Hello, I am working with some unstructured data so I'm using the rex command to get some fields out of it. I need three fields in total, and I have managed to extract them with three distinct rex commands. I am now trying to merge them into a single one, but I am having trouble doing so. Following is a run anywhere search where I've put the unstructured data into a string that is then used by the rex commands: | makeresults | eval string="================================================================ = JOB : MAXFED33S-LHMX#MDK1997DAILYFTPCONN[(2130 10/31/18),(0AAAAAAAAAAAOBWS)] = USER : DOMAIN\khectic = SCRIPT : c:\scripts\mdk_copy.bat = Job Number: 2484514 =============================================================== ******************************************************************************************** ** copying from ** \temp\mdk_temp.csv ** to ** \target\ ** success ** ******************************************************************************************** =============================================================== = Exit Status :OK ===============================================================" | rex field=string ".+#(?<job>[\w]+)\[." | rex field=string ".+SCRIPT[\s\t]*:[\s\t]*(?<script>[\w\d.\\\:\s-]+)" | rex field=string ".+Exit\sStatus[\s\t]*:[\s\t]*(?<exit_status>[\w]+)" Obviously this is not the most efficient way of doing it so I'm trying to use a single rex command, and this is where I'm having trouble. I'm trying to join them using the .+ notation which I think means "any character one or more times until the next field extraction", but no dice. This is what that looks like (doesn't work): | rex field=string ".+#(?<job>[\w]+)\[.+SCRIPT[\s\t]*:[\s\t]*(?<script>[\w\d.\\\:\s-]+).+Exit\sStatus[\s\t]*:[\s\t]*(?<exit_status>[\w]+)" Would appreciate a push in the right direction. Thank you in advance and best regards, Andrew ... View more

Hello, I am looking for optimization advice for a use case in which I need to create new event data and then calculate time delta between two timestamps. I have a set of tasks for which I need to calculate their lifetime, either from open to close, or from open to now() . Each task can be subject to multiple state changes: New, Waiting, In Progress, Complete, Closed. The objective is to calculate the time that a task is in each state (easy), and for those that are not closed I have to calculate the time up until now() that it has been in its last state (difficult). I would like some advice on how to manage the tasks that are not closed. I will now describe what I have currently done using a simplified data structure. Firstly the data: id,state,timestamp,prev_timestamp id001,New,2018-11-01 14:32:50, id001,In Progress,2018-11-01 16:54:43,2018-11-01 14:32:50 id001,Complete,2018-11-02 09:23:01,2018-11-01 16:54:43 id001,Closed,2018-11-02 15:41:53,2018-11-02 09:23:01 id002,New,2018-11-01 16:04:36, id002,Waiting,2018-11-01 16:54:23,2018-11-01 16:04:36 id002,In Progress,2018-11-05 11:12:51,2018-11-01 16:54:23 id001 is the simple case because it is currently not open so I just calculate all the deltas, while id002 is the more difficult case since it is not closed. It's difficult because I first have to create a new event that represents the time between the last state change until now() , and it is here that I would like some advice. Saving the above data as sample.csv and loading it into Splunk, I currently use the following search to get what I'm after: | inputlookup sample.csv | streamstats count as running by id | eventstats count as final by id | eval last = if(running=final,1,0) | eval now = strftime(now(),"%Y-%m-%d %H:%M:%S") | table id state timestamp prev_timestamp running final last now | eval timestamp = if(last=1 AND NOT state="Closed",mvappend(timestamp,mvzip(timestamp,now,",")),timestamp) | mvexpand timestamp | eval timestamp = split(timestamp,",") | eval prev_timestamp = if(mvcount(timestamp)>1,mvindex(timestamp,0),prev_timestamp) | eval timestamp = if(mvcount(timestamp)>1,mvindex(timestamp,1),timestamp) | eval hours_in_state = round((strptime(timestamp,"%Y-%m-%d %H:%M:%S") - strptime(prev_timestamp,"%Y-%m-%d %H:%M:%S"))/3600,2) To summarize what the search is doing: Use streamstats and eventstats combination to identify the last event for each task (field called last ) For each task's last event, determine whether it is Closed If a task's last event is not Closed (such as for id002), use mvzip and mvexpand to create a new event Calculate time in hours Step 3 is the most expensive operation because I have to concatenate two timestamps, create a multivalue, expand that multivalue to get the additional event, then split the timestamps again into their appropriate fields so that I can make the delta calculation. If you run it with two tasks it's fast, but I have more than 20000 tasks which sometimes causes the search to fail. What I'd like to ask is: is there a less expensive and more elegant way to accomplish the creation of an additional event for tasks that are not closed? Thank you in advance and best regards, Andrew ... View more

