Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About harshal_chakran
harshal_chakran
Builder
Member since:
09-26-2013
08-01-2025
Community Statistics
| Posts | 206 |
| Solutions | 5 |
| Karma Given | 25 |
| Karma Received | 35 |
| Member Since | 09-26-2013 |
Activity Feed
- Posted How to achieve drilldown from Dashboard Studio with results field value passed to it as token? on Dashboards & Visualizations. 06-19-2023 06:02 AM
- Posted Why are we receiving asyncio.TimeoutError while setting up 'Splunk Add-on for Salesforce Streaming API'? on Splunk Search. 02-15-2022 05:29 AM
- Karma Re: How to identify where the Splunk roles - authorize.conf is located in an app for isoutamo. 02-15-2022 05:24 AM
- Karma Re: How to identify where the Splunk roles - authorize.conf is located in an app for gcusello. 02-15-2022 05:23 AM
- Posted How to identify where the Splunk roles - authorize.conf is located in an app on Splunk Search. 02-07-2022 08:42 AM
- Posted Re: How to find the indexes.conf and monitor stanza for certain indexes in multisite environment on Monitoring Splunk. 10-12-2021 12:14 AM
- Posted How to find the indexes.conf and monitor stanza for certain indexes in multisite environment on Monitoring Splunk. 10-11-2021 06:08 AM
- Got Karma for Re: How to get kvstore data using Splunk's REST API in CSV format?. 06-05-2020 12:50 AM
- Got Karma for How to get kvstore data using Splunk's REST API in CSV format?. 06-05-2020 12:50 AM
- Karma Re: Why is KV store initialization failing after fassert() error in mongod.log? for scottrunyon. 06-05-2020 12:48 AM
- Got Karma for Re: what would be the cron expression when i want my alert to run in every 8 yours. 06-05-2020 12:48 AM
- Got Karma for Re: Why does my search return error "Unable to parse the search: Comparator '=' is missing a term on the right hand side"?. 06-05-2020 12:48 AM
- Karma Re: Cannot display the Plot from R on splunk for rfujara_splunk. 06-05-2020 12:47 AM
- Karma Re: How to create add-on and where to code for further processing for MuS. 06-05-2020 12:47 AM
- Karma Re: What is the recommended hardware Configuration and License requirement for below for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: How to replace column values in a CSV with static text? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: How to extract all values for a single field using rex? for wpreston. 06-05-2020 12:47 AM
- Karma Re: How to extract all values for a single field using rex? for wpreston. 06-05-2020 12:47 AM
- Karma Re: How to join two tables with default row if tables do not match? for sideview. 06-05-2020 12:47 AM
- Got Karma for Re: Merge Multiple Events into a Single Event. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
03-28-2017
02:26 PM
@harshal_chakranarayan,
I'm sorry we missed this for a few weeks; did you ever resolve the issue? We will look into it.
... View more
02-02-2017
08:09 PM
Hi, thanks for sharing the link - this will help me.
Yes, rmasuoka definitely deserves an up vote.
... View more
02-02-2017
08:14 PM
Thanks skadadi,
Eagerly waiting for this feature.
... View more
03-10-2020
12:36 PM
Great answer. Thank you!
... View more
01-31-2017
05:47 AM
i see your point - however, further entries:
12/02/2015 12:00:00 AM, Execute Time: 1415
12/02/2015 12:00:00 AM, Execute Time: 1500
12/02/2015 12:00:00 AM, Execute Time: 1515
12/02/2015 12:00:00 AM, Execute Time: 1315
... View more
07-17-2017
04:08 AM
Check the macro definition in macros.conf at the location /opt/splunk/etc/apps/digitalguardian_web . In my case, the marco was wrongly defined.
$SPLUNK_HOME$/etc/apps/digitalguardian_web/local/macros.conf
Wrong Definition -
[index_macro]
definition = index=digitalguardian
Right Definition
[index_macro]
definition = digitalguardian
... View more
01-30-2017
09:56 PM
Well, this worked for me.
Do check if you have not missed the "" , i.e. `|search search="*eventtype=ABC"`
For macro, try the following:
| rest /servicesNS/-/-/admin/macros splunk_server=local |search definition="*eventtype=ABC*"| table title definition
... View more
01-23-2017
10:41 PM
DBConnect is not taking it as Timestamp format.
