Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About robertlynch2020
robertlynch2020
Influencer
Member since:
11-05-2015
02-11-2026
Community Statistics
| Posts | 656 |
| Solutions | 34 |
| Karma Given | 100 |
| Karma Received | 66 |
| Member Since | 11-05-2015 |
Activity Feed
- Posted Re: How to Graph white space before and after my data in a stats graph on Splunk Enterprise. 11-18-2025 02:00 AM
- Karma Re: How to Graph white space before and after my data in a stats graph for bowesmana. 11-18-2025 01:31 AM
- Karma Re: How to Graph white space before and after my data in a stats graph for ITWhisperer. 11-18-2025 01:31 AM
- Posted How to Graph white space before and after my data in a stats graph on Splunk Enterprise. 11-14-2025 07:57 AM
- Got Karma for Re: Can i create trellis with overlays, when the overlap can be dynamic.. 11-05-2025 10:53 AM
- Posted Re: Can i create trellis with overlays, when the overlap can be dynamic. on Dashboards & Visualizations. 11-05-2025 08:57 AM
- Karma Re: Can i create trellis with overlays, when the overlap can be dynamic. for tscroggins. 11-05-2025 08:56 AM
- Karma Re: Can i create trellis with overlays, when the overlap can be dynamic. for tscroggins. 11-05-2025 08:26 AM
- Got Karma for Re: Is it possible to Monitor Splunk User activity?. 11-05-2025 02:56 AM
- Posted Re: Can i create trellies wiht overlays, when the overlap can by dynamic. on Dashboards & Visualizations. 11-04-2025 02:46 AM
- Karma Re: Can i create trellies wiht overlays, when the overlap can by dynamic. for livehybrid. 11-03-2025 02:30 AM
- Posted Can i create trellis with overlays, when the overlap can be dynamic. on Dashboards & Visualizations. 10-31-2025 05:53 AM
- Karma Re: Can i have overlap on a Multi-series graph for livehybrid. 10-09-2025 06:52 AM
- Posted Re: Can i have overlap on a Multi-series graph on Splunk Enterprise. 10-08-2025 09:40 AM
- Posted Can i have overlap on a Multi-series graph on Splunk Enterprise. 10-08-2025 09:02 AM
- Posted Re: Search for a path the might not exist on Splunk Search. 05-28-2025 01:39 AM
- Karma Re: Search for a path the might not exist for livehybrid. 05-28-2025 01:39 AM
- Karma Re: Search for a path the might not exist for yuanliu. 05-28-2025 01:38 AM
- Posted Re: Search for a path the might not exist on Splunk Search. 05-22-2025 08:46 AM
- Posted Re: Search for a path the might not exist on Splunk Search. 05-22-2025 08:39 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-06-2018
03:40 AM
Thanks again
In fact $time_selection.earliest$ jumps starts at 1518502650, the undefined then back to 1518502650 => search reruns. Even if the two values are the same!
Is there anyway to say don't change the token to undefined. In fact dont do anything stay 100% the same
... View more
03-04-2018
09:20 AM
Thanks so much for looking at this for me.
In fact i think we are close to an answer here. Yes i did have a typo in my initial question sorry about that.
So this is what i am trying to do. I have a query that takes time from $time_token.earliest$. This is also a timeline chart, this also sets time for a different time token that drives multiple other pannels
However i have noticed when $time_token.earliest$=time_selection.earliest. It will still re-set the same value and this will re-drive all my other panels. This is bad for performance etc..
Original Query
<query></query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<selection>
<unset token="execute_tps_save_test"></unset>
<set token="time_selection.earliest">$start$</set>
<set token="time_selection.latest">$end$</set>
</selection>
Updated, however not 100% working. I think the issues, is it gets unset if not true and this is NULL to my other pannels.
<query></query>
<earliest>$time_token.earliest$</earliest>
<latest>$time_token.latest$</latest>
</search>
<selection>
<unset token="execute_tps_save_test"></unset>
<!--set token="time_selection.earliest">$start$</set>
<set token="time_selection.latest">$end$</set-->
<eval token="time_selection.earliest">case("$time_selection.earliest$"!="$time_token.earliest$",$start$)</eval>
<eval token="time_selection.latest">case("$time_selection.latest$"!="$time_token.latest$",$end$)</eval>
</selection>
So is there a way to check to see if you are the same as original and do nothing else update.
