Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About KailA
KailA
Contributor
Member since:
01-19-2017
02-23-2022
Community Statistics
| Posts | 82 |
| Solutions | 23 |
| Karma Given | 20 |
| Karma Received | 25 |
| Member Since | 01-19-2017 |
Activity Feed
- Got Karma for Re: Where could I edit the apps bar on splunk?. 02-23-2022 12:07 AM
- Karma Re: Where could I edit the apps bar on splunk? for isoutamo. 02-22-2022 04:49 AM
- Posted Re: Where could I edit the apps bar on splunk? on Splunk Enterprise. 02-22-2022 01:30 AM
- Got Karma for Re: How to format 86401 seconds as 24:00:01. 02-07-2022 03:08 PM
- Got Karma for Re: Why is my JSON format log getting truncated?. 01-13-2022 11:08 AM
- Got Karma for Re: Need to change the value of field using sed. 03-19-2021 07:23 AM
- Posted Re: Need to change the value of field using sed on Splunk Search. 03-19-2021 07:17 AM
- Posted Re: count number of events for each client? on Career Resources. 03-02-2021 04:37 AM
- Posted Re: Convert Time from Stats avg into seconds on Splunk Search. 03-02-2021 01:55 AM
- Got Karma for Re: Convert Time from Stats avg into seconds. 03-02-2021 01:45 AM
- Posted Re: Convert Time from Stats avg into seconds on Splunk Search. 03-02-2021 01:39 AM
- Karma Re: add field values for null field for renjith_nair. 06-05-2020 12:50 AM
- Karma Re: regex field extraction for poete. 06-05-2020 12:50 AM
- Karma Re: How to group a list per Index/object? for poete. 06-05-2020 12:50 AM
- Karma Re: How to uninstall an app from a heavy forwarder? for richgalloway. 06-05-2020 12:50 AM
- Karma Re: How do I search for events within _indextime? for 493669. 06-05-2020 12:50 AM
- Karma Re: Parse Nested JSON Array into Splunk Table for poete. 06-05-2020 12:50 AM
- Karma Re: Dashboard display fields language. for poete. 06-05-2020 12:50 AM
- Got Karma for Re: How do I create an alert that is triggered if a source type exists in a lookup table?. 06-05-2020 12:50 AM
- Got Karma for Re: single value with trellis. 06-05-2020 12:50 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 |
08-01-2019
06:33 AM
Hi,
I don't know what to include in your require block but I can show how I'm doing a sleep in my JS
function sleep(ms) {
return new Promise(resolve => setTimeout(resolve, ms));
}
And after creating this function you can use it like this await sleep(1000);
Let me know if it helps you
... View more
07-31-2019
12:03 AM
I'm not 100% sure, but for me, your Heavy Forwarder should be consider more like an indexer than a forwarder, you should upgrade it in the same time that you upgrade your Splunk Enterprise to avoid any problems.
... View more
07-30-2019
12:25 AM
Hi !
I think this doc will tell you what you want to know : https://docs.splunk.com/Documentation/Forwarder/7.3.0/Forwarder/Compatibilitybetweenforwardersandindexers
From what I read, it should be good for you, you just can't send metrics 🙂
... View more
07-19-2019
08:43 AM
Its maybe a problem with the lookup.
Can you add this to your lookup command:
| lookup prod product_id output product_name append=true
Let me know if it help you !
... View more
07-15-2019
02:26 AM
I tried this
| makeresults
| eval "Time period with no info" = "08:53:07-000"
| where 'Time period with no info' = "08:53:07-000"
and it seems to work so could you please send us the full search or maybe an example of your data to have more informations ? 🙂
... View more
05-21-2019
08:42 AM
Hello,
After sorting your data, you can try that :
| streamstats count as nb
| where nb > 20
This will remove the first 20 rows of your table 🙂
Let me know if it helps you.
... View more
05-07-2019
06:42 AM
1 Karma
Hi alfaconsult,
In token , put a variable name without space, for example:
<fieldset submitButton="false" autoRun="false">
<input type="time" token="time_token" searchWhenChanged="true">
<label>Start thru end of first entity load:</label>
<default>
<earliest>1555779600</earliest>
<latest>1555870800</latest>
</default>
</input>
</fieldset>
Let me know !
... View more
03-12-2019
07:20 AM
Does your subsearch returns more than 50000 events ?
Did you check the job inspector? Sometime your subsearch can also expire.
Let me know about that 🙂
... View more
03-12-2019
01:30 AM
You can try that
| inputlookup host.csv
| stats count by host
| eval count = if(count > 0, count." machines","Any machines")
Let me know 🙂
... View more
03-06-2019
05:56 AM
And if you add | where foo != 0 AND bar != 0 at the end ?
... View more
03-06-2019
02:11 AM
1 Karma
Hello,
Your problem here is using chart that will sort your data alphabetically.
