Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About krdo
krdo
Communicator
Member since:
01-25-2015
06-05-2020
Community Statistics
| Posts | 65 |
| Solutions | 2 |
| Karma Given | 19 |
| Karma Received | 22 |
| Member Since | 01-25-2015 |
Activity Feed
- Got Karma for Re: Why am I gettin the warning "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.". 06-09-2022 05:08 AM
- Got Karma for Re: Rename fields in Props.conf?. 12-07-2021 07:27 AM
- Got Karma for Re: Why am I gettin the warning "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.". 07-05-2021 10:57 PM
- Karma Re: Rest API - Returning 401 Unauthorized for jkat54. 06-05-2020 12:49 AM
- Got Karma for Re: Is it possible to extract dimensions from the source field for metrics imported from CSV files?. 06-05-2020 12:49 AM
- Got Karma for Re: Why am I gettin the warning "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.". 06-05-2020 12:49 AM
- Got Karma for Re: Why am I gettin the warning "Restricting results of the "rest" operator to the local instance because you do not have the "dispatch_rest_to_indexers" capability.". 06-05-2020 12:49 AM
- Karma Re: Why are tokens not replaced in Events drilldown? for niketn. 06-05-2020 12:48 AM
- Karma Re: Can streamstats reset_before (or reset_after) be used with a by clause? for sideview. 06-05-2020 12:48 AM
- Karma Re: Why is it when I drilldown from the second page of my results from a table on my dashboard it shows "No results found"? for jeffland. 06-05-2020 12:48 AM
- Karma Re: Why am I getting DateParserVerbose warnings although DATETIME_CONFIG is set to NONE? for dmaislin_splunk. 06-05-2020 12:48 AM
- Got Karma for Is it possible to use two base searches in one post-processing search?. 06-05-2020 12:48 AM
- Got Karma for Can streamstats reset_before (or reset_after) be used with a by clause?. 06-05-2020 12:48 AM
- Got Karma for Is it possible to use two base searches in one post-processing search?. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a way to run a query only if two other search jobs finish first on the same dashboard?. 06-05-2020 12:48 AM
- Karma Events are not properly split for eirc. 06-05-2020 12:47 AM
- Karma Re: How to search unfinished transaction events and duration without a unique ID? for wpreston. 06-05-2020 12:47 AM
- Karma Re: Events Delayed / Not Split Correctly for woodcock. 06-05-2020 12:47 AM
- Karma Why are collected events in a summary index losing milliseconds from _time in Splunk 6.2.1? for arkadyz1. 06-05-2020 12:47 AM
- Karma Re: Why are collected events in a summary index losing milliseconds from _time in Splunk 6.2.1? for sowings. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 |
10-05-2016
05:49 AM
We moved DATETIME_CONFIG = NONE from the props.conf on the indexer to the forwarder props.conf and it works like a charm. Thanks for pointing that out!
... View more
10-03-2016
10:27 PM
Thanks for the reply,
I'll try that. Should I change the props.conf on the indexer as well?
Does DATETIME_CONFIG even influence the forwarder's behavior? Looking at http://wiki.splunk.com/Community:HowIndexingWorks it seems like it is only used by the indexer.
... View more
10-02-2016
10:49 PM
I've updated my question (added props.conf and a screenshot showing resulting events).
... View more
09-30-2016
02:54 AM
Hi,
I'm forwarding CSV files to Splunk. The timestamp for each event in a file should be set to the file's modtime, therefore I've set DATETIME_CONFIG = NONE for the sourcetype in the props.conf on the indexer. This seems to work, but I'm getting lots of the following warnings:
WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sat Apr 20 02:39:10 2013). Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-31-Values.amf|host::MY_HOST|Application Metrics|112033
WARN DateParserVerbose - A possible timestamp match (Mon Sep 24 17:04:52 2007) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::D:\LogFiles\2016-09\16-09-30\2016-09-30-10-30-Values.amf|host::MY_HOST|Application Metrics|111934
(131364 events produce 1694 warnings)
Why is Splunk trying to find/parse a timestamp? I thought DATETIME_CONFIG = NONE disables the date parser? Is it possible to disable the date parser (for a specific sourcetype)?
