Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About HiroshiSatoh
HiroshiSatoh
Champion
Member since:
05-29-2013
02-29-2024
Community Statistics
| Posts | 941 |
| Solutions | 207 |
| Karma Given | 15 |
| Karma Received | 217 |
| Member Since | 05-29-2013 |
Activity Feed
- Got Karma for Re: Dedup within a time range. 07-05-2024 02:40 PM
- Got Karma for Re: How to add search timeframe to a report results?. 12-18-2023 01:10 AM
- Got Karma for Re: How to use "where" and "not in" and "like" in one query. 10-24-2023 01:44 PM
- Got Karma for Re: Remove rows with NULL from final search output. 05-04-2023 08:27 AM
- Got Karma for Re: How to convert decimal numbers to percentage?. 09-21-2022 01:37 PM
- Got Karma for Re: i seen a lot time "wc-field" on the splunk tutorial, what's the "wc" mean?. 09-06-2022 12:38 PM
- Got Karma for Re: Dedup within a time range. 03-02-2022 08:05 AM
- Got Karma for Re: Search auto-finalized after time limit (30 seconds) reached on running SubSearch. 02-04-2022 10:26 AM
- Got Karma for Re: Set zero value if there is nothing found in the search. 02-03-2022 07:47 PM
- Got Karma for Re: Inputlookup subsearch and join. 09-23-2021 06:11 AM
- Got Karma for Re: What is the best way to ingest 300gb csv to splunk?. 11-26-2020 05:59 AM
- Got Karma for Re: Time-Modifiers Search depending on the day. 10-03-2020 09:51 PM
- Got Karma for Re: Change splunkd management port on Universal forwarder. 09-03-2020 06:45 AM
- Got Karma for Re: Dedup Command information. 06-05-2020 12:51 AM
- Got Karma for Re: How to rex field to a field. 06-05-2020 12:51 AM
- Karma For the Indexer Capacity Planning phase of upgrading our Splunk instance, where can I find what impact running searches will have on indexer performance? for marrette. 06-05-2020 12:50 AM
- Karma Palo Alto and Heavy Forwarder for mikesangray. 06-05-2020 12:50 AM
- Got Karma for Re: How to dynamically add results / correlate in a search with a sub-search. 06-05-2020 12:50 AM
- Got Karma for Re: Can you help us build a query to check the time of the earliest event in an index?. 06-05-2020 12:50 AM
- Got Karma for Re: Error in Splunk Security Essentials with macro `ut_parse_extended (url, list)`. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
08-05-2013
07:37 AM
Did you check the log? I think error and are on the log settings if wrong.
... View more
08-05-2013
01:10 AM
The results of example, but where is the problem?
example:
search sentence
sourcetype="csv-6" wfap_priority > $wfap_priority$ ・・・・・
dropdown
0 :[wfap_priority > 0]
1 :[wfap_priority > '1']
2 :[wfap_priority > "1"]
... View more
08-04-2013
08:40 PM
Can the whole of the view be presented wanting see the search sentence assembled?
... View more
08-04-2013
04:37 AM
Please give me a check at the top left of the answer you have resolved.
... View more
08-03-2013
03:33 AM
1 Karma
This is a sample of the dashboard. Please correct the search statement.
<?xml version='1.0' encoding='utf-8'?>
<label>Myselect</label>
<searchTemplate>
source="Process.csv" |sort _time asec| myselect filename=$Filename$
</searchTemplate>
<fieldset>
<input type="dropdown" token="Filename">
<label>Target Filename</label>
<populatingSearch fieldForValue="Filename" fieldForLabel="Filename">
<![CDATA[source="Process.csv" |table Filename|dedup Filename|sort Filename|where Filename!="Filename"]]>
</populatingSearch>
</input>
</fieldset>
Time Recorder
50
true
... View more
08-02-2013
12:01 PM
2 Karma
I tried to make a custom command because it could not be resolved in the search command.
It is a simple command that only support data of the sample.
Date,Process,Filename,NewFilename
"2013/8/2 10:59",Process1,Filename0,
"2013/8/2 11:01",Process2,Filename1,
"2013/8/2 11:02",Process3,Filename1,Filename2
"2013/8/2 11:03",Process4,Filename2,
"2013/8/2 11:04",Process5,Filename2,Filename3
"2013/8/2 11:05",Process6,Filename3,
"2013/8/2 11:06",Process7,Filename4,
"2013/8/2 11:07",Process8,Filename5,
"2013/8/2 11:08",Process9,Filename6,
・・・・・・・|sort _time asec| myselect filename="Filename1"
[myselect]
filename = myselect.py
import sys,splunk.Intersplunk
from splunk.Intersplunk import getOrganizedResults, outputResults, getKeywordsAndOptions
results,dummyresults,settings = getOrganizedResults()
args, keyValues = getKeywordsAndOptions()
if keyValues.has_key('filename') == False:
print "Usage: | myselect filename=[filename]"
outputResults(results)
sys.exit(0)
saveFilename = keyValues['filename']
newresults = []
for result in results:
if result['Filename'] == saveFilename:
newresults.append(result)
if len(result['NewFilename']) > 0:
saveFilename = result['NewFilename']
splunk.Intersplunk.outputResults(newresults)
... View more
08-01-2013
06:04 PM
Excuse me, sir. It was that the wrong answer and not converted time. And what if you only extract multiple data sub-search?
