Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About robertlynch2020
robertlynch2020
Influencer
Member since:
11-05-2015
02-11-2026
Community Statistics
| Posts | 656 |
| Solutions | 34 |
| Karma Given | 100 |
| Karma Received | 66 |
| Member Since | 11-05-2015 |
Activity Feed
- Posted Re: How to Graph white space before and after my data in a stats graph on Splunk Enterprise. 11-18-2025 02:00 AM
- Karma Re: How to Graph white space before and after my data in a stats graph for bowesmana. 11-18-2025 01:31 AM
- Karma Re: How to Graph white space before and after my data in a stats graph for ITWhisperer. 11-18-2025 01:31 AM
- Posted How to Graph white space before and after my data in a stats graph on Splunk Enterprise. 11-14-2025 07:57 AM
- Got Karma for Re: Can i create trellis with overlays, when the overlap can be dynamic.. 11-05-2025 10:53 AM
- Posted Re: Can i create trellis with overlays, when the overlap can be dynamic. on Dashboards & Visualizations. 11-05-2025 08:57 AM
- Karma Re: Can i create trellis with overlays, when the overlap can be dynamic. for tscroggins. 11-05-2025 08:56 AM
- Karma Re: Can i create trellis with overlays, when the overlap can be dynamic. for tscroggins. 11-05-2025 08:26 AM
- Got Karma for Re: Is it possible to Monitor Splunk User activity?. 11-05-2025 02:56 AM
- Posted Re: Can i create trellies wiht overlays, when the overlap can by dynamic. on Dashboards & Visualizations. 11-04-2025 02:46 AM
- Karma Re: Can i create trellies wiht overlays, when the overlap can by dynamic. for livehybrid. 11-03-2025 02:30 AM
- Posted Can i create trellis with overlays, when the overlap can be dynamic. on Dashboards & Visualizations. 10-31-2025 05:53 AM
- Karma Re: Can i have overlap on a Multi-series graph for livehybrid. 10-09-2025 06:52 AM
- Posted Re: Can i have overlap on a Multi-series graph on Splunk Enterprise. 10-08-2025 09:40 AM
- Posted Can i have overlap on a Multi-series graph on Splunk Enterprise. 10-08-2025 09:02 AM
- Posted Re: Search for a path the might not exist on Splunk Search. 05-28-2025 01:39 AM
- Karma Re: Search for a path the might not exist for livehybrid. 05-28-2025 01:39 AM
- Karma Re: Search for a path the might not exist for yuanliu. 05-28-2025 01:38 AM
- Posted Re: Search for a path the might not exist on Splunk Search. 05-22-2025 08:46 AM
- Posted Re: Search for a path the might not exist on Splunk Search. 05-22-2025 08:39 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-21-2018
07:56 AM
Hi
I have one search head and 2 search nodes(non clustered).
I have an app installed on the search head, but i had to manually install the app to the 2 search nodes, but i get the feeling this should have happened by default with "knowledge bundle".
http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Limittheknowledgebundlesize
Or do i have to specify my app specifically, if so how and where?
When i check my "search peers" i can see "Replication Status" = Successfull
Thanks in advance
Robert Lynch
... View more
11-21-2018
05:53 AM
Hi
I have configured the below
http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Parallelreduceoverview
Am i right to say i have to use the command Redistribute in my search to use this or is this something extra for high-cardinality searches?
But i am not seeing an performance decrease, so how can i check it is working?
I have one search head and 2 indexers (non-Clustered)
I have set the following on the indexers
server.conf
[parallelreduce]
pass4SymmKey = $7$qkfkqE35XUbVp9oAqD2M+bBQVTufnczdRnyIcnuQrbXhAV/u+7QyBaXR
limits.conf
[parallelreduce]
reducers=10.25.5.169:5089, 10.25.53.57:5089
I have added in both indexers here, i am assuming i need to add in it self?
