Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About chadman
chadman
Path Finder
Member since:
12-16-2014
06-05-2020
Community Statistics
| Posts | 118 |
| Solutions | 2 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 12-16-2014 |
Activity Feed
- Got Karma for Show the time range of a search in HH:MM in a table. 03-01-2021 12:56 PM
- Got Karma for how can I re-order my table with the join command?. 06-05-2020 12:47 AM
- Got Karma for How can I configure Splunk to read a csv file from a universal forwarder?. 06-05-2020 12:47 AM
- Posted Re: How to use the last import for my source? on Getting Data In. 06-15-2018 06:28 AM
- Posted How to use the last import for my source? on Getting Data In. 06-14-2018 09:51 AM
- Posted Re: help with a sub search and pie chart on Splunk Search. 06-09-2018 06:59 AM
- Posted help with a sub search and pie chart on Splunk Search. 06-08-2018 08:15 AM
- Tagged help with a sub search and pie chart on Splunk Search. 06-08-2018 08:15 AM
- Posted Re: How to use ldap search to get computers from multiple groups? on Splunk Search. 04-03-2018 06:04 AM
- Posted Re: How to use ldap search to get computers from multiple groups? on Splunk Search. 03-29-2018 05:57 AM
- Posted Re: How to use ldap search to get computers from multiple groups? on Splunk Search. 03-28-2018 12:47 PM
- Posted How to use ldap search to get computers from multiple groups? on Splunk Search. 03-28-2018 11:10 AM
- Tagged How to use ldap search to get computers from multiple groups? on Splunk Search. 03-28-2018 11:10 AM
- Tagged How to use ldap search to get computers from multiple groups? on Splunk Search. 03-28-2018 11:10 AM
- Posted Re: ldap seach with a wildcard on Splunk Search. 03-28-2018 11:05 AM
- Posted Re: ldap seach with a wildcard on Splunk Search. 03-28-2018 08:15 AM
- Posted Re: ldap seach with a wildcard on Splunk Search. 03-28-2018 07:39 AM
- Posted ldap seach with a wildcard on Splunk Search. 03-28-2018 05:45 AM
- Posted Re: User a token with where and like on Dashboards & Visualizations. 03-21-2018 08:32 AM
- Posted User a token with where and like on Dashboards & Visualizations. 03-21-2018 08:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-23-2016
11:48 AM
I think that is close! The chart is showing the FBS value and not the "Bytes Sent" Sorry, I don't use Splunk very often. I'm sure I'm missing something simple.
... View more
06-23-2016
11:40 AM
Think I'm doing something wrong. I get this
Error in 'eval' command: Typechecking failed. '-' only takes numbers.
... View more
06-23-2016
10:45 AM
I have a chart that shows total bytes sent on a computer. The chart seems to work, but it's hard to read. Since this number keeps increasing it's hard to read in a chart form because it's such a high number. Can I subtract the first result from all the number in my chart? That way the first plot would be 0 and the user can see the increase over time. Here is what I have now. What would I change to do that?
<chart>
<searchTemplate>sourcetype="mylog" host=$desktop$ | timechart avg(bytes_sent) as "Bytes Sent"</searchTemplate>
<title>Bytes Sent</title>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleY.text">Bytes Sent)</option>
<option name="charting.chart">area</option>
<option name="charting.primaryAxisTitle.text"/>
<option name="displayRowNumbers">true</option>
</chart>
... View more
04-05-2016
07:43 AM
I have a search that gives me a bunch of fields that look like:
REBOOT=4/5/2016 9:17:19 AM
REBOOT=4/5/2016 9:12:02 AM
REBOOT=4/5/2016 8:58:28 AM
How can I remove the REBOOT= and keep the date/time with my search
... View more
09-02-2015
06:36 AM
Myself and other users do run this dashboard as a non-admin. I'm not a Splunk admin, but can have one check. How would one check disk quota issues? Myself and the Splunk admins are kind of new to Splunk.
... View more
09-02-2015
06:33 AM
Oh, and this it is running on a Linux server.
... View more
09-02-2015
06:32 AM
Splunk has had me run a bunch of diag logs and they don't see it crashing. Recently I had started Splunk in debug mode and captured another log for them. I'm still waiting to hear back from them about what they found. I'm just puzzled that it works almost all the time. When I try to crash it to get a log it normally takes me about 20-30 min of almost running it continually until it crashes.
... View more
09-02-2015
05:51 AM
I have a search that works most of the time, but sometimes just causes Splunk to crash and requires a restart. I have a ticket opened with Splunk, but they are still not able to figure out what's going on so I thought I would post this. This is the search I use in my dashboard.
<![CDATA[| metadata type=hosts | eval age = now()-lastTime | where age > 300 and age < 86400 | convert ctime(lastTime) | eval field_in_ddhhmmss=tostring((age) , "duration") |rename field_in_ddhhmmss as "Time Offline" lastTime as "Last Update Time" | join host [search sourcetype=systemInfo | rename serial as "Serial Number" isp as "ISP" state as "State" city as "City"] |sort "Time Offline" a | table "Serial Number","Time Offline","Last Update Time","ISP","City","State"]]>
I use it to find computers that were checking in at least 24 hours ago, but have not checked in for the last 5 min. I then use "join" to match to a sourcetype to the host to get some specific data about those hosts. This search is fairly fast and runs in a couple seconds. I was using the same search for months, but this started to happen a couple weeks ago. The only thing that's changed is we have added more hosts. CPU/memory on the Splunk server is low when it crashes, and we're not seeing any spikes when this happens.
