Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About gnovak
gnovak
Builder
Member since:
10-07-2010
06-05-2020
Community Statistics
| Posts | 373 |
| Solutions | 6 |
| Karma Given | 6 |
| Karma Received | 45 |
| Member Since | 10-07-2010 |
Activity Feed
- Karma Re: Splunk Disaster Recovery for chris. 06-05-2020 12:46 AM
- Karma Re: Splunk Disaster Recovery for bmacias84. 06-05-2020 12:46 AM
- Karma Re: Regex not pulling out all values for Ayn. 06-05-2020 12:46 AM
- Karma Re: Regex not pulling out all values for Ayn. 06-05-2020 12:46 AM
- Karma Re: Transforms, Regex and wrong source names OH MY! for martin_mueller. 06-05-2020 12:46 AM
- Got Karma for Re: Regex not pulling out all values. 06-05-2020 12:46 AM
- Got Karma for LDAP User Base Filter. 06-05-2020 12:46 AM
- Got Karma for LDAP User Base Filter. 06-05-2020 12:46 AM
- Got Karma for Re: Schedule search every 12 hours. 06-05-2020 12:46 AM
- Got Karma for Splunk Disaster Recovery. 06-05-2020 12:46 AM
- Got Karma for Splunk Disaster Recovery. 06-05-2020 12:46 AM
- Got Karma for Splunk Disaster Recovery. 06-05-2020 12:46 AM
- Got Karma for Splunk Disaster Recovery. 06-05-2020 12:46 AM
- Got Karma for Splunk Disaster Recovery. 06-05-2020 12:46 AM
- Got Karma for Splunk Disaster Recovery. 06-05-2020 12:46 AM
- Got Karma for Splunk 4.3 upgrade question - disable?. 06-05-2020 12:46 AM
- Got Karma for Timechart values not working. 06-05-2020 12:46 AM
- Got Karma for Splunk URL redirect. 06-05-2020 12:46 AM
- Got Karma for Re: props.conf extractions. 06-05-2020 12:46 AM
- Got Karma for single value won't turn green. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-21-2012
10:58 AM
If you're just in normal Search app for splunk and not the sideviewutils app will it still work? probably stupid question, i'm going to get newer version and see
... View more
08-21-2012
10:02 AM
I actually added that to the second search that populates the Filename drop down menu. The result is it just sits there and results display. I will take a second look. And yes, been using UI examples, trying to sort all this out.
... View more
08-21-2012
08:26 AM
One thing I did change was the hiddensearch I took out the regex for filename since I already classified that earlier in the code. No need for the regex in the search again. I used $filename$ instead.
... View more
08-21-2012
08:09 AM
well I tried source="/opt/log/$registry$/web_server/info.log". That didn't work, the menu showed up blank. I also tried adding | search $registry$ to the search. It also made it show up blank. If I keep it the way it was, I do get filenames show up. This is strange. I would think source="/opt/log/$registry$/web_server/info.log". would do the trick. I'm going to look again.
... View more
08-21-2012
07:30 AM
if i change searchWhenChanged to True it will run the main search whenever i change an option. It isn't making the filename menu do a "search" in the background to populate itself when the first menu selection is changed. hmmmm
... View more
08-21-2012
07:08 AM
I wanted what you just described where the second menu changes when you pick something from the first. I must have missed something but I wasn't sure where to add it.
... View more
08-20-2012
02:56 PM
1 Karma
I created a form with 2 drop down menus. However it appears they aren't talking. The second drop down should change it's values every time I select something from the first drop down menu. However this isn't happening for some reason. I don't see any indication that it's populating again with new search results. Both the menus populate based on separate searches
How do I get these menus to talk to one another? I've looked at a lot of examples and I can't seem to find what the issue is.
Update: I have tried 3 times to paste my code in here and the formatting is horrible. Because of this, I put it on pastebin:
http://pastebin.com/SsT5HcdP
... View more
- Tags:
- dynamic
08-14-2012
11:39 AM
I've changed to using stats and I'm going to see if I can get percent this way.
... View more
08-14-2012
11:02 AM
I'm starting to think Stats might be a better command to use at this point
... View more
08-14-2012
09:10 AM
I like the way contingency breaks it down...but I need to have a percentage instead of just a count. So far every command I used I haven't been successful to keep the same format of all the file names listed at the top, registrars on the left, and then the values of how many times each registrar accessed the file.