My user can run the command
run_multi_phased_searches
http://docs.splunk.com/Documentation/Splunk/7.2.1/DistSearch/Setupparallelreduce
Then i run the command and add redistribute to the command (If i understand correctly this is what we are to do!!) - But below does not work.
| tstats summariesonly=true chunk_size=1000000000 max(MXTIMING.Elapsed) AS Elapsed FROM datamodel=MXTIMING_V9 WHERE
host=Luas_TestCampaign_PI9_2
GROUPBY _time MXTIMING.Machine_Name MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Date MXTIMING.Time MXTIMING.MXTIMING_TYPE_DM source MXTIMING.UserName2 MXTIMING.source_path MXTIMING.Command3 MXTIMING.Context3 span=1s | redistribute by _time
So the errors i am getting is below - But i don't understand i have tried to put redistribute in multiple parts of the search
Redistribute Processor: Cannot redistribute events that have been aggregated at the search head. Place the redistribute command before transforming commands that do not have a 'by' clause.
http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Redistribute
Any help would be great - or how can i check what log
... View more
11-10-2018
05:00 AM
Hi
Thanks for this, i have gotten this working for index=mlc_live and i can see dispatch.remote working on the search head 🙂
But when i try to access the datamodels on the searchhead i am getting cant find datamodel!
So just for the record, i created them on the search head and then un-accelerated them - this seemed to work.
0.04 dispatch.stream.remote.dell425srv_5000 25 - 149,257
0.04 dispatch.stream.remote.hp4000_5000 39 - 227,330
0.13 command.tstats 149 99 99
0.04 command.tstats.execute_input 76 99 -
0.03 command.tstats.query_tsidx 16 - -
0.00 command.tstats.execute_output 1 - -
0.00 dispatch.check_disk_usage 1 - -
0.01 dispatch.createdSearchResultInfrastructure 1 - -
0.01 dispatch.evaluate 3 - -
0.00 dispatch.evaluate.noop 3 - -
0.00 dispatch.evaluate.tstats 3 - -
0.16 dispatch.fetch 76 - -
0.00 dispatch.localSearch 1 - -
0.01 dispatch.optimize.FinalEval 3 - -
0.07 dispatch.optimize.matchReportAcceleration 3 - -
0.02 dispatch.optimize.optimization 3 - -
0.00 dispatch.optimize.reparse 3 - -
0.01 dispatch.optimize.toJson 3 - -
0.00 dispatch.optimize.toSpl 3 - -
0.07 dispatch.parserThread 66 - -
0.01 dispatch.stream.local 8 - -
0.09 dispatch.stream.remote 64 - 376,587
0.04 dispatch.stream.remote.dell425srv_5000 25 - 149,257
0.04 dispatch.stream.remote.hp4000_5000 39 - 227,330
0.06 dispatch.writeStatus 14 - -
0.10 startup.configuration 7 - -
0.81 startup.handoff 7 - -
... View more
11-09-2018
11:05 AM
Thanks again (I think this is the last question on this 🙂
For options 1
Do you mean the the forwarder will send parts of the data to each indexer or each forwarder will send all data to each indexer?
As i initially understood that sections of the data will go to each indexer and then on search time it will be retried.
Below i can see my forwarder switching between each indexer in the log. in this case i have 2 indexers so they are getting 50% each. Then i was hoping in search time they would return 50% each to the search head , thus getting the speed up i am looking for.
[tcpout:my_LB_indexers]
server=10.25.5.169:5997,10.25.53.57:5997
maxQueueSize=500MB
autoLBVolume=1048
[inputproc]
max_fd = 10000
11-09-2018 19:53:50.861 +0100 INFO TcpOutputProc - Connected to idx=10.25.5.169:5997
11-09-2018 19:54:20.838 +0100 INFO TcpOutputProc - Connected to idx=10.25.53.57:5997
11-09-2018 19:55:21.300 +0100 INFO TcpOutputProc - Connected to idx=10.25.5.169:5997
11-09-2018 19:55:51.271 +0100 INFO TcpOutputProc - Connected to idx=10.25.53.57:5997
11-09-2018 19:56:20.968 +0100 INFO TcpOutputProc - Connected to idx=10.25.5.169:5997
11-09-2018 19:57:51.031 +0100 INFO TcpOutputProc - Connected to idx=10.25.53.57:5997
11-09-2018 19:58:50.753 +0100 INFO TcpOutputProc - Connected to idx=10.25.5.169:5997
11-09-2018 19:59:21.301 +0100 INFO TcpOutputProc - Connected to idx=10.25.53.57:5997
... View more
11-09-2018
10:55 AM
Hi
For the first time i am trying to configure a distributed search (Non Clustered).
