One thing you can do if your SPL needs to stay confidential is keep your "secret SPL" queries as private (or in another app) and schedule them to write the results to a new summary index. Then for your reports and dashboards give the users access only to the summary index and use "non-secret SPL" to pull data out of the SI. Data would be delayed based on your schedule above, but maybe that approach could work for you. ... View more

Add below after your stats command. | appendpipe [| stats count as Total| where Total=0 ] ... View more

Today this is not possible. Splunk mobile relies on cx gateway, and will not work without it. At .conf there was some informal chat about customer hosted gateways, but no commitments or timeframes. You can of course use a vpn client on mobile devices, but you are constrained to the normal desktop ui on a small screen. ... View more

Appendcols, append, subsearches... I don't think they work like I think you think they work. (Lol, what a sentence). Here's a simple run anywhere example: | makeresults | eval outside_appendcols=time() |appendcols [| makeresults | eval inside_appendcols=time()] | eval inside_appendcols_ran_first_by = outside_appendcols - inside_appendcols Depending on how fast your system is, you'll see that the appendcols actually runs first. In any case, I think - both from the question and from the code you wrote - that you are approaching SPL as if it's a regular, procedural language. It's fairly step-by-step if you don't use subsearches or anything else in [] brackets , but once you do then it's all backwards. Subsearches and [] bracketed things run first, not last. And in the best event, I'd never try to rely on the order of them. They're not linear. I could probably construct a run-anywhere example that checks in what order half a dozen subsearches in different places in some SPL would run, and you'd see what a mess it would be, but I think you get the idea. So where does that leave us? In my opinion, I think maybe too much is being done in one big fell swoop there. This has the feel of being 3 or 4 different discrete steps - maybe a summary index, maybe another lookup or two, I'm not really sure at this time, but certainly the feeling that it's trying to do too much in one piece of SPL. I think we'd be happy to help, but would need more information about what you are trying to actually accomplish and from what data you are starting from? (Also, the search itself is pretty impressive, I don't think I've seen such an amount of programmatic work done inside SPL ever!) ... View more

Hi @damucka, a report is static so you cannot have drilldown from it. If you want to drilldown, you have to create a dashboard panel using the same search of the report. Then you can drilldown in another dashboard or in the same dashboard passing tokens $row.fieldname$ . For more details see the Splunk Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ). Ciao. Giuseppe ... View more

Hi @damucka, I never experienced this field, but if you want to have the list of the values in your email, you can use this search: | makeresults | eval _raw=" Below workload classes were created after the last anomaly: I306668 D041875 I355581 I327556 I027931 C5279166 I330801 I506540 I829697 I842940 I843132 I865403 I001314 I309296 I520545 D066638 I506897 I340509 I829186 D040915 D057879 I007374 D054254 D048889 I802644 C5243636 I041661 D020525 I500011 I310846 I307944 I511708 I318767 I317172 I019343 I310161 I335757 I345544 I519010 I520636" | rex field=_raw "Below workload classes were created after the last anomaly: (?<codes>.*)" | makemv codes then you can use in email body $result.codes$ . Ciao. Giuseppe ... View more

Also, @damucka make sure you accept the answer. ... View more

Hi damucka, the easiest way is to use a regex that's case sensitive: index=mlbso sourcetype=isp_abaptraces (( mtx OR mmx OR mm_diagmode OR sigigenaction OR thierrhandle OR mutex OR "ca blocks" ) Error) ) earliest=-1h@h latest=@h | regex _raw!="error" | eval SID=substr(sourcetype,1,3) | stats count AS Total count(eval(searchmatch("ERROR"))) AS err_cnt count(eval(searchmatch("*MTX*"))) AS mtx_cnt count(eval(searchmatch("*MMX*"))) AS mmx_cnt by SID host Ciao. Giuseppe ... View more

HI damucka try earliest=-h@h latest=@h , anyway you can also use the time picker to find the correct time intervals. Ciao. Giuseppe ... View more