I have also tried : yyyy-MM-dd HH:mm:ss.S XXX as the timezone used is in +1:00 format, but still doesn't work
... View more
01-26-2018
09:39 AM
Can you inject html in that field? So say create a clickable link as part of the description..?
... View more
10-20-2016
01:40 AM
I don't think so!
maybe you could print your dashboard in a pdf scheduling it, but I don't know if it's acceptable for you.
Maybe (but I didn't tried it before!) You could append all your searches creating a single one report and schedule it to have all the result
in a single CSV, but every way nont in a single button!
Bye.
Giuseppe
... View more
10-18-2017
01:09 AM
Hello, I have the same question:
We need to Export an Dashboard with many different Panels to a Excel file.
Every Splunk Dashboard Panel should use an own Excel-Sheet in the exported Excel file?
How can we do that?
Is the App "Splunk for Excel Export" (https://splunkbase.splunk.com/app/760/) a solution here or do it not have the ability to export a full (and big) Dashboard to an Excel file with one excel-sheet per dashboard-panel?
... View more
08-04-2019
12:56 PM
Here is what I would do. Create 2 base searches, one with index=xyz sourcetype=abc ... | addinfo and another with index=def ... | addinfo and at the end of each, have a section like this:
<done>
<condition>
<set token="xyz_job_token">$result.info_sid$</set>
</condition>
</done>
Then you can load the event data in any panel/search with | loadjob $xyz_job_token$ or | loadjob $def_job_token$ as many times and in as many places as you like/need with no additional search penalty (other than RAM to load the events).
... View more
10-18-2016
01:22 PM
If all else fails, you can bring the timeframe tokens into the search itself and then use subsearches and SPL to ensure that if your token is null, that a value of "0" is used instead. Here is a basic search that shows you what I mean:
index=main [|makeresults
| eval earliest=null(), latest="9999" | fields - _time
| eval earliest=coalesce(earliest, "0")
| format "" "" "" "" "" ""
| rex field=search mode=sed "s/\"//g"]
The important part to notice is is the coalesce command and the fact that you will not be using literal values like "9999" but your tokens like "$time.earliest$".
... View more
10-09-2016
11:11 PM
Thanks Cusello, thanks for the anwser.
I am good to go with newly formed axis labes like- Param1 Jan16, Param2 Jan16...Param1 Feb16, Param2 Feb16...
... View more
09-22-2016
06:54 AM
You need to use unarchive_cmd . Here is a good tutorial:
http://blogs.splunk.com/2011/07/19/the-naughty-bits-how-to-splunk-binary-logfiles/
... View more
07-07-2015
06:40 AM
I am assuming that you are getting "Waiting for data to load" (you really should be more specific). Generally the problem is that you have a token in your search somewhere that does not have a value. This happens EITHER when you are using a token, say tokenx , and have mis-spelled it somewhere (e.g. Tokenx , tokenX or even toknex ) OR when you are copying a search string from somewhere else and do not notice that it has a token buried in it and you have not set this token. It can also happen if you have a search string copied from a working search bar example that uses the $field name$ syntax to specify that a thing is a field name and not a string. In such a case, you need to translate it to $$field name$$ inside your dashboard to escape the dashbaord from using it is a token.
... View more
07-02-2015
12:09 AM
2 Karma
Yes, simply eval that field:
inputlookup ... | eval Result=if(match(Value, "0"),"Red","Green")
match in eval expects a regular expression as its second argument, so you can adjust that to your needs.
... View more
06-27-2015
10:18 AM
1 Karma
If you put 1.5TB of license on the table building that relationship should be quick and easy 😄
... View more
06-09-2015
12:49 PM
3 Karma
Let's say your lookup is named "myLookup", then here's what you want. The rows that are a match for all three values, (parameter, value and result) will get the corresponding color1 and color2 values from the lookup. The rows that are not a match will end up with whatever color1 and color2 values are listed in the row that has the value "def" for all three fields.