http://docs.splunk.com/Documentation/Splunk/7.2.0/DistSearch/Overviewofconfiguration
I have created 2 new Indexers and i have taken my main install (I used to have a search head and an indexer on it), i have disabled the indexer on it. So now i have one search head and 2 new indexers.
The output.conf looks like this
# Turn off indexing on the search head
[indexAndForward]
index = false
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server=10.25.5.169:5997,10.25.53.57:5997
I can see that the search head is connected from the logs
11-09-2018 19:12:40.260 +0100 INFO TcpOutputProc - Connected to idx=10.25.5.169:5997, pset=0, reuse=0.
11-09-2018 19:12:42.543 +0100 INFO TcpOutputProc - Connected to idx=10.25.53.57:5997, pset=1, reuse=0.
inputs.conf (On the forwarder)
[default]
host = hp400srv_5000
[splunktcp://5997]
connection_host = ip
I have added the indexers to the search head, i think they are ok, but not sure how to check?
I can see data on one of my indexers by logging in via web (I will disable web when i have this all working)
But the issue is when i log into my search head (That is now connected to my 2 new Indexers).
I can't see any data for the same command "index=mlc_live" for a 5 minute real time search. So i have the 2 windows side by side, i can see data coming into one of the Indexers, but i cant see the same on the the search head.
Am i missing something? Is it a user right issue, on the index or something.
The data is coming into an app that i have created, i manually copied it over to the indexers(for now) to make sure they had an index and data-models for the forwarded data to go.
I am getting some errors in the logs but i don't think they are related to this?
11-09-2018 19:40:35.516 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:36.190 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:36.963 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client hello C', alert_description='protocol version'.
11-09-2018 19:40:36.963 +0100 WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
11-09-2018 19:40:37.042 +0100 WARN IConfCache - Stanza has an expansion [script:///hp737srv1/apps/SPLUNK_WEEKLY_BACKUP/04-11-2018_00-30/splunk/etc/apps/TA-sos/bin/lsof_sos.sh], ignoring alternate expansion [script:///hp737srv1/apps/SPLUNK_WEEKLY_BACKUP/04-11-2018_00-30/splunk/etc/apps/sos/bin/lsof_sos.sh] in inputs.conf
11-09-2018 19:40:37.042 +0100 WARN IConfCache - Stanza has an expansion [script:///hp737srv1/apps/SPLUNK_WEEKLY_BACKUP/04-11-2018_00-30/splunk/etc/apps/TA-sos/bin/nfs-iostat_sos.py], ignoring alternate expansion [script:///hp737srv1/apps/SPLUNK_WEEKLY_BACKUP/04-11-2018_00-30/splunk/etc/apps/sos/bin/nfs-iostat_sos.py] in inputs.conf
11-09-2018 19:40:37.042 +0100 WARN IConfCache - Stanza has an expansion [script:///hp737srv1/apps/SPLUNK_WEEKLY_BACKUP/04-11-2018_00-30/splunk/etc/apps/TA-sos/bin/ps_sos.sh], ignoring alternate expansion [script:///hp737srv1/apps/SPLUNK_WEEKLY_BACKUP/04-11-2018_00-30/splunk/etc/apps/sos/bin/ps_sos.sh] in inputs.conf
11-09-2018 19:40:37.044 +0100 INFO TcpOutputProc - Connected to idx=10.25.53.57:5997, pset=1, reuse=0.
