Hello, this is the result from one of my rows in Search & Reporting (Web).
Job Code 039081934400000 (4) 082441325900000 (199)
However, when my code is used in a classic dashboard the results are this.
Job Code 039081934400000 (4) 082441325900000 (199)
How do I control my dashboard output to display like my search output?
| inputlookup job_codes_2024.csv
```all fields in the lookup above begin with the letter j, except for the field cntrl```
| foreach j*
```add line feed at the end of all fields beginning with the letter j```
    [| rex field=<<FIELD>> mode=sed "s/$/\n/g"]
```group all fields by the cntrl value```
| stats values(*) as * by cntrl
Thanks and God bless, Genesius
Hi, the solution was the following on Windows:
1. Go to the path: x:\<db_agent_home>\bin
2. Edit the file called DataBaseAgentService and add the following line to the end of the file: -Ddbagent.name=(your collector name)
3. Go to Services and restart the AppDynamics database agent
Attached is a screenshot as an example.
Hi @ITWhisperer, I have an input which I want to use in 2 different panels. Example: there are 3 panels in my dashboard:
<label>Mode Selection</label>
<choice value="panelA">panelA</choice>
<choice value="panelB">panelB</choice>
<choice value="panelC">panelC</choice>
I want to show the input in panelB and panelC and not in panelA. I have used the code below to solve it. I want to know if it is possible to write the input type code only once and use it with multiple panels (panelB and panelC).
<row>
  <panel depends="$tokShowPanelB$">
    <input type="radio" token="Devib" searchWhenChanged="true">
      <label>Deviation</label>
      <choice value="">ALL</choice>
      <choice value="| where Dev = 0">Dev = 0</choice>
      <choice value="| where Dev > 150">Dev > 150</choice>
      <default></default>
    </input>
  </panel>
</row>
<row>
  <panel depends="$tokShowPanelC$">
    <input type="radio" token="Devib" searchWhenChanged="true">
      <label>Deviation</label>
      <choice value="">ALL</choice>
      <choice value="| where Dev = 0">Dev = 0</choice>
      <choice value="| where Dev > 150">Dev > 150</choice>
      <default></default>
    </input>
  </panel>
</row>
So we don't waste too much of your time repeating what you've already tried, please share your queries, some sample events, the desired results, and the current results.
Hi @Raj_Splunk_Ing No need to apologize - we all start somewhere, and asking questions is how we learn! Let's break down your question about using AND ... IN (...) versus WHERE ... IN (...) in Splunk searches. Both of your examples will work, but there are some slight differences:
AND ... IN (...):
index=ADFS_AWS AND clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")
This is part of the main search string and is evaluated early in the search process.
Using WHERE:
index=ADFS_AWS | WHERE clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")
The WHERE command is a separate search command that filters results after the initial search.
In terms of efficiency: For most cases, they'll perform similarly. The AND version might be slightly faster as it's applied earlier in the search process. The WHERE version is more flexible if you need to do more complex filtering. Remember, the best approach often depends on your specific data and use case. Don't hesitate to test both and see which works better for you!
Splunk Search Manual: https://docs.splunk.com/Documentation/Splunk/latest/Search/Aboutsearch
Search Processing Language (SPL) Reference: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/WhatsInThisManual
WHERE command documentation: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where
Comparison of search commands (including AND and WHERE): https://docs.splunk.com/Documentation/Splunk/latest/Search/Comparesearchcommands
Best practices for searching: https://docs.splunk.com/Documentation/Splunk/latest/Search/Bestpracticesforsearching
Using the IN operator: https://docs.splunk.com/Documentation/Splunk/latest/Search/Usetheinoperator
Splunk Search Tutorials: https://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial
Hope this helps.
Hi All,
Thanks for your time. I am sorry in advance as this is a very basic question; I have just started exploring search queries. If I have something like below:
index=ADFS_AWS
AND clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")
This is searching only for these clientIds - option 1
or with where:
| where clientId IN ("Abc123","ABC123","ABC_ABC","abc_abc")
Which one should we be using, and which is more efficient?
I'm using the splunk-otel-collector, and attempting to get multi-line Java exceptions into a standardly formatted event. Using the example, my values file contains:
multilineConfigs:
  - namespaceName:
      value: example
    useRegexp: true
    firstEntryRegex: ^[^\s].*
    combineWith: ""
The rendered configMap contains:
- combine_field: attributes.log
  combine_with: ""
  id: example
  is_first_entry: (attributes.log) matches "^[^\\s].*"
  max_log_size: 1048576
  output: clean-up-log-record
  source_identifier: resource["com.splunk.source"]
  type: recombine
With that config, the logs continue to split. Then when I change the value to combineWith: "\t" the following happens with the logs: Has anyone experienced this and worked around it?
Hello, I am looking to calculate how long it takes to refresh the view using the time of the events "End View Refresh" and "Start View Refresh", i.e. find the difference in time for each of these events whenever these 2 events occur. Tried a number of things using streamstats and range, but it does not provide me the desired result. Any assistance would be appreciated. Regards
The queries can be combined like this.
index=test1 sourcetype=teams ("osversion=" OR "host=12*")
| rex field=_raw "\s+(?<osVersion>.*?)$"
| rex field=_raw "\w+(?<host>.*)$"
| table "Time(utc)" osVersion host
That will give you lists of OSVersions and hosts separately, but in a single table. Then you should compare the time values to see if OSVersion and host are in events with the timestamp so they can be merged. If so, then this query will do it.
index=test1 sourcetype=teams ("osversion=" OR "host=12*")
| rex field=_raw "\s+(?<osVersion>.*?)$"
| rex field=_raw "\w+(?<host>.*)$"
| stats values(*) as * by "Time(utc)"
| table "Time(utc)" osVersion host
I have two rex queries and want to know how to combine them.
Query 1:
index=test1 sourcetype=teams
| search "osversion="
| rex field=_raw "\s+(?<osVersion>.*?)$"
| table "Time(utc)" osVersion
output:
time osversion
1.1 123
1.2 1234
1.3 12345
1.4 123456
Query 2:
index=test1 sourcetype=teams
| search "host=12*"
| rex field=_raw "\w+(?<host>.*)$"
| table "Time(utc)" host
output:
time host
1.1 abc
1.2 abcd
1.3 abcde
Please help me combine the above queries so that the table looks like below:
time osversion host
1.1 123 abc
1.2 1234 abcd
1.3 12345 abcde
Question with regards to "Default value change for the 'max_documents_per_batch_save' setting causes restore from KV store backups made using versions earlier than Splunk Enterprise 9.3.0 to fail". The "9.3 READ THIS FIRST" documentation says that I must restore KV backups made using Splunk Enterprise 9.2.2 and earlier versions before upgrading to Splunk Enterprise version 9.3.0. I am new to Splunk administration and would appreciate steps (with detailed explanation) for how to accomplish this task and get to the point of upgrading Splunk from 9.2.2 to 9.3.1. This is a single-instance (one server) environment, no distributed components, no clusters. Not running ES, ITSI, or ITE Work. Thanks
"doesnot works" (sic) is not very informative. What exactly have you tried, what are you trying to achieve, and what are you getting that does not match your expectations?
Hi all,
New to Splunk, running out of ideas, please help!
I have created a search to show:
| bin span=10m _time
| stats count by _time
This gives me two columns: the time interval in 10-minute bins, and the number of results within that bin.
What I would like to do is expand on this search and show the % of bins over a time range that have >= 10 results.
cheers
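As an added example (not the original poster's search), here is a classic Simple XML panel that shows the share of 10-minute bins holding at least 10 events over the panel's time range. It uses timechart rather than bin followed by stats count by _time because timechart emits a row with count=0 for every empty 10-minute bucket in the range, whereas stats count by _time only returns buckets that contain at least one event, which would silently drop empty bins from the denominator. The base search index=main and the 24-hour time range are placeholders.

```xml
<!-- Added example, not the original poster's search: a classic Simple XML
     panel showing the share of 10-minute bins with at least 10 events over
     the panel's time range. "index=main" is a placeholder base search. -->
<dashboard>
  <label>Busy 10-minute bins</label>
  <row>
    <panel>
      <title>Percent of 10-minute bins with &gt;= 10 events</title>
      <single>
        <search>
          <!-- timechart yields one row per 10-minute bucket, including
               count=0 rows for empty buckets; busy flags the >= 10 ones -->
          <query>index=main
| timechart span=10m count
| eval busy=if(count &gt;= 10, 1, 0)
| stats sum(busy) AS busy_bins, count AS total_bins
| eval pct_busy=round(100 * busy_bins / total_bins, 2)
| fields pct_busy</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="unit">%</option>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
</dashboard>
```

Over the 24-hour range above that is 144 buckets, so total_bins is always 144 and pct_busy is the percentage of them at or above the threshold; change the threshold in the eval or the span in the timechart to match the bins you actually want to measure.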
Hi, is it possible to use the same input with 2 different panels? It works fine with 1 panel as below:
<panel depends="$tokShowPanelB$">
But I want to use the same input with panelC too. But the command below doesnot works:
<panel depends="$tokShowPanelB$ , $tokShowPanelC$">
Can someone please help.
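The two posts above by the same user (the three-panel dashboard with the Deviation input duplicated in panel B and panel C, and the attempt at depends="$tokShowPanelB$ , $tokShowPanelC$") ask the same thing. A comma-separated depends list means the element is shown only when every listed token is set, so it cannot express "panel B or panel C". The following is an added example, not the poster's dashboard: the mode selector's <change> handler sets an assumed helper token tokShowInput for either of those modes, and the Deviation input is written once, at fieldset level, with depends="$tokShowInput$". The token name mode, the base search index=main sourcetype=example, and the panel queries are placeholders.

```xml
<!-- Added example, not the original poster's dashboard.
     One Deviation input, shown for panel B or panel C, via an assumed helper
     token "tokShowInput" set by the mode selector's <change> handler.
     "index=main sourcetype=example" is a placeholder base search. -->
<form>
  <label>Mode Selection</label>
  <fieldset submitButton="false">
    <input type="radio" token="mode" searchWhenChanged="true">
      <label>Mode Selection</label>
      <choice value="panelA">panelA</choice>
      <choice value="panelB">panelB</choice>
      <choice value="panelC">panelC</choice>
      <default>panelA</default>
      <change>
        <!-- Panel A: show only its panel and hide the shared input -->
        <condition value="panelA">
          <set token="tokShowPanelA">true</set>
          <unset token="tokShowPanelB"></unset>
          <unset token="tokShowPanelC"></unset>
          <unset token="tokShowInput"></unset>
        </condition>
        <!-- Panels B and C: show their own panel plus the shared input -->
        <condition value="panelB">
          <unset token="tokShowPanelA"></unset>
          <set token="tokShowPanelB">true</set>
          <unset token="tokShowPanelC"></unset>
          <set token="tokShowInput">true</set>
        </condition>
        <condition value="panelC">
          <unset token="tokShowPanelA"></unset>
          <unset token="tokShowPanelB"></unset>
          <set token="tokShowPanelC">true</set>
          <set token="tokShowInput">true</set>
        </condition>
      </change>
    </input>
    <!-- Defined once; rendered only while tokShowInput is set (panel B or C).
         $Devib$ is spliced into the panel searches as raw SPL, so it stays a
         fixed choice list rather than a free-text input. -->
    <input type="radio" token="Devib" searchWhenChanged="true" depends="$tokShowInput$">
      <label>Deviation</label>
      <choice value="">ALL</choice>
      <choice value="| where Dev = 0">Dev = 0</choice>
      <choice value="| where Dev &gt; 150">Dev &gt; 150</choice>
      <default></default>
    </input>
  </fieldset>
  <row>
    <panel depends="$tokShowPanelA$">
      <title>Panel A (no Deviation filter)</title>
      <table>
        <search>
          <query>index=main sourcetype=example | stats count by host</query>
        </search>
      </table>
    </panel>
    <panel depends="$tokShowPanelB$">
      <title>Panel B</title>
      <table>
        <search>
          <query>index=main sourcetype=example $Devib$ | stats count by host</query>
        </search>
      </table>
    </panel>
    <panel depends="$tokShowPanelC$">
      <title>Panel C</title>
      <table>
        <search>
          <query>index=main sourcetype=example $Devib$ | stats avg(Dev) by host</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Selecting panelA hides the Deviation input together with panels B and C; selecting panelB or panelC shows the one input again with its current choice still applied to whichever panel is visible. Because the value of $Devib$ is inserted into the search string verbatim, keeping it bound to fixed choices (as the poster already does) is what guarantees the panel queries only ever run one of the known filters.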