Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About stephanefotso
stephanefotso
Motivator
Member since:
12-11-2014
01-13-2024
Community Statistics
| Posts | 395 |
| Solutions | 56 |
| Karma Given | 0 |
| Karma Received | 148 |
| Member Since | 12-11-2014 |
Activity Feed
- Got Karma for Re: "bucket _time span=..." has no affect on search results. 09-27-2023 08:57 AM
- Got Karma for Re: Why am I getting this error? - "Error in 'outputlookup' command: The lookup table 'Permission denied for collection 'mycollection'' is invalid.". 09-21-2023 01:07 AM
- Got Karma for Re: How do I access my local Splunk enterprise instance from another local computer on my network?. 02-04-2023 10:55 PM
- Got Karma for Re: Making a chart and I want to change columns header names from Windows eventlog EventCodes to something readable. 01-19-2022 02:53 PM
- Got Karma for Re: how to sort() version values.. 12-17-2020 06:03 AM
- Posted Re: How do I access my local Splunk enterprise instance from another local computer on my network? on Security. 12-13-2020 12:42 PM
- Posted Re: how to sort() version values. on Splunk Search. 12-13-2020 11:55 AM
- Got Karma for Re: Is it possible to create an alert that depends on another alert to be triggered?. 09-18-2020 08:16 AM
- Got Karma for Re: How to combine two values from separate searches to get an average?. 06-05-2020 12:47 AM
- Got Karma for Re: Starting Splunk Enterprise. 06-05-2020 12:47 AM
- Got Karma for Re: I have created an alert and setup email for it but its not working. 06-05-2020 12:47 AM
- Got Karma for Re: No Visualisation although enough values. 06-05-2020 12:47 AM
- Got Karma for Re: Making a chart and I want to change columns header names from Windows eventlog EventCodes to something readable. 06-05-2020 12:47 AM
- Got Karma for Re: Making a chart and I want to change columns header names from Windows eventlog EventCodes to something readable. 06-05-2020 12:47 AM
- Got Karma for Re: How to display the average of the week as a straight line overlay in a timechart?. 06-05-2020 12:47 AM
- Got Karma for Re: How to display the average of the week as a straight line overlay in a timechart?. 06-05-2020 12:47 AM
- Got Karma for Re: How to display the average of the week as a straight line overlay in a timechart?. 06-05-2020 12:47 AM
- Got Karma for Re: How to calculate percentage and display this on a timechart?. 06-05-2020 12:47 AM
- Got Karma for Re: How to edit my search to output results to separate rows based on multiple values?. 06-05-2020 12:47 AM
- Got Karma for Re: how to generate error count report. 06-05-2020 12:47 AM
Topics I've Started
No posts to display.
12-04-2015
07:24 AM
Hello. I thing this will interest you:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Data/HowSplunkextractstimestamps
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Data/Configuretimestamprecognition
Thanks
... View more
12-04-2015
06:20 AM
1 Karma
Hello. You can do it through configuration files (props.conf and transforms.conf). Read this:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Data/Configureeventlinebreaking
Thanks
... View more
12-04-2015
04:56 AM
1 Karma
Hello. Here you go: http://docs.splunk.com/Documentation/Splunk/6.3.1511/DMC/DMCoverview
Thanks
... View more
12-04-2015
04:54 AM
1 Karma
Hello. Start reading here:
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Indexer/Aboutindexesandindexers
http://docs.splunk.com/Documentation/Splunk/6.3.1511/Indexer/Howindexingworks
Thanks
... View more
12-04-2015
02:37 AM
Hello! Here is all what you must know about the join command: http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Join
Thanks
... View more
12-03-2015
01:16 PM
Hello. Try this:
index=....... dir="up"|stats sum(time) as sum_time_up sum(speed) as sum_speed_up sum(weight) as sum_weight_up|eval average_time_up=time/sum_time_up|eval average_speed_up=speed/sum_speed_up|eval average_weight_up=weight/sum_weight_up|join [search index=... dir="down"|stats sum(time) as sum_time_down sum(speed) as sum_speed_down sum(weight) as sum_weight_down|eval average_time_down=time/sum_time_down|eval average_speed_down=speed/sum_speed_down|eval average_weight_down=weight/sum_weight_down]|table average_time_up average_time_down average_speed_up average_speed_down average_weight_up average_weight_down
Thanks
... View more
11-25-2015
09:09 AM
Hello! Can you be more specific? please?
... View more
11-25-2015
05:18 AM
Yes of course.Start here to learn how to configure the application
http://docs.splunk.com/Documentation/StreamApp/6.4.1/DeployStreamApp/AboutSplunkAppforStream
http://docs.splunk.com/Documentation/StreamApp/6.4.1/User/ConfigureStreams
... View more
11-25-2015
04:05 AM
1 Karma
Here you go : https://splunkbase.splunk.com/app/1809/#/documentation
Thanks
... View more
11-25-2015
03:26 AM
Hello try this: auditSource=tamc auditType=OutboundCall | rex field=_raw "\"Surname\":\"(?[^\"]+)\""
... View more
11-11-2015
02:43 PM
True. Since the timechart command uses the _time field in your event data, that search query will not work, unless you have an _time field in your csv file.