11-09-2018 19:40:37.197 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:38.194 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:39.185 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:39.770 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client hello C', alert_description='protocol version'.
11-09-2018 19:40:39.770 +0100 WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
11-09-2018 19:40:40.196 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:41.185 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:42.185 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:42.503 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client hello C', alert_description='protocol version'.
11-09-2018 19:40:42.503 +0100 WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
11-09-2018 19:40:43.185 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:44.185 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:45.185 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:45.281 +0100 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client hello C', alert_description='protocol version'.
11-09-2018 19:40:45.281 +0100 WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
11-09-2018 19:40:46.185 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
11-09-2018 19:40:47.286 +0100 WARN MongoModificationsTracker - Could not load configuration for collection 'MXTIMING_MONITORING' in application 'murex_mlc'. Collection will be ignored.
Any help would be so so cool - cheers 🙂
... View more
11-09-2018
08:19 AM
Hi
Thanks again for the great answer 🙂
So can i do what i want without a cluster? [I have set up my forwarder to send data to 3 indexers, 2 new 1 original]
I am looking at this "how to deploy a non-clustered distributed search topology"
http://docs.splunk.com/Documentation/Splunk/7.2.0/DistSearch/Overviewofconfiguration
In my case i have an app with an index (MLC_LIVE) and a Datamodel (MXTIMING).
I am assuming in order for my new indexers to do anything they have to have to copy the app files? so each indexer knows what MLC_LIVE is and it then has to create MXTIMING datamodel?
When i run my search do i have to tell my search head i have other indexers or it i set it up right this will be "under the hood" for me?
Thanks again
Rob
... View more
11-07-2018
06:11 AM
Thanks for the great answer :).
I will try and report back
... View more
11-07-2018
06:05 AM
Thanks for the replay, but yes it is accelerated
... View more
11-06-2018
06:39 AM
Hi
In fact I think i am missing a step.
I had one search head, one indexer on one machine (Inside the same install) = Main Install.
I have exploded 2 more full Splunk installs on 2 new machines, I have added them them in the main install via Distributed search - > Search peers. [Please note the forwarders are only forwarding to the main install - I am not sure if I have to change this?]
So, I am unsure what to do, I was hoping the main install would see the 2 new indexers as extra resource and be able to use them, however i think my understanding is not good enough!!!
When you say "Do the new indexers have buckets" - I am what you mean.
This is why i was asking about Replication
http://docs.splunk.com/Documentation/Splunk/7.2.0/Indexer/Bucketsandclusters
Cheers
Robert
... View more
11-06-2018
05:44 AM
Thanks for you help.
So i have set up 2 new indexers on 2 different machine and added them in the Distributed search - > Search peers. Replication status, Health status, Health check failures all good 🙂 . Then a restart.
But when i run a search any search, the CPU on the new boxes stay at 0.0% and the time is the same, so is there something i have to do?
Cheers in advance
... View more
11-06-2018
04:27 AM
I have multiple indexers, but do i have to make them a cluster with 100% replication as well for a search to work like this?
... View more
11-06-2018
04:25 AM
Thanks for this good information.
So you are right , i have made 3 new indexers, but its not faster. I am using tstats off datamodels in my search.
So if i set up multiple Indexers can i add on Index clustering with 100% replication so all new indexers will have a copy of the data?
Cheers
Rob
... View more
11-06-2018
03:57 AM
Thanks for the answer - I will try this out
... View more
11-06-2018
02:23 AM
Hi
Thanks for your replay 🙂
In fact i have gotten system team to monitor the machine and it looks like the machine is not working hard at all. IO = 14% - Disk Access = 10% and CPU = 30%.
I posed a question on it
https://answers.splunk.com/answers/696751/tstat-search-taking-a-long-time-io-cpu-and-disk-ac.html
So how can i tell that the one Indexer i have if FULL and i need more indexers, before i go and make more etc..?