... View more
03-02-2018
07:45 AM
Hi
Normally have code like this
<selection>
<set token="time_selection.earliest">$start$</set>
<set token="time_selection.latest">$end$</set>
</selection>
I now have to add a condition to the selection, however its not working inside selection.
<selection>
<condition match="$save_test_time_token.earliest$ == $save_test_time_token.earliest$">
<set token="time_selection.earliest">$start$</set>
<set token="time_selection.latest">$end$</set>
</condition>
</selection>
... View more
03-02-2018
03:12 AM
So in the end what i did to scan over 200 Million lines is i created different data-model pending on there values.
So for example i am after greater then 5 seconds as a value in the datamodel - so i set up a "CONSTRAINTS".
So data model 1 is less then 5 seconds and data-model 2 is greater then 5 seconds.
When the users opens the dashboard it default to greater then 5 seconds.
This cuts down the no of results to 200K, it is much quicker now.
... View more
02-26-2018
12:50 PM
Just to add i have a 58 core high powered box ready to be used for this. So i have the cpu power, just not sure what can be increased?
... View more
02-26-2018
12:48 PM
So. I am trying to scan infor over 200 Million lines in a datamodel. I have one search head and one indexer. Not sure if increase these will improve my performance for my search.
I have taken you good advice and removed fields that are not needed. However it is still slow so not sure if there is anything else i can do here?
... View more
02-26-2018
10:32 AM
HI
Thanks for your help, i go some great ideas form what you said. I have improved the search and re-run.
Just uploaded image of job inspector. I will write a full answer in the next hour or so
... View more
02-22-2018
11:29 PM
Hi
Thanks for this. I will give it a go next week to see if it works. God moved onto something else this week.
Cheers
... View more
02-22-2018
02:01 PM
Hi
I have the following queary using Tstats .. The issues is it take 22 seconds and i need 10.
In general i am looking for do and don't in the query and how do i improve the performance of it.
Any pointer would be great thanks. 🙂
| tstats summariesonly=true values(MXTIMING.Elapsed) AS Elapsed values(MXTIMING.CPU) AS CPU values(MXTIMING.CPU_PER) AS CPU_PER values(MXTIMING.Memory) AS Memory values(MXTIMING.Elapsed_C) AS Elapsed_C dc(source) AS source_file FROM datamodel=MXTIMING_V3 WHERE
host=UBS-RC_QCST_MASTER
AND MXTIMING.Elapsed > 5
AND MXTIMING.source_path IN (*)
AND MXTIMING.UserName2 IN (*)
AND MXTIMING.NPID IN (*)
AND MXTIMING.MXTIMING_TYPE_DM IN (LIVEBOOK)
AND MXTIMING.Context+Command IN (*#*)
AND MXTIMING.Context+Command IN (*#*)
AND MXTIMING.Time = *
GROUPBY MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Time MXTIMING.MXTIMING_TYPE_DM
... View more
02-15-2018
04:19 AM
hi
Did you get an answer to this, i have something the same
... View more
02-15-2018
04:18 AM
I reinstall the full alert manager again after delete it to get it to work, not sure if it was something i did or the add on.
... View more
02-15-2018
04:11 AM
Hi
In a MultiSelect is there any way to us a wild character?
My Data
XYC_123
EOD_1234
EOD_23232
EOD_343434
aassss_34343
So, i would like to pick all the EOD so (Star)EOD(Star).
I can put this in manually, however, I want to do it dynamically from the search box.
I want to put in (Star)ANYTHING(Star)
... View more
02-15-2018
02:01 AM
Hi
I have the following data
column_A column_B
10 20
15 5
16 100
I want to add logic, if column B > column A the cell goes red if not go green.
I have tried $result.column_B$ > $result.column_B$ in the but no luck
any ideas?