... View more
08-14-2012
09:08 AM
It's strange but it does not break it down the way I want unless I use contingency. Contingency takes all the values of Actual and lists how many times they were accessed. They are basically filenames. It does a great job of doing this. However if I use a different command the format isn't the same at all.
... View more
08-14-2012
07:15 AM
I have a search where I am trying to take the totals and turn them into a percentage.
sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$"
| rex field=source "^/opt/log/(?<registry>[^/]+)/web_server/.*$"
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf
| eval Actual=case(filename=="Statement.pdf","Billing Statement",filename=="Invoice.pdf","Billing Invoice", filename=="text.txt","Billing Text",match(filename,".*-.*\.pdf$"),"Scorecard",match(filename,".*-.*_invoice\.html$"),"Drilldown Invoice")
| contingency registrar Actual
I've looked at other commands such as eventtable, stats and even top but I can't seem to get the values to show a percentage instead of a count.
Can you make the numbers from contingency into percent? Is that possible using this command? It seems every time I try to pipe my results to something else the "Actual" field doesn't work and the percentage doesn't show up...
... View more
- Tags:
- percent
08-09-2012
02:25 PM
4 Karma
I have a search that uses some wildcards:
sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT
| rex field=_raw "USER (?P<registrar>\[\d+-\w\w\]) downloading .*/(?<filename>.+?)$"
| search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=*-*.pdf OR filename=*-*_invoice.html NOT filename=*-*_*.pdf
| eval Actual=case(filename="Statement.pdf","Billing Statement",
filename="Invoice.pdf","Billing Invoice",
filename="text.txt","Billing Text",
filename="*-*.pdf","Scorecard",
filename="*-*_invoice.html","Drilldown Invoice")
You'll notice at the end of my eval command I used wildcards for the filenames. However, when I run this search the 2 filenames I identified in the eval command that are using wildcards will NOT show up in the Actual field. They show up as events and I can clearly see a line from the logs containing these filenames, but they aren't being assigned the filename I specified in the eval command.
Does eval not like wildcards???
... View more
- Tags:
- eval
08-09-2012
01:27 PM
and for some reason Comments like to remove my *'s from my searches. Will post what i mean as an answer...
... View more
08-09-2012
01:22 PM
For some reason Scorecard won't show up w/ this search. sourcetype="EPPWEB" source="/opt/log//web_server/info.log" WAT | rex field=_raw "USER (?P [\d+-\w\w]) downloading . /(? .+?)$" | search filename=Invoice.pdf OR filename=Statement.pdf OR filename=text.txt OR filename=-.pdf NOT filename=-_.pdf | stats count by registrar, filename | eval Actual=case(filename="Statement.pdf","Billing Statement",filename="Invoice.pdf","Billing Invoice",filename="text.txt","Billing Text",filename="-*.pdf","Scorecard")
... View more
08-09-2012
01:19 PM
filename="-.pdf","Scorecard" is what I have at the end. I'm wondering if it's because of how it's defined earlier in the search with the NOT command?
... View more
08-07-2012
01:58 PM
1 Karma
Can you rename values extracted into fields?
Example - Here is a field i have called "filename" and some examples of values that were extracted.
filename=statement.pdf
filename=invoice.pdf
filename=invoice.html
Can I rename (or trick) these values from the field filename to show up in a chart or table as:
statement.pdf ====> Billing Statement
invoice.pdf ===> Billing Invoice
invoice.html ===> Drilldown Invoice
I was looking at eval but so far haven't figured anything out yet.
... View more
08-07-2012
08:34 AM
This actually worked. I took some of your example and added it. sourcetype="EPPWEB" source="/opt/log//web_server/info.log" WAT | rex field=_raw "USER (?P [\d+-\w\w]). /(? .+?)$"
Thanks for the help
... View more
08-07-2012
08:09 AM
sourcetype="EPPWEB" source="/opt/log/*/web_server/info.log" WAT | rex field=_raw "USER (?P [\d+-\w\w]) downloading /[^/]+/[^/]+/(?P w+.w+).$" doesn't work. Even taking away the $ doesn't work either. 😞
... View more
08-07-2012
08:08 AM
When I take the ending + away the field "filename" isn't extracted any more.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma from
