All Posts

@bowesmana, nope. Let me share the exact example values:

field a = AAAAA\ABCDE-SS410009$
field b = A=AAAAA\ABCDE-SS410009,B=Domain,C=AB,D=XXX,E=NET

Now I want to match

field a = AAAAA\ABCDE-SS410009
field b = AAAAA\ABCDE-SS410009

like this.
Are you looking for any length partial match of field a with b? i.e. if field a is AA\ABC$ and field B is 123456789A987654321 do you want a match because it contains A? which is a partial match?
Thank you so much for your advice, I'll try it.
Hi @gcusello Thank You for the advice. I've already tried something similar, but I always get the error: "Error in 'EvalCommand': Failed to parse the provided arguments. Usage: eval dest_key = expression. "  Maybe I'm creating a new column wrong? I go to Add New -> Eval Expression, then Field name "OS" and expression - search text  
Hi, I want to match partial values of field a with partial values of field b. I tried with match/like but no luck.

field a
AA\ABC$
BB\DCE$

field b
A=ABC,B=Domain,C=AB,D=XXX,E=NET
A=DCE,B=Domain,C=AB,D=XXX,E=NET

Now my results should return

field a = field b
ABC = ABC
DCE = DCE

Could someone pls help me on this?
Hi Everyone, is it possible to create a button similar to the edit button and place it near the edit button using HTML and CSS? I was able to create a button, but it is big and I was also not able to place it near the edit button. Can anyone help me?
Assuming you have this data in Splunk and the field names are A_ X Y Z W, this example shows how, using your data, which you can copy/paste into a search:

    | makeresults
    | eval _raw="A X Y Z W A8 2 B12 7 5 C14 5 D24 2 3"
    | multikv forceheader=1
    | table A_ X Y Z W
    ``` Above reproduces your table ```
    ``` Get the multiplier from the first field ```
    | rex field=A_ "[A-Z](?<mul>\d+)"
    ``` Now multiply the field value by the multiplier ```
    | foreach X Y Z W [ eval <<FIELD>>=<<FIELD>>*mul ]
    | fields - mul
    ``` and create the column totals ```
    | addcoltotals

I am assuming your final column total for col W is not correct, but should read 5 * 12?
Will give it a go. Thanks for the feedback!
This statement

    | eval down=$down$

is not a search statement - it is just creating a field called down with the value held by the token $down$.

Maybe you mean you want to search for an existing field called down that has a value of the token, i.e.

    | search down=$down$

or one of these two statements depending if your token value is numeric (first option) or string (second)

    | where down=$down$

OR

    | where down=$down|s$
Hey guys, new to Splunk and trying to figure some things out and hit a wall. I created a dropdown called 'down'. I used this field in the search criteria and it's not filtering based on the value I set in the drop down. Data is being pulled/returned but does not seem to be using the eval correctly. Any help would be greatly appreciated. Thanks!

Code is search:

    source="plays.csv" host="DESKTOP-CU54MC0" sourcetype="csv"
    | apply "_exp_draft_275e108c50cd4522ac0479ad79873849"
    | `confusionmatrix("playType","predicted(playType)")`
    | eval down=$down$

I also cannot get it to restrict based on down in a search:

    source="plays.csv" host="DESKTOP-CU54MC0" sourcetype="csv"
    | apply "_exp_draft_275e108c50cd4522ac0479ad79873849"
    | `confusionmatrix("playType","predicted(playType)")`
    | eval down=1
Hi Ryan, and what about setting up a .net app that accesses AS400 DB. Is there an AppD agent for AS400?
Here is an example of the table.

            X           Y            Z       W
    A8      2
    B12                 7                    5
    C14     5
    D24                 2            3
    Total   2*8+5*14    7*12+2*24    3*24    5*24

What is the SPL (formula or command) for calculating the total number as listed in the table?

Thanks,
What do you mean 'download a csv for each row'? Where is this CSV coming from? Is this data in Splunk already?
The stats command will not return results for a groupBy field that is empty or null.  Use the fillnull command or enhance the eval statement to ensure the joiner field always has a value.
I assume you're referring to your splunk.com account.  I went through the same thing a few years ago.  You have to create a new account and ask the certification (certification@splunk.com) and education (education_amer@splunk.com) teams to transfer your records to the new account.
I would enable KVStore on search heads and disable it everywhere else.  HFs are not search heads and don't need KVStore unless you have an app that specifically calls for it.
This was me with a typo - see that dash? It should be an underscore (and the lookup was kvstore, not csv)!
Hi Everyone, when I am trying to update "Splunk App for Windows Infrastructure", the login screen where it asks to provide splunk.com credentials does not proceed further. I checked my credentials and they seem to be correct. Any idea why I am unable to update the app? I am able to update other apps fine.
It’s just an example. I have like 60 rows of a different data set and I need to download csv for each row. just like here, one for each country.  I need a way to do all of these in one go.  USA.                   DC, NY                             4.8
There are lots of errors in that query if cut/pasted to a Splunk search, but if you are not getting FailurePercentage, that's because the statement

    | eval (FailurePercentage = Failure/Sucess)*100

is not a valid Splunk eval statement, and Sucess is also spelt incorrectly compared to the calculation in your stats command.

Note that your approach to appendcols is not a good way to approach this problem and can be done more efficiently like this

    index=dl* ("Error_MongoDB") OR ("inserted Record")
    | eval Status=if(match(_raw, "Error_MongoDB"), "Failure", "Success")
    | timechart span=1d count as Total by Status
    | eval FailurePercentage = (Failure/Success)*100
    | fillnull FailurePercentage

so you don't need a subsearch and can do it in one timechart, and the fillnull will take care if the value of Success is 0.

Note that the eval Status line may be improved if you have a field that can indicate success/failure better than by matching _raw.