... View more
06-26-2015
10:50 AM
That works great!
... View more
06-26-2015
08:22 AM
Got it. When I used the values it just looked how I wanted it to. I think setting the span to a lower time would also help. My data is normally updated every min. My goal is to have the chart really indicate that it's 0 when that occurs and not an average. I think the span was being auto-scaled and that might be why my charts did not look right when I looked at data over a longer period of time.
... View more
06-25-2015
12:35 PM
I'm trying to show a chart and need to show the actual values. At the same time I would like to display a linear timeline at the bottom of the chart. Using this search, my chart looks good.
sourcetype="log_sort" host=myhost* | chart values(idle) by _time
This works, but it does not display anything in the timechart at the bottom. I tried another search like this:
| timechart values(idle) as "Idle Time"
this shows the timechart at the bottom, but is trying to average my values. Many times my line will drop to 0 and I need to show that on the chart. Currently the avg might prevent this from happening. Any ideas?
... View more
06-25-2015
12:05 PM
2 field sets does not work. I'm using version 5 and don't see that option and not sure how to do your first option. Maybe that does not work in my version.
I did find a post with this
Example
This looks close, but it has the 2 searches in the first row. I was hoping to do something similar, but have row one do the first search and the last rows do the second. Any ideas how to make that work?
... View more
06-23-2015
06:22 AM
I'm trying to get 2 separate searches to work on a simple xml dashboard. I would like to have 2 input boxes and 2 search buttons. I tried this and get 2 input boxes, but only have one search button.
<form>
<label>Workstation NEW Search</label>
<fieldset>
<input type="text" token="desktop">
<label>Serial Number</label>
<suffix>*</suffix>
</input>
<input type="time">
<default>Last 24 hours</default>
</input>
<input type="text" token="userid">
<label>User Name</label>
<suffix>*</suffix>
</input>
<input type="time">
<default>Last 24 hours</default>
</input>
</fieldset>
How can I get 2 search buttons? So if I click one, it should only run search in my first row. If I enter text in the second textbox, it should run a search in the second row.
... View more
06-22-2015
06:07 AM
Did you ever resolve this issue? In my case I can fix it with the sfc command, but we had a 20% failure rate for this software on 60 machines. I have worked with Splunk support, but have not gotten any help besides to run the sfc command. I need to install this on over a 1000 and would like to know why it's failing so much.
... View more
06-05-2015
08:06 AM
Here is what I have.
<chart>
<searchTemplate>sourcetype="_sort" host=$desktop$ | timechart avg(idle) as "Idle Time"</searchTemplate>
<title>Idle Time</title>
<option name="charting.axisTitleX.text">Date</option>
<option name="charting.axisTitleY.text">Idle Time</option>
<option name="charting.axisY.maxiumNumber">60</option>
<option name="charting.chart">line</option>
<option name="charting.primaryAxisTitle.text"/>
<option name="displayRowNumbers">true</option>
</chart>
When I do this the Y axis still goes up to 700+ depending on the data
... View more
06-05-2015
07:56 AM
I use this, but still see the y axis scale going to 750. Something I'm missing? I do have number higher than 60, but I want the top of the scale to still be 60.
... View more
06-05-2015
06:05 AM
I would like the max number of my Y axis to be 60. I so have some numbers that are higher than 60 in my data, but I don't want them to scale the chart. Instead I prefer the line just go off the chart. I tried to do
<option name="charting.axisY2.maxiumNumber">60</option>
but this did not seem to work.
I have also tried
<option name="charting.axisY.scale">log</option>
This help with the scaling, but would prefer something like option 1.
... View more
06-04-2015
11:10 AM
I have a search that finds computers that have not checked in for the last couple min. It seems to give the results I need, but I need some more specific information from each host that this command finds.
metadata type=hosts | eval age = now()-lastTime | where age > 300 and age < 86400
| sort age d | convert ctime(lastTime) | eval field_in_ddhhmmss=tostring((age) , "duration")
|rename field_in_ddhhmmss as "Time Offline" | table host,lastTime,"Time Offline
So I would like to then add some columns to my table that are specific to each host that it finds. So the search below would show me the extra data I need. How can I combine these to work together.
sourcetype=_sort=PUT HOST FROM OTHER SEARCH HERE earliest=1
| head 1 | rename hd as "Total Disk GB" memory as "Total Memory" isp as "ISP" state as "State"
host as "Serial Number" os_install_date as "Build Date" model as "Model" city as "City"
|table host,"Total Disk GB","Model","Total Memory","Serial Number","ISP","City","State"
"Build Date"
... View more
06-04-2015
06:31 AM
perfect! That worked great.
... View more
06-04-2015
06:07 AM
I have a search that looks like:
sourcetype="_sort" earliest=-30d
| dedup host
| where encrypt_c =2
| eval encrypt_c=if(encrypt_c != "2","False",encrypt_c)
| eval encrypt_c=if(encrypt_c = "2","True",encrypt_c)
| rename host as "Serial Number" encrypt_c as "Encryption Complete"
| table "Serial Number" "Encryption Complete"
What I really want now is a pie chart that would show the counts of where encrypt_c=2 and where encrypt_c!=2 in a pie chart
... View more
05-28-2015
09:38 AM
I would like to create a pie chart for the following search.
sourcetype="my_sort" earliest=-30d| dedup host | table encrypt_c
This should show a long column of 2's with maybe a hand full of 1's.. I would like to show in a pie chart the percent of each number that is displayed in the column.
... View more
- Tags:
- chart
- percentage
- pie
04-15-2015
08:40 AM
great, let me know if you come up with something
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