Issue occurs on a distributed system (6.4.3) and on a standalone Splunk instance (6.5.0).
EDIT
The props.conf on the forwarder:
###############################################################################
[Application Metrics]
###############################################################################
category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true
# Parsing Phase ###############################################################
CHARSET = UTF-8
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
FIELD_HEADER_REGEX = ^\s*[kK]ey\s*,
PREAMBLE_REGEX = ^\s*#
props.conf on the indexer:
###############################################################################
[Application Metrics]
###############################################################################
category = MyApp
description = Application Metrics (*.amf).
pulldown_type = true
# Parsing Phase ###############################################################
DATETIME_CONFIG = NONE
Events around the time at which the warnings are logged:
... View more
09-20-2016
10:37 PM
Hi gmahe,
We opened a support ticket for this and encountered something strange while doing a remote session: The dashboard actually works when used via a Remote Desktop Connection. I opened a RDP connection to my workstation, refreshed the dashboard which has already been loaded by the browser and everything worked as expected. I disconnected and tried using the dashboard directly on the workstation and the faulted behavior could be observed again.
No that we've upgraded to 6.4.3 we can't observe the faulty behavior anymore.
... View more
04-19-2016
11:18 PM
Thanks for you reply - the example above is fairly simple and it would be no problem to do this. But my actual searches are fare more complex and take some time to execute. Hence I wanted to avoid running the two base searches more than once. The solution you suggested would execute the rate calculation base search each time the user selects a different host.
... View more
04-18-2016
11:53 PM
2 Karma
I have a dashboard similar to this one:
<form>
<label>Multiple Base Searches</label>
<fieldset submitButton="false">
<input type="dropdown" token="selectedHost" searchWhenChanged="true">
<label>Host</label>
<search base="statsBase"></search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<selectFirstChoice>true</selectFirstChoice>
</input>
</fieldset>
<search id="timechartBase">
<query>
index=_internal
| eval count = 1
| timechart per_minute(count) as rate
by host
</query>
<earliest>-10m@m</earliest>
<latest>@m</latest>
</search>
<search id="statsBase">
<query>
index=_internal
| stats count as count by host
| addinfo
| eval rate=count * 60 / (info_max_time - info_min_time)
| fields host rate
</query>
<earliest>-20m@m</earliest>
<latest>-10m@m</latest>
</search>
<row>
<panel>
<single>
<title>Baseline</title>
<search base="statsBase">
<!-- The value of the "rate" field should replace the hard-coded value "123" -->
<query>
where host=$selectedHost|s$
| fields rate
</query>
</search>
</single>
</panel>
<panel>
<chart>
<title>Timechart with baseline overlay</title>
<search base="timechartBase">
<!-- Here i want to use the value of the "rate" field from the "statsBase" search instead of the hard-coded value 123 -->
<query>
fields _time $selectedHost|s$
| eval baseline = 123
</query>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.overlayFields">baseline</option>
</chart>
</panel>
</row>
</form>
Instead of the hard-coded value "123" in the search "Timechart with baseline overlay", I want to use the rate field which is calculated in the "statsBase" search. I could not find anything suitable in the documentation. Is this even possible?
