Hi Is there a way yo get the timeline to graphs over the default amount of points. From the image below we can see the row 3 to 10 have a lot of data-points, i think i must have hit the Max, as it should keep going until it hits the end. Is there a way to increase from the default? ![alt text][1] <viz type="timeline_app.timeline"> <search> <query>eventtype=mlc host=$host_token$ sourcetype=tps | dedup _time _raw | where Parent_ID$Parent+Child_or_Outside$$Token_Parent_ID$ $AND_OR$ Child_ID$Parent+Child_or_Outside$$Token_Parent_ID$ | eval duration = endTime-startTime | eval Method = operationIdentity | eval fullyQualifiedMethod = name."#".operationIdentity | sort 0 _time | table _time Method fullyQualifiedMethod duration</query> <earliest>$tps_selection.earliest$</earliest> <latest>$tps_selection.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="height">400</option> <option name="timeline_app.timeline.axisTimeFormat">SUBSECONDS</option> <option name="timeline_app.timeline.colorMode">categorical</option> <option name="timeline_app.timeline.maxColor">#DA5C5C</option> <option name="timeline_app.timeline.minColor">#FFE8E8</option> <option name="timeline_app.timeline.numOfBins">6</option> <option name="timeline_app.timeline.tooltipTimeFormat">SUBSECONDS</option> <option name="timeline_app.timeline.useColors">1</option> <drilldown> <set token="TEST_GANTT_VALUE">$row.Method$</set> <eval token="TEST_GANTT_start">$tps_selection.earliest$</eval> <eval token="TEST_GANTT_end">$tps_selection.latest$</eval> <!--eval token="TEST_GANTT_start">$earliest$ - 3600</eval> <eval token="TEST_GANTT_end">$latest$ - 3600</eval> <eval token="TEST_GANTT_start_ms_EPOC">$earliest$ * 1000 - 3600000</eval> <eval token="TEST_GANTT_end_ms_EPOC">$latest$ * 1000 - 3600000</eval> <eval token="TEST_GANTT_start_Display">strftime($tps_selection.earliest$,"%Y-%m-%d %H:%M:%S.%3N")</eval> <eval token="TEST_GANTT_end_Display">strftime($tps_selection.latest$,"%Y-%m-%d %H:%M:%S.%3N")</eval--> <set token="DRILL_DOWN">ON</set> </drilldown> </viz> ... View more

Hi I have a Maths problem that i am hoping Splunk has a function for. It is in relation to calculation the % of time code is running out of a Total. So Example one - The easy example The Parent method takes 10 seconds [From 0 -10] A Clild method takes 5 seconds. From 2-7 The child method is 50% of the Calculation Example 2 - a bit more difficult The Parent method takes 10 seconds [From 0 -10] A child method is called twice from 0-2 and 4-6 so in total 4 seconds => 40% Example 3 _ In Parallel The Parent method takes 10 seconds [From 0 -10] A child method is called 4 time in parallel overlapping can happen 0-5 2-5 6-7 6-9 So if i sum the time i get 0-5 =5, 2-5 =3, 6-7=1 6-9 =2 Total = 11 = > 110% [This is the issues, the real answer is 80%. As there is nothing running between 5-6 and 9-10]. So i have 2 vectors with start and stop of all these child method, and i would love if Splunk has a math function that would give me Total time the children was running i.e 8 and i will supplay 10 so i can get 80% All help on this is welcomed. Thanks Robert Lynch ... View more

