rjthibod's Topics


My app includes the definition of a summary index in indexes.conf. When I am providing a copy of the app for clustered/distributed Splunk Enterprise environments, I like to split the app into two versions: one for the search heads and one for the indexers. Regarding the summary index definition in indexes.conf, should I include the definition in the search head version of the app or the indexer version of the app? Does it matter either way? Should I only include it in the indexer version if the environment is configured to index the summary data on the indexers (i.e., the outputs.conf is configured to forward summary data to the indexers)?
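For reference, a minimal sketch of the kind of stanza in question, using a hypothetical index name and default-style paths:

# indexes.conf -- hypothetical summary index definition shipped with the app
[my_app_summary]
homePath   = $SPLUNK_DB/my_app_summary/db
coldPath   = $SPLUNK_DB/my_app_summary/colddb
thawedPath = $SPLUNK_DB/my_app_summary/thaweddb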
This is more of a question about the "right" way of doing things versus what is possible. I want to know if there is anything I am forgetting or not considering that will make the following solution problematic. I have never seen this documented or discussed in any Splunk documentation, apps, or forums, so I wanted to make sure there is not a reason for its absence that I am unaware of.

The scenario is the need to handle a large set of sensor data (> 15 fields) from thousands of endpoints (i.e., GBs of data per day). The sensor data is periodically sampled, and I almost always look at averages, minimums, maximums, and weighted averages in 5-minute intervals. This seems like a good place to use summary indexing instead of data models/pivot, so that is the path I went down.

The issue is that a lot of disk space is wasted by how the summary aggregation fields (psrsvd_*) from sistats are written to a summary index in the format "Field=Value". In some cases, I actually see errors because the _raw field is too big (if I compute avg, min, and max on all sensor fields). The solution I devised to get around this (and to be more efficient) is writing the summary data from sistats out as pipe-delimited raw events that look like the following (the numbers represent sistats output for my sensor data):

Timestamp|Search_Time|Endpoint_Name|Sensor_Location|5|5|5|5|5|5|5|5|5|5|5|5|5|423|13|150966|0|1782.1|426|14|1514905|0|0|0|2123|...

I then defined a new source type for my summary index that specifies the appropriate field names for the pipe-delimited summary statistics fields (psrsvd_*, etc.). This seems to work fine in terms of retrieving and processing the summary index data, and it saves around 25% of disk space. So, is this OK to do for a large-scale deployment? Are there other things I need to consider? Is there a better solution that is more maintainable?
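To make the scheme concrete, here is a minimal sketch of the search-time extraction for such a source type, assuming a DELIMS/FIELDS style transform; the source type, stanza, and field names are all hypothetical placeholders:

# props.conf -- hypothetical source type for the pipe-delimited summary events
[my_sensor_summary]
REPORT-summary_fields = extract_my_sensor_summary

# transforms.conf -- map each delimited position to a field name
[extract_my_sensor_summary]
DELIMS = "|"
FIELDS = "timestamp", "search_time", "endpoint_name", "sensor_location", "stat_1", "stat_2", "stat_3", "stat_4"

The actual FIELDS list would need one entry per delimited position in the summary events.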
Splunk Enterprise 6.3.x has added lots of features that greatly extend the Simple XML framework. One capability enables saving the job SID of a completed search in a token (see the example XML below). That saved SID can then be accessed elsewhere in the dashboard to load the results of that job (i.e., using the loadjob command). There are many ways that this method of accessing search results within a single dashboard is more flexible than using a global search and post-processing. Are there any downsides to using the saved SID approach? Is one more efficient than the other in terms of memory, dispatching, etc.?

<search>
  <query> <INSERT_SPL_SEARCH> </query>
  <earliest>-1h</earliest>
  <latest>now</latest>
  <progress>
    <condition match="'job.resultCount' > 0">
      <set token="search_ds_1_sid">$job.sid$</set>
    </condition>
    <condition>
      <unset token="search_ds_1_sid"/>
    </condition>
  </progress>
</search>
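For context, a panel elsewhere in the same dashboard would consume the saved token roughly like this (the panel contents are hypothetical; the relevant part is loadjob reading the saved SID):

<chart depends="$search_ds_1_sid$">
  <search>
    <query>| loadjob $search_ds_1_sid$ | stats count by host</query>
  </search>
</chart>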
I am trying to do some editing to table fields and chart legends after the page and/or specific chart/table elements are redrawn. I am having a hard time getting my HTML and JS dashboard to trap certain events (e.g., load and resize), and I can't find any documentation on what events are passed in the HTML and JS web framework. Is there any documentation that describes which events are passed to specific elements, say Chart elements, or are supported in the SplunkJS Web Framework? The ones I know of are:

click and click:*
rendered
valuechange
data change
valueChange
search and search:*

Thank you
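For reference, the binding pattern being used looks roughly like the following sketch; the component id "chart1" is hypothetical, and only events from the list above are attached:

// A minimal sketch, assuming a chart component registered under the id "chart1"
require(["splunkjs/mvc"], function (mvc) {
    var chart = mvc.Components.get("chart1");  // hypothetical component id
    // Backbone-style event binding on the view
    chart.on("rendered", function () {
        console.log("chart1 rendered");
    });
    chart.on("click:legend", function (e) {
        console.log("chart1 legend clicked", e);
    });
});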
The objective is to take events that indicate user activity, break the data down into segments of time, and then figure out which segments/bins should be marked to indicate that user activity took place during that time. Here is an example of the data I am looking at:

Start | End | Field_Name | Unique_Visitor_ID
a1 | a1 | AAA | ZZZ
a1 | a2 | AAA | YYY
a2 | a2 | AAA | YYY
a3 | a4 | AAA | ZZZ
a4 | a4 | AAA | ZZZ
a5 | a6 | AAA | YYY
a6 | a6 | AAA | ZZZ

In the table above, the "Start" and "End" values indicate the start and end time segments that define a window of time during which user "Unique_Visitor_ID" was using resource "Field_Name". Think of it like the specification of a Gantt chart, where "Start" and "End" define the range of time windows during which a user was accessing a resource. What we want to do is create a plot showing how many users were using each resource during each time segment. The trick is that each event in the table can span multiple time segments, and each event is generated by grouping events into a transaction. I have been able to generate a query that populates the chart the way I want, but it is extremely inefficient due to how a combination of 'map' and 'gentimes' is being used. Any help on simplifying this would be extremely appreciated.

Here is the end of the query, where I try to produce a chart-able result after forming the table above. Basically, it puts all start and end segments into increments of 15 minutes, and then runs through a map/gentimes command that breaks up all of the transaction events that span multiple segments into individual events that each cover only a single segment.

GENERATE_TRANSACTION_TABLE
| fields start end FieldName UniqueID
| bin start span=15m
| bin end span=15m
| stats max(end) as lasttime by UniqueID FieldName start
| stats min(start) as starttime by UniqueID FieldName lasttime
| stats values(UniqueID) as UniqueID by starttime lasttime FieldName    (<-- filter and group like events)
| eval starttime=strftime(starttime, "%m/%d/%Y:%H:%M:%S")
| eval lasttime=lasttime+1    (<-- this is a workaround to make gentimes work for events with the same start and end)
| eval lasttime=strftime(lasttime, "%m/%d/%Y:%H:%M:%S")
| map maxsearches=1000 search="gentimes start=$starttime$ end=$lasttime$ increment=15m | eval FieldName=$FieldName$ | eval UniqueID=$UniqueID$"
| fields starttime FieldName UniqueID
| dedup starttime FieldName UniqueID
| makemv delim=" " UniqueID
| mvexpand UniqueID
| rename starttime as _time
| timechart span=15m dc(UniqueID) as Count by FieldName

Here is some example data to show the challenge. Assume this is what comes out of the transaction process:

Start      End        Field_Name Unique_Visitor_ID
1434355312 1434355421 AAA        ZZZ
1434355534 1434357109 AAA        ZZZ
1434357201 1434358920 AAA        ZZZ
1434362435 1434378784 BBB        YYY

This is what the same data looks like after assigning time buckets with a span of 30 minutes:

Start               End                 Field_Name Unique_Visitor_ID
06/15/2015:09:00:00 06/15/2015:09:00:00 AAA        ZZZ
06/15/2015:09:00:00 06/15/2015:09:30:00 AAA        ZZZ
06/15/2015:09:30:00 06/15/2015:10:00:00 AAA        ZZZ
06/15/2015:11:00:00 06/15/2015:15:30:00 BBB        YYY

This is what the end result would look like after calling timechart:
_time               AAA BBB
06/15/2015:09:00:00 1   0
06/15/2015:09:30:00 1   0
06/15/2015:10:00:00 1   0
06/15/2015:10:30:00 0   0
06/15/2015:11:00:00 0   1
06/15/2015:11:30:00 0   1
06/15/2015:12:00:00 0   1
06/15/2015:12:30:00 0   1
06/15/2015:13:00:00 0   1
06/15/2015:13:30:00 0   1
06/15/2015:14:00:00 0   1
06/15/2015:14:30:00 0   1
06/15/2015:15:00:00 0   1
06/15/2015:15:30:00 0   1
06/15/2015:16:00:00 0   0
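For comparison, one possible way to avoid map/gentimes entirely is to expand each spanning event into its covered segments with mvrange and mvexpand. This is an untested sketch against the same transaction table and field names as above:

GENERATE_TRANSACTION_TABLE
| fields start end FieldName UniqueID
| bin start span=15m
| bin end span=15m
| eval segment=mvrange(start, end + 900, 900)
| mvexpand segment
| dedup segment FieldName UniqueID
| rename segment as _time
| timechart span=15m dc(UniqueID) as Count by FieldName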
I am working with time-series data, and I want to group events based on the same values in three fields: field1, field2, and field3. All events are timestamped. I want to group the events into transactions where field1, field2, and field3 are the same and the events are contiguous in chronological order. I don't want events that are separated by an event with different field values to end up in the same transaction. Also, there is no way to know a maximum amount of time between any of the events.

For example, imagine the event sequence looks like the following if you put it into a table:

Time | field1 | field2 | field3
0 | a | b | c
1 | a | b | c
2 | a | b | c
3 | a | b | z
4 | a | b | y
5 | a | b | c
6 | a | b | c

The desired transaction behavior I am trying to achieve would turn the events above into the following transactions:

Transaction | Duration | field1 | field2 | field3
1 | 2 - 0 | a | b | c
2 | 3 - 3 | a | b | z
3 | 4 - 4 | a | b | y
4 | 6 - 5 | a | b | c
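For illustration, one alternative to transaction that is sometimes used for this kind of break-on-value-change grouping is streamstats; an untested sketch, where <your base search> is a placeholder:

<your base search>
| sort 0 _time
| streamstats current=f window=1 last(field1) as prev1 last(field2) as prev2 last(field3) as prev3
| eval new_group=if(isnull(prev1) OR field1!=prev1 OR field2!=prev2 OR field3!=prev3, 1, 0)
| streamstats sum(new_group) as group_id
| stats min(_time) as start_time max(_time) as end_time by group_id field1 field2 field3
| eval Duration=end_time-start_time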
In a Simple XML form (Splunk 6.2.2), I am trying to set tokens based on whether a checkbox is unchecked/deselected. Can the change and condition elements of Simple XML do this? Basically, I want to have three checkboxes, and each box controls which charts appear on the form. If a checkbox is deselected at any time, I want the corresponding charts to disappear.
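For reference, a minimal sketch of the behavior being attempted (token names, choices, and searches are hypothetical; whether the deselect case can actually be caught this way is the question):

<form>
  <fieldset submitButton="false">
    <input type="checkbox" token="chart_choices">
      <label>Charts to display</label>
      <choice value="cpu">CPU</choice>
      <choice value="mem">Memory</choice>
      <choice value="net">Network</choice>
      <change>
        <condition value="cpu">
          <set token="show_cpu">true</set>
        </condition>
        <condition>
          <unset token="show_cpu"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel depends="$show_cpu$">
      <chart>
        <search>
          <query>index=_internal | timechart count</query>
          <earliest>-1h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>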
I have been using data model Objects and Pivot with much success. While trying to play with the "Root Search" concept, I cannot find documentation on how to actually use a root search. Specifically, how does one include a root search in a Simple XML dashboard? For this example, assume my data model's ID is "my_dm" and the root search object's ID is "summary_ids". Do I reference "summary_ids" in the search field? Do I specify "id='summary_ids'" in a "search" XML field? Please point me to any documentation or examples that you know of.
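For context, these are the kinds of forms being considered, using the IDs from the question; whether either of these is the intended way to reference a root search is exactly what is being asked:

<chart>
  <search>
    <query>| datamodel my_dm summary_ids search | timechart count</query>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </search>
</chart>

<chart>
  <search>
    <query>| pivot my_dm summary_ids count(summary_ids) AS "Count" SPLITROW _time AS _time PERIOD auto</query>
    <earliest>-24h</earliest>
    <latest>now</latest>
  </search>
</chart>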