Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About andrewtrobec
andrewtrobec
Motivator
Member since:
11-09-2016
08-04-2025
Community Statistics
| Posts | 336 |
| Solutions | 7 |
| Karma Given | 124 |
| Karma Received | 48 |
| Member Since | 11-09-2016 |
Activity Feed
- Got Karma for Can a Splunk search call a Python script to perform data manipulation?. 06-18-2025 07:40 AM
- Got Karma for Why does a user with user role not see images on a dashboard studio dashboard?. 06-11-2025 12:00 AM
- Karma Re: Change text panel position in dashboard studio for biwanari. 04-08-2025 10:53 AM
- Got Karma for Re: The Client forwarder management not showing the clients. 08-14-2024 09:02 AM
- Posted Re: The Client forwarder management not showing the clients on Deployment Architecture. 06-14-2024 08:24 AM
- Karma Re: The Client forwarder management not showing the clients for AAlhabba. 06-14-2024 08:23 AM
- Got Karma for When will emojis in dashboard dark mode work properly (still persists in 9.2.1)?. 06-03-2024 10:51 PM
- Posted When will emojis in dashboard dark mode work properly (still persists in 9.2.1)? on Dashboards & Visualizations. 05-22-2024 05:16 AM
- Tagged When will emojis in dashboard dark mode work properly (still persists in 9.2.1)? on Dashboards & Visualizations. 05-22-2024 05:16 AM
- Got Karma for Re: How can I avoid overwriting the local folder when reloading from my deployment server?. 05-02-2024 03:28 AM
- Got Karma for How can I avoid overwriting the local folder when reloading from my deployment server?. 05-02-2024 03:27 AM
- Posted Re: Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? on Getting Data In. 03-06-2024 09:17 AM
- Posted Re: Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? on Getting Data In. 03-06-2024 09:16 AM
- Karma Re: Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? for lucacaldiero. 03-06-2024 09:15 AM
- Posted Re: Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? on Getting Data In. 03-06-2024 03:00 AM
- Posted Why is my LINE_BREAKER parameter not breaking properly with multiple capture groups? on Getting Data In. 03-05-2024 11:09 AM
- Got Karma for Re: Why does updating a token with JavaScript not cause panels dependent on those tokens to refresh?. 01-03-2024 02:10 PM
- Posted Why does user with "power" role only see the "Search" option in the navigation menu and nothing else? on Splunk Enterprise. 12-13-2023 06:15 AM
- Posted Why is a sourcetype not being applied to a summary index that was migrated? on Getting Data In. 10-27-2023 07:38 AM
- Karma Re: Can Azure AD and Microsoft Entra be configured together on Splunk Enterprise? for isoutamo. 10-27-2023 06:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-04-2017
10:49 AM
I have an index that has those values already, so it would be
index=my_index | table Field_1 Field_2 Contact
There are filters in place that will make sure that Contact will be the same for every event. There will be between 2 and 25/30 results. I want to be able to send an e-mail to Contact , but configure the body so that the Contact field doesn't appear.
... View more
08-04-2017
07:37 AM
Thanks for the reply. This suggestion does the opposite of what I'm looking for: it sends an e-mail to the address and the e-mail content is just the contact column. I'd like to send an e-mail to the address, but have the inline table contain everything but the contact field.
... View more
08-04-2017
06:23 AM
Hello,
I'm trying to find a way to use search result fields to address an e-mail, but remove those fields in the inline table in the body of the e-mail.
Here is an example of the search results:
Field_1, Field_2, Contact
Value_F1_1, Value_F2_2, contact@domain.com
Value_F1_2, Value_F2_3, contact@domain.com
Value_F1_3, Value_F2_2, contact@domain.com
The send e-mail command I am using needs the Contact field to determine who to send the e-mail to:
... |sendemail to=$result.Contact$ subject=subject sendresults=true format=table
As you can imagine, the inline table in the e-mail contains the Contact field as well. What I'd like to know is whether there is some way to remove the field from the inline table sent in the e-mail.
Thank you and best regards,
Andrew
... View more
- Tags:
- splunk-enterprise
08-03-2017
11:47 PM
I need to be able to parse the timezone specified in the field so that I can convert the timestamp to UTC.
Using %Z doesn't seem to work. Would it be able to parse Europe/San_Marino ? The documentation here states that %Z is "The timezone abbreviation. For example EST for US Eastern Standard Time". Maybe it's expecting CET or CEST rather than Europe/San_Marino . If I parse CET , do you think it would recognize in July that it should be CEST ?
Regards,
Andrew
... View more
08-03-2017
11:40 PM
I've tried running this search, but it doesn't work: in particular it doesn't parse the %Z . If I remove it then timestamp and mytime2 are returned, but those will be with my system timezone rather than Europe/San_Marino .
