Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About fredclown
fredclown
Builder
Member since:
07-17-2013
08-06-2025
Community Statistics
| Posts | 154 |
| Solutions | 10 |
| Karma Given | 81 |
| Karma Received | 40 |
| Member Since | 07-17-2013 |
Activity Feed
- Got Karma for Dashboard Studio Input Change Event Handler. 12-05-2025 10:59 AM
- Posted Re: Is it possible to do search time field extraction based punct on Getting Data In. 08-06-2025 08:02 AM
- Posted Is it possible to do search time field extraction based punct on Getting Data In. 08-05-2025 04:06 PM
- Got Karma for Re: Where to check the clock skew. 07-02-2025 12:08 PM
- Posted Re: How to create a central dashboard containing links to all other dashboards for users to navigate to? on Dashboards & Visualizations. 05-16-2025 04:43 PM
- Got Karma for Re: What is the splunk.secret file, and is it possible to change it?. 04-10-2025 09:00 AM
- Posted Re: Any way to use trellis layout on Dashboard Studio? on Dashboards & Visualizations. 02-18-2025 11:07 AM
- Posted Dashboard Studio Input Change Event Handler on Dashboards & Visualizations. 10-11-2024 10:49 AM
- Got Karma for Re: Introducing the 2024 Splunk MVPs!. 09-17-2024 04:00 PM
- Got Karma for Re: Introducing the 2024 Splunk MVPs!. 09-12-2024 07:33 AM
- Got Karma for Re: Is there any optimal way to get context bith before and after fir search result. 09-06-2024 11:29 AM
- Posted Can you still search logs on an indexer that is turned into a heavy forwarder on Deployment Architecture. 08-05-2024 02:52 PM
- Posted Re: How to deploy updates to inputs.conf, outputs.conf, and deploymentclient.conf files to the "C:\Program Files\Sp on Deployment Architecture. 07-29-2024 04:09 PM
- Posted Re: distsearch.conf and the web interface on Deployment Architecture. 07-26-2024 09:56 AM
- Karma Re: What's the best way to create an alert to tell whether a windows server is shutdown or down ? for gcusello. 07-26-2024 08:32 AM
- Karma Re: How to get full results from 2 queries joined together? for ITWhisperer. 07-22-2024 08:49 AM
- Posted Non replicated internal indexes on Deployment Architecture. 07-19-2024 05:35 PM
- Posted Re: Describe the pattern matching syntax used for 'punct'? on Splunk Search. 07-18-2024 11:31 AM
- Got Karma for Re: How to get full results from 2 queries joined together?. 07-17-2024 11:16 PM
- Posted Re: How to get full results from 2 queries joined together? on Splunk Search. 07-17-2024 01:48 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-05-2023
03:12 PM
I understand that it is by row or cell. I'm clicking on a mv cell and wondering if there is a way to get the index of the cell item I clicked on. My hunch is no ... I've been searching and not finding anything, but thought I would reach out to the experts to see if there might be a trick I'm unaware of.
... View more
07-05-2023
12:14 PM
In a simple XML dashboard is there a way to get the index of a clicked mv field in a dashboard drilldown? For instance, if I click on 5 in the count field of row 1 I would like to also get the user bob into a token. If I know the index of the count that I clicked on I could use $row.user$ and then split it by comma and keep the one with the same index as the count that was clicked. Or maybe there is an even better way to do this ... I'm all ears. host user time count host1 bob joe 2023-07-05 07:36:51 2023-07-05 07:49:32 5 4 host2 steve john 2023-07-05 09:22:02 2023-07-05 06:14:12 4 4 I suppose I could do something like combining values in a field and parsing it on click like the below examples. However, if possible, I would like to have them in separate fields as I think it looks nicer. host user time count host1 bob joe 2023-07-05 07:36:51 2023-07-05 07:49:32 5 {bob} 4 {joe} host2 steve john 2023-07-05 09:22:02 2023-07-05 06:14:12 4 {steve} 4 {john} OR host user | time | count host1 bob | 2023-07-05 07:36:51 | 5 joe | 2023-07-05 07:49:32 | 4 host2 steve | 2023-07-05 09:22:02 | 4 john | 2023-07-05 06:14:12 | 4
... View more
Labels
- Labels:
-
drilldown
-
simple XML
06-27-2023
11:09 AM
Did this get you what you were looking for? If so, please mark the solution as accepted.