Cheers in advance 🙂
... View more
02-08-2018
08:37 AM
Hi
I had Alert manager working great, alerts coming in daily, then I saw there was an add-on. So I took it. Now, no alerts will come up in the alerts manager screen.
Is there some setting that needs to go on?
Thanks
Rob
... View more
01-29-2018
09:05 AM
Hi
I am trying to define a new transform.conf in SPLUNK 7 so that a lookup can take a wild character.
The initial MXTIMING_lookup_Base is working, so i copied it and added a 1 to the end.
I then ran the refresh, to reload the transform.conf, however they wont reload.
http://dell425srv:8000/en-GB/debug/refresh?entity=admin/transforms-lookup
http://dell425srv:8000/en-GB/debug/refresh?entity=admin/transforms-extract
http://dell425srv:8000/en-GB/debug/refresh
[MXTIMING_lookup_Base]
filename = MXTIMING_BASE.csv
match_type = WILDCARD(Context_Command)
[MXTIMING_lookup_Base1]
filename = MXTIMING_BASE1.csv
match_type = WILDCARD(Context_Command)
Perhaps i am missing something, but this used to refresh in SPLUNK 6
Any help is great thanks
Robert Lynch
... View more
01-23-2018
03:36 AM
Hi
I have created the following way to turn on events Splunk 7 easly, however can turn them off.
I use a eval foo="$EVENT_ON_OFF$" and a check box, however i cant get them off when i want them to.
<row>
<panel>
<input type="checkbox" token="EVENT_ON_OFF" searchWhenChanged="true">
<label>EVENT_ON_OFF</label>
<choice value="ON">ON</choice>
<delimiter> </delimiter>
</input>
<chart>
<title>CPU by source - Events Overlay</title>
<search type="annotation">
<query>| tstats values("AMBER_EVENTS.evt.lvl") as "Count" from datamodel="AMBER_EVENTS" where "nodename"="AMBER_EVENTS" host=mx7654vm_ROB_AMBER_2 groupby _time, source ,AMBER_EVENTS.evt.lvl,AMBER_EVENTS.evt.dsc span=5s | eval foo="$EVENT_ON_OFF$" | rename AMBER_EVENTS.evt.lvl as INFO | rename AMBER_EVENTS.evt.dsc as MESSAGE
| eval annotation_label = MESSAGE
| eval annotation_category = INFO | table _time annotation_label annotation_category</query>
<earliest>$global_time_tok.earliest$</earliest>
<latest>$global_time_tok.latest$</latest>
</search>
<search>
<query>| tstats avg("AMBER_METRIC.mtr.gauges.process.cpu.percentage") as "Avg" from datamodel="AMBER_METRIC" where "nodename"="AMBER_METRIC" host=mx7654vm_ROB_AMBER_2 groupby _time, source span=100s
| timechart first("Avg") as "Avg" agg=max limit=5 useother=false span=100s by source</query>
<earliest>$global_time_tok.earliest$</earliest>
<latest>$global_time_tok.latest$</latest>
</search>
<option name="charting.axisY.abbreviation">auto</option>
<option name="charting.axisY.includeZero">1</option>
<option name="charting.chart">line</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.drilldown">all</option>
<option name="charting.fieldColors">{"/net/mx7654vm/data/apps/MX_ROB/logsrob7/authn/authn-app-0.1/5691a977-9a7c-4865-ba6a-aa0e9071d9b6.log_METRIC.log":"#1e93c6","/net/mx7654vm/data/apps/MX_ROB/logsrob7/counterpart/counterpart-app-0.1/e11a1aca-aed9-447c-8d51-bde79213dea9.log_METRIC.log":"#f2b827","/net/mx7654vm/data/apps/MX_ROB/logsrob7/counterpart/counterpart-0.1/4736d9d6-8224-4975-9e39-889eb346be90.log_METRIC.log":"#d6563c","/net/mx7654vm/data/apps/MX_ROB/logsrob7/counterpart/counterpart-0.1/ce142cf0-2cdb-47eb-8d08-13ef20690585.log_METRIC.log":"#6a5c9e","/net/mx7654vm/data/apps/MX_ROB/logsrob7/counterpart/counterpart-0.1/dca63eb4-ee82-4c96-92cf-c6f55ba0cc3d.log_METRIC.log":"#31a35f"}</option>
<option name="charting.gridLinesX.showMajorLines">1</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.mode">standard</option>
<drilldown>
<link target="_blank">/app/murex_mlc/amber_events</link>
</drilldown>
</chart>
</panel>
</row>
... View more
01-10-2018
08:47 AM
Did you get n answer to this? I have the same situation.
