Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Here is my XML code so far:

<form version="1.1" theme="dark">
  <init>
    <set token="none">None</set>
    <set token="tokTypeInputVisible">Yes</set>
    <unset token="user_tok"></unset>
    <unset token="description_tok"></unset>
    <unset token="revisit_tok"></unset>
    <unset token="dropdown_tok"></unset>
    <unset token="add"></unset>
    <unset token="remove"></unset>
    <unset token="reauthorize"></unset>
  </init>
  <label>USB</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="text" token="user_tok" searchWhenChanged="false">
      <label>User</label>
      <default></default>
    </input>
    <input type="text" token="description_tok" searchWhenChanged="false">
      <label>Description</label>
      <default></default>
    </input>
    <input type="dropdown" token="revisit_tok" searchWhenChanged="false">
      <label>Revisit</label>
      <choice value="select Month">Select</choice>
      <choice value="1 month">1 Month</choice>
      <choice value="2 month">2 Month</choice>
      <choice value="3 month">3 Month</choice>
      <choice value="4 month">4 Month</choice>
      <choice value="5 month">5 Month</choice>
      <choice value="6 month">6 Month</choice>
      <change>
        <condition value="1 month">
          <set token="1 month"></set>
          <unset token="2 month"></unset>
          <unset token="3 month"></unset>
          <unset token="4 month"></unset>
          <unset token="5 month"></unset>
          <unset token="6 month"></unset>
        </condition>
        <condition value="2 month">
          <unset token="1 month"></unset>
          <set token="2 month"></set>
          <unset token="3 month"></unset>
          <unset token="4 month"></unset>
          <unset token="5 month"></unset>
          <unset token="6 month"></unset>
        </condition>
        <condition value="3 month">
          <unset token="1 month"></unset>
          <unset token="2 month"></unset>
          <set token="3 month"></set>
          <unset token="4 month"></unset>
          <unset token="5 month"></unset>
          <unset token="6 month"></unset>
        </condition>
        <condition value="4 month">
          <unset token="1 month"></unset>
          <unset token="2 month"></unset>
          <unset token="3 month"></unset>
          <set token="4 month"></set>
          <unset token="5 month"></unset>
          <unset token="6 month"></unset>
        </condition>
        <condition value="5 month">
          <unset token="1 month"></unset>
          <unset token="2 month"></unset>
          <unset token="3 month"></unset>
          <unset token="4 month"></unset>
          <set token="5 month"></set>
          <unset token="6 month"></unset>
        </condition>
        <condition value="6 month">
          <unset token="1 month"></unset>
          <unset token="2 month"></unset>
          <unset token="3 month"></unset>
          <unset token="4 month"></unset>
          <unset token="5 month"></unset>
          <set token="6 month"></set>
        </condition>
      </change>
    </input>
    <input type="dropdown" token="dropdown_tok" depends="$tokTypeInputVisible$">
      <label>Action</label>
      <choice value="none">None</choice>
      <choice value="add">Add</choice>
      <choice value="remove">Remove</choice>
      <choice value="reauthorize">Reauthorize</choice>
      <change>
        <condition value="none">
          <set token="none"></set>
          <unset token="add"></unset>
          <unset token="remove"></unset>
          <unset token="reauthorize"></unset>
        </condition>
        <condition value="add">
          <set token="add"></set>
          <unset token="remove"></unset>
          <unset token="reauthorize"></unset>
          <unset token="none"></unset>
        </condition>
        <condition value="remove">
          <unset token="add"></unset>
          <set token="remove"></set>
          <unset token="reauthorize"></unset>
          <unset token="none"></unset>
        </condition>
        <condition value="reauthorize">
          <unset token="add"></unset>
          <unset token="none"></unset>
          <unset token="remove"></unset>
        </condition>
      </change>
      <default>none</default>
    </input>
  </fieldset>
  <row>
    <panel depends="$none$">
      <title>USb_BAU</title>
      <table>
        <search>
          <query>
            | inputlookup USB.csv
            | table _time, user, category, department, description, revisit, status
            | lookup lookup user as user OUTPUT category department
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel depends="$add$">
      <title>Add User</title>
      <table>
        <search>
          <query>
            | inputlookup USB.csv
            | append [ | makeresults | eval user="$user_tok$", description="$description_tok$", revisit="$revisit_tok$", Action="$dropdown_tok$" ]
            | table _time, user, category, department, description, revisit, status
            | lookup lookup user as user OUTPUT category department
            | outputlookup USB.csv
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <unset token="add"></unset>
            <unset token="remove"></unset>
            <unset token="reauthorize"></unset>
          </done>
        </search>
        <option name="drilldown">cell</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel depends="$remove$">
      <title>Remove User</title>
      <table>
        <search>
          <query>
            | inputlookup USB.csv
            | where user != "$user_tok$"
            | table _time, user, category, department, description, revisit, status
            | outputlookup USB.csv
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <done>
            <unset token="remove"></unset>
          </done>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel depends="$revisit_tok$">
      <title>Revisit User</title>
      <table>
        <search>
          <query>
            | inputlookup USB.csv
            | eval 1 month="$1 month$", 2 month="$2 month$", 3 month="$3 month$", 4 month="$4 month$", 5 month="$5 month$", 6 month="$6 month$"
            | eval status = IF((now() &lt; 1 month), "Expired","Valid")
            | table _time, user, category, department, description, revisit, status
            | outputlookup USB.csv
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Basically I am trying to figure out the following: when a user is added to the lookup table and you click on Add, I need to check the date they were added against the month selection, and if it is past the month they selected then that user is inactive, and there is a Reauthorize option to reactivate them on the lookup table.