Is that possible
Cheers
Rob
... View more
11-06-2018
02:16 AM
HI
I am running a BIG TSTAT search off a Datamodel - The bottle neck is dispatch.stream.local + dispatch.fetch (I have been told this is IO). However when i look at the IO[15%], CPU[30%] and disk[10%] Access its all low, so what can i change to make it faster?
I cant really change the search.
I have one machine running one indexer and one search head.
IF the answer is to add more indexers, then how does that work, will the Datamodel not be over 2 Indexers if so what configuration do i need to the indexers, Cluster , replication etc..
Cheers in advance
Rob
Screen reader users, click here to skip the navigation bar
Search job inspector
This search is still running and is approximately 100% complete.
(SID: admin_admin_bXVyZXhfbWxj_baseSearch_1541497799.72679) search.log
Execution costs
Duration (seconds) Component Invocations Input count Output count
32.84 .execute_input.flush_prestats 42 6,071,708 6,071,708
266.90 command.tstats 320 6,463,345 6,463,345
194.78 command.tstats.query_tsidx 120 - -
72.07 command.tstats.execute_input 160 6,463,345 -
0.02 dispatch.check_disk_usage 16 - -
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate 1 - -
0.01 dispatch.evaluate.rename 8 - -
0.00 dispatch.evaluate.eval 1 - -
0.00 dispatch.evaluate.tstats 1 - -
0.00 dispatch.evaluate.noop 1 - -
118.87 dispatch.fetch 160 - -
0.00 dispatch.optimize.FinalEval 1 - -
0.02 dispatch.optimize.matchReportAcceleration 1 - -
0.00 dispatch.optimize.optimization 1 - -
0.00 dispatch.optimize.reparse 1 - -
0.00 dispatch.optimize.toJson 1 - -
0.00 dispatch.optimize.toSpl 1 - -
59.01 dispatch.preview 1 - -
29.54 dispatch.preview.tstats.execute_output 1 - -
22.71 dispatch.preview.command.rename 8 3,089,376 3,089,376
3.70 dispatch.preview.command.eval 1 386,172 386,172
2.95 dispatch.preview.write_results_to_disk 1 - -
194.83 dispatch.stream.local 160 - -
0.10 dispatch.writeStatus 67 - -
0.14 startup.configuration 1 - -
0.00 startup.handoff 1 - -
Search job properties
Server info: Splunk 7.0.3, splunk:8000, Tue Nov 06 10:00:56 2018 User: admin
... View more
11-02-2018
11:00 AM
HI
I have the following tstat command that takes ~30 seconds (dispatch.localSearch) is the main slowness .
I have been told to add more indexers to help with this, as the accelerated Datamodel is held on the search head(I think) and more indexers will help to split the dispatch.localSearch - This is the theory??
What i dont know is do i need to set up a cluster index or a non cluster index do i need with full replication for this to help?
So at the moment, i have one Splunk install on one machine.
I can get more machines if needed. I need some advice on what is the best way forward. - Thanks in advance.
