Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About shreyasathavale
shreyasathavale
Communicator
Member since:
03-26-2014
01-16-2025
Community Statistics
| Posts | 78 |
| Solutions | 2 |
| Karma Given | 4 |
| Karma Received | 6 |
| Member Since | 03-26-2014 |
Activity Feed
- Posted Single Value Viz Dashboard Studio on Splunk Dev. 01-13-2025 01:48 PM
- Karma Re: I want to find the difference in count of processes from last 2 months for tiagofbmm. 06-05-2020 12:49 AM
- Got Karma for Re: How to display all host names returned from my search as x-axis labels on a chart?. 06-05-2020 12:48 AM
- Karma Re: Why is my savedsearches.conf configuration not honoring the alert condition of number of events > 10? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: Why are users automatically getting logged out of Splunk the past few days and any running searches have to be re-run? for woodcock. 06-05-2020 12:47 AM
- Karma Re: How to use the result from an index of the 1st search as input to return results from another index in a 2nd search? for woodcock. 06-05-2020 12:47 AM
- Got Karma for Why are users automatically getting logged out of Splunk the past few days and any running searches have to be re-run?. 06-05-2020 12:47 AM
- Got Karma for Why is the Windows perfmon data in Splunk for percentage processor time different from the performance counter value on the server?. 06-05-2020 12:47 AM
- Got Karma for Why is the Windows perfmon data in Splunk for percentage processor time different from the performance counter value on the server?. 06-05-2020 12:47 AM
- Got Karma for Why is the Windows perfmon data in Splunk for percentage processor time different from the performance counter value on the server?. 06-05-2020 12:47 AM
- Got Karma for Unable to find solution for error in splunkd log file. 06-05-2020 12:46 AM
- Posted Re: Send data from file even if there is no change on Getting Data In. 02-24-2020 06:53 AM
- Posted Re: Send data from file even if there is no change on Getting Data In. 02-24-2020 05:51 AM
- Posted Re: Send data from file even if there is no change on Getting Data In. 02-24-2020 04:50 AM
- Posted Send data from file even if there is no change on Getting Data In. 02-24-2020 01:09 AM
- Posted Re: How to continuously monitor a file in splunk even though it is not updated on Getting Data In. 12-26-2019 05:14 AM
- Posted How to continuously monitor a file in splunk even though it is not updated on Getting Data In. 12-24-2019 04:18 AM
- Posted Re: How to add result of search to all rows in lookup? on Splunk Search. 04-22-2019 06:36 AM
- Posted Re: How to add result of search to all rows in lookup? on Splunk Search. 04-22-2019 06:35 AM
- Posted How to add result of search to all rows in lookup? on Splunk Search. 04-22-2019 06:19 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-21-2017
07:35 AM
Hi,
I have 2 searches, for 1st output is values (2GB) and other gives output as percent (2%) .
index=windows sourcetype="Perfmon:Free Disk Space" role=ABC counter="Free Megabytes" instance!=_Total| eval Value=(Value/1024)|eval Value= round(Value,2)|chart values(Value) by host, instance
index=windows sourcetype="Perfmon:Free Disk Space" role=ABC counter="% Free Space" instance!=_Total|eval Value= round(Value,2)|chart values(Value) by host,instance
I want output to show values as well as percent for the host and instance (C/D)...
Any ideas will be appreciated 🙂
Thanks
... View more
03-07-2017
03:14 AM
,I am also looking for something like this? Did you get it working?
... View more
11-20-2016
10:06 PM
Thanks for the reply
... View more
11-18-2016
12:01 AM
If I have selected 1 option in multiselect box, then it should display 1 panel. If i have 2 values selected in multiselect box as input, then it should display 2 panels. Is there any way to achieve it ?
Queries remain the same
... View more
11-15-2016
02:46 AM
yes, thanks for your input.. I have already contacted splunk admins for lookup file to upload meanwhile this is a workaround
... View more
11-15-2016
02:20 AM
1 Karma
Well I found the answer , used useother=f limit=25
... View more
11-15-2016
02:19 AM
Well I found the answer , used useother=f limit=25
... View more
11-15-2016
01:58 AM
I have a search that returns 25 hosts, but on a chart at the bottom, the legend just shows 10 hosts. I want to display all hosts.
My search is:
earliest=-1h host=0 OR host=1 OR host=2 OR host=3 OR host=4 OR host=5 OR host=6 OR host=7 OR host=8 OR host=9 OR host=10 OR host=11 OR host=12 OR host=13 OR host=14 OR host=15 OR host=16 OR host=17 OR host=18 OR host=19 OR host=20 OR host=21 OR host=22 OR host=23 sourcetype=cpu| timechart span="1m" avg(pctSystem) as CPU by host
... View more
10-06-2016
01:00 AM
Done, but still unable to find them.. If they are not in events will they not show up?? How to add them in events?
... View more
10-06-2016
12:36 AM
Thanks for reply..Using 1st I am getting results but I am not able to see env and role in my fields.. Any thoughts?
... View more
10-05-2016
11:49 PM
I am doing it using GUI as i dont have server access.
I have lookup file serverrole.csv
host,role,environment
A,X,prod
Lookup file is located :/splunk/etc/apps/mysearch /lookups/serverroles.csv
Lookup definition is created : serverrole_lookup in supported fields it shows : host,role,environment
Automatic lookup : serverrole_lookup host AS host OUTPUT environment AS env host AS host role AS role for sourcetype: perfmon:processor
When I do search as : |inputllookup serverrole.csv it shows lookup file contents.