Regards,
Andrew
... View more
08-03-2017
08:29 AM
This has just worked for me, thanks!
... View more
08-03-2017
08:26 AM
Thanks for the input. The REGEX works but doesn't solve the problem. I've found what I was looking for here:
https://answers.splunk.com/answers/209824/how-to-get-splunk-to-ignore-the-second-line-of-a-l.html
Suggestion was to use a null-queue transform by modifying props.conf and transforms.conf
... View more
08-03-2017
07:38 AM
Hello All,
I've been trying to figure out how to parse the timestamp 2017/07/25 12:14:53,849 Europe/San_Marino so that it recognizes the timezone as well. This is not the timestamp being used as the _time value associated to the event, which is also happens to be in the same format (it's is configured in props.conf as TZ = Europe/San_Marino ).
I've gone as far as eval timestamp=strptime(timestamp, "%Y/%m/%d %H:%M:%S,%f") but I can't figure out the last bit since %Z expects a UTC offset which I don't have. I've considered just adding +01:00 to the result, but I'm not sure whether that will account for daylight savings...
Any help would be greatly appreciated!
Best regards,
Andrew
... View more
- Tags:
- splunk-enterprise
07-28-2017
02:34 AM
Hello,
I am currently using the following REGEX for PREAMBLE_REGEX in props.conf which works on Splunk 6.4.x running on Windows:
(^|[\r\n])(Job\.Description[^\r\n]+|String[^\r\n]+)
This is used to tell Splunk to skip the second and third lines of log files which always start:
Job.Description,Job.NumJobWaitEvents...
String,Integer,Integer...
I've since migrated my app to a Splunk 6.4.x instance running on Linux, but it doesn't work anymore (the lines aren't ignored). What changes should I be looking out for to ensure that the regular expression works in Linux as well?
Thank you and best regards,
Andrew
... View more
- Tags:
- splunk-enterprise
07-06-2017
08:01 AM
2 Karma
Hello,
I'm working with Splunk 6.4.1. I have an accelerated data model with calculated fields, and aliases configured to map index fields to the data model calculated fields. I recently had to add a new calculated field to the data model, so I disabled the acceleration, added the field, and then created a new field alias. Everything works as expected. When I re-enable the data model acceleration, however, I've noticed, that the field aliases don't work anymore. For the time being I've disabled data model acceleration. How do I get the alias to work with data model acceleration enabled?
Regards,
Andrew
... View more
- Tags:
- splunk-enterprise
06-18-2017
11:16 PM
Thanks for the reply. I've updated the tables as you've mentioned and have the following:
table_row_highlighting.js
mvc.Components.get('highlight01').getVisualization(function(tableView) {
tableView.on('rendered', function() {
// Apply class of the cells to the parent row in order to color the whole row
tableView.$el.find('td.range-cell').each(function() {
$(this).parents('tr').addClass(this.className);
});
});
// Add custom cell renderer, the table will re-render automatically.
tableView.addCellRenderer(new CustomRangeRenderer());
});
mvc.Components.get('highlight02').getVisualization(function(tableView) {
tableView.on('rendered', function() {
// Apply class of the cells to the parent row in order to color the whole row
tableView.$el.find('td.range-cell').each(function() {
$(this).parents('tr').addClass(this.className);
});
});
// Add custom cell renderer, the table will re-render automatically.
tableView.addCellRenderer(new CustomRangeRenderer());
});
table_decorations.css
[id^="highlight"] tr td {
background-color: #c1ffc3 !important;
}
[id^="highlight"] tr.match td {
background-color: #93ca3b !important;
}
[id^="highlight"] tr.no-match td {
background-color: #ff0030 !important;
}
[id^="highlight"] .table td {
border-top: 1px solid #fff;
}
[id^="highlight"] td.range-severe, td.range-elevated {
font-weight: bold;
}
This doesn't seem to work. I understand what you're getting at, though. The generic case will catch anything that starts with the word highlight .
Shouldn't I have an * character somewhere?
... View more
06-16-2017
05:19 AM
Hello,
I was following the "Table Row Highlighting" example as part of the "Splunk 6.x Dashboard Examples" app, and I have managed to get it working for one table on my dashboard. Since there is a total of 10, I would like to extend the highlighting logic to all of them,
What is the best way for doing this?
Thank you and best regards,
Andrew
... View more
- Tags:
- splunk-enterprise
04-28-2017
02:48 PM
Thanks for your input. Just like to add: if I run the command as index="my_index" | transaction FIELD then it creates the transactions and puts them in chronological order. I figured that using startswith and endswith would do the same thing, but exclude all evens in between. Is this the wrong understanding of the command?