As I workaround, I tried to use the loadjob command to access the result of the second base search as shown in the code below:
<form>
<label>Multiple Base Searches</label>
<fieldset submitButton="false">
<input type="dropdown" token="selectedHost" searchWhenChanged="true">
<label>Host</label>
<search base="statsBase"></search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
<selectFirstChoice>true</selectFirstChoice>
</input>
</fieldset>
<search id="timechartBase">
<query>
index=_internal
| eval count = 1
| timechart per_minute(count) as rate
by host
</query>
<earliest>-10m@m</earliest>
<latest>@m</latest>
</search>
<search id="statsBase">
<query>
index=_internal
| stats count as count by host
| addinfo
| eval rate=count * 60 / (info_max_time - info_min_time)
| fields host rate
</query>
<earliest>-20m@m</earliest>
<latest>-10m@m</latest>
<done>
<!-- Make search results available for loadjob command. -->
<set token="sid">$job.sid$</set>
</done>
</search>
<row>
<panel>
<single>
<title>Baseline</title>
<search base="statsBase">
<query>
where host=$selectedHost|s$
| fields rate
</query>
</search>
</single>
</panel>
<panel>
<chart>
<title>Timechart with baseline overlay</title>
<search base="timechartBase">
<!-- Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression -->
<query>
fields _time $selectedHost|s$
| eval [ | loadjob $sid|s$ | where host=$selectedHost|s$ | return baseline=rate ]
</query>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.overlayFields">baseline</option>
</chart>
</panel>
</row>
</form>
When I open the panel in search using the magnifier icon, the generated search works perfectly however.
I'm on Splunk enterprise 6.3.1 by the way.
... View more
02-08-2016
12:51 AM
New finding: Everything starts to work once you do the following:
1. Select a time range (drag mouse across Timechart) which contains one or more columns.
2. Click on one of the column (parts) within the selection.
Now everything works just as i expect it to. Once you reload the page the behavior is buggy again. Seems like a Splunk bug to me.
... View more
02-05-2016
04:06 AM
Select a part of a column in Timechart: Events with any log_level in the time range of the Timechart are shown (but i want to show only events with the selected log_level during the time of the column).
Select a specific log_level by clicking on a label in the legend: Events with any log_level in the time range of the Timechart are shown (but i want to show only events with the selected log_level).
... View more
02-05-2016
03:56 AM
Hi gyslainlatsa,
I tried your code - with the same result, use cases 2 & 3 don't work. Were you able to reproduce the problem?
... View more
02-03-2016
01:03 AM
Hi,
I'm trying to use both drilldown and selection in a timechart to limit the events shown in an events view (note that this only a simple demo which should work on most systems to reproduce the problem):
<dashboard>
<label>☢ TEST ☢</label>
<row>
<panel>
<title>Timechart</title>
<chart>
<search>
<query>index="_internal" sourcetype="splunkd" | timechart count by log_level</query>
<earliest>-1h@h</earliest>
<latest>@h</latest>
</search>
<option name="charting.chart">column</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">collapsed</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.fieldColors">{ "FATAL": 0x956E96, "ERROR": 0xD85D3C, "WARN": 0xF7902B, "WARNING": 0xF7902B, "INFO": 0x5379AF, "DEBUG": 0xD0D0D0 }</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<drilldown>
<set token="selected.levels">$click.name2$</set>
<set token="selected.timeRange.earliest">$earliest$</set>
<set token="selected.timeRange.latest">$latest$</set>
</drilldown>
<selection>
<set token="selected.levels">*</set>
<set token="selected.timeRange.earliest">$start$</set>
<set token="selected.timeRange.latest">$end$</set>
</selection>
</chart>
</panel>
</row>
<row>
<panel>
<title>Selected Events: $selected.levels$s from $selected.timeRange.earliest$ to $selected.timeRange.latest$</title>
<event>
<search>
<query>index="_internal" sourcetype="splunkd" log_level=$selected.levels|s$</query>
<earliest>$selected.timeRange.earliest$</earliest>
<latest>$selected.timeRange.latest$</latest>
</search>
<option name="count">10</option>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">0</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">table</option>
<fields>host, level</fields>
</event>
</panel>
</row>
</dashboard>
What I want:
Select a time range (drag mouse across Timechart😞 Show all events in the selected time range (log_level does not matter).
Select a part of a column in Timechart: Show all events in the selected time range with the selected log_level.
Select a specific log_level by clicking on a label in the legend: Show all events with the selected log_level in the time range of the Timechart.
What I have:
Using drilldown and selection
1. Works.
2. Does not work; Events with any log_level in the time range of the Timechart are shown.
3. Does not work; Events with any log_level in the time range of the Timechart are shown.
The label of Selected Events briefly shows the correct values but then switches to the wrong ones.