But when I do search as : sourcetype=perfmon:processor | lookup serverroles.csv host,role OUTPUT host,role I am not getting role, environment fields in "Intresting fields" or "Selected fields" or in "Events"..
I want search to work if i search : sourcetype=perfmon:processor| where role=X
... View more
08-23-2015
08:51 PM
I am getting this error"Error in 'search' command: Unable to parse the search: Invalid search: AND AND." I entered |format "(" "(" "" ")" "AND" ")" in between [search....] but it does not displays any result.. So just to check i fired this query
index=perfmon host=ms10176 (counter="% Processor Time" OR counter="Get Requests/Sec" OR counter="Current Connections") [search earliest="08/16/2015:00:00:00" latest="08/23/2015:23:59:59" index=iis_api | bucket _time span=1h | stats count BY _time | sort 1 - count | eval earliest=_time | eval latest=relative_time(earliest, "+1h") | fields earliest latest count | format "" "" "" "" "" "" ] | stats first(date_hour) AS PeakHour first(date_mday) AS PeakDay avg(Value) BY host, counter| format "" "" "" "" "" ""
i got result in search as NOT()
Any idea?
... View more
06-26-2015
06:04 PM
3 Karma
I have this Splunk stanza below:
[perfmon://CPUTime]
interval = 30
object = Processor
counters = % Processor Time
instances = _Total
disabled = 0
index = perfmon
When I run this search, I get a result of around 50+%
index = perfmon ( datacenter="iad" ) ( environment="prod" ) ( host="ms10191" ) ( counter="% Processor Time" ) ( instance="_Total" ) | eval name=host+"-"+counter+"-"+instance | timechart avg(Value) by name
But when I check through the Performance Counter on the server, I am getting a value around 15-20%
Is splunk showing wrong data?
... View more
06-23-2015
03:50 PM
no result 😞
... View more
06-23-2015
03:10 PM
Hi woodcock, I found the issue is with latest time because if i ran without latest time it is giving the result.. How to figure out latest time based on earliest+1hr in the query
... View more
06-22-2015
02:03 PM
Yeah , but i am still getting "Unable to run query ' search index=perfmon earliest>=1433772000 latest<=(1433772000 + 60*60) "
... View more
06-22-2015
11:39 AM
Hey woodcock i tried the query you had posted and did not get any result... After query executed i could see following message "The search result count (168) exceeds maximum (10), using max. To override it, set maxsearches appropriately.
Unable to run query ' search index=perfmon earliest>=1433772000 latest<=(1433772000 + 60*60) "
I tried adding maxsearches=168 , but still no result. It is unable to run 2nd query
... View more
06-21-2015
03:11 PM
I made slight change in stats count BY _time | sort - 1 count | eval time=_time | map search="search index=perfmon earliest>=$time$ latest<=($time$ + 60*60) by stats count as hit BY _time | sort hit desc| top limit=1 hit,_time| map search="search index=perfmon host=web1 earliest=$_time$ latest=($_time$ + 60*60)
When ran 1st query got the result but when we map it with other I am not getting any result
... View more
06-21-2015
03:06 PM
Thanks for the comment MuS.. I can understand Monday morning blues 🙂
I gave it a try what you suggested and got an error which i deduced by running query 1 by 1 and found that earliest and latest does not get filled up in 1st query.
... View more
06-21-2015
02:33 PM
Thanks woodcock for the comment ..but when i run this query I am not getting any result 😞 .. i am trying to make few changes running query 1 by 1 and finding out
Usually when I am using map it is not giving any output. Do you have any idea?
... View more
06-21-2015
12:21 PM
My 1st search will be like this to get Peak Day and Peak Hour according to hits:
earliest="06/08/2015:00:00" latest="06/14/2015:23:59" index=iis | stats count as hit by date_hour, date_mday
| eventstats max(hit) as maxhit by date_mday
| where hit=maxhit| sort hit desc|top limit=1 hit,date_mday,date_hour|fields date_hour,date_mday,hit
Now after getting peak day and peak hour from the 1st result, using this peak day and peak hour, I want to run the search below:
(earliest="result from above" latest="result of peak hour+1hr") index=perfmon host=web1 (counter="% Processor Time" OR counter="Get Requests/Sec" OR counter="Current Connections") |stats avg(Value) by host, counter
Result should show Peak Hour, Peak Day, avg(Value), counter
I have spent almost 2 days on this.
Is it possible?
... View more
06-18-2015
06:43 AM
I am trying this..Meanwhile could you please tell if it is possible:
1st query output:
date_hour date_mday
4 15
2nd query output using hour and day of 1st query ouput
host counter avg(Value)
1552 % Processor Time 20.611920
I want
date_hour date_mday host counter avg(Value)
4 15 ms.. .... ...
... View more
06-18-2015
05:51 AM
I am getting output for max hits at particular date and hour for a 1st search having index=iis . Now i want the date and hour from the 1st search to be input for 2nd search to find result for index=perfmon and show output fields of both searches.
Is it possible?
... View more
06-11-2015
11:13 PM
We have 4 indexers in our environment and on each indexer there are different number of splunkd.exe processes. 1 Indexer has 3 while other Indexer has 5..
What is the reason for that?
... View more
05-27-2015
10:43 PM
Thanks for reply..but its not working.. "main" is already added
... View more