... View more
04-28-2017
12:00 PM
Thanks for the response. This does work, and is a good solution. Maybe I'm not understanding the transaction function properly, but I thought that it would filter out the events automatically using the startswith and endswith definition options.
EDIT: Now that I've run the solution I get the following:
FIELD,eventcount
FIELD1,2
FIELD1,2
FIELD2,2
FIELD2,2
So it still produces a double transaction for each FIELD value...
... View more
04-28-2017
11:15 AM
Hello!
I am working with the transaction command. I am passing a field and using startswith and endswith definition options. When I run it, though, the output produces two results per transaction. The first contains all events in the transaction while the second, the one I'm looking for, contains the events specified in the definition options. To provide a simplified example, the events in a transaction are as follows:
_time,FIELD,MESSAGE
28/04/2017 00:00:01,FIELD1,Starting Message
28/04/2017 00:00:02,FIELD1,Intermediate Message 1
28/04/2017 00:00:03,FIELD1,Intermediate Message 2
28/04/2017 00:00:04,FIELD1,Intermediate Message 3
28/04/2017 00:00:05,FIELD1,Ending Message
28/04/2017 00:00:11,FIELD2,Starting Message
28/04/2017 00:00:12,FIELD2,Intermediate Message 1
28/04/2017 00:00:13,FIELD2,Intermediate Message 2
28/04/2017 00:00:14,FIELD2,Intermediate Message 3
28/04/2017 00:00:15,FIELD2,Ending Message
The search is then:
index="my_index" | transaction FIELD startswith=eval(MESSAGE="Starting Message") endswith=eval(MESSAGE="Ending Message") | table FIELD, eventcount
Which produces the following table:
FIELD,eventcount
FIELD1,5
FIELD1,2
FIELD2,5
FIELD2,2
Instead, I was expecting
FIELD,eventcount
FIELD1,2
FIELD2,2
How do I ensure that only the transaction containing the startswith and endswith events is returned?
Thank you!
Andrew
... View more
04-05-2017
01:07 AM
I tried to control click on the column values but it doesn't work! I really though this was the solution! To convey what I'm trying to do, I've created a dashboard that you can replicate:
<form>
<label>Drilldown Example</label>
<fieldset submitButton="false">
<input type="multiselect" token="category_tok">
<label>Category</label>
<choice value="*">All</choice>
<default>*</default>
<initialValue>*</initialValue>
<delimiter> OR </delimiter>
<fieldForLabel>Category</fieldForLabel>
<fieldForValue>Category</fieldForValue>
<search>
<query>| makeresults count=100000
| eval CategoryNumbers = round(((random() % 50)/(random() % 25)*100),0)
| sort CategoryNumbers
| eval Category = "Category " . CategoryNumbers
| dedup Category
| table Category</query>
</search>
<prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>Category="</valuePrefix>
<valueSuffix>"</valueSuffix>
</input>
</fieldset>
<row>
<panel>
<title>Random Pareto</title>
<chart>
<search>
<query>| makeresults count=1000
| eval Category = "Category " . round(((random() % 50)/(random() % 25)*100),0)
| stats count by Category
| sort -count
| streamstats sum(count) as RunningTotal
| eventstats sum(count) as Total
| eval CumulativePercent = round((RunningTotal/Total)*100,2)
| fields - Total, RunningTotal</query>
<sampleRatio>1</sampleRatio>
</search>
<drilldown>
<set token="form.category_tok">$click.value$</set>
</drilldown>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">1</option>
<option name="charting.axisY2.maximumNumber">100</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">CumulativePercent</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">minimal</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
<panel>
<title>Random Metric Chart</title>
<table>
<search>
<query>| makeresults count=10000
| eval Category = "Category " . round(((random() % 50)/(random() % 25)*100),0)
| search $category_tok$
| eval SubCategory = "SubCategory " . round(((random() % 10)/(random() % 25)*100),0)
| eval Metric = round((random() % 100)/(random() % 50))
| chart sum(Metric) as MetricSum over SubCategory by Category</query>
<earliest>0</earliest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">5</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
</row>
</form>
The Category input at the top is a multiselect and can be interacted with. The Random Pareto chart displays Category on it's X axis. The Random Metric Chart chart is dependent on the Category input. To update the Random Metric Chart I can either set the values in the input, or I can click on a column in the Random Pareto chart.
My goal is to be able to click on multiple columns in the Random Pareto chart so that they are added as separate values in the Category input. Right now clicking a column will overwrite the entire input.
Any ideas?
Thanks!
Andrew
... View more
04-04-2017
02:57 PM
Thanks for the links!