<your search terms> | lookup myLookup parameter value result OUTPUT color1 color2 |fillnull defaultParameter defaultValue defaultResult value="def" | lookup myLookup parameter as defaultParameter value as defaultValue result as defaultResult OUTPUT defaultColor1 defaultColor2 | eval color1=coalesce(color1,defaultColor1) | eval color2=coalesce(color2,defaultColor2)
And I don't normally advise using append or join, but in cases where the subsearch is extremely efficient and returns only a couple rows, their drawbacks don't really come into play.
Since the above example runs the lookup twice, and with a join command all you're joining in is an inputlookup search yielding only a single row, the join command way below is a viable alternative.
<your search terms> | lookup myLookup parameter value result OUTPUT color1 color2 | eval foo=1 | join foo [| inputlookup myLookup | search parameter="def" value="def" result="def" | rename color1 as defaultColor1 defaultColor2 | eval foo=1 | table foo defaultColor1 defaultColor2] | fields - foo | eval color1=coalesce(color1,defaultColor1) | eval color2=coalesce(color2,defaultColor2)
Or instead of the eval+coalesce at the end you can avail yourself of the join command's overwrite argument.
<your search terms> | lookup myLookup parameter value result OUTPUT color1 color2 | eval foo=1 | join overwrite=f foo [| inputlookup myLookup | search parameter="def" value="def" result="def" | eval foo=1 | table foo color1 color2] | fields - foo
... View more
05-29-2015
05:29 AM
Yes you can do this by using drilldown as well as you can pass values by token, may be below link will help you.
http://docs.splunk.com/Documentation/Splunk/6.2.3/Viz/Dynamicdrilldownindashboardsandforms
... View more
05-21-2015
04:37 AM
As vganjare mentions it would be handy to get an idea of what you are doing with your lookup. At any rate I think what you are looking for is when you do a | lookup somefile.csv you need to put append=true. As an example here is the first of 2 queries used to track systems that stop sending logs. This one tracks the last time a host sent in logs (runs every 4 hrs) and others run every 8 and run a check against the last_seen field.
index=foo | eval host=lower(host) | rex field=host "(?<host>(^[^0-9]\S[^\.]+)|(^[0-9]\S+))" | stats max(_time) AS last_seen by host | inputlookup append=T hosts_list.csv | stats max(last_seen) AS last_seen by host | eval right_now = now() | eval time_diff = right_now - last_seen | where time_diff < (86400 * 3) | table host last_seen | outputlookup hosts_list.csv
Relative to your question I'm getting results from a query, adding those results to the csv, manipulating the results, and then writing the results back to the csv. The 2 almost back to back stats commands are because once you've appended the results to the existing csv most systems will have 2 lines and I'm only interested in keeping the latest.
BTW I do this as a csv because if a system is decommissioned I can simply remove it from the list.
... View more
03-22-2016
11:05 PM
Hi i am new to splunk, can you please give me a sample code which i can use?
... View more
03-20-2015
09:03 AM
I think you are assuming that the date that you have in your first column is going to be the date that it will use for the event, which is not the case because it is not a complete date. It is going to use the date of the file or the date of indexing, depending on the way you are putting the data into Splunk.
Use a complete date in the column and you might get the results you are expecting. A date like "01-Jan-15 00:00:00" is a complete date and Splunk will respect the date for the event (read: line or row).
With a proper date, then timestamp for the row will be able to be used with the timepicker because the event _time will match the data on the row.
... View more
02-24-2016
02:26 PM
In your app (I'll use the default search app as the example though) you edit the event_renderers.conf file. For the default search app this would be under Splunk/etc/users/%user% (for example admin)/search/local. In this file you will find an example like below.
[eventtype_name_stanza]
css_class = et_red
eventtype = eventtype_name
priority = 6
The colour is being set by "css_class = et_red" from the file application.css which for the default search app would be under Splunk/etc/apps/search/appserver/static. You can even play with this real time in Firefox or Chrome by editing the html on the search results page.
By default it will be like so (standard white no eventtype colours).
<td class="expands " tabindex="0"><a><i class="icon-triangle-right-small"></i></a></td>
If you edit the html to be purple you will see it change.
<td class="expands et_purple" tabindex="0"><a><i class="icon-triangle-right-small"></i></a></td>
... View more
03-16-2015
09:05 AM
Thanks gfuente...
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-01-2025
07:43 AM
|
Karma from