Using drilldown only
1. Does not work; Chart zooms in.
2. Works.
3. Works.
Using selection only
1. Works.
2. Does not work; Default drilldown is performed.
3. Does not work; Default drilldown is performed.
I'm using Splunk Enterprise 6.3.1
Kind regards,
Dominik
... View more
12-10-2015
05:54 AM
1 Karma
I had the same problem. Best documentation i could find was Simple XML Reference (search for trendInterval ). I figured it out using the following query:
| gentimes start=12/09/2015 end=12/10/2015 increment=1h
| streamstats count as n
| eval n=n*n
| eval _time=starttime
| fields _time n
| timechart span=1h sum(n) as count
This query simply generates testdata.
Set the time range for the search to (12/09/2015 00:00:00 to 12/09/2015 24:00:00).
Now try changing Compared to to Custom 3 Hours. The trend compares the last value in the result (576) to the value 3 hours before the last value (441) resulting in a value of 576-441=135 or (576-441)/441=30.6%.
... View more
11-10-2015
06:14 AM
It seems like the documentation explaining how splunk handles precision has been removed; http://docs.splunk.com/Documentation/Splunk/4.2.5/SearchReference/Eval is the last version containing the section Significant figures and precision which is pretty important IMHO.
... View more
11-10-2015
05:50 AM
When I execute the following search
index="does not matter"
| stats count AS value
| eval value=123456.0
| eval x=value/(1024*1024*1024)
| eval y=(value*1.0)/(1024*1024*1024)
I get results which do not quite meet my expectations:
value: 123456.0
x: 0.0001149774
y: 0.00011
Seems like splunk truncates the value. But why? Multiplying by 1.0 should (could, might, ...) transform the value into a floating point number but strangely this results in a less precise result. Is there any documentation on which precision splunk uses for arithmetic operations?
... View more
10-08-2015
06:13 AM
1 Karma
Another way to solve the problem is the following custom JavaScript behavior in the target dashboard (sfatnass's answer shows how to solve the problem in the source dashboard).
require([
'underscore',
"splunkjs/mvc",
"splunkjs/mvc/simplexml/ready!"
], function(_, mvc) {
function MultiselectBehavior()
{
/* Find all multiselect inputs. */
var components = mvc.Components.getInstances().filter(function(item) { return item.options && (item.options.type=='multiselect' || item.options.type=='checkbox'); });
/* Get default tokens. */
var tokens = mvc.Components.get("default");
_(components).each(function(component)
{
// Split single values into multiple values:
// 'Value1,Value2' => ['Value1', 'Value2']
var tokenName = 'form.' + component.settings.get('token');
var tokenValue = tokens.get(tokenName);
if(typeof tokenValue === 'string')
{
tokens.set(tokenName, tokenValue.split(","));
}
console.log("Multiselect behavior enabled for '" + component.options.label + "'.");
});
}
MultiselectBehavior();
});
... View more
10-06-2015
02:37 AM
Yes exactly. The user selects multiple values by checking the checkboxes. The user then clicks on a row (drilldown). The same checkboxes should be selected on the new dashboard. Currently that doesn't work.
... View more
10-06-2015
01:22 AM
I think we are taking about different things here; I don't want to pass a value from the row to the drilldown target. I want to pass the current state of checkbox input (the $form.sourcetypes$ token) to the drilldown target.
... View more
10-05-2015
10:51 PM
This doesn't work, $row.sourcetypes$ isn't defined and therefore Splunk creates a URL similar to this: http://localhost:8000/en-GB/app/search/dashboard2?form.sourcetypes=%24row.sourcetypes%24 (decoded value is $row.sourcetypes$ ).
... View more
10-05-2015
12:58 AM
Hi,
I have a dashboard with a checkbox input allowing the user to select multiple values. Now I want to pass the selected values to a drilldown target (so that the checkboxes are automatically selected).
