Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About _gkollias
_gkollias
Builder
Member since:
08-21-2013
02-09-2026
Community Statistics
| Posts | 221 |
| Solutions | 8 |
| Karma Given | 91 |
| Karma Received | 39 |
| Member Since | 08-21-2013 |
Activity Feed
- Karma Splunk Cloud Platform EDU courses! for SplunkCommunity. 01-17-2025 07:10 AM
- Posted Re: File growth rate must be higher than indexing or forwarding rate on Getting Data In. 01-17-2025 06:28 AM
- Karma Re: i want to refresh the dashboard on button click. is it possible? for niketn. 11-27-2023 09:42 AM
- Karma Re: Splunk Agent Status by Host for martin_mueller. 05-12-2023 03:06 PM
- Karma Announcing Our Splunk MVPs for jhupka_splunk. 03-03-2023 05:06 PM
- Got Karma for Re: Why search with postprocessing returns no results in dashboard, but the actual search does?. 02-09-2022 11:17 PM
- Karma Re: What is the difference between Splunk and ELK Stack Elasticsearch in terms of Security, Infrastructure, deployment etc? for outcoldman. 01-17-2022 11:31 AM
- Karma Re: Query for Users, Roles, AD Groups and Indexes. for harsmarvania57. 10-11-2021 02:07 PM
- Karma Re: how to display pattern tab result in report in dashboard? for s2_splunk. 07-23-2021 10:43 AM
- Got Karma for Splunk Agent Status by Host. 07-02-2021 03:06 PM
- Karma Re: Splunk Agent Status by Host for somesoni2. 06-14-2021 08:32 AM
- Karma Re: Splunk Agent Status by Host for martin_mueller. 06-14-2021 08:31 AM
- Karma Re: Splunk Agent Status by Host for Runals. 06-14-2021 08:31 AM
- Karma Re: Splunk Add-on for ServiceNow: How to populate custom mandatory fields in a ServiceNow Incident? for chrisyounger. 03-25-2021 02:03 PM
- Karma Re: Extract data from within only double quotes "*" in a _raw log for niketn. 02-24-2021 12:56 PM
- Posted Re: License Usage by Each Indexer on Splunk Search. 08-18-2020 11:42 AM
- Karma Re: Parse nested json array without direct key-value mapping for to4kawa. 08-18-2020 06:47 AM
- Karma Re: Have I properly configured advanced conditional attributes for my alert in savedsearches.conf? for frobinson_splun. 08-03-2020 01:31 PM
- Posted Re: Parse nested json array without direct key-value mapping on Splunk Search. 07-16-2020 07:01 PM
- Karma Re: Regex/Rex - Non Capture Groups for gcusello. 07-16-2020 01:37 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-16-2015
02:37 PM
Sure thing! Here are the searches:
Inbound
index=contract_gateway sourcetype=esb_audit bp_bp_name=InvoiceAudit SourceSystem=ESB OR SourceSystem=ESB2 earliest=-1d@d
| stats latest(Amount) as Amount, latest(InvoiceNumber) as InvoiceNumber, latest(SourceSystem) as SourceSystem by bp_context_id
| table InvoiceNumber, Amount, SourceSystem
| sort 0 SourceSystem,InvoiceNumber
| dedup InvoiceNumber
| outputcsv inbound_invoice_list_4152015.csv
Outbound
index=contract_gateway sourcetype=esb_audit bp_bp_name=InvoiceAudit SourceSystem=CTG earliest=-1d@d
| stats latest(Amount) as Amount, latest(InvoiceNumber) as InvoiceNumber, latest(SourceSystem) as SourceSystem by bp_context_id
| table InvoiceNumber, Amount, SourceSystem
| sort 0 SourceSystem,InvoiceNumber
| dedup InvoiceNumber
| outputcsv inbound_invoice_list_4152015.csv
The SourceSystem fields are how we differentiate what comes in and what comes out. Also we group the other fields by bp_context_id as this is the unique identifier for each transaction.
Let me know if I can provide any other information - Thanks!
... View more
04-16-2015
02:22 PM
2 Karma
I have two results from two separate searches that give me a list of invoices that came in to our systems and a list of invoices that left our systems.
I want to create a match between the lists to show how many of the invoices came in and went out.