P,S I cant really change the search, what i would like to know is that will more indexers(search nodes)
| tstats summariesonly=true chunk_size=1000000 max(MXTIMING.Elapsed) AS Elapsed max(MXTIMING.CPU) AS CPU max(MXTIMING.CPU_PER) AS CPU_PER max(MXTIMING.Memory_V2) AS Memory FROM datamodel=MXTIMING_V9 WHERE
host=QCST_RSAT_V41
AND MXTIMING.Elapsed > 1 OR 1=1
GROUPBY _time MXTIMING.Machine_Name MXTIMING.Context+Command MXTIMING.NPID MXTIMING.MXTIMING_TYPE_DM source MXTIMING.UserName2 span=1s
The inspect is this
Execution costs
Duration (seconds) Component Invocations Input count Output count
0.14 .execute_output.flush_stats 1 - -
0.49 .execute_output.merge_stats 1 - -
37.05 command.tstats 328 62,772 62,772
34.70 command.tstats.query_tsidx 120 - -
1.29 command.tstats.execute_input 164 62,772 -
0.99 command.tstats.execute_output 1 - -
0.00 dispatch.check_disk_usage 4 - -
0.00 dispatch.createdSearchResultInfrastructure 1 - -
0.00 dispatch.evaluate 1 - -
0.00 dispatch.evaluate.tstats 1 - -
0.00 dispatch.evaluate.noop 1 - -
27.40 dispatch.fetch 164 - -
34.64 dispatch.localSearch 1 - -
0.00 dispatch.optimize.FinalEval 1 - -
0.02 dispatch.optimize.matchReportAcceleration 1 - -
0.04 dispatch.optimize.optimization 1 - -
0.00 dispatch.optimize.reparse 1 - -
0.00 dispatch.optimize.toJson 1 - -
0.00 dispatch.optimize.toSpl 1 - -
6.09 dispatch.preview 16 - -
5.24 dispatch.preview.tstats.execute_output 16 - -
0.70 dispatch.preview.write_results_to_disk 16 - -
34.77 dispatch.stream.local 163 - -
0.08 dispatch.writeStatus 41 - -
0.15 startup.configuration 1 - -
0.18 startup.handoff 1 - -
... View more
11-02-2018
07:42 AM
Did you get an answer to your question above as i am also have performance issues with | tstats
... View more
10-31-2018
04:56 AM
HI
Sorry for the delay on getting back to you.
The issue with the solution is, i can have a user looking for any time and it wont be on the hour. So if they can want any time not just data we store in a csv.
Thanks for your answer, i will try and install another indexer on another machine.
Rob
... View more
10-31-2018
01:53 AM
HI
I am marking this answers as accepted as it had the core of what i needed.
Thanks
Woodcock
... View more
10-25-2018
04:01 PM
Mr Woodcock - good to get your help 🙂
I had to update the main question as i cant post images in this replay correctly.
So i tried your solution, but i think the "MAP" command can't be real time (I did put it into a one Relative window and it works, but i loose the sparkline update, unless i get the window to refresh every X seconds - This could be an option).
In this case i was looking for a 1 minute real time window, with three columns.
Service_name Sparkline Status
I got it down to this, so is it possible to reconstruct the sparkline to be visual again?
If so, i might be able to use a 1 minute search and refresh ever 10 seconds, to give it the feeling of real time?
Output i have:
source health sparkdata_copy
LAUNCHER.MXMLC.COLLATERAL.ASSIGN # hp548srv.fr.murex.com-54039 ALIVE 0,1,0,0,1,0,0
LAUNCHERALL # hp548srv.fr.murex.com-58085 ALIVE 0,0,1,0,1,0,0
My search:
index=jmx sourcetype=jmx host="hp548srv.fr.murex.com:9080" jvmDescription="*" mbean_domain="murex"
| search source = *\=SubAgent*
| search source = *lid*
| rex field=source "^.*installationcode=(?.*),subagent-name=(?.*)"
| table _time source Launcher Machine_Name
| eval source = Launcher." # ".Machine_Name
| stats sparkline(count, 10s) AS sparkline by source
| map search="| makeresults | eval sparkdata=$sparkline$ | eval source=$source$"
| rex field=sparkdata mode=sed "s/^[^,]+,//" | eval sparkdata_copy=sparkdata
| eval sparkdata=split(sparkdata, ",")
| eval mvcount=mvcount(sparkdata)
| eval firstHalf=mvindex(sparkdata, 0, floor(mvcount/2))
| eval firstHalfCountNonZero = mvcount(mvfilter(firstHalf>0))
| eval lastHalf=mvindex(sparkdata, ceiling(mvcount/2), mvcount)
| eval lastHalfCountNonZero = mvcount(mvfilter(lastHalf>0))
| eval health=case((firstHalfCountNonZero==0 AND lastHalfCountNonZero==0), "DEAD",
(firstHalfCountNonZero==0 AND lastHalfCountNonZero>0), "Starting",
(firstHalfCountNonZero>0 AND lastHalfCountNonZero==0), "Stopping",
true(), "ALIVE")
| table source health sparkdata_copy
... View more
10-25-2018
08:04 AM
1 Karma
sure - i have pushed back and awaiting replay
... View more
10-24-2018
04:08 AM
Mr Woodcock - good to get your help 🙂
I had to update the main question as i cant post images in this replay correctly.