earliest=-2h latest=now()| dedup punct,_time|eval TimeInHour=_time%3600|join [search earliest=-2h latest=now()| dedup punct,_time|eval TimeInHour=_time%3600| stats count by TimeInHour,punct|where count>1] | rex mode=sed "s/ \d{1,2}:\d{1,2}:\d{1,2}//g" | table _raw,_time,TimeInHour,punct | sort TimeInHour,_raw
... View more
07-31-2013
05:19 PM
Do you no good in this?
TimeInHour=_time%3600 -> TimeInHour=date_hour
sort TimeInHour,_raw -> sort TimeInHour,punct,_time
... View more
07-30-2013
04:16 PM
1 Karma
Please set the time range in the search statement.
・・・・・・ earliest=-12mon@mon latest=@mon ・・・・・・|timechart ・・・・・・
However, I do not erase the warning.Sorry
... View more
07-30-2013
06:22 AM
Could it be there is a bug on a combination of time chart and extension XML. What happens if you would embed a time range in the search statement?
... View more
07-29-2013
05:15 PM
I answered that I think that you have specified a time range direct time range picker if funny.
It was not a answer. Please forget.
... View more
07-29-2013
08:29 AM
And what you do?
・・・・・・ earliest=-1d@h latest=@h ・・・・・・|timechart count
... View more
07-28-2013
04:58 PM
It is the Apps you want to view the results by selecting the month. Do not use this?
http://splunk-base.splunk.com/apps/95667/timerecorderforwindows
... View more
07-26-2013
09:27 AM
2 Karma
How is the search statement like this?
・・・・・| stats count(eval(message_id="VALUE1")) as VALUE1,count(eval(message_id="VALUE2")) as VALUE2,count(eval(message_id="VALUE3")) as VALUE3 | transpose |rename column as message_id,"row 1" as count
... View more
07-26-2013
01:59 AM
I am glad if there is no problem as the answer, and enjoy it by clicking the check to the left of the answer.
... View more
07-26-2013
12:32 AM
I tried various ways but it could not be realized. There is no way to pass the SQL string to "dbquery".
I like the example to give up.
|dbquery db1 "select id from sometable where type = 1"| search NOT[dbquery db2 "select id from sometable where type = 1"|format]
... View more
07-25-2013
11:16 PM
Do not be resolved by "appendcols"?
search *|stats sum(a)・・・・・・|appendcols [search *|stats sum(x) by month]
... View more
07-25-2013
09:39 AM
It is inferred from the result of sampling.
NO col1 col2 col3
1 A X Y
2 B
3 C X
4 D
5 E
col1 col2 col3
col1 100%(5/5) 40%(2/5) 20%(1/5)
col2 40%(2/5) 100%(2/2) 50%(1/2)
col3 20%(1/5) 50%(1/2) 100%(1/1)
... View more
07-25-2013
01:27 AM
If you just add a total row
…|addcoltotals labelfield=name label=ALL
name count
Error 10
OK 100
ALL 110
... View more
07-24-2013
12:44 AM
20,002件の入力に対して、UNIQコマンドで検証してみたところ入力カウントは20,002件でした。パラメータの設定が違っていたので、パラメータのstreamingをtrueからfalseに変更して実行したら35万件とカウントされました。この動きはカスタムコマンドを実行した場合も同様でした。
この質問はPYTHONで作ったカスタムコマンドがあまりに遅かったので入力カウントの35万を実際の入力の20,002件にすれば早くなるのではと考えて質問しましたが、検索スピードはstreaming=falseのほうが早い結果となりました。
PYTHONで作ったカスタムコマンドは、1万件の処理に1秒あたりが限界で、少し複雑な処理を加えればどんどん遅くなるという結論に達しました。文字列が長くなっても標準のサーチコマンドを駆使したほうが断然高速でした。
... View more
07-23-2013
10:16 PM
"classField"でchartの色を変えることは私もできなかった。スタック棒グラフで"range"毎に集計した結果を表示する方法ではダメか?
I was not able to change the color of the chart in "classField". Do not do it in a way that displays the results aggregated to each "range" in the stack bar chart?
|eval green=if(range=="green",count,0) | eval gray=if(range!="green",count,0) | fields - count,range
... View more
07-22-2013
06:17 PM
Are you sure you want to exist "site.py"? Or, do you not broken?
A similar message is displayed if you remove the "site.py" from "\LIB".
... View more
07-22-2013
04:49 PM
"ROUND" is okay. Do you want to be a display what results? Value Is it a numeric type?Error Is the output to "search.log"?
round((tonumber(Value)/1024),2)
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-29-2024
03:06 AM
|
Karma from
Karma given to