Hi. I have a two-panel dashboard. One is the general status of the cluster and the other one is the details for the selected cluster.

Panel 1:

`myapp_get_index` sourcetype="myapp:pce:metadata" myapp_type="myapp:pce:health"
| stats values(status) as status by fqdn
| rename fqdn as FQDN
| eval "Cluster Status" = upper(substr(status,0,1)) + lower(substr(status,2))
| fields - status

Panel 2:

`myapp_get_index` sourcetype="myapp:pce:metadata" myapp_type="myapp:pce:health" fqdn=$fqdn$
| head 1
| spath path="nodes{}" output=nodes
| mvexpand nodes
| table nodes
| spath input=nodes
| eval "Uptime Day"=round(uptime_seconds/60/60,0)
| table hostname, ip_address, type, cpu.percent, disk{}.location, disk{}.value.percent, memory.percent, services.running{}, services.status, "Uptime Day"

This code works. I added the transpose command to panel 1:

`myapp_get_index` sourcetype="myapp:pce:metadata" myapp_type="myapp:pce:health"
| stats values(status) as status by fqdn
| rename fqdn as FQDN
| eval "Cluster Status" = upper(substr(status,0,1)) + lower(substr(status,2))
| fields - status
| transpose 5
| fields - column
| rename column as FQDN, "row 1" as "FQDN 1", "row 2" as "FQDN 2", "row 3" as "FQDN 3", "row 4" as "FQDN 4", "row 5" as "FQDN 5"

It shows the data as I wanted in panel 1, but in panel 2 it shows details only for the first FQDN regardless of what I click on. I could not pinpoint what is missing. Thank you in advance.

How do I create a custom command to delete a particular default entity type from the environment? Also, how do we clone the object to customize it?