Hi I have Splunk installed in Paris and we are noticing a large amount of slowness in Splunk when users are logged in via WAN. We expect some slowness as we are a longer distance away, however it is nearly unusable. I have a lot of logic in my dashboards, so perhaps it is this that it is causing it. However is there any thing else i can do. For example if a use logs in from NY they would nearly have to use CITRIX to get a good connection. As SPlunk is web based and most of the heavy lifting is done on the server side i am surprised. Below is an exampe of some of the searches that one of my dashbards could be running. A could have this run 10 times in parallel in one dashboard, so on the LAN it is fast. But when we get to long distance it becomes very difficult to use. Would i need to install part of SPLUNK on servers locally to speed this up, if so what parts and how do i do this? <panel depends="$MXTIMING_ON_OFF$,$MXTIMING_ON_ALL_PANELLS$"> <title>Filters: Command=$MXTIMING_Command_token$ Context=$MXTIMING_Context_token$ PATH=$source_path_search_token$ User=$MXTIMING_UserName_token$ NPID=$MXTIMING_NPID_token$ TYPE=$MXTIMING_TYPE_TOKEN$ Sercives=$NICKNAME_TOKEN$ Tags=$TAG_TOKEN$</title> <single> <title>TAG's Over $MAX_TIME$ and Threshold : Sercives=$NICKNAME_TOKEN$</title> <search> <query>| tstats summariesonly=$summariesonly_token$ avg(MXTIMING.Elapsed) AS average FROM datamodel=MXTIMING_V2 WHERE host=$host_token$ AND MXTIMING.Elapsed &gt; $MAX_TIME$ AND MXTIMING.source_path IN ($source_path_search_token$) AND MXTIMING.UserName2 IN ($MXTIMING_UserName_token$) AND MXTIMING.NPID IN ($MXTIMING_NPID_token$) AND MXTIMING.MXTIMING_TYPE_DM IN ($MXTIMING_TYPE_TOKEN$) AND MXTIMING.Context+Command IN ($MXTIMING_Context_token$) AND MXTIMING.Context+Command IN ($MXTIMING_Command_token$) AND MXTIMING.Time = * GROUPBY MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Time | rename MXTIMING.Context+Command as Context+Command |rename MXTIMING.NPID as NPID | join NPID [| tstats summariesonly=$summariesonly_token$ count(SERVICE.NPID) AS count2 FROM datamodel=SERVICE WHERE ( host=$host_token$ earliest=@w1) AND SERVICE.NICKNAME IN ($NICKNAME_TOKEN$) GROUPBY SERVICE.NICKNAME SERVICE.NPID | rename SERVICE.NPID AS NPID | rename SERVICE.NICKNAME AS NICKNAME ] | lookup MXTIMING_lookup_test Context_Command AS "Context+Command" OUTPUT Tags CC_Description Threshold Alert | search |where average > Threshold OR isnull('Threshold') | fillnull Tags | eval Tags=if(Tags=0,"NO_TAG",Tags) | eval Tags=split(Tags,",")|stats count(average) as count by Tags | sort Tags | append [| inputlookup stars.csv | table Column1 Column2 | rename Column1 as Tags | rename Column2 as count] | sort Tags</query> <earliest>$time_token.earliest$</earliest> <latest>$time_token.latest$</latest> </search> Cheers Robert Lynch ... View more

I have a lookup that end users can update. However they might make a mistake and put in the same data twice. The issues is, if this is done SPLUNK wont return ether results. So the data is lost as i am using this with a transform. Initial Search .....| lookup lookup Context_Command AS "Context+Command" OUTPUT Tags CC_Description Threshold So Example 1 - Working This is the look up table - I get 10 Row returned to me [As i should] It finds a match for NULL#Login and this is good Context_Command CC_Description Tags Alert Threshold NULL#Login TEST2 TEST2 y 5 Example 2 - Not Working This is the look up table - I get 8 Row returned to me and NULL#Login is excluded from this Context_Command CC_Description Tags Alert Threshold NULL#Login TEST2 TEST2 y 5 NULL#Login TEST2 TEST2 y 5 I know this is a human problem, however this file can have hundreds is not thousands of line and this will become difficult to manage. This is the transform i am using [Context_Command_lookup] filename = TEST_MXTIMING.csv match_type = WILDCARD(Context_Command) ... View more

Hi I have an issues where I am joining a Data-model with a lookup table and its working very well. We are looking to extend the usability to add a wild-character * into the lookup . So in the lookup we don't have to keep adding in the full string name, we can add in part of it then * [For Example XYZ*] One table is Datamodel Context_Command NULL#NULL cancel#Exit Dealinput#Eventslist SessionCreate#MXODR DictionaryManager#NULL Seconds Table Lookup is smaller a sub set Context_Command NULL#NULL cancel#Exit SessionCreate#MXODR Proposed Second Table (With Wilde characters) NULL* cancel#Ex* SessionC* Current code that i have | join Context+Command type=left [inputlookup TEST_MXTIMING.csv | rename Context_Command AS Context+Command ] Any help would be brill : ) ... View more