... View more
06-26-2023
01:04 PM
The inputlookup command has an append option for it so that you do not have to use a subsearch and the limitations that come with those. index=user
| inputlookup lookup.csv append=true
| eval fromlookup=if(isnull(source), "true", null())
| eval stripped_email_address = replace(email_address, "@xyz.com.*", "@xyz.com")
| stats list(email_address) as email_address list(department) as department values(fromlookup) as fromlookup by stripped_email_address
| where mvcount(email_address) > 1 OR isnull(fromlookup)
... View more
06-26-2023
12:39 PM
This should get you what you want. {your base search here}
| chart useother=f limit=0 count by serviceName, responseCode
... View more
06-26-2023
12:23 PM
Something like this should work. index="xyz" [
| makeresults count=1
| eval fileName="this.is.my.file.received.on."+strftime(_time, "%Y%m")+".test.json"
| fields fileName
| format
]
| {the rest of your SPL}
... View more
06-21-2023
11:39 AM
Oh, goodness! I was not aware of the time() function. That's what I was looking for. Thanks.
... View more
06-21-2023
08:29 AM
The example I gave is a simplified one to show the behavior. My real SPL has the | rest command inside the map. The | rest command does not return _time. I am trying to figure out the time the rest command started for each iteration of the loop. My hunch is this isn't possible.
... View more
06-21-2023
08:26 AM
I was using makeresults as a simplified example to show the behavior. My real SPL is using the rest command inside the map. There is no _time with results returned from | rest. I'm trying to get the time the rest command was started for each iteration of the loop. My hunch is this is not possible.
... View more
06-20-2023
08:53 AM
It appears that using now() inside of the map command will always return the time that the map was started rather than the time for each loop. The below SPL shows an example of this. Does anyone have any thoughts on how to get the time for each iteration of the loop?
| makeresults count=100
| map maxsearches=100 search="| makeresults count=1
| eval outer_time=$_time$
| eval outer_time_formatted=strftime($_time$, \"%Y-%m-%d %H:%M:%S\")
| eval now=now()"
| table outer_time_formatted outer_time _time now
... View more
- Tags:
- map
Labels
- Labels:
-
eval
06-08-2023
11:58 AM
It's not an error. It is a warning (it has the yellow triangle icon). You will see that ... I see that on my servers. That is unavoidable and is a Splunk issue, but it does not affect the results of the search.
... View more
06-08-2023
09:48 AM
1 Karma
I'm not sure this works any more. The update field that is returned from the REST API is always set to"1969-12-31T16:00:00-08:00" for all my servers. Maybe it's just my environment. Anyway, here is an alternate solution. | rest splunk_server=* /services/search/jobs/export search="| makeresults count=1 | rename _time as time" output_mode=csv
| makemv tokenizer="([^\n]+)" value
| eval local_time=now()
| eval remote_time=mvindex(value,1)
| eval local_time_formatted=strftime(local_time, "%Y-%m-%d %H:%M:%S")
| eval remote_time_formatted=strftime(remote_time, "%Y-%m-%d %H:%M:%S")
| eval delta_secs=abs(local_time-remote_time)
| fields splunk_server, local_time_formatted, remote_time_formatted, delta_secs
| sort - delta_secs
... View more
06-08-2023
07:56 AM
It works very well on the multiple search heads I've put it on. Also, this is originally not my macro. I've simply made some tweaks to it to account for some bugs in the original. Originally, this comes from a splunk.com blog post and the source has been put on github.