A search query in Dashboard Classic, when split by Trellis in the Visualization tab, gives 4 pie charts:

index=log-13120-nonprod-c laas_appId=qbmp.prediction* "jobPredictionAnalysis" prediction lastEndDelta
| eval accuracy_category = case( abs(lastEndDelta) <= 600, 10, (abs(lastEndDelta) > 600 and abs(lastEndDelta) <= 1200), 20, (abs(lastEndDelta) > 1200 and abs(lastEndDelta) <= 1800), 30, 1==1,40)
| eval timeDistance_category = case(timeDistance < 3600, 1, (timeDistance>3600 and timeDistance<7200),2,(timeDistance>7200 and timeDistance<10800),3,1==1,4)
| chart count by accuracy_category

But if the same is embedded in Dashboard Studio, I have to add a where clause to split the query result into 4 parts to get 4 pie charts, because I cannot find the Trellis option:

| where timeDistance_category=1

How do I get 4 pie charts (split by ... Trellis) in Dashboard Studio?

Hi all, I have this search query which checks the time difference between two events, and it works great, but I would also like to see the milliseconds of that calculation. At the moment it just shows H:MM:SS. "Duration" shows me the output from a tostring eval, but I would like it to also show milliseconds. Could anyone help me out on this one?

index="0200-pio_numb3r5_support-app" "HumanResourceImportJob" AND "transitioning from state 'Processing' to 'Succeeded'. Reason:" OR "transitioning from state 'Enqueued' to 'Processing'. Reason:" AND NOT OnStateUnapplied
| where host="AUDIINSA4919" OR host="AUDIINSA4304"
| stats earliest(_time) AS Start_time latest(_time) AS Finished_time by host
| eval Latency=tostring(Finished_time-Start_time, "duration")    <----- here
| table Start_time , Finished_time , Latency , host
| fieldformat Finished_time=strftime(Finished_time,"%d/%m/%y %H:%M:%S.%3N")
| fieldformat Start_time=strftime(Start_time,"%d/%m/%y %H:%M:%S.%3N")

Output is (Latency should be H:MM:SS:milliseconds):

Start_time              Finished_time           Latency    host
19/05/22 03:30:03.000   19/05/22 03:42:02.000   00:11:59   AUDIINSA4919

How do I find the duration in minutes between two events from _time?

index=log-13120-nonprod-c laas_appId=qbmp.prediction* "pushed to greenplum for predictionId"

2022-05-19 03:37:30,108 jobRunStats INFO Current Predictions, total=1659262 pushed to greenplum for predictionId = fe387967-2f11-4358-8b27-c51a45042e79
2022-05-19 03:26:29,085 jobRunStats INFO Current Predictions, total=1659262 pushed to greenplum for predictionId = 473866d5-c7b1-4156-90a0-de978b260e8d

I simply want the difference between the two events above and then to show a line graph of cycle time length in minutes. So the output will be:

11 mins
14 mins
7 mins

And then I want to plot a line graph that will tell me the length of my cycle time. I do not want to use transaction.

I would like to set up an email alert which should run on Mon, Tue, Wed, Thu and Fri every week at 04:00 AM IST.

Hello Splunkers, can somebody here tell me what the easiest way is to get MuleSoft data into Splunk if the MuleSoft data is on-prem? For example, would I be able to use a forwarder and monitor the directory, or is an integration via HEC or API possible? I also found an add-on and an app, but it doesn't say whether they're intended for MuleSoft running on-prem or in the cloud. Any help would be greatly appreciated!

Hi everyone, please help me with this problem. After doing a search in Splunk, I have the results in the table below:

Id     Average
1231   130
1234   540
1568   220
7564   116
7894   273

Now I need to calculate some values based on the averages in the table. For example:

result1 = average of id 1231 / average of id 7894
result2 = average of id 1568 / average of id 1234

How can I do it, please? Thanks in advance!

Hi, this is a Splunk query and it returns a nested JSON object.