So far what I have done is exported the results using outputcsv due to the results being greater than 10,000.
Any insight on the best way to create a match using these results would be greatly appreciated.
Thanks in Advance.
... View more
02-27-2015
06:26 AM
3 Karma
Good thing I'm pretty cool with a Splunk God 🙂
Here is a "hobo" solution, bro:
Not-so-brief Background -
We needed a solution where we could go back in time greater than yesterday to view various transactional-type statistics (please let me explain :0) ). What was happening was we had a summary index storing this transactional data. Once the scheduled job ran to pick up the latest data, it would be stored in the summary index.
There could be a few problems here - it could be possible that when the job ran the transaction wasn't exactly completed yet, or it could have gone in to some NOT success status where it would later need to be reprocessed. Although that transaction was reprocessed later on, we could not tell from our dashboard that it was - so some success rates would stay low or transactions considered in progress would just sit in a processing bucket with no end in sight 😞 We needed to create an additional summary that acted as a transactional reconcile-er!...? This way we could obtain the absolute latest status of our transactions and display more accurate stats. Then we sort of ran in to this issue where we were overloading our dis usage limit by running this search longer than -24h@h:
Search auto-finalized after disk usage limit (100MB) reached.
THE SOLUTION!
Essentially we can create mini searches which are used as tokens for a specific period of time. Here is the sample solution in simple XML -
<form>
<label>Hobo_SearchSwapper</label>
<fieldset autoRun="true" submitButton="false">
<input type="dropdown" token="tkn_base_timerange_search" searchWhenChanged="true">
<label>Select a timerange:</label>
<default>Last 60 minutes</default>
<choice value="index=main earliest=-60m | timechart span=2m count by host">Last 60 minutes</choice>
<choice value="index=main earliest=-4h | timechart span=15m count by host">Last 4 hours</choice>
<choice value="index=summary earliest=-14h | timechart span=30m count by host">Last 24 hours</choice>
<choice value="index=summary earliest=7d | timechart span=2h count by host">Last 7 days</choice>
</input>
</fieldset>
<row>
<chart>
<searchString>$tkn_base_timerange_search$</searchString>
<option name="charting.chart">line</option>
</chart>
</row>
</form>
Hope this helps anyone interested in this use case!
... View more
02-19-2015
01:54 PM
I am in need of a search-switcher for simple XML. I can't seem to find anything in respect to this out there. If this is not available, does anyone have any ideas on some custom work that could be done to implement this functionality?
Thanks in Advance!
... View more
01-22-2015
01:58 PM
Hello All,
I've installed the SNMP Modular Input, and configured SNMP so that OIDs are coming in at 300 second intervals.
Things look good, but now I'd like to get the MIB indexed so that we get the "real names" rather than the Pycrypto type stuff i.e. SNMPv2-SMI::enterprises."1.3.6.1.4.1.311.0" = n
I downloaded a free SNMP browser tool to help with this (ManageEngine MIB Browser), but don't really know where to go from here.
Any thoughts on how I could get the real names in to Splunk would be a huge help.
Thanks in Advance!
... View more
01-13-2015
05:52 AM
sorry for the late response on this.
This is exactly what I did - thanks for your response!
... View more
12-15-2014
02:01 PM
Hi All,
I have a list of invoice numbers that I want to try and find data for in Splunk. I added the list in a CSV but am having trouble getting other values in Splunk related to those InvoiceNumbers.
Here is where I have left off:
index=contract_gateway sourcetype=esb_audit bp_bp_name=Invoice
| join type=outer InvoiceNumber [ | inputlookup ctg_invoice_check_lookup.csv | table InvoiceNumber ]
Along with this list I want to find other fields being logged (if they have even logged initally)...something like:
...| stats first(InvoiceNumber) as InvoiceNumber, latest(status) as exit_status, latest(other) as exit_message by bp_context_id
is there a way to "append" these values with the list of invoice numbers in Splunk if they are being logged?
Thanks in advance!
... View more
12-10-2014
10:46 AM
Hello,
I am looking for a way to calculate the avg rate of occurrence for a particular field. There are multiple values given in this field, but we want to see at the avg rate how often they occur.
