Hey Splunksters, Noob here. The query below is for a dashboard panel that lets me toggle to see (for example) sourcetypes/ hosts that haven't sent data in 24 hours, but not more than 48 hours. It works, but its super slow. Any thoughts on the easiest way to speed this up? Perhaps a saved search? / loadjob? lookup? of so, what would the query for that look like???.. Any help is much appreciated! <form> <label>Missing Data Dashboard</label> <fieldset autoRun="true" submitButton="false"> <input type="dropdown" token="simple"> <label>Select Period</label> <choice value="1">Missing 1 day</choice> <choice value="2">Missing 2 days</choice> <choice value="3">Missing 3 Days</choice> <choice value="4">Missing 4 Days</choice> <choice value="5">MIssing 5 Days</choice> <choice value="6">MIssing 6 Days</choice> <choice value="7">MIssing 7 Days</choice> <choice value="8">Missing 8 Days</choice> <choice value="9">Missing 9 Days</choice> <default>1</default> </input> <input type="dropdown" token="simple_2"> <label>Select Cutoff</label> <choice value="2">Not > 2 Days</choice> <choice value="3">Not > 3 Days</choice> <choice value="4">Not > 4 Days</choice> <choice value="5">Not > 5 Days</choice> <choice value="6">Not > 6 Days</choice> <choice value="7">Not > 7 Days</choice> <choice value="8">Not > 8 Days</choice> <choice value="9">Not > 9 Days</choice> <default>2</default> </input> </fieldset> <row> <panel> <title>Select Day for Silent Hosts / Sourcetypes (Last 15 Days)</title> <table> <search> <query>| tstats latest(_indextime) as lt by host sourcetype | eval timeLastSeenCheck=relative_time(now(), "-$simple$d@d"), newer_than=relative_time(now(), "-$simple_2$d@d") | eventstats count(host) as tots_hosts by sourcetype | eventstats dc(sourcetype) as tots_st by host | where lt < timeLastSeenCheck and lt>newer_than | eventstats count(host) as ghost_hosts by sourcetype | eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100 | eventstats dc(sourcetype) as ghost_st by host | eval percent_ghost_st = (ghost_st / tots_st) * 100 | convert ctime(timeLastSeenCheck) as Time_LAst_Seen_Check timeformat="%Y/%m/%d %H:%M" | convert ctime(lt) as "Cutoff" timeformat="%Y/%m/%d %H:%M" | dedup sourcetype | rename host as Host sourcetype as Sourcetype percent_ghost_host as "This Hosts Percentage Missing to Whole" percent_ghost_st as "This Sourcetypes Percentage Missing to Whole" tots_hosts as "Total Count of Hosts by Sourcetype" tots_st as "Total Count of Sourcetypes by Host" ghost_hosts as "Count of Missing Hosts" ghost_st as "Count of Missing Sourcetypes" Time_LAst_Seen_Check as "Day Last Seen" | table Host Sourcetype "Total Count of Hosts by Sourcetype" "Count of Missing Hosts" "This Hosts Percentage Missing to Whole" "Total Count of Sourcetypes by Host" "Count of Missing Sourcetypes" "This Sourcetypes Percentage Missing to Whole" "Day Last Seen" "Cutoff"</query> <earliest>-15d</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> <row> ... View more

Hey splunksters, The following dashboard allows the user to select a timeframe to show hosts/sourcetypes that havent reported in. For instance, the current selection dropdown allows them to select everything that hasnt reported in for 24 hours...I'd like to change it with a second token (or something) that shows hosts/st that havent reported in 24 hours but not greater than 48 hours... I assume it involves adding a second token and changing the "where" clause in the search query to some thing like | where lt < timeLastSeenCheck AND timeLastSeenCheck > secondtoken However, I'm having trouble getting it to work..any help is much appreciated! Thanks! <label>missing data alert panels (under construction) Clone Clone</label> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="simple"> <label>Simple Time Picker</label> <choice value="1">Over 24 Hours</choice> <choice value="2">Over 48 Hours</choice> <choice value="3">Over 72 Hours</choice> <choice value="4">Over 96 Hours</choice> <default>1</default> </input> </fieldset> <row> <panel> <title>Host / Sourcectype Silent (15 day grab)</title> <table> <search> <query>| tstats latest(_indextime) as lt by host sourcetype | eval timeLastSeenCheck=relative_time(now(), "-$simple$d@d") | eventstats count(host) as tots_hosts by sourcetype | eventstats dc(sourcetype) as tots_st by host | where lt < timeLastSeenCheck | eventstats count(host) as ghost_hosts by sourcetype | eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100 | eventstats dc(sourcetype) as ghost_st by host | eval percent_ghost_st = (ghost_st / tots_st) * 100 | convert ctime(timeLastSeenCheck) as Time_LAst_Seen_Check timeformat="%Y/%m/%d %H:%M" | dedup sourcetype | rename tots_hosts as Total_hosts_by_ST tots_st as DC_Total_ST_by_HOST | table host sourcetype percent_ghost_host percent_ghost_st Total_hosts_by_ST ghost_hosts DC_Total_ST_by_HOST ghost_st Time_LAst_Seen_Check</query> <earliest>-15d</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">10</option> <option name="dataOverlayMode">none</option> <option name="drilldown">none</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> </row> </form> ... View more