Query:

sourcetype=_json_fluentd source="***" | search message="SQS Result Data" "FAIL"

Response:

{
  additional: {
    Messages: [
      {
        Body: { "clientName" : "mpc", "tenantId" : "assd", "mid" : "asd-bhn", "userId" : "112778", "transactionReferenceId" : "trans1223", "verificationResult" : "FAIL", "verificationResultTimestamp" : "2022-05-19T05:44:24.090Z", "statusReason" : "NO_ID_UPLOADED" }
      }
    ]
  }
  level: info
  message: SQS Result Data
}

I want to display a table with the status reason and the count of the different status reasons like "NO_ID_UPLOADED", "FRAUD_ID". Please share your answers.

Hi, I am using the below query in my dashboard:

index="deng03-cis-dev-audit"
| spath PATH=data.labels.verbose_message output=verbose_message
| eval serviceName = mvindex(split(index, "-"), 1)."-".mvindex(split(host, "-"), 2)
| search "data.labels.activity_type_name"="ViolationOpenEventv1"
| where (verbose_message like "%Oldest unacked message age%evt%" or verbose_message like "%Oldest unacked message age%rec%")
| eval error=case(like(verbose_message,"%above the threshold of 1800.000%"), "warning", like(verbose_message,"%above the threshold of 300.000%"), "failure")
| stats values(serviceName) as serviceName count(eval(error=="failure")) as failureCount count(eval(error=="warning")) as warningCounttimechart

I want to show two line charts for failureCount and warningCounttimechart by time. I tried appending "timechart span=1d count by failureCount, warningCounttimechart", but to no use.

I need to create a simple dropdown and populate it using a search query in Dashboard Studio. We can do this in Dashboard Classic, but how do we do it in Dashboard Studio? Then, once the user selects any option, how do I pass the option to another search query, like a token?

This Dell Isilon add-on setup page is not working. I am using version 2.6 of the Dell EMC Isilon Add-on; below is the error I get while configuring the setup page. Any help on the setup page is really appreciated. What changes do we need to make on

Here is an example of what the search looks like:

index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/09/2022:00:00:00 latest=05/09/2022:24:00:00 )
| rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)"
| fields +xyzApi test_filed_1test_filed_1 index
| top xyzApi test_filed_1test_filed_1 index limit=20
| appendcols [ search index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/16/2022:00:00:00 latest=05/16/2022:24:00:00 )
    | rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)"
    | fields +xyzApi test_filed_1test_filed_1 index
    | top xyzApi test_filed_1test_filed_1 index limit=20 ]

Ideally I want to run the search for the 9th and the 16th of this month (both Mondays), get the count for each day and compare them. I'm not able to split the count per day.

Hi, I made some modifications to the time token's earliest and latest as per my requirement, as shown below.

<input type="time" token="time_picker" searchWhenChanged="true">
  <label>Time Picker</label>
  <change>
    <eval token="my_earliest">if(isnum($time_picker.earliest$),$time_picker.earliest$,relative_time(now(),$time_picker.earliest$))</eval>
    <eval token="my_latest">if(isnum($time_picker.latest$),$time_picker.latest$,relative_time(now(),$time_picker.latest$))</eval>
    <eval token="my_now">now()</eval>
    <eval token="final_earliest">strftime($my_earliest$,"%m/%d/%Y:%H:%M:%S")</eval>
    <eval token="modified_axs">if($my_latest$==$my_now$,$my_latest$-60,$my_latest$)</eval>
    <eval token="modified_prex">if($my_latest$==$my_now$,$my_latest$,$my_latest$+60)</eval>
    <eval token="final_latest_axs">strftime(modified_axs,"%m/%d/%Y:%H:%M:%S")</eval>
    <eval token="final_latest_prex">strftime(modified_prex,"%m/%d/%Y:%H:%M:%S")</eval>
  </change>
  <default>
    <earliest>-15m</earliest>
    <latest>now</latest>
  </default>
</input>

Now, when I refresh the dashboard I get the error below: it is not picking up the default earliest, it is taking time_picker.earliest as now(). I want to set it to -15m during dashboard refresh.

Error in 'search' command: Unable to parse the search: Invalid time bounds in search: start=1652905253 > end=1652905193.

