Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About cmerriman
cmerriman
Super Champion
Member since:
09-10-2013
08-12-2025
Community Statistics
| Posts | 1453 |
| Solutions | 271 |
| Karma Given | 79 |
| Karma Received | 707 |
| Member Since | 09-10-2013 |
Activity Feed
- Got Karma for Re: DMA - datamodel artifacts filling up the dispatch dir. 10-15-2025 06:44 AM
- Got Karma for Re: Reset all inputs to default in dashboard studio?. 07-21-2025 10:38 AM
- Got Karma for Re: Reset all inputs to default in dashboard studio?. 06-16-2025 01:48 PM
- Posted Re: Reset all inputs to default in dashboard studio? on Dashboards & Visualizations. 06-16-2025 01:30 PM
- Posted Re: DMA - datamodel artifacts filling up the dispatch dir on Splunk Enterprise Security. 06-16-2025 12:28 PM
- Got Karma for Re: How can I create a query to find dashboard usage and top used dashboards of all the dashboards in my environment?. 05-20-2025 10:04 AM
- Got Karma for Re: How do you display a blank panel?. 05-19-2025 07:07 AM
- Got Karma for Re: Count of events based on two where conditions. 05-06-2025 04:45 PM
- Got Karma for Re: How to add final total count of results without adding another column?. 04-14-2025 06:24 PM
- Got Karma for Re: How do I add yesterday's date to an emailed report subject?. 03-13-2025 10:20 AM
- Got Karma for Re: Token substitues value with double quotes | unable to use panel token values in DB connect query to compare string values as they need single quotes. 02-25-2025 02:12 PM
- Got Karma for Re: What are the differences between append, appendcols, and join search commands?. 11-06-2024 02:19 AM
- Got Karma for Re: How to replace specific field value?. 06-20-2024 06:36 AM
- Got Karma for Re: "Other" in timechart. 01-11-2024 01:30 AM
- Got Karma for Re: Token substitues value with double quotes | unable to use panel token values in DB connect query to compare string values as they need single quotes. 12-14-2023 07:48 AM
- Got Karma for Re: If there are no results found, how do I get my search to return a field that has the value of zero?. 11-17-2023 07:09 AM
- Got Karma for Re: Search Query Help: Number of Events per Event Code and Total size of those events. 08-07-2023 06:54 AM
- Got Karma for Re: Stats (count(x) as countX, count(y) as countY) BY FIELD X. 03-16-2023 06:36 AM
- Got Karma for Re: How to reference a dashboard token in an HTML panel?. 01-30-2023 12:00 AM
- Got Karma for Re: "Other" in timechart. 01-13-2023 05:20 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 1 |
10-14-2016
06:17 AM
In your search, can you just add |head 1
... View more
10-14-2016
06:15 AM
Can you post the syntax?
... View more
10-14-2016
05:52 AM
You could compare what the DB Connect is showing to what is actually in your DB table(s)? Might not be the best method, but doing some field comparisons could be pretty automated, depending on the data.
... View more
10-14-2016
05:48 AM
use |streamstats
https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Streamstats
it's great for rolling averages. you can do multiple streamstats, one for the 30, 60, and 90 day windows.
... View more
10-14-2016
05:03 AM
could you do
|convert mktime(DATNUM) as epochtime timeformat="%d.%m.%Y"| chart list(VOL_DDC_OUT) by epochtime,host useother=f | tail 15 | sort epochtime|convert ctime(epochtime) as datefield timeformat="%m/%d/%Y"|fields - epochtime
... View more
10-13-2016
02:49 PM
Could you try |join type=left host IP ?
... View more
10-13-2016
02:14 PM
Is the join on uidn and timestamp?
|inputlook first.csv |join uidn timestamp [|inputlookup second.csv|rename DN as DN2]
... View more
10-13-2016
11:17 AM
1 Karma
Also, there are much more UI edit features in 6.5 than previous versions, if you're on an older version.
