is equal to "Motor" then we are taking that individual entry (json_object) and dropping it into a new field named "selective_json". If there were multiple entries matching this criteria then selective_json would also be a multivalued field but would be filtered down to only include the json_objects whose "test_name"=="Motor".

MVMap function is great but I have found a very odd bug with it sometimes. From what I can tell, without checking if the field is actually multivalued before using mvmap against it there can be strange behavior when jumping between events. To get around that I have found that nesting it in a case() function to first check whether the value of a field in each event is null, single_value, or multi_value, to determine which operation to use, works.
Hello - I have several dashboards that are presenting the user with a pop up box

Reviewing the Browser Console, I see the following:

The culprit seems to be common.js

The dashboard is already using the version=1.1 that I have seen in other posts. The dashboard doesn't reference any .js scripts nor does it use any lookups to generate results.

    <form version="1.1" hideEdit="false">

Any suggestions are appreciated. Thank you.

However, this issue persists.
Since you provided bytes_out data I presume that is the value you want to use for a threshold. Create a threshold by using the where command in the CS.

    | tstats `summariesonly` count values(sourcetype) AS sourcetype, values(All_Traffic.src_zone) AS src_zone, earliest(_time) as earliest, latest(_time) as latest, values(All_Traffic.action) AS action, values(All_Traffic.bytes_out) AS bytes_out, values(All_Traffic.bytes_in) AS bytes_in, sum(All_Traffic.bytes) AS bytes, values(All_Traffic.direction) AS direction, values(All_Traffic.app) AS app from datamodel=Network_Traffic
    | where bytes_out > 159

Adjust the "159" as necessary to get the expected number of notables.
Yes!!!  That second table.   Thank you....will try out your solution later this week.  Much appreciation to you all for chiming in on this.
This function works well, thank you! Using it with eval _raw allows me to easily get the data I want using SPATH.

    eval _raw=selective_json
    | spath R_rpm_ugc output=reverseRPM
    | table serial_number test_name selective_json reverseRPM

Would you be able to explain how this function works? As a Splunk novice I am unsure how the selective_json field is created.
Thank you very much for your valuable help, you are right the field below should be optional but for some reason it is a mandatory field. I will send a ticket
Hi @Vantine,

don't use timechart:

    index=eits_wineventlog_security sourcetype=WinEventLog (EventCode=4771 OR EventCode=4776)
    | bin span=60m _time
    | stats count BY user _time
    | where count>5

Ciao.

Giuseppe
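The hourly-count logic in the answer above, written out in Python as an added example (it is not code from the thread or from Splunk) so the binning step can be seen on sample data. The event lines are constructed and use the Windows Security log field names EventCode and TargetUserName; the function and constant names are this example's own. The second function goes a step beyond the thread: a rolling window of the same length, which also flags a burst that a fixed 60-minute bin would split in two.

```python
"""Hourly burst detection for failed Windows authentications: the Python
counterpart of `bin span=60m _time | stats count BY user _time | where count>5`.
Added example, not the thread's code; events below are constructed."""
from collections import defaultdict
from datetime import datetime, timezone

FAILED_AUTH_CODES = {"4771", "4776"}  # Kerberos pre-auth failure, NTLM credential validation
SPAN_SECONDS = 3600                   # bin span=60m
THRESHOLD = 5                         # where count>5

# Constructed sample events (not real log data): "<ISO-8601 UTC time> key=value ...".
# alice: 6 failures inside the 09:00 hour; bob: 6 failures straddling 09:00/10:00;
# alice's 4624 (successful logon) is outside the base search and must be ignored.
SAMPLE_EVENTS = """\
2024-05-01T09:02:11 EventCode=4771 TargetUserName=alice
2024-05-01T09:05:40 EventCode=4776 TargetUserName=alice
2024-05-01T09:11:03 EventCode=4771 TargetUserName=alice
2024-05-01T09:20:59 EventCode=4771 TargetUserName=alice
2024-05-01T09:33:17 EventCode=4776 TargetUserName=alice
2024-05-01T09:47:48 EventCode=4771 TargetUserName=alice
2024-05-01T09:50:00 EventCode=4624 TargetUserName=alice
2024-05-01T09:40:12 EventCode=4771 TargetUserName=bob
2024-05-01T09:50:30 EventCode=4771 TargetUserName=bob
2024-05-01T09:58:45 EventCode=4771 TargetUserName=bob
2024-05-01T10:01:02 EventCode=4771 TargetUserName=bob
2024-05-01T10:07:19 EventCode=4771 TargetUserName=bob
2024-05-01T10:15:55 EventCode=4771 TargetUserName=bob
"""


def parse_event(line):
    """Split '<timestamp> k=v k=v' into a dict with an epoch _time (like Splunk's kv extraction)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields["_time"] = datetime.fromisoformat(ts_str).replace(tzinfo=timezone.utc).timestamp()
    return fields


def failed_auth_events(lines):
    """The base search: keep only events whose EventCode is a failed-authentication code."""
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event.get("EventCode") in FAILED_AUTH_CODES and "TargetUserName" in event:
            yield event


def bin_start(epoch, span=SPAN_SECONDS):
    """bin span=60m _time: floor the timestamp to the start of its fixed span."""
    return int(epoch // span) * span


def fixed_bin_bursts(lines, threshold=THRESHOLD, span=SPAN_SECONDS):
    """stats count BY user _time | where count>threshold, over fixed bins.
    Returns sorted (user, bin start as ISO-8601, count) tuples."""
    counts = defaultdict(int)
    for event in failed_auth_events(lines):
        counts[(event["TargetUserName"], bin_start(event["_time"], span))] += 1
    return sorted(
        (user, datetime.fromtimestamp(start, tz=timezone.utc).isoformat(), n)
        for (user, start), n in counts.items()
        if n > threshold
    )


def sliding_window_bursts(lines, threshold=THRESHOLD, span=SPAN_SECONDS):
    """Beyond the thread: a rolling window of `span` seconds per user, which also
    catches a burst that straddles a fixed bin boundary. Returns sorted (user, peak)."""
    per_user = defaultdict(list)
    for event in failed_auth_events(lines):
        per_user[event["TargetUserName"]].append(event["_time"])
    flagged = []
    for user, times in sorted(per_user.items()):
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= span:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged.append((user, peak))
    return flagged


if __name__ == "__main__":
    print(fixed_bin_bursts(SAMPLE_EVENTS.splitlines()))      # alice only
    print(sliding_window_bursts(SAMPLE_EVENTS.splitlines()))  # alice and bob
```

On the sample, the fixed bins flag alice (6 in the 09:00 hour) and miss bob, whose 6 failures fall 3 and 3 either side of 10:00; the rolling window flags both. If that boundary effect matters for a correlation search, the SPL equivalent is to lower the threshold, shorten the span, or use streamstats with time_window instead of bin.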
You may be better off formatting your search command to be like

    | search [ | inputlookup test.csv | fields + <filter_field> | rename <filter_field> as pp_user_action_name | format ]

You can see here that the format command formats the output of the subsearch as a valid search string that gets used in the parent search.

Example of subsearch output:

Example of this used on a local Splunk instance:
Should be able to do this utilizing the mvmap() function.

Example eval:

    | eval selective_json=case(
        isnull(logs), null(),
        mvcount(logs)==1, if(spath(logs, "test_name")=="Motor", 'logs', null()),
        mvcount(logs)>1, mvmap(logs, if(spath(logs, "test_name")=="Motor", 'logs', null()))
        )

SPL used to replicate:

    | makeresults
    | eval _raw="{\"serial_number\": \"PLACEHOLDER1234\", \"type\": \"Test\", \"result\": \"Pass\", \"logs\": [{\"test_name\": \"UGC Connect\", \"result\": \"Pass\"}, {\"test_name\": \"Disable UGC USB Comm Watchdog\", \"result\": \"Pass\"},{\"test_name\": \"Hardware Rev\", \"result\": \"Pass\", \"received\": \"4\"}, {\"test_name\": \"Firmware Rev\", \"result\": \"Pass\", \"received\": \"1.8.3.99\", \"expected\": \"1.8.3.99\"},{\"test_name\": \"Set Serial Number\", \"result\": \"Pass\", \"received\": \"1 A S \n\", \"expected\": \"1 A S\"}, {\"test_name\": \"Verify serial number\", \"result\": \"Pass\", \"received\": \"JC0024EW1482300425\", \"expected\": \"JC0024EW1482300425\", \"reason\": \"Truncated full serial number: 30913JC0024EW1482300425 to JC0024EW1482300425\"}, {\"test_name\": \"Thermocouple\", \"pt1_ugc\": \"24969.0\", \"pt1\": \"25000\", \"pt2_ugc\": \"19954.333333333332\", \"pt2\": \"20000\", \"pt3_ugc\": \"14993.666666666666\", \"pt3\": \"15000\", \"result\": \"Pass\", \"tolerance\": \"1000 deci-mV\"}, {\"test_name\": \"Cold Junction\", \"result\": \"Pass\", \"ugc_cj\": \"278\", \"user_temp\": \"270\", \"tolerance\": \"+ or - 5 C\"}, {\"test_name\": \"Glow Plug Open and Short\", \"result\": \"Pass\", \"received\": \"GP Open, Short, and Load verified OK.\", \"expected\": \"GP Open, Short, and Load verified OK.\"}, {\"test_name\": \"Glow Plug Power On\", \"result\": \"Pass\", \"received\": \"User validated Glow Plug Power\"}, {\"test_name\": \"Glow Plug Measure\", \"pt1_ugc\": \"848\", \"pt1\": \"2070\", \"pt1_tolerance\": \"2070\", \"pt2_ugc\": \"5201\", \"pt2\": \"5450\", \"pt2_tolerance\": \"2800\", \"result\": \"Pass\"}, {\"test_name\": \"Motor Soft Start\", \"result\": \"Pass\", \"received\": \"Motor Soft Start verified\", \"expected\": \"Motor Soft Start verified by operator\"}, {\"test_name\": \"Motor\", \"R_rpm_ugc\": 1525.0, \"R_rpm\": 1475, \"R_v_ugc\": 160.0, \"R_v\": 155, \"R_rpm_t\": 150, \"R_v_t\": 160, \"R_name\": \"AUGER 320 R\", \"F_rpm_ugc\": 1533.3333333333333, \"F_rpm\": 1475, \"F_v_ugc\": 164.0, \"F_v\": 182, \"F_rpm_t\": 150, \"F_v_t\": 160, \"F_name\": \"AUGER 320 F\", \"result\": \"Pass\"}, {\"test_name\": \"Fan\", \"ugc_rpm\": 2436.0, \"rpm\": 2130, \"rpm_t\": 400, \"ugc_v\": 653.3333333333334, \"v\": 630, \"v_t\": 160, \"result\": \"Pass\"}, {\"test_name\": \"RS 485\", \"result\": \"Pass\", \"received\": \"All devices detected\", \"expected\": \"Devices detected: ['P']\"},{\"test_name\": \"Close UGC Port\", \"result\": \"Pass\"}, {\"test_name\": \"DFU Test\", \"result\": \"Pass\", \"received\": \"Found DFU device\"}, {\"test_name\": \"Power Cycle\", \"result\": \"Pass\", \"received\": \"User confirmed power cycle\"}, {\"test_name\": \"UGC Connect\", \"result\": \"Pass\"}, {\"test_name\": \"Close UGC Port\", \"result\": \"Pass\"},{\"test_name\": \"USB Power\", \"result\": \"Pass\", \"received\": \"USB Power manually verified\"}]}"
    | spath logs{} output=logs
    | fields - _raw, _time
    | eval selective_json=case(
        isnull(logs), null(),
        mvcount(logs)==1, if(spath(logs, "test_name")=="Motor", 'logs', null()),
        mvcount(logs)>1, mvmap(logs, if(spath(logs, "test_name")=="Motor", 'logs', null()))
        )
Yes, I have tried with the search command as well, but no luck.

    index="dynatrace" sourcetype="dynatrace:usersession"
    | spath output=user_actions path="userActions{}"
    | stats count by user_actions
    | spath output=pp_user_action_application input=user_actions path=application
    | where pp_user_action_application="test"
    | spath output=pp_user_action_name input=user_actions path=name
    | search pp_user_action_name in ([| inputlookup test.csv])
    | spath output=pp_user_action_response input=user_actions path=visuallyCompleteTime
    | eval pp_user_action_name=substr(pp_user_action_name,0,150)
    | eventstats avg(pp_user_action_response) AS "Avg_today" by pp_user_action_name
    | stats count(pp_user_action_response) As "Today_Calls",perc90(pp_user_action_response) AS "Perc90_today" by pp_user_action_name Avg_today
    | eval Perc90_today=round(Perc90_today/1000,2)
    | eval Avg_today=round(Avg_today/1000,2)
    | table pp_user_action_name,Today_Calls,Avg_today,Perc90_today
Hi @tharun.santosh, I see you posted your question again. The community is a peer-to-peer community. I suggest you try contacting AppD sales for further help. https://www.appdynamics.com/company/contact-us