How can I solve this issue? @niketn

Hi all, I am ingesting some logs from a Heavy Forwarder and then sending them to the indexers.

Snippet from inputs.conf on the Universal Forwarder:

[monitor:///opt/splunk/etc/apps/nonprod_apicalls/local/ce_p2_srv_data2_env_getstats_port.txt]
disabled = false
sourcetype = my:api:ce2
index = internet

I would like to extract the "data2" text from the filename. I did a rex field extraction on the search head and it works, giving me an "instance" field under interesting fields in the Search UI. Below is the regex I used:

| rex field=source "\/(.+\/)(?:[^_]+_[^_]+_[^_]+_)(?<instance>[^_]+)"

So the next step I did was to create props.conf with the below configuration:

[my:api:ce2]
EXTRACT-instance = \/(.+\/)(?:[^_]+_[^_]+_[^_]+_)(?<instance>[^_]+) in source

I restarted the Splunk service on the Heavy Forwarder, but it doesn't work. Can someone advise me if I am doing something wrong here, or what the issue is? Thank you, Harry

Hello, I have 3 base queries in my Splunk dashboard. But when the dashboard loads, only 1 or 2 of the base queries run, displaying the data and visualization. Request you to please help me on this. PFB the XML data:

<form>
  <label>All Errors</label>
  <description>Errors</description>
  <fieldset submitButton="false">
    <input type="time" token="Time" searchWhenChanged="true">
      <label>Time</label>
      <default>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <search id="search_urls">
    <query>
      index=abc sourcetype=abc cf_org_name=abc cf_space_name=PROD cf_app_name=*
      | rex field=_raw "POST\s|GET\s(?&lt;URL&gt;[a-zA-Z0-9\W].+)\?|\s\HTTP"
      | rex field=_raw "x_b3_traceid\:\"(?&lt;TRACE_ID&gt;[a-zA-Z0-9]+)\""
      | rex field=_raw "(?&lt;METHOD&gt;POST|GET)"
      | rex field=_raw "HTTP\/1.1\"\s+(?&lt;STATUS&gt;\d\d\d)\s"
      | join TRACE_ID [search index=abc sourcetype=abc cf_org_name=abc cf_space_name=PROD cf_app_name=* cf_instance_index="*APP/PROC/WEB*" (severity!=INFO OR tag=error)
          | rex field=_raw "(?&lt;ERROR_MESSAGE&gt;com.tmobile[a-zA-Z0-9\W].+)$"
          | rex field=_raw "\,(?&lt;TRACE_ID&gt;[0-9a-zA-Z]+)\,"]
    </query>
    <earliest>$Time.earliest$</earliest>
    <latest>$Time.latest$</latest>
  </search>
  <search id="performance_urls">
    <query>
      index=abc sourcetype=abc cf_org_name=abc cf_space_name=PROD cf_app_name=*
      | rex field=_raw "POST\s|GET\s(?&lt;URL&gt;[a-zA-Z0-9\W].+)\?|\s\HTTP"
      | rex field=_raw "x_b3_traceid\:\"(?&lt;TRACE_ID&gt;[a-zA-Z0-9]+)\""
      | rex field=_raw "(?&lt;METHOD&gt;POST|GET)"
      | rex field=_raw "response_time\:(?&lt;RESPONSE_TIME&gt;[\d\.\d]+)"
      | rex field=_raw "HTTP\/1.1\"\s+(?&lt;STATUS&gt;\d\d\d)\s"
    </query>
    <earliest>$Time.earliest$</earliest>
    <latest>$Time.latest$</latest>
  </search>
  <search id="errors">
    <query>
      index=abc sourcetype=abc cf_org_name=abc cf_instance_index="*APP/PROC/WEB*" cf_app_name=*
      | rex field=_raw "(?&lt;ORA_ERROR&gt;ORA\-.+)$"
      | rex field=_raw "(?&lt;KAFKA_ERROR&gt;org.apache.kafka[a-zA-Z0-9\W].+)$"
      | rex field=_raw "(?&lt;ERROR_MESSAGE&gt;com.tmobile[0-9a-zA-Z\W].+)$"
      | rex field=_raw "message\:\s+(?&lt;errorMessage&gt;[0-9a-zA-Z\W].+)$"
    </query>
    <earliest>$Time.earliest$</earliest>
    <latest>$Time.latest$</latest>
  </search>
  <row>
    <panel>
      <title>Timechart based on URLs (only 4xx/5xx)</title>
      <chart>
        <search base="search_urls">
          <query>search STATUS&gt;=400 AND URL!="/" | timechart span=1h count by URL usenull=f useother=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Timechart based on URLs (only 4xx/5xx - Unique Trace IDs)</title>
      <chart>
        <search base="search_urls">
          <query>search STATUS&gt;=400 AND URL!="/" | dedup TRACE_ID | timechart span=1h count by URL usenull=f useother=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Statistics based on URL, STATUS, METHOD, cf_app_name, ERROR_MESSAGE (Sorted by maximum counts)</title>
      <table>
        <search base="search_urls">
          <query>search STATUS&gt;=400 AND URL!="/" | stats count by URL, STATUS, METHOD, cf_app_name, ERROR_MESSAGE | sort - count | head 6</query>
        </search>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Timechart based on URLs (including 2xx/3xx)</title>
      <chart>
        <search base="search_urls">
          <query>| timechart span=1h count by URL useother=f usenull=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Timechart based on URLs (including 2xx/3xx - Unique Trace IDs)</title>
      <chart>
        <search base="search_urls">
          <query>| dedup TRACE_ID | timechart span=1h count by URL useother=f usenull=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Statistics based on URL, STATUS, METHOD, cf_app_name, ERROR_MESSAGE (including 2xx/3xx)</title>
      <table>