... View more
http://docs.splunk.com/Documentation/Splunk/6.3.5/Report/Embedscheduledreports
this is the doc for 6.3.5
the embed.enabled parameter is in savedsearches.conf. you should be able to change it there?
... View more
10-13-2016
10:07 AM
or create a separate field and convert DATNUM to an epoch field and just sort by that.
... View more
10-13-2016
10:06 AM
it's because 01 is less than 17, I'd bet. Can you reformat the date to be Month/Day/Year? Or create a separate date field for Month/Day/Year that you sort by and then do a fields - MDY to hide that field in the output?
... View more
10-13-2016
09:45 AM
2 Karma
Have you read this doc
http://docs.splunk.com/Documentation/DBX/2.3.1/DeployDBX/Configuresecurityandaccesscontrols
... View more
10-13-2016
08:44 AM
Try adding a dc(id) by _time to your searches and see how many ids you actually have per _time
... View more
10-13-2016
08:40 AM
What I meant was that the table is only bringing back two fields and all other fields are lost and when you run the dedup without table, all other fields are still available (same with when you use "fields" instead of table). That could b e why. Not that field values are missing, but that fields themselves are gone.
... View more
Have you tried to enable it through the original way in the report?
In the report, click edit>embed>enable report embedding
http://docs.splunk.com/Documentation/Splunk/6.5.0/Report/Embedscheduledreports
... View more
10-13-2016
07:37 AM
It may be because with the table command the only two fields available are Id and time and without it has all fields? Dedup keeps the first event with the specified fields and dumps the rest.
Not sure if that's right but it's the best I've got.
https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Dedup
... View more
10-13-2016
05:08 AM
I know, I ran into this issue this past year with wanting to export panels that were run off of a base search so I had to recreate my dashboard through Sideview. It was a bit tedious, but that was the only work around I could find.
I did however talk with some members of the dashboard team at .conf this year, and hopefully that feature is in the pipeline now.
... View more
10-12-2016
07:33 AM
1 Karma
useother=f just leaves the 'other' field out of the results but still limits the amount of fields returned.
... View more
10-12-2016
07:29 AM
however, richgalloway is correct that it is deprecated. if you can, try to use simple xml.
... View more
10-12-2016
07:25 AM
1 Karma
You can't simply convert anymore. You'd have to use the Sideview Editor app and create a dashboard with advanced XML.
... View more
10-11-2016
02:10 PM
do you have db connect v1 or v2? if you are on v2, I think it is OUTPUTNEW instead of OUTPUT.
http://docs.splunk.com/Documentation/DBX/2.3.1/DeployDBX/Createandmanagedatabaselookups
... View more
10-10-2016
08:06 AM
2 Karma
case is for multiple arguements whereas if for three.
eval field=if(x=1,y,z) >>> if x is 1, then y, otherwise z
eval field=case(x=1,y,x=2,z,1=1,"other") >> if x is 1, then y, if x is 2, then z, if x is anything other 1 or 2, then "other"
the performance of them if they have the same x,y,z argument, is probably the same, but they were created for different reasons.
http://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/CommonEvalFunctions
... View more
10-10-2016
06:20 AM
index=tv_viewing_log |join channel date [search index=tv_program_data] |eval watched=if(startWatch>=startAir AND startWatch<=endAir,1,0)|search watched=1
where startWatch is 0800 is Time began to see, startAir is 0730 is Broadcast start time and endAir is 0900 is Broadcast end time in your example
maybe something like this?
... View more
10-07-2016
09:12 AM
https://regex101.com/ is a great place to learn/practice regex
so what (?12[^\s]+)\s(?[^\s]+)\s(?.) is doing is naming the first group host and starting it when it sees '12' stopping at a white space (\s) the second group is HSM and then stops at the next white space. the last group is CONN_STATUS and collects everything until the end of the string (.)
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-12-2025
10:31 AM
|
Karma given to