Here is the simple base search which finds all values for exit_status:
index=contract_gateway_summary earliest=-14d@d | stats count by exit_status | dedup exit_status
Any help would be greatly appreciated.
Thanks in advance!
... View more
10-17-2014
05:26 PM
This is more towards what I am looking for! Is there a way to measure by day(s)? Here is a screenshot using your answer:
http://screencast.com/t/9yVnvtpl
I'd like to be able to show something like "Today", 1 Day, or if greater than 1 , "x Days". Here is what I was thinking using the case function:
| eval days_since_last_txn=case(days_since_last_txn=0,"Today",days_since_last_txn=1,"1 Day",days_since_last_txn>1, days_since_last_txn."[".Days."]")
This didn't work for me, but do you have any insight on rounding by number of days?
Thank you!
... View more
10-17-2014
03:07 PM
Hi All,
I might be over thinking this one, but since I've already used _time--> ...| stats earliest(_time) as first_seen, latest(_time) as last_seen, ... |, is it possible find the "current_time"?
What I want to do is do something like ..| eval days_since=(current_time-last_seen)
Is this possible?
Thanks!
... View more
10-15-2014
11:19 AM
This didn't quite work. What I did was send a test email to my own email account, and the dashboard still sent the eReceipt, however the table is not displaying any message. Please view the screenshot:
http://screencast.com/t/CehgFRg7tr
Thanks a lot for your efforts! Please let me know if there is anything else you need from me to resolve this.
... View more
10-15-2014
09:07 AM
Hi Martin, have you had a chance to observe these results? Your help would be greatly appreciated.
Thanks!
... View more
10-15-2014
08:54 AM
Thanks, but I am still getting the same result using ...| rex field=ctgResponse "(?[^<]+)"
...Not 100% sure what the issue is.
... View more
10-15-2014
08:23 AM
It will just be "Ereceipt successfully sent out". Please view this screen shot:
http://screencast.com/t/vXfMwsQmgM
... View more
10-15-2014
06:28 AM
Hi All,
I am having trouble stripping HTML from a response from sending eReceipts to customers via dashboard. Here is the HTML I am trying to strip to only show the message in a pretty human-readable format:
<BODY bgcolor=#dddddd> <TABLE bgcolor=#dddddd border=1> <TR> <TD valign="top"><B>message</B></TD> <TD>Ereceipt successfully sent out</TD> </TR> </TABLE> </BODY>
For testing, I used this search to strip the initial HTML of the response in the search app (it works):
| stats count
| eval ctgResponse=HTML ABOVE
| spath input=ctgResponse output=responseMessage path="BODY.TABLE.TR.TD{2}"
However, when sending an eReceipt to a customer, the dashboard still displays the HTML formatted response.
Here is the search behind the dashboard including the spath command (cgereceiptsresubmit is a custom command):
<title>Your Re-Submit Results:</title>
<searchString> <![CDATA[
|stats count as dummy_field| eval bp_context_id="$bp_context_id$"
| eval PID_OUT="$PID_OUT$"
| eval TPCode="$TPCode$"
| eval OrderNumber="$OrderNumber$"
| eval ShipmentNumber="$ShipmentNumber$"
| eval OrderLink="$OrderLink$"
| eval emailTo="$emailTo$"
| eval emailCC="$emailCC$"
| eval emailBcc="$emailBcc$"
| eval emailSubject="$emailSubject$"
| eval emailBody="$emailBody$"
| fields - dummy_field
| fillnull value=""
| cgereceiptsresubmit
| eval responseMessage=if(responseMessage=="",ctgResponse,responseMessage)
| spath input=ctgResponse output=responseMessage path="BODY.TABLE.TR.TD{2}"
| table resubmit_url,ctg_response, resubmit_error
| rename resubmit_url as "Re-Submit URL", ctg_response as "CTG Response", resubmit_error as "Re-Submit Error Message"
]]>
</searchString>
Any insight on a why this might not be working would be greatly appreciated..
Thanks in advance!