        <search base="search_urls">
          <query>| stats count by URL, STATUS, METHOD, cf_app_name, ERROR_MESSAGE | sort - count | head 6</query>
        </search>
        <option name="drilldown">row</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Database Errors (Timechart)</title>
      <chart>
        <search base="errors">
          <query>search tag=error | timechart span=1h count by ORA_ERROR usenull=f useother=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
    <panel>
      <title>Database Errors by cf_app_name, Error Message (sorted by maximum counts)</title>
      <table>
        <search base="errors">
          <query>search tag=error | stats count by cf_app_name, ORA_ERROR | sort - count | head 6</query>
        </search>
        <option name="drilldown">row</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Timechart of generic messages</title>
      <chart>
        <search base="errors">
          <query>search errorMessage!="null" | timechart span=1h count by errorMessage useother=f usenull=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
    <panel>
      <title>Statistics of generic messages based on cf_app_name</title>
      <table>
        <search base="errors">
          <query>search errorMessage!="null" | stats count by cf_app_name, errorMessage | sort - count | head 6</query>
        </search>
        <option name="drilldown">row</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Timechart of Kafka Errors</title>
      <chart>
        <search base="errors">
          <query>search severity!=INFO OR tag=error | timechart span=1h count by KAFKA_ERROR usenull=f useother=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Statistics of Kafka Errors based on cf_app_name</title>
      <table>
        <search base="errors">
          <query>search severity!=INFO OR tag=error | stats count by cf_app_name, KAFKA_ERROR | sort - count | head 6</query>
        </search>
        <option name="drilldown">row</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>RMQ Errors (Timechart)</title>
      <chart>
        <search base="errors">
          <query>search ERROR_MESSAGE="*RMQ*" AND (severity!=INFO OR tag=error) | timechart span=1h count by ERROR_MESSAGE usenull=f useother=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
    <panel>
      <title>Statistics of RMQ Errors based on cf_app_name</title>
      <table>
        <search base="errors">
          <query>search ERROR_MESSAGE="*RMQ*" AND (severity!=INFO OR tag=error) | stats count by cf_app_name, ERROR_MESSAGE | sort - count | head 6</query>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Deep Errors (Timechart)</title>
      <chart>
        <search base="errors">
          <query>search ERROR_MESSAGE="*deep*" AND (severity!=INFO OR tag=error) | timechart span=1h count by ERROR_MESSAGE usenull=f useother=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
    <panel>
      <title>Statistics of Deep Errors based on cf_app_name</title>
      <table>
        <search base="errors">
          <query>search ERROR_MESSAGE="*deep*" AND (severity!=INFO OR tag=error) | stats count by cf_app_name, ERROR_MESSAGE | sort - count | head 6</query>
        </search>
        <option name="drilldown">row</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Performance of 4xx/5xx URLs - Response &gt; 10 sec (Timechart)</title>
      <chart>
        <search base="performance_urls">
          <query>search STATUS&gt;=400 AND URL!="/" AND RESPONSE_TIME&gt;10 | timechart span=1h count by URL usenull=f useother=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
        <option name="refresh.display">progressbar</option>
      </chart>
    </panel>
    <panel>
      <title>Statistics of response time &gt; 10 sec for 4xx/5xx URLs</title>
      <table>
        <search base="performance_urls">
          <query>search STATUS&gt;=400 AND URL!="/" AND RESPONSE_TIME&gt;10 | stats count by URL, cf_app_name, STATUS, METHOD | sort - count | head 6</query>
        </search>
        <option name="drilldown">row</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Performance of URLs 2xx/3xx/4xx/5xx - Response &gt; 10 sec (Timechart)</title>
      <chart>
        <search base="performance_urls">
          <query>search URL!="/" AND RESPONSE_TIME&gt;10 | timechart span=1h count by URL useother=f usenull=f</query>
        </search>
        <option name="charting.chart">line</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.placement">bottom</option>
      </chart>
    </panel>
    <panel>
      <title>Statistics of response time &gt; 10 sec for 2xx/3xx/4xx/5xx URLs</title>
      <table>
        <search base="performance_urls">
          <query>search URL!="/" AND RESPONSE_TIME&gt;10 | stats count by URL, cf_app_name, STATUS, METHOD | sort - count | head 6</query>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>