Hello, I've noticed that the addcoltotals command doesn't display decimals if the total contains a decimal. Run anywhere code: | makeresults | eval decimal = 1.5 | eval whole = 1.5 | append [ | makeresults | eval decimal = 1 | eval whole = 1.5] | addcoltotals I'm using Splunk 6.4.1 and my results are: decimal,whole 1.5,1.5 1,1.5 2,3.0 (here it truncates to a single decimal place for the decimal field) Is there something I'm missing? Regards, Andrew ... View more

Hello, I am having trouble understanding why a token update via JavaScript does not cause a panel that is dependent on that token to refresh. I have a date input called status_date that is configured to set a token tok_status_date during initialization (with today's date), and when it changes. JS file is as follows: require([ 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!' ], function ($, mvc) { // initialization var tokens = mvc.Components.get("default"); document.getElementById("status_date").valueAsDate = new Date(); tokens.set("tok_status_date",document.getElementById("status_date").value); $('#status_date').on("change", function (e){ tokens.set("tok_status_date",document.getElementById("status_date").value); }); }); An HTML panel that I have configured will always show the value of tok_status_date , even when I update the value of the input. <row> <panel> <html> <center><h1>$tok_status_date$</h1></center> </html> </panel> </row> I also have an XML panel whose search is dependent on tok_status_date , but it does not update whenever I change the value of the input: <query>| makeresults | eval Day = strftime(strptime("$tok_status_date$","%Y-%m-%d"),"%d/%m/%Y") | table Day</query> Why is this? Am I missing something in the JavaScript file? Thank you and best regards, Andrew ... View more

Hello, I'm the process of designing a simple data entry form using Splunk, but I am worred that too many inputs (50+) will make the interface slow and unusable. As an alternative, I'm trying to use a simple HTML form and then extract the values when a checkbox value is selected. As a simple example, I have an HTML form that has two inputs: firstname and lastname <row> <panel> <title>HTML Form</title> <html> <div> <form> First name: &lt;br/&gt; <input type="text" name="firstname"/>&lt;br/&gt; Last name:&lt;br/&gt; <input type="text" name="lastname"/> </form> </div> </html> </panel> </row> What I'd like to do is generate a result set based on those values by selecting a checkbox. I want to concatenate the values from all of the form fields and then assign it to a single input. Something along the lines of this: <row> <panel> <input type="checkbox" token="tok_submit_values"> <choice value="Submitted">Submit</choice> <change> <condition match="$tok_submit_values$"="Submitted"> <set token="tok_input_concatenation">form.firstname + form.lastname</set> </condition> <condition> <unset token="tok_input_concatenation"></unset> </condition> </change> </input> </panel> </row> Once the value has been concatenated, I can use the makeresults command to format the data before writing it to index. Is this possible? Any pointers would be greatly appreciated! Best regards, Andrew ... View more

Hello, I have an external script that makes calculations. The problem is that it is limiting the number of results to 100000. By default it is 50000, but I managed to extend it to 100000 by adding the following stanzas to limits.conf under the app's local folder: [searchresults] maxresultrows = 100000 [stats] maxresultrows = 100000 [top] maxresultrows = 100000 Now I'd like to extend that limit to 500000, but updating the maxresultrows values does not make any difference. For reference, my limits.conf file now looks like this: [default] max_mem_usage_mb = 0 [searchresults] maxresultrows = 500000 [stats] maxresultrows = 500000 [top] maxresultrows = 500000 [set] maxresultrows = 500000 [anomalousvalue] maxresultrows = 500000 What am I missing? Thank you and best regards, Andrew ... View more