Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About cmerriman
cmerriman
Super Champion
Member since:
09-10-2013
09-03-2024
Community Statistics
| Posts | 1451 |
| Solutions | 271 |
| Karma Given | 79 |
| Karma Received | 698 |
| Member Since | 09-10-2013 |
Activity Feed
- Got Karma for Re: What are the differences between append, appendcols, and join search commands?. 2 weeks ago
- Got Karma for Re: How to replace specific field value?. 06-20-2024 06:36 AM
- Got Karma for Re: "Other" in timechart. 01-11-2024 01:30 AM
- Got Karma for Re: Token substitues value with double quotes | unable to use panel token values in DB connect query to compare string values as they need single quotes. 12-14-2023 07:48 AM
- Got Karma for Re: If there are no results found, how do I get my search to return a field that has the value of zero?. 11-17-2023 07:09 AM
- Got Karma for Re: Search Query Help: Number of Events per Event Code and Total size of those events. 08-07-2023 06:54 AM
- Got Karma for Re: Stats (count(x) as countX, count(y) as countY) BY FIELD X. 03-16-2023 06:36 AM
- Got Karma for Re: How to reference a dashboard token in an HTML panel?. 01-30-2023 12:00 AM
- Got Karma for Re: "Other" in timechart. 01-13-2023 05:20 AM
- Got Karma for Re: How do I use the reverse command to change the order of my table?. 01-10-2023 07:29 AM
- Got Karma for Re: Get single value panel to display a "date". 12-27-2022 07:12 AM
- Got Karma for Re: How can I create a query to find dashboard usage and top used dashboards of all the dashboards in my environment?. 09-23-2022 10:13 AM
- Got Karma for Re: How can I create a query to find dashboard usage and top used dashboards of all the dashboards in my environment?. 09-15-2022 05:06 AM
- Got Karma for Re: In a dashboard, how can I remove the panels that say "No results found." with code or something equivalent?. 09-12-2022 01:38 AM
- Got Karma for Re: "Other" in timechart. 08-11-2022 05:22 AM
- Got Karma for Re: "Other" in timechart. 08-07-2022 10:23 PM
- Got Karma for Re: "Other" in timechart. 08-07-2022 10:23 PM
- Got Karma for Re: Why are the two base searches throw warnings in a dashboard?. 08-01-2022 06:04 AM
- Got Karma for Re: How to replace specific field value?. 07-12-2022 12:30 AM
- Got Karma for Re: How to properly use OR and WHERE in splunk. 06-09-2022 12:13 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 1 |
10-14-2016
06:22 AM
Yeah I know that it tokens it. But then if they only brought the one row back, they could use done or another to token.
... View more
10-14-2016
06:17 AM
In your search, can you just add |head 1
... View more
10-14-2016
06:15 AM
Can you post the syntax?
... View more
10-14-2016
05:52 AM
You could compare what the DB Connect is showing to what is actually in your DB table(s)? Might not be the best method, but doing some field comparisons could be pretty automated, depending on the data.
... View more
10-14-2016
05:48 AM
use |streamstats
https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats
it's great for rolling averages. you can do multiple streamstats, one for the 30, 60, and 90 day windows.
... View more
10-14-2016
05:03 AM
could you do
|convert mktime(DATNUM) as epochtime timeformat="%d.%m.%Y"| chart list(VOL_DDC_OUT) by epochtime,host useother=f | tail 15 | sort epochtime|convert ctime(epochtime) as datefield timeformat="%m/%d/%Y"|fields - epochtime
... View more
10-13-2016
02:49 PM
Could you try |join type=left host IP ?
... View more
10-13-2016
02:14 PM
Is the join on uidn and timestamp?
|inputlook first.csv |join uidn timestamp [|inputlookup second.csv|rename DN as DN2]
... View more
10-13-2016
11:17 AM
1 Karma
Also, there are much more UI edit features in 6.5 than previous versions, if you're on an older version.
... View more
http://docs.splunk.com/Documentation/Splunk/6.3.5/Report/Embedscheduledreports
this is the doc for 6.3.5
the embed.enabled parameter is in savedsearches.conf. you should be able to change it there?
... View more
10-13-2016
10:07 AM
or create a separate field and convert DATNUM to an epoch field and just sort by that.
... View more
10-13-2016
10:06 AM
it's because 01 is less than 17, I'd bet. Can you reformat the date to be Month/Day/Year? Or create a separate date field for Month/Day/Year that you sort by and then do a fields - MDY to hide that field in the output?
... View more
10-13-2016
09:45 AM
2 Karma
Have you read this doc
http://docs.splunk.com/Documentation/DBX/2.3.1/DeployDBX/Configuresecurityandaccesscontrols
... View more
10-13-2016
08:44 AM
Try adding a dc(id) by _time to your searches and see how many ids you actually have per _time
... View more
10-13-2016
08:40 AM
What I meant was that the table is only bringing back two fields and all other fields are lost and when you run the dedup without table, all other fields are still available (same with when you use "fields" instead of table). That could b e why. Not that field values are missing, but that fields themselves are gone.
... View more
Have you tried to enable it through the original way in the report?
In the report, click edit>embed>enable report embedding
http://docs.splunk.com/Documentation/Splunk/6.5.0/Report/Embedscheduledreports
... View more
10-13-2016
07:37 AM
It may be because with the table command the only two fields available are Id and time and without it has all fields? Dedup keeps the first event with the specified fields and dumps the rest.
Not sure if that's right but it's the best I've got.
https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Dedup
... View more
10-13-2016
05:08 AM
I know, I ran into this issue this past year with wanting to export panels that were run off of a base search so I had to recreate my dashboard through Sideview. It was a bit tedious, but that was the only work around I could find.
I did however talk with some members of the dashboard team at .conf this year, and hopefully that feature is in the pipeline now.
... View more
10-12-2016
07:33 AM
1 Karma
useother=f just leaves the 'other' field out of the results but still limits the amount of fields returned.
... View more
10-12-2016
07:29 AM
however, richgalloway is correct that it is deprecated. if you can, try to use simple xml.
... View more
10-12-2016
07:25 AM
1 Karma
You can't simply convert anymore. You'd have to use the Sideview Editor app and create a dashboard with advanced XML.
... View more
10-11-2016
02:10 PM
do you have db connect v1 or v2? if you are on v2, I think it is OUTPUTNEW instead of OUTPUT.
http://docs.splunk.com/Documentation/DBX/2.3.1/DeployDBX/Createandmanagedatabaselookups
... View more
10-10-2016
08:06 AM
2 Karma
case is for multiple arguements whereas if for three.
eval field=if(x=1,y,z) >>> if x is 1, then y, otherwise z
eval field=case(x=1,y,x=2,z,1=1,"other") >> if x is 1, then y, if x is 2, then z, if x is anything other 1 or 2, then "other"
the performance of them if they have the same x,y,z argument, is probably the same, but they were created for different reasons.
http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions
... View more
10-10-2016
06:20 AM
index=tv_viewing_log |join channel date [search index=tv_program_data] |eval watched=if(startWatch>=startAir AND startWatch<=endAir,1,0)|search watched=1
where startWatch is 0800 is Time began to see, startAir is 0730 is Broadcast start time and endAir is 0900 is Broadcast end time in your example
maybe something like this?
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-03-2024
12:56 PM
|
Karma from
Karma given to
