All Posts
I want to alert if a result changes. There are probably dozens of ways to do this, but I think I'm missing the really simple obvious solution. I've been looking at diff, and I can get this to work in search results - providing a single "event" result containing either "Results are the same" or some stats if a difference is found. The expression looks like this: index=testapp ErrorlogTotalCount |diff I could add an attribute, but it's not really needed because the result is static except for the log count. The default position values of 1 and 2, comparing the newest result to the prior one, is also perfect because we want to catch when the number changes. My difficulty is setting up an alert to catch this. Since I always get 1 event back, I can't alert on a count of events. Maybe I can use a custom trigger condition, but I'm not finding a document that explains how to use that field. This is probably possible with other search commands such as delta or streamstats but to me those appear to be overkill. Let me know what I am missing please. Thanks for the help.
Please provide the data specification.
I would like to know the maximum data volume that a single Splunk server can ingest, and whether you could provide
Hello, I have the below values in a lookup and am trying to achieve the bar chart view below.

Country  old_limit  old_spend_limit  new_limit  new_spend_limit
USA      84000      37000            121000     43000
Canada   149000     103000           214000     128000

old_limit = PRE
new_limit = POST
I assume that my-index is a metrics index. But it is still unclear what is being asked. Generally only you will know what data you get back from AWS/EBS and which metrics are of interest to your use case. Once you know which metrics you are interested in and what kind of stats (e.g., avg) you want to perform, mstats is your friend. If you have difficulty figuring out which metrics are available, mstats is also your friend:

| mstats count(*) as * where index=my-index ``` my-index must be a metric index ```
| transpose column_name=metric_name

Hope this helps.
I'm not aware of any such option.  Perhaps one of the DEBUG log settings will help. Failure to apply a regex is not an error - it just means the data doesn't match the regex, which is perfectly normal.
Hi @richgalloway @gcusello, is there any option where we can see the errors for the blacklisted regex if it's not getting applied? Thanks.
@_JP is correct that single quotes have special meaning in SPL. Have you tested

index=_internal status=*
| rename status AS HTTPStatus
| stats count(eval(HTTPStatus >= 400 AND HTTPStatus < 500)) AS fourxxErrors, count(eval(HTTPStatus >= 500 AND HTTPStatus < 600)) AS fivexxErrors, count AS TotalRequests

Can you share sample output from this?
Yes, I also had that idea: so, calculate log(analog_value) and plot that on a linear Y axis? While that produces a proper visual, you can't read the value of analog_value any more (only its log). But the illegibility of the true values still bothers me, which is why I was hoping for an even more perfect solution, somehow... Maybe there is none.
You can avoid the empty panel warnings by just adding a dummy html panel, i.e. <panel> <html/> </panel>  
If the urls are consistent, that is a great idea. Unfortunately, the urls have between 1 and 8 parts between . and I don't know where to start. Alternatively, if there is a way of adding what is in the csv to the results, that would work.

This is rather confusing. @ITWhisperer's command concatenates from the end, and it shouldn't matter whether there is 1 part in between or 8. Have you tested in full search?

index=my_index sourcetype=my_sourcetype (rule=policy_1 OR rule=policy_2 OR rule=policy_3) [ | inputlookup my_list_of_urls.csv ]
| eval my_url = mvjoin(mvindex(split(url, "."), -2,-1), ".")
| stats count by my_url

Another piece of confusion comes from the original search:

index=my_index sourcetype=my_sourcetype (rule=policy_1 OR rule=policy_2 OR rule=policy_3) [ | inputlookup my_list_of_urls.csv ]
| rename url AS my_url
| stats count by my_url
| table my_url

If you table my_url in the end, the result is no different from using inputlookup alone. Why bother with index search? If you only want microsoft.com and office.com from the CSV, you could do

| inputlookup my_list_of_urls.csv
| eval my_url = mvjoin(mvindex(split(url, "."), -2,-1), ".")
| stats values(my_url) as my_url
| mvexpand my_url

Maybe you can describe more variety of data (anonymize as needed) and print output from proposed searches, then illustrate what the desired outcome is and explain why the actual output is not desired (in case it is not obvious enough)?
In this case if you just care about the max TotalScore, you can just reverse-sort your data by TotalScore and use head to grab the first (aka the max) one:

| makeresults format=csv data="Class,Name,Subject,TotalScore,Score1,Score2,Score3
ClassA,Name1, Math, 170, 60 ,40 ,70
ClassA,Name1, English ,195, 85, 60, 50
ClassA,Name2, Math, 175, 50, 60, 65
ClassA,Name2, English ,240, 80, 90, 70
ClassA,Name3, Math, 170, 40, 60 ,70
ClassA,Name3, English ,230, 55, 95, 80"
| sort -TotalScore
| head 1
| table Class Name, Subject, TotalScore, Score1, Score2, Score3