Hey spunksters, My query below shows hosts/sourcetypes that have been silent for a week. I was wondering if there was a way to add a token to the where clause (currently set at one week) so that the user could update that query to show hosts/sourcetype that have been silent for a different time period ??? Any help is musch appreciated ! | tstats latest(_time) as lt by host sourcetype | eval NOW=now() | eval difftime=NOW-lt | rangemap field=difftime "0 - 60 Min"=0-3600 "1 - 24 Hours"=3601-86400 "1-7 Days"=86401-604800 default="Greater than 1 Week" | eventstats count(host) as tots_hosts by sourcetype | eventstats count(sourcetype) as tots_st by host | where difftime >= 604801 | eventstats count(host) as ghost_hosts by sourcetype | eval percent_ghost_host = (ghost_hosts / tots_hosts) * 100 | eventstats count(sourcetype) as ghost_st by host | eval percent_ghost_st = (ghost_st / tots_st) * 100 | dedup sourcetype | table host sourcetype difftime range percent_ghost_host percent_ghost_st tots_hosts ghost_hosts tots_st ghost_st ... View more

Hey splunksters, Noob here. Title says it all. (Example would be if a DB connect input stops sending data because of a password expiration ...we would get an alert)* Unfortunately, I cant just go download an app for this-have to do it by spl query. Anybody have any cool suggestions! Thanks splunksters! ... View more

Hey Splunksters, Noob here. I have a dashboard that can add values (server names) to a lookup so users can easily blacklist servers. The xml below works. However, I need to add a button so the user can remove the server from the blacklist when they are finished. Any thoughts? Thanks! <form> <label>Dashboard Blacklist Toggle</label> <fieldset submitButton="true" autoRun="false"> <input type="text" token="hostname"> <label>Host</label> </input> </fieldset> <row rejects="$field1$"> <panel> <table> <search> <query>| inputlookup alert_blist.csv | table host</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row depends="$field1$"> <panel> <table> <search> <query>| inputlookup alert_blist.csv | append [ | makeresults | eval host="$hostname$"| fields - _time ] | table host | outputlookup alert_blist.csv</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> ... View more

Hey Splunksters, Noob here. Trying to build a dashboard with a submit button so user can blacklist a server?? Thinking I need to add a line to the lookup that no one can see, and then read and write to that area of the lookup. Incorporate into dashboard with a submit button. Here is the query portion my coworker was kind enough to get me started below. Any help is much appreciated. Also, any thoughts on how to creatively make sure that users aren't overwriting each others changes accidentally | inputlookup alert_blacklist.csv | streamstats count as count | eval hidden_hosts = if(host = "SPLUNK ADMIN ONLY HOSTS ABOVE", 'count', 0) | eventstats max(hidden_hosts) as hidden_hosts | search count > 'hidden_hosts' Thanks!!! ... View more

Hey Splunkers, Noob. Trying to only retrieve the log names (ex. utility.log) after the last slash blah\blah\blah\logs\error.log blah\blah\blah\logs\audit.log blah\blah\blah\logs\utility.log blah\blah\blah\logs\service.log blah\blah\blah\logs\servlet.log Does anyone have any ideas as to why my regex returns the error below? Thanks all! | rex field=source "\\\([^\\\]+)$" Error in 'rex' command: Encountered the following error while compiling the regex '([^]+)$': Regex: missing terminating ] for character class. P.S. The regex I am using above worked on regex 101 ... View more