... View more
01-10-2018
08:46 AM
Hi.
Did you get an answer for this. I have the same issue.
Thanks
Robert Lynch
... View more
01-10-2018
08:26 AM
1 Karma
Hi
What is the best way to get data into Splunk from Elasticsearch, so i can put Datamodles on to it.
Thanks Robert Lynch
... View more
Labels
- Labels:
-
data model
01-10-2018
08:16 AM
Hi
Is this the best way to get data from Elasticsearch into SPLUNK?
Thanks
Robert Lynch
... View more
12-19-2017
02:05 AM
Got this by adding
[service]
BREAK_ONLY_BEFORE=ererererererer
TRANSFORMS-filter = NoInfo_100
... View more
12-18-2017
09:51 AM
This is really great guys, thanks.
Do you think it is possible to take in only one character per file, not per line?
In the perfect world i just want to look at the data in the filename, so the data inside the file is not usefull.
... View more
12-18-2017
04:02 AM
I have data coming into SPLUNK [service] , but i only need the file name not the data in the file.
The data is getting in, but i need to reduce it.
So i am trying to reduce the data with REGEX before it hits the INDEX. For example i think i would have to take one character from each file so it will register the file and i can use the file name. I have the below REGEX but its not working. Any ideas?
transforms.conf
[NoInfo_100]
REGEX = .$
DEST_KEY = queue
FORMAT = nullQueue
props.conf
[service]
TRANSFORMS-filter = NoInfo_100
Thanks in Advance
Robert Lynch
... View more
12-18-2017
01:57 AM
HI
Every Saturday we do a full stop of Splunk and we do a full back up + restart.
The issues is come Monday morning it take up to 10 minutes to some of the heavy tstat commands to run. Its like as if all the data is in cold buckets and not warm, the data span is only 1-2 weeks only so it should be warm and fast, but its very very slow.
I am thinking of running a saved search on the last months data after a restart to "wake it up" so to speak. Any other ideas would be great on this?
Below is the type of search that is taking a long time after the restart. There could be 100 Million line it is pulling from, normall this can take 10 seconds, when in cache. The Value host=CLIENT_X can change.
| tstats summariesonly=true max(All_TPS_Logs.duration) AS All_TPS_Logs.duration FROM datamodel=MLC_TPS_DEBUG4 WHERE (nodename=All_TPS_Logs host=CLIENT_X (All_TPS_Logs.user=* OR NOT All_TPS_Logs.user=*)) All_TPS_Logs.name =*** GROUPBY _time, All_TPS_Logs.fullyQualifiedMethod span=1s | rename All_TPS_Logs.fullyQualifiedMethod as series | rename All_TPS_Logs.duration as value | table _time series value | append [ search eventtype=mlc sourcetype=lts_timings host=TALANX-Logs-18-12-17-DIJON527_2017-12-18-100009_archive | where isnum(duration_seconds) | eval task_name = upper(task_name) | lookup lts_lookup task_name OUTPUT value | eval value = if(isnotnull(value),value,95) | rex field=start ".* (?<start_time>[^ ]+)$" | rex field=end ".* (?<end_time>[^ ]+)$" | eval series = task_name." (".duration_seconds."s)" | eval end_timestamp=_time+duration_seconds | eval end_event=mvappend("",end_timestamp.",".series.",".value,"") | mvexpand end_event | rex field=end_event "(?<_time>[^,]+),(?<series>[^,]+),(?<value>[^,]+)" | eval series = replace(series,":",".") | table _time series value | dedup _time, series ]| search (series=**murex** OR series=**TEST_**) | timechart bins=1000 max(value) by series limit=20
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-11-2026
08:22 AM
|
Karma given to