Here's a screenshot:
Hello, I only need 1 row displaying all fields that has the Max TotalScore of 240:

Class   Name   Subject  TotalScore  Score1  Score2  Score3
ClassA  Name2  English  240         80      90      70

Thank you
if only it was supported in dashboard studio!  will use classic for the time being - thank you!
I am understanding that for your results you want to see who (Names) has the highest TotalScore for all classes. If my understanding is correct, here is one way you could structure that SPL. I used makeresults to recreate your example table of data (thanks - that table helped me see what you're looking at):

| makeresults format=csv data="Class,Name,Subject,TotalScore,Score1,Score2,Score3
ClassA,Name1, Math, 170, 60 ,40 ,70
ClassA,Name1, English ,195, 85, 60, 50
ClassA,Name2, Math, 175, 50, 60, 65
ClassA,Name2, English ,240, 80, 90, 70
ClassA,Name3, Math, 170, 40, 60 ,70
ClassA,Name3, English ,230, 55, 95, 80"
| eventstats max(TotalScore) as max_TotalScore by Class, Subject
| where TotalScore=max_TotalScore
| table Class Name, Subject, TotalScore, Score1, Score2, Score3

I used the eventstats command to determine the highest scores by Class and Subject. Essentially this will add a new field on each row called max_TotalScore. I then use where to only keep the rows (i.e. Names) for the ones where the TotalScore equals this max_TotalScore - that means this person is the one with the highest score.

Results:
You can fudge it by editing the XML and creating your own row with empty panel tags. You will get a warning icon in the edit mode, but it saves and displays fine. For example:

<row>
  <panel>
  </panel>
  <panel>
    <input type="dropdown" token="field1" searchWhenChanged="true">
      <label>Component</label>
      <choice value="*">All</choice>
      <default>*</default>
      <fieldForLabel>component</fieldForLabel>
      <fieldForValue>component</fieldForValue>
      <search>
        <query>index=_internal | dedup component | table component | sort component</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </panel>
  <panel>
  </panel>
  <panel>
  </panel>
</row>

Here's a mock-up I did. See the attached XML pdf to see the full SimpleXML for my mockup.
Ahh.. When you are stacking a bar chart, you cannot use log scale on the left hand Y-axis and it gives an error, but when setting Log on the Chart Overlay right hand axis, it does not give an error but ignores log. I didn't realise it restricted the RH axis. What if you added

| eval analog_value=log(analog_value,10)

It would have the same effect, although not with the right numbers ...
How to display other fields on the same row when aggregating using stats max(field)? Thank you for your help. For example: I am trying to display the same row that has the highest TotalScore=240

Class   Name   Subject  TotalScore  Score1  Score2  Score3
ClassA  Name2  English  240         80      90      70

My Splunk Search:

index=scoreindex
| stats values(Name) as Name, values(Subject) as Subject, max(TotalScore) as TotalScore, max(Score1) as Score1, max(Score2) as Score2, max(Score3) as Score3 by Class
| table Class Name, Subject, TotalScore, Score1, Score2, Score3

I think my search above is going to display the following (Name and Subject become multivalue fields):

Class   Name   Subject  TotalScore  Score1  Score2  Score3
ClassA  Name1  Math     240         85      95      80
        Name2  English
        Name3

This is the whole data in table format from scoreindex:

Class   Name   Subject  TotalScore  Score1  Score2  Score3
ClassA  Name1  Math     170         60      40      70
ClassA  Name1  English  195         85      60      50
ClassA  Name2  Math     175         50      60      65
ClassA  Name2  English  240         80      90      70
ClassA  Name3  Math     170         40      60      70
ClassA  Name3  English  230         55      95      80
Holy Cow, great stuff -- thanks! why, oh why, could Splunk not have had something like this...?
Without knowing more about your javascript, is there something happening where you are doing a require of a module that should be included with an import?  Or, you might need to load abcxyz.js in a different way because of the contents. This answer over on StackOverflow addresses the more generic javascript quirkiness you could be running into.