I did some reading, but I'm still not sure how to construct a drill down so that it passes multiple values to an input. By clicking one column I only get one value assigned to $click.value$ meaning that I have to click on another column which will overwrite the first $click.value$. I'm trying to get it so that I can maintain the initial value, so something like:
<drilldown>
<set token="token_tok">$token_tok$,$click.value$</set>
</drilldown>
I was hoping that I could pass those values to a multiselect input, but It just seems to just construct a string.
Do you know whether this sort of approach is feasible?
Thanks!
Andrew
... View more
04-04-2017
08:04 AM
Hello, and thank you for taking the time.
i see what you've done, but what I'm trying to do is slightly different. Adding on to your example, what I'd like to do is have a multiselect input that when passed values (in this case "Test,Test3"), automatically parses them into the their individual values. The result would be:
The values Test and Test3 would be columns selected from a column chart. Is this possible?
Regards,
Andrew
... View more
04-04-2017
06:24 AM
Hello,
I'm trying to get a chart drill down to pass multiple values to a dashboard multiselect input. The scenario is that I have a column chart and the columns that I click on get added as filter criteria to the input. First we have the muliselect:
<input type="multiselect" token="token_tok">
<label>Configuration Item</label>
<delimiter> </delimiter>
<choice value="Value 1">Value 1</choice>
<choice value="Value 2">Value 2</choice>
<choice value="Value 3">Value 3</choice>
</input>
Then with the column chart I have the following drill down code:
<drilldown>
<set token="form.token_tok">$form.token_tok$,$click.value$</set>
</drilldown>
The idea is to have the drill down append the selected value so that the input updates with the values. I thought that maybe adding a , would cause the values to be parsed into the multiselect values, but this doesn't work. Instead I end up with a single invalid value consisting of the token value, a comma, and the value selected from the chart.
Is there a way of getting around my problem?
Thank you and best regards,
Andrew
... View more
- Tags:
- splunk-enterprise
04-03-2017
11:34 PM
Perfect, thank you!
... View more
04-03-2017
11:32 PM
Hello all,
I have successfully managed to create a column chart and pass a clicked upon value to another panel through use of a token:
<drilldown>
<set token="token_tok">$click.value$</set>
</drilldown>
What I'm trying to do is be able to select multiple column chart values and create the token so that it contains multiple values. Is this possible? So assuming I have a field named Field it would be great to do something like:
<set token="token_tok">Field=$click.value$ OR Field=$click.value2$ OR Field=$click.value3$</set>
Thoughts?
Thank you and best regards,
Andrew
... View more
- Tags:
- splunk-enterprise
03-29-2017
02:22 AM
Hello!
Is it possible to use the content of a text input token to run a search? So instead of:
index="my_index" | ...
i use
$token_text$ | ...
The goal here is to pass the text content to an external script and then be able to output a result. The text that needs to be analyzed, however, is not within an index, but is provided ad-hoc.
Is this possible?
Thanks!
Andrew
... View more
- Tags:
- splunk-enterprise
03-13-2017
02:26 PM
Hello,
I've been working with statistics tables and I've noticed that they're quite ugly to look at. For example, if I split a chart across more than one column, the column header becomes:
column1:::column2:::value
Is there a way to make the tables more visually appealing? Something like this:
instead of:
Maybe there is a Splunkbase app that gives better formatting options?
Best regards,
Andrew
... View more
03-08-2017
10:41 PM
Just to make sure that I'm following the right procedure I'm going to list out the steps I've followed:
Edit props.conf located in SPLUNKHOME\etc\apps\MY_APP\local to contain
[MY_SOURCETYPE]
FIELD_DELIMITER = ,
HEADER_FIELD_LINE_NUMBER = 1
INDEXED_EXTRACTIONS = csv
PREAMBLE_REGEX = (^|[\r\n])(Job.Description[^\r\n]+|String[^\r\n]+)
TIMESTAMP_FIELDS = RunStart
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
Restart splunkd via cmd: net stop splunkd/net start splunkd
Once up, log into Splunk (6.5.2 btw) and enter my app
From the Settings menu, select Add Data
Select upload
Select the csv that contains the data above
Select Next
From the Source type list, select MY_SOURCETYPE
At this point, the first two lines of the event list are as follows
If the regex works as planned, would I see those two lines at that point?
Best regards,
Andrew
... View more
03-08-2017
10:53 AM
Thanks for the suggestion, but unfortunately it doesn't work. I think I see what you're getting at, though: you're trying to create one expression that covers both lines, right? I'm not too proficient with regexs.
I'll keep playing with it, thanks!
Andrew
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-04-2025
06:01 AM
|