Hi I am trying to apply a Multiselect into a token. For example, I can change the value of MXTIMING.NPID to the PID 123 and it works - so that is one value. What I want to do is activate a Multiselect on this token so I can select 123 and 345 and 345, etc. ... I have tried to add in a prefix of OR but it's not working. INITIAL - Query <query>| tstats summariesonly=$summariesonly_token$ avg(MXTIMING.Elapsed) AS average FROM datamodel=MXTIMING_TEST WHERE host=$host_token$ AND MXTIMING.source_path = *$source_path_search_token$ AND MXTIMING.UserName2=$MXTIMING_UserName_token$ AND MXTIMING.NPID=*$MXTIMING_NPID_token$* AND MXTIMING.MXTIMING_TYPE_DM=$MXTIMING_TYPE_TOKEN$ AND MXTIMING.Context+Command = *$MXTIMING_Context_token$#* AND MXTIMING.Context+Command = *#$MXTIMING_Command_token$* AND MXTIMING.Time = * GROUPBY MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Time I tried to add in a way to use OR, but i cant seem to find a way - to me this would be the best way <query>| tstats summariesonly=$summariesonly_token$ avg(MXTIMING.Elapsed) AS average FROM datamodel=MXTIMING_TEST WHERE host=$host_token$ AND MXTIMING.source_path = *$source_path_search_token$ AND MXTIMING.UserName2=$MXTIMING_UserName_token$ AND MXTIMING.NPID="1123" OR "11232" AND MXTIMING.MXTIMING_TYPE_DM=$MXTIMING_TYPE_TOKEN$ AND MXTIMING.Context+Command = *$MXTIMING_Context_token$#* AND MXTIMING.Context+Command = *#$MXTIMING_Command_token$* AND MXTIMING.Time = * GROUPBY MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Time In the end i have to change the TOKEN to equal the full string repeating it self [], however this is long and if i want to use this token again i will have to strip out the token value prefix = MXTIMING.NPID <query>| tstats summariesonly=$summariesonly_token$ avg(MXTIMING.Elapsed) AS average FROM datamodel=MXTIMING_TEST WHERE host=$host_token$ AND MXTIMING.source_path = *$source_path_search_token$ AND MXTIMING.UserName2=$MXTIMING_UserName_token$ MXTIMING.NPID=10025 OR MXTIMING.NPID=10784 OR MXTIMING.NPID=11858 OR MXTIMING.NPID=12170 AND MXTIMING.MXTIMING_TYPE_DM=$MXTIMING_TYPE_TOKEN$ AND MXTIMING.Context+Command = *$MXTIMING_Context_token$#* AND MXTIMING.Context+Command = *#$MXTIMING_Command_token$* AND MXTIMING.Time = * GROUPBY MXTIMING.Context+Command MXTIMING.NPID MXTIMING.Time ... View more

Hi I have lots of file in a directory, some with data some with no data. If i understand correctly Splunk will forward on files only with data, however this is an issues for me as i parse the name and i use it. So for example 535211-11233-service.log. I take out the value 11233 and use it. In this case i also need the value 11235 on the 0KB file, but as the forwarder is not sending it i cant access it. So how can i get the forwarder to send the file with 0KB? 535211-11233-service.log 10kb 535613-11234-service.log 100kb 535614-11235-service.log 0kb etc... Thanks in advance Robert ... View more

Hi I am trying to set a token from a drilldown. I am able to to this, however the value that comes back is only for display, the real value is in a lookup table. NICKNAME Human_Name_Nickname mx MX_BASIC smcrisk_engine RISK_ENGINE mxtraderepository_engine MX_TRADE_REPO_ENGINE smcobjectrepository_engine SM_ENGINE mxmlexchange_mxtaskxa MXMLEXCHANGE mxdealscanner_engine DEAL_SCANNER mx_cesar CESAR mx_marketdata_repository_engine MARKET_DATA mxprocessingscript PROCESSING_SCRIPT So i need to take the value on the screen go to the look up and comeback with the real value. I am trying to do this by taking $trellis.value$, putting it into a lookuptable and getting back the correct answer. So for example, i display "MX_BASIC", i want to set the token to "mx" as this is the underlining value i need to pass into the token. <drilldown> <!--set token="form.NICKNAME_TOKEN">$trellis.value$</set--> <set token="SINGLE_CLICK_NICKNAME">ON</set> <eval token="form.NICKNAME_TOKEN">| inputlookup TEST_MXTIMING_NICKNAME.csv | search Human_Name_Nickname = $trellis.value$ | fields - Human_Name_Nickname</eval> </drilldown> ... View more

I am using a join, but is there a better way to replace values? I have the following table. (NICKNAME + Human_Name_Nickname are the headers) NICKNAME Human_Name_Nickname mx MX_BASIC smcrisk_engine RISK_ENGINE mxtraderepository_engine MX_TRADE_REPO_ENGINE smcobjectrepository_engine SM_ENGINE mxmlexchange_mxtaskxa MXMLEXCHANGE mxdealscanner_engine DEAL_SCANNER mx_cesar CESAR mx_marketdata_repository_engine MARKET_DATA mxprocessingscript PROCESSING_SCRIPT I am retriving back thousands of lines of data with NICKNAME, i want to replace values from the lookup table. E.G find "mx" and replace it with "MX_BASIC" etc.. so lots of entries. Then find "smcrisk_engine" and replace it with "RISK_ENGINE" if no match use the original value. This is what i have- But i have been told not to use joins...can i do this better? | join NICKNAME type=left [inputlookup TEST_MXTIMING_NICKNAME.csv ] | fillnull Human_Name_Nickname | eval Human_Name_Nickname=if(Human_Name_Nickname=0,$$NICKNAME$$,Human_Name_Nickname) | rename Human_Name_Nickname AS NICKNAME. This works, but i am concerned of performance. ... View more