Best thing is not to monitor the file itself. As per my understanding there is no interval control over file monitoring, it is only there for modular and scripted inputs. ... View more

hi @damucka - I understand what you mean. Which algo are you using? The thing to understand here is when you say 'predict next 5 values' that is possible only with time series models. You are probably using a regression algo (random forest?) , using this you can not (and it is not intended as well) predict the next set of values. To give an example and from a working model that I use in my project currently. I have a good cpu prediction model, the fields used to predict cpu are time(in 24 hour clock) and the day of the week (1-7), now how do I perform a prediction with it? Ther are 2 ways to do so. Have the user input the time of the day and the day of the week, apply your model and the result will be the predicted cpu for that specific day at the hour of the day. Another way to do this is ti give a user a default view with all the days and hours (like what you are currently receiving from the table with all predicted values) and then ask the user to choose the day /time in a dashboard dropdown. What I have done is to give this default table(in a area viz) and enable only the day of the week drop down as a user input. Now, when the user chooses a day(say, Monday) , I output the predicted cpu values for all 24 hours in Monday.This gives the users a choice on when to perfrom activities that can lead to system load. We have been using this model to plan business campaigns , which generally stresses out the cpu. Capaign managers can now go and select a sepcific day and see the predicted cpu values across a 24 hour time format for the day and plan their campaigns at a time where predicted cpu is less and which also gives the business sufficient time to adjust to the functional campaign demands. If you are using time series forecasting (using the splunk 'predict' command) you can use the future_span entity to predict the enxt 5 values. So, the model algorithm you are using defines your prediction outcomes... ... View more

Yes, but actually I want the sleep60 python script to be executed on decision=1. Anyway, I found the following way to sleep 60 seconds in splunk eventually: | table host_to_trigger decision ANOMALY_ID triggertime RTEstatus | where isnotnull(host_to_trigger) and isnotnull(decision) and isnotnull(ANOMALY_ID) and isnull(RTEstatus) | map maxsearches=20 search="dbxquery query=\"call itoa_admin.Z_PLEASE_SLEEP(60,?,?)\" connection=\"HANA_MLBSO\" |appendcols[|makeresults| eval decision=\"$decision$\" | eval triggertime=\"$triggertime$\" | eval ANOMALY_ID = \"$ANOMALY_ID$\" | eval host_to_trigger=\"$host_to_trigger$\" | eval RTEstatus=\"$RTEstatus$\" ] " where the Z_PLEASE_SLEEP is the DB procedure called from the dbxquery, called out of the map, controlled by the where .... Kind Regards, Kamil ... View more

Splunk SDK for python is a good solution for this. ... View more

Hello @somesoni2 Unfortunately it is not that easy. The point is that with the "NA" values the map will still be executed, in my case (original, not the simplified above) going to the database and trying to trigger dumps there, taking 120 sec. And I execute it in the alert each minute. The question would be also why the "where" does not prevent it. I tried/errored a bit and came up with the below, which kind of works, but still I do not know why: | outputtext usexml=false | fields decision host_to_trigger triggertime| fields - _raw | outputcsv rtetriggering_ICP_test.txt | table host_to_trigger decision triggertime | where isnotnull(host_to_trigger) and isnotnull(decision) | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump -f /usr/sap/ICP/HDB02/$host_to_trigger$/trace/DB_ICP/indexserver_$host_to_trigger$.30240.rtedump.iAlerting_ANOMALY_$triggertime$.trc','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_ICP\" |appendcols[|makeresults| eval decision=\"$decision$\" | eval triggertime=\"$triggertime$\" | eval host_to_trigger=\"$host_to_trigger$\"] " |appendcols [ | inputcsv rtetriggering_ICP_test.txt | eval decision=decision | eval host_to_trigger=host_to_trigger ] | table host_to_trigger decision triggertime | where isnotnull(host_to_trigger) and isnotnull(decision) | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('profiler clear','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_ICP\" |appendcols[|makeresults| eval decision=\"$decision$\" | eval triggertime=\"$triggertime$\" | eval host_to_trigger=\"$host_to_trigger$\"] " Kind Regards, Kamil ... View more

PS: Please accept the answer to close this post. ... View more

Hi @niketnilay i would still need help with this. I have following map command to test: | eval host_to_trigger = "ls5979" | eval decision = 1 | where isnotnull(host_to_trigger) and isnotnull(decision) | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump -f /usr/sap/ICP/HDB02/$host_to_trigger$/trace/DB_ICP/iAlerting_rtedump_ANOMALY_$triggertime$.trc','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_ICP\" | eval decision=$decision$ " and the decision variable is not visible afterwards. Could you please advise? Kind Regards, Kamil ... View more