Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About tb5821
tb5821
Communicator
Member since:
03-22-2012
01-09-2021
Community Statistics
| Posts | 144 |
| Solutions | 3 |
| Karma Given | 4 |
| Karma Received | 10 |
| Member Since | 03-22-2012 |
Activity Feed
- Posted Monitoring Windows - app/dashboards? on All Apps and Add-ons. 01-09-2021 10:26 AM
- Posted Re: Listing out dates and appending to search?? on Splunk Search. 09-29-2020 10:27 AM
- Posted Listing out dates and appending to search?? on Splunk Search. 09-29-2020 09:16 AM
- Posted db Connect Unable to write records on All Apps and Add-ons. 09-24-2020 11:44 AM
- Posted Re: Transaction to Streamstats on Splunk Search. 09-05-2020 09:09 AM
- Posted Re: Transaction to Streamstats on Splunk Search. 09-04-2020 09:34 AM
- Posted New 'splunk answers' bad on #Random. 09-02-2020 09:26 AM
- Posted Transaction to Streamstats on Splunk Search. 09-01-2020 07:45 AM
- Posted Website Monitoring Trace? on All Apps and Add-ons. 06-26-2020 11:27 AM
- Posted Visualize Single value format on Dashboards & Visualizations. 06-19-2020 12:29 PM
- Got Karma for Re: How can I have one query for both a dashboard and an alert?. 06-05-2020 12:50 AM
- Got Karma for streamstats and delta. 06-05-2020 12:49 AM
- Got Karma for Re: Rexgex Non-capturing group - still capturing. 06-05-2020 12:49 AM
- Got Karma for Why do I get a 400 stanza error when using a join command in searches?. 06-05-2020 12:49 AM
- Karma Why is there a delay in applying field extraction updates? for phemmer. 06-05-2020 12:48 AM
- Karma Re: Move Splunk's VAR folder ($SPLUNK_HOME/var or /opt/splunk/var) for woodcock. 06-05-2020 12:47 AM
- Karma Re: Proper REX command for amit_saxena. 06-05-2020 12:46 AM
- Got Karma for Mutiple subsearches. 06-05-2020 12:46 AM
- Got Karma for Mutiple subsearches. 06-05-2020 12:46 AM
- Got Karma for Mutiple subsearches. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-26-2018
10:36 AM
1 Karma
My search brings back data in a table like so:
_time|product|count
8/15/15 08:00:00|apples|500
8/15/15 08:00:00|oranges|800
8/15/15 08:00:00|plums|200
8/15/15 08:00:00|peaches|275
What I want is to have splunk compute the diff between the latest value above and the one just before it per product. So it ends up like:
8/15/15 08:00:00|apples|500|+50
8/15/15 08:00:00|oranges|800|+200
8/15/15 08:00:00|plums|200|-2
8/15/15 08:00:00|peaches|275|+80
Pretty sure I need to use streamstats and delta but can't get the combo right.
... View more
02-22-2018
06:45 AM
There doesn't appear to be an easy way at least within splunk web to clone extractions?
... View more
02-22-2018
05:49 AM
I can't for the life of me get one of the search app field extractions to also pick up the same regex (field extraction) on another sourcetype - I've made sure all the permissions are set to global for the extraction, and restarted splunk.
Can anyone offer any help?
... View more
02-10-2018
10:27 AM
OK I tried but can't seem to get the formatting to work
_time comes out as
2/6/18 9:27:42.000 AM
where as the time in the file is
2/06/18 04:27:42 PM EST
... View more
02-10-2018
07:15 AM
Thanks , do I need to re-index the data too?
... View more
02-09-2018
07:18 PM
Sample data has mixed time zones
... View more
02-09-2018
03:13 PM
Thanks - its really a very basic file 🙂 - added sample to the post
... View more
02-09-2018
03:13 PM
Data sample
02/07/18 03:55:00 PM EST String=2
02/07/18 03:55:04 PM EST String=3
02/07/18 03:55:08 PM EST String=0
02/09/18 11:10:01 PM UTC String=1
02/09/18 11:10:04 PM UTC String=0
02/09/18 11:10:07 PM UTC String=0
... View more
02-09-2018
02:20 PM
Oh also I thought I read somewhere that Splunk should automatically be able to pick that up from the file? Meaning that the props file does not need to be changed?
... View more
02-09-2018
02:20 PM
Thanks I do have time zone UTC/EST Time zone designators...Guidance on the best way to modify the props file?
... View more
02-09-2018
01:17 PM
Hi - I had splunk import a fairly simple two column file - column 1 was a date/time column2 is some info... the problem seems to be that some of the values in column 1 are in EST and some are in UTC.
I don't think splunk is interpreting these correctly - is there a way I can verify this?
... View more
08-01-2017
06:42 AM
I downvoted this post because doesn't work
... View more
08-01-2017
06:41 AM
agree - doesn't seem to work.
... View more
07-31-2017
01:47 PM
1 Karma
Figured this out - by changing where the new field name paranthesie was...
rex field=title "(?<titleNEW>(.*?))(?:-)"
... View more
07-31-2017
01:42 PM
rex field=title "(?titleNEW(.*?)(?:-))"
I have this rex command above but it still outputs the dash at the end which is in a non-capturing group- any help?
... View more
- Tags:
- rex
- splunk-enterprise
Labels
- Labels:
-
regex
11-22-2013
12:14 PM
How do I use the IFA or even better erex and specify mutiple values that contain a comma? I've tried putting them in quotes etc but doesn't seem to work.
I really just trying to extract a date from our logs which starts with the year and ends in 00
... View more
10-10-2013
02:47 PM
I currently have my dashboard setup so that it runs every time its loaded but I'd like for it to be live dashboard and not need a refresh when I want more up-to-date data. I'm running 5.0.4, what are the steps I need to take to convert my current dash?
... View more
- Tags:
- dashboard
09-17-2013
06:17 AM
How does one go about setting this up as a search macro? Looking for some step by step directions.
... View more
09-13-2013
09:19 AM
The concept seems simply yet there doesn't seem to be a straightforward way of doing it. I have URL which I want splunk to hit and index all the data off the page ever X seconds. Thats it. I don't want to only have it grab certain field just all the data on the page.
I initially tried the add-on feedparser but I'm not having any luck with it.
... View more
08-09-2013
06:06 AM
I'm doing something wrong here.. . I have the following search
...| eval SuccessRatio = (round(((succeeded_count)/(task_count)) * 100)). "%" | search SuccessRatio < 98 | sort SuccessRatio
I'm trying to filter out anything that has a SuccessRatio of greater than 98% but its not working I'm still getting results that have 100% success.
... View more
07-26-2013
07:18 AM
In our splunk instance I believe the props.config file is set to UTC as that is what most of our logs are in but we do have some that are in the local time zone. Since I do not have access to edit the props file is there a way to specify in search that all these logs should be considered EST?
... View more
- Tags:
- search
- time-format
07-25-2013
09:58 AM
Found the issue, the definition needs to be:
eval kilobytes=($fs$/1024) | eval megabytes=kilobytes/1024 |eval gigabytes=megabytes/1024
... View more
07-25-2013
09:23 AM
now getting:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-09-2021
06:32 PM
|
Karma from