... View more
06-07-2023
10:31 AM
That's not an error. It's a warning and yes, you will see that. That is unavoidable, but it does not affect the results. Also your server "socsiemfe" needs to be set as a search peer on the search head you are searching from ... if you've not done that already. Otherwise, it will not be able to call the REST api for the "socsiemfe" search head. It can be set up in (Settings -> Distributed search -> Search peers).
... View more
06-07-2023
10:08 AM
Simply running this will not work. rest splunk_server=$server$ /services/search/jobs/export search="| inputlookup $lookup$ It is not correctly formatted. It is missing the pipe at the beginning, the quotes are imbalanced, and the $server$ and $lookup$ tokens are not set. A simplified version of the first line that would be returned from the macro would be the below SPL. The $server$ and $lookup$ tokens are replaced by the macro call. Also, the macro SPL does not have the preceding pipe on purpose. It is expected that the pipe will be supplied before the macro call "| `remotelookup(server,lookup)`". Also, if you do not supply the "output_mode=csv" in the "| rest" command you will not see anything. This is required. | rest splunk_server=local /services/search/jobs/export search="| inputlookup geo_attr_us_states.csv" output_mode=csv
... View more
06-07-2023
09:20 AM
I'm not using the v2 endpoint. Yes it is deprecated, but typically that takes a while to be completely removed as they try to support backwards functionality for a while. Like I said hopefully at some point they either add the GET method for the v2 endpoint or they add an option in the "| rest" command to support POST.
... View more
06-07-2023
09:01 AM
That REST endpoint only supports POST right now now and the "| rest" command only supports GET. So, you cannot use that endpoint in the Splunk UI yet. Hopefully, they will add the GET method to it at some point.
... View more
06-07-2023
08:50 AM
It sounds like what you want to do is join two datasets based on a couple common field. Is that correct? There are a few commands in Splunk that let you do this and it depends upon your use case which you would use. Could you post example data (not real data) with the appropriate field names and an example of what you would like to see as the result?
... View more
06-07-2023
08:40 AM
Try this REST endpoint (/services/search/jobs/export). The "v2" is the problem.
... View more
06-07-2023
08:33 AM
Did this get what you want? If so, please accept the solution. If not, let me know and I'll try and fix whatever isn't right in it. Thanks.
... View more
06-07-2023
08:30 AM
Have you set up the remote server as a search peer? If so is it showing as healthy in the search peers UI? Is the remote server a full Splunk install (not a UF)? This does work with 9.x, although I did have to make a tweak yesterday but it should work now. The code above has been updated. However, the tweak I made should not have corrected the issue you are having. In fact when I tried it on 9.x without the tweak I didn't get an error. So, the fix is probably not related to your issue.
... View more
06-05-2023
03:28 PM
That is a good option. I think my way would work as well, but I like the output of something like this better. It looks cleaner.
... View more
06-05-2023
01:38 PM
After thinking about it more for a bit I think this should work and do the same thing as != for each field/value pair but still allows me to use | format. | format "ip=* AND (NOT" "" "" "" "NOT" ")" I think this should give me the same results. Does this look right?
... View more
06-05-2023
01:28 PM
I have a search and in the initial part of the search I have a subquery that returns some IP addresses formatted like this using the | format command.
(ip="10.10.10.10 OR ip="1.1.1.1" OR ip="2.2.2.2")
I have a different search where I want to negate it. Is there a way to do this? I know that the format command does allow you to do things like this ...
(NOT ip="10.10.10.10 NOT ip="1.1.1.1" NOT ip="2.2.2.2")
However, NOT ip="value" is not the same as ip!="value" in Splunk land. So, I guess I'm wondering if anyone has a great way in a subquery to pass back the field/value pairs with != rather than =. My hunch is | format can't do it, but maybe there is a different way. Hope that makes sense.
... View more
Labels
- Labels:
-
subsearch
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-06-2025
08:00 AM
|