Is there a way to use the time range set by the preset time token as earliest and latest values in a string? For example, if my time token name is token_time and I set the range on a dashboard to "Year to date", is there some name or field name I can then use in the search earliest and latest options of token_time to reflect those dates, so that I can use them in another search?

earliest = the value for 1/01/2022
latest = now

Thanks in advance.

I have this query that produces two multivalue fields, keys and values. What I need to do is pair each entry in the keys multivalue field with its matching value in the values multivalue field to create a JSON object that looks like this:

{ key1:val1, key2:val2, key3:val3 }

index=test5 earliest=@s-24h apicall IN (aws_es_listDomainNames aws_es_listTags) NOT err
| eval resourceid=coalesce(resourceid, DomainName)
| eval uid=resourceid+accountid+region
| rename "TagList{}.Key" AS keys
| rename "TagList{}.Value" AS values
| eval tags=mvzip('keys','values'," = ")
| nomv tags

This matches up the key and value pairs but isn't useful with json_object. I've tried using json_object, but json_object only accepts arguments and not a string of key-value pairs. Is there a way to produce a JSON object from the two multivalue fields above? Thanks.

Hi everyone, I would like to extract a table. For instance (SOH is a special character):

Input:

id=1, message body= [35=DSOH45=CSOH]
id=2, message body= [35=FSOH53=ASOH45=CSOH]
+10k messages as such

Result:

35   45   53
D    C
F    C    A

Create headers with all keys provided through all messages. If a key is not provided in a message then the cell should be empty. As you can see, 53 is not always present; when that is the case its cell is empty.

Thanks in advance.