So i tried your solution, but i think the "MAP" command can't be real time (I did put it into a one Relative window and it works, but i loose the sparkline update, unless i get the window to refresh every X seconds - This could be an option).
In this case i was looking for a 1 minute real time window, with three columns.
Service_name Sparkline Status
I got it down to this, so is it possible to reconstruct the sparkline to be visual again?
If so, i might be able to use a 1 minute search and refresh ever 10 seconds, to give it the feeling of real time?
Output i have
source health sparkdata_copy
LAUNCHER.MXMLC.COLLATERAL.ASSIGN # hp548srv.fr.murex.com-54039 ALIVE 0,1,0,0,1,0,0
LAUNCHERALL # hp548srv.fr.murex.com-58085 ALIVE 0,0,1,0,1,0,0
index=jmx sourcetype=jmx host="hp548srv.fr.murex.com:9080" jvmDescription="*" mbean_domain="murex"
| search source = *\=SubAgent*
| search source = *lid*
| rex field=source "^.*installationcode=(?<Launcher>.*),subagent-name=(?<Machine_Name>.*)"
| table _time source Launcher Machine_Name
| eval source = Launcher." # ".Machine_Name
| stats sparkline(count, 10s) AS sparkline by source
| map search="| makeresults | eval sparkdata=$sparkline$ | eval source=$source$"
| rex field=sparkdata mode=sed "s/^[^,]+,//" | eval sparkdata_copy=sparkdata
| eval sparkdata=split(sparkdata, ",")
| eval mvcount=mvcount(sparkdata)
| eval firstHalf=mvindex(sparkdata, 0, floor(mvcount/2))
| eval firstHalfCountNonZero = mvcount(mvfilter(firstHalf>0))
| eval lastHalf=mvindex(sparkdata, ceiling(mvcount/2), mvcount)
| eval lastHalfCountNonZero = mvcount(mvfilter(lastHalf>0))
| eval health=case((firstHalfCountNonZero==0 AND lastHalfCountNonZero==0), "DEAD",
(firstHalfCountNonZero==0 AND lastHalfCountNonZero>0), "Starting",
(firstHalfCountNonZero>0 AND lastHalfCountNonZero==0), "Stopping",
true(), "ALIVE")
| table source health sparkdata_copy
... View more
10-22-2018
03:58 AM
Ha, that is funny 🙂
Thanks for the answer. I will try and get it in-today and i will get back with some replay.
... View more
10-21-2018
01:00 AM
Thanks, (I should have been more specific) i am looking for any value that the use will enter dynamically.
I don't want to have to update the dashboard each time
... View more
10-19-2018
02:55 AM
HI,
I have the following drop down. It returns a list of numbers
For example: 2, 6, 7, 45 etc... random.
I need to be able to set the number X even if X is not in the list returned. Or Y or Z the use picks the value.
<input type="dropdown" token="Token_Duration_MAX_Time" searchWhenChanged="true">
<label>Duration_MAX_Time</label>
<choice value="*">All</choice>
<search>
<query>| tstats summariesonly=true values(All_TPS_Logs.duration) AS Duration FROM datamodel=TPS_V4 WHERE nodename=All_TPS_Logs host=$host_token$ All_TPS_Logs.user=* OR NOT All_TPS_Logs.user=* All_TPS_Logs.operationIdentity="*" GROUPBY All_TPS_Logs.duration
| rename All_TPS_Logs.duration as Duration
| sort Duration
| table Duration</query>
<earliest>$tps_selection.earliest$</earliest>
<latest>$tps_selection.latest$</latest>
</search>
<fieldForLabel>Duration</fieldForLabel>
<fieldForValue>Duration</fieldForValue>
<default>NO_Value</default>
Thanks in advance
Rob
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-11-2026
08:22 AM
|
Karma given to