I've created two dashboards (both use the same code, only the name/drilldown target has been changed):
<form>
<label>Dashboard1</label>
<fieldset submitButton="false">
<input type="time" token="timeRange" searchWhenChanged="true">
<label>Time Range</label>
<default>
<earliest>-60m@m</earliest>
<latest>now</latest>
</default>
</input>
<input type="checkbox" token="sourcetypes" searchWhenChanged="true">
<label>Sourcetypes</label>
<search>
<query>search index="_internal" component="*" | stats count by sourcetype | fields sourcetype | eval label=replace(sourcetype, "[^a-zA-Z0-9]+", " ") | rename sourcetype as value</query>
<earliest>$timeRange.earliest$</earliest>
<latest>$timeRange.latest$</latest>
</search>
<fieldForLabel>label</fieldForLabel>
<fieldForValue>value</fieldForValue>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>sourcetype="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter> OR </delimiter>
</input>
</fieldset>
<row depends="$sourcetypes$">
<panel>
<table>
<search>
<query>index="_internal" $sourcetypes$ | stats count by component | sort -count | rename component as Component count as Count</query>
<earliest>$timeRange.earliest$</earliest>
<latest>$timeRange.latest$</latest>
</search>
<option name="drilldown">row</option>
<option name="count">10</option>
<drilldown>
<link>dashboard2?form.sourcetypes=$form.sourcetypes$</link>
</drilldown>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
</table>
</panel>
</row>
</form>
Now when I click on a row in the table, the second dashboard opens but the input values are not selected.
Splunk creates a drilldown URL similar to this:
http://localhost:8000/en-GB/app/search/dashboard1?form.sourcetypes=splunk_web_service%2Csplunkd
Note there is only one query parameter named form.sourcetypes with the decoded value splunk_web_service,splunkd
When I select the values on the dashboard the current URL changes to something like this:
http://localhost:8000/en-GB/app/search/dashboard1?&form.sourcetypes=splunk_web_service&form.sourcetypes=splunkd
As you can see there are two query parameters, one for each value (splunk_web_service and splunkd)
Is there another way to specify the tokens in the drilldown link? Or is it possible to instruct the checkbox input to use the single value version when the dasboard is loaded?
... View more
07-13-2015
04:28 AM
"Extract data from files with headers" ( http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Extractfieldsfromfileheadersatindextime ) might help
... View more
07-07-2015
02:56 AM
1 Karma
We use UFs and we expect the distributed search and clustering features to be disabled - so is there a way to disable the warning? Did we use a wrong configuration (we only modified deploymentclient.conf , inputs.conf and outputs.conf )?
... View more
07-07-2015
12:32 AM
1 Karma
When I restart the Splunk Universal forwarder, the following warnings get logged (to the _internal index):
07-07-2015 12:34:56.789 +0200 WARN DistributedPeerManager - feature=DistSearch not enabled for your license level
07-07-2015 12:34:56.765+0200 WARN ClusteringMgr - Ignoring clustering configuration, the active license disables this feature.
Do forwarders need to connect to the license master? Or is there another way to get rid of these warnings? The second warning can be suppressed by removing the [clustering] stanza from server.conf , but I don't know how to get rid of the first one.
PS: There is no distsearch.conf on the forwarder.
regards, Dominik
... View more
06-24-2015
02:10 AM
1 Karma
Also happens on Splunk 6.2.3
My workaround is to use ... | eval fractionalSeconds = _time % 1 in the populating search and EVAL-_time = (_time + fractionalSeconds) in my props.conf .
... View more
06-17-2015
10:43 PM
1 Karma
We now use two separate indexes (A and B). Events with sensitive data are re-routed to index B while all others go to index A. A saved search uses summary indexing to select all events from index B, removes fields with sensitive data and adds them to index A. A configuration stanza in props.conf ensures all fields are set to their original values, this way users can search for events as usual. Obviously summary indexing adds a slight delay (WCET 2 minutes in hour case).
Thanks for pointing me in the right direction!
... View more
- « Previous
-
- 1
- 2
- Next »