Thanks
... View more
11-04-2015
02:07 AM
Here you go:
<your base search> |were Data!=" "|stats values(Name) as Name, values(Data) as Data by Number|table Number Data Name
... View more
11-03-2015
02:43 PM
Hello. The Contextual Drilldown(Inpage) dashboard, of the splunk 6.x dashboard example app can help you. Here is the code:
<form>
<label>In-Page Drilldown with Perma-linking</label>
<fieldset submitButton="false">
<!--
Create an input to store the drilldown value. It will be hidden using custom javascript when
the dashboard is loaded.
-->
<input type="text" token="sourcetype" searchWhenChanged="true" />
</fieldset>
<row>
<table id="master">
<title>Master</title>
<searchString>index=_internal | stats count by sourcetype</searchString>
<earliestTime>-60m@m</earliestTime>
<latestTime>now</latestTime>
<!-- Set the type of of drilldown, since we will always consume the same field, use row-->
<option name="drilldown">row</option>
<drilldown>
<!-- Use set to specify the new token to be created.
Use any token from the page or from the click event to produce the value needed. -->
<set token="sourcetype">$row.sourcetype$</set>
<!-- If we also set the form.sourcetype the input will get updated too -->
<set token="form.sourcetype">$row.sourcetype$</set>
</drilldown>
</table>
</row>
<row>
<!-- depends is the way we tell the content to only show when the token has a value.
Hint: use comma separated values if the element requires more than one token. -->
<chart id="detail" depends="$sourcetype$">
<title>Detail: $sourcetype$</title>
<searchTemplate>index=_internal sourcetype=$sourcetype$ | timechart count</searchTemplate>
<earliestTime>-60m@m</earliestTime>
<latestTime>now</latestTime>
</chart>
</row>
</form>
... View more
11-03-2015
07:22 AM
Hello! Just try some thing like this
<your base search> |were Data!=" "|table Name Number Data
Thanks
... View more
06-30-2015
02:58 PM
Hello! Try this: ... earliest=-30d| bucket _time span=1h| stats max(data_used_mb) by host _time
... View more
06-30-2015
09:06 AM
Hello! Try somethink like this:
index=... source=... sourcetype=...| stats values(ip_source ) as ip_source values(ip_destination ) as ip_destination|join [search index=... source=... sourcetype=... ip_source =* ip_destination =*|where ip_source =ip_destination |eval sumip=ip_source + ip_destination |table sumip]|table ip_source ip_destination sumip
or this
index=... source=... sourcetype=...ip_source =* ip_destination | eval sumip=case(ip_source =ip_destination ,ip_source +ip_destination )|stats values(ip_source ) as ip_source values(ip_destination ) as ip_dest values(sumip) as sumip
Thanks
... View more
06-30-2015
08:15 AM
Thanks. And i was thinking that you was only look at the count value 233322 . Isn't it? Because i think that the top command will give the count and also the percent fields!
... View more
06-30-2015
07:46 AM
1 Karma
Hello! Try this:
index="ABC" sourcetype=* Customers=ABCD | top limit=1 Customers |table count
Thanks
... View more
06-30-2015
07:26 AM
Hello! Did you use the join like this?
...... host="intern-Studio-1737" | rare limit=20 ip_destination|join [search host="intern-Studio-1737" | rare limit=20 ip_source ]|table ip_destination ip_source
... View more
06-30-2015
06:44 AM
Yes! Because i have used the max() command, means, 2015-06-30T15:00:40.940 is the max time.
But you can also use a subsearch to get the top time, something like this:
index=pcindex sourcetype=parlayx [search index=pcindex sourcetype=parlayx|top 1 time|table time]|transaction corr | search "lvl=ERROR"|table SMS_MSISDN corr time
... View more
06-30-2015
06:00 AM
2 Karma
Hello! you don't need to modify the .js in Single Value Trend from "Splunk 6.x Dashboard Examples. What you need to modify is your xml code. Try this, with the same Single value Trend js and css code if you likem
<dashboard script="single_trend.js" stylesheet="single_trend.css">
<label>Single Value Trend</label>
<row >
<single>
<searchString>index=_internal | timechart span=24h count| reverse| eval value = count | eval change=_time</searchString>
<earliestTime>-48h</earliestTime>
<option name="field">value</option>
<option name="changeField">change</option>
<option name="changeFieldType">percent</option>
</single>
</row>
</dashboard>
Thanks
... View more
06-30-2015
05:05 AM
True. try this
index=pcindex sourcetype=parlayx|eventstats max(time) as time| transaction corr | search "lvl=ERROR"|table SMS_MSISDN corr time
Hope, it may help
... View more
06-30-2015
04:16 AM
Hello! try this to get the last time value :
index=pcindex sourcetype=parlayx| transaction corr | search "lvl=ERROR"|stats values(SMS_MSISDN) values(corr) first(time)
You can also try other functions, last(), max(), ...
Thanks
... View more
06-30-2015
03:06 AM
Hello! Are you sure you read the adequate document . Read here: http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/CreateworkflowactionsinSplunkWeb
Thanks
... View more
06-30-2015
02:43 AM
3 Karma
ok. I understand.
The acceptFrom = < parameter> in your inputs.conf, let you list a set of networks or addresses to accept connections from.
Each rule can be in the following forms:
1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
3. A DNS name, possibly with a '' used as a wildcard (examples:"myhost.example.com", ".splunk.com")
Means, if you exactly know which machine is sending cisco ASA syslog, you could be able to do something like this:
[udp://<remote server>:<port>]
acceptFrom =10.1.2.3
sourcetype = cisco:asa
index = cisco_asa
source=udp1026
.......
Do the same for your Cisco ISE logs
Thanks
... View more