... View more
10-04-2014
09:24 AM
2 Karma
Hi All,
I am looking for duplicate invoices, and have created a search which gives me the total list. However, I would like to summarize the data to show total counts of dupes per day over the last 30 days. Here is my initial search:
index=contract_gateway sourcetype=esb_audit svc_context_name= bp_bp_name=Invoice status=START PublishInvoice earliest=-30d@d
punct="--::._-,,{=..},{|||....|||,||.:|----|||},{||....|}"
| stats count earliest(_time) as start_time, latest(_time) as end_time, first(svc_context_name) as svc_context_name by batch_id
| eval _time=start_time
| eval start_time=strftime(start_time,"%m/%d/%Y %H:%M:%S")
| sort _time
| search NOT batch_id=PO81*
| where count > 1
| table start_time, count,svc_context_name, batch_id
| dedup batch_id
Is there a way to summarize this list? Maybe using the Splunk field "date_wday"?
Thank you in advance!
... View more
10-01-2014
07:34 AM
2 Karma
Hi All,
Is there a way to add multiple values in a drop down to a single choice? For example, I have a drop down with multiple values which really should be under the same status. Here is my example below:
<label>Select a status:</label>
<default>*</default>
<choice value="*">All</choice>
<choice value="SUCCESS">SUCCESS</choice>
<choice value="FAILED">FAILURE</choice>
<choice value="FAIL">FAILURE</choice>
<choice value="FAILURE">FAILURE</choice>
</input>
Is there a way to combine the three failures so that they all fall under "FAILURE"?
Thanks in advance!
... View more
09-19-2014
08:39 AM
OK cool! I added the csv. I think my problem lies in that since orders are routed different, they are stored in different indexes as well. So I think I need to do some more digging and find which indexes they lie in and do an append at first...then maybe switch to index=* (instead of just the initial OrderNo: which you helped extract for a single order). To start, is there a way to table the match just from
orders in index=contract_gateway sourcetype=esb_audit and the OMS csv (index=contract_gateway sourcetype=contract_sunrise)? Your help is greatly appreciated!!
... View more
09-19-2014
07:31 AM
Great idea on using a lookup! I assume there will be a modified search for that. So I could do something like ...base search | lookup as400_orders_lookup.csv OUTPUT OrderNumber|...?
... View more
09-19-2014
05:01 AM
This actually gives me millions of events back since it's looking at all of the other sourcetypes except contract_sunrise. Is there a way correlate the OrderNumber count by making a match? IE for 09/16, this many orders made it to our OMS (the list from the CSV via sourcetype=contract_sunrise) compared to this many orders we see in Splunk that are not on the the list? Please let me know your thoughts!
... View more
09-18-2014
02:08 PM
Great!! The CSV has headers, and I added some configs in props.conf to extract the values and remove the headers..The field is OrderNumber here, and I created a dummy sourcetype (contract_sunrise). I took one order number and found it in two other sourcetypes. The events look like the following:
%Y-%m-%d %H:%M:%S,3Z OrderStatus- INFO OrderStatus - OrderStatus: run: success: Updated OrderNo: OrderNumber, ProcTime(ms): 91 DtlCount: 4, Emailed:
The next is in a summary search
OrderNumber here is found in this field - psrsvd_ss_memUsedMB=OrderNumber
Each order is also routed differently
... View more
09-18-2014
01:48 PM
I tried doing something like index=* 12345 (OrderNumber) to show all of the different indexes the order went through, but I don't necessarily want to track one order from beginning to end. Instead, what I want to try and do is say ok - using this CSV, here are all of the orders in splunk compared to how many are in the CSV. This helps us to find visibilty from CTG to our order mgt system on how many/ which orders made it to the OMS, and which did not. Maybe I need to compare a count? I'm not quite sure how to go about it., but it would great to find some visibility here.
... View more
09-18-2014
12:28 PM
Hello,
I'd like to create a search to show how many transactions are in Splunk compared to how many orders are on the CSV (the number of orders should be the same, but right now we have no visibility to what orders actually hit what is it in the CSV). The goal here is to discover how many transactions are not on the CSV.
I stored the CSV in my home directory, and Splunk picks up the data and forwards it to the following:
index=contract_gateway sourcetype=contract_sunrise
All other orders are located in the same index
index=contract_gateway
Is there a way to display a correlation to table the total amount of orders that are in Splunk compared to how many are in the CSV?
Your help is greatly appreciated.
Thanks in advance!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-09-2026
09:56 AM
|
Karma from
Karma given to