Try like that :
My Base Search
| eval date_wday=lower(strftime(_time,"%A"))
| eval date_w=strftime(_time,"%d/%m")
| where NOT (date_wday = "sunday" OR date_wday = "saturday")
| timechart span=1d count(foo) as "foo", count(bar) as "bar"
That should work for you, let me know 🙂
... View more
03-04-2019
05:17 AM
Ok so something like that I guess:
Base search
| where NOT match(username,"\d")
or with @vnravikumar solution (the regex one)
Unfortunately, you can not do it directly in the base search.
... View more
03-04-2019
04:58 AM
Hi,
You can try to use the match function like in this example and filter on the new field created:
| makeresults
| eval username ="joe.blogs132"
| append
[| makeresults
| eval username ="andrew.smith"]
| eval Type = if(match(username,"\d"),"Student","Staff")
| where Type = "Student"
Like that you can chose if you want to match a student or a staff, as you want.
Let me know if it help you 🙂
Kail
... View more
02-28-2019
06:38 AM
Hi,
You can try that:
Base search
| eval match = case(match(yourField,"^11\d{5}|,11\d{5}"),"YES",1=1,"NO")
| where match = "YES"
| fields - match
Let me know if it works
Kail
... View more
02-28-2019
06:20 AM
1 Karma
Hi,
You can try something like that
Base search
| sort ProgramTime
| streamstats count as nb
| eventstats max(nb) as max
| eval quarter = round((max / 4)),
half = round((max / 2))
| where nb = quarter (or half or whatever you want)
You can define your own variable like half and quarter and replace them in the last | where
Let me know 🙂
... View more
01-07-2019
02:03 PM
This might be a bit faster.
Trying to not use distinct count here :
| tstats prestats=f count WHERE index=* sourcetype=* by _time, host span=1mon
| stats count AS distinct_host_count BY _time
... View more
11-13-2018
11:48 AM
1 Karma
Hi guys,
I have a new problem since one week.
When I choose a date in my Time Picker in a dashboard, let say for example the 11/09/2018 and apply it, the date change by itself to a Custom Period : from 11/09/2018 06:00:00 to 11/10/2018 06:00:00 .
What I already try and check :
I verified my Time Zone in Preferences and I'm still in Default System Timezone
I deleted and re-created the Time Picker on my dashboard but it didn't change anything (I have the same problem in every dashboard, every application)
I'm actually working in NYC on a server in Paris and my colleague who is working in France don't have this problem.
My coworker here in NYC has the same problem as me.
I guess the problem come from here because there is 6h difference between Paris and NYC.
Any idea ?
Thanks guys 🙂
KailA
... View more
11-08-2018
09:58 AM
Ohhhhhh wait i'm so sorry, didn't saw that you forgot to give a name to your field in rex
I think that should work
index=abc
|rex field=_raw "MACHINE\:\s(?<Machine_Name>[^ ]+).*"
| eval time = strftime(_time,"%Y/%m/%d %H:%M:%S") ,
node = host ,
resource = "Auto" ,
type = "Alarm" ,
severity = 1,
Machine_Name = if(isnull(Machinecase),"no_machine",Machine_Name),
description = "CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP" )
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description
Hope it will work now...
KailA
... View more
11-08-2018
08:11 AM
Ok but with the snippet of code I give it didn't return you
CAUAJM:CAUAJM_I_40245 STATUS:JOBFAILURE JOB:GPW_AFF_PFX_DL MACHINE:No Machine with ExitCode:1 at:2018/11/08 08:04:05 Environment:AWP
??
... View more
11-08-2018
07:18 AM
Thats strange, I've just copy/paste you eval for description and add an if() in it.
But I think I understand what you wanted to do now, try that :
index=abc
|rex field=_raw "MACHINE\:\s(?[^ ]+).*"
| eval time = strftime(_time,"%Y/%m/%d %H:%M:%S") ,
node = host ,
resource = "Auto" ,
type = "Alarm" ,
severity = 1,
Machine_Name = case(isnull(Machine_Name),"NONE",isnotnull(Machine_Name),Machine_Name,1=1,"unknown"),
description = if(isnull(Machine_Name),"CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:No Machine" . " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP","CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP" )
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description
Let me explain : if your Machine_name field is null, it will return the descrption with MACHINE:No Machine (put whatever you want here), if not, it should return the full description.
... View more
11-08-2018
07:08 AM
1 Karma
Hi @CMSchelin,
I think you can do something like that :
| metadata type=hosts
|rex field=host "^(?<hostname>.+)\.example.tld"
| table hostname, lastTime
| stats max(lastTime) as lastTime BY hostname
That will return you the most recent activity by host.
Let me know.
KailA 🙂
... View more
11-07-2018
01:24 PM
Hi,
If you are an admin, you can go in Settings > User Interface> Views and after just select the account of the user that left.
After that you just have to select Delete in Actions .
Hope it helps.
KailA
... View more
11-07-2018
01:12 PM
Hi,
I think we can use an if to fill your description field like that :
index=abc
|rex field=_raw "MACHINE\:\s(?[^ ]+).*"
| eval time = strftime(_time,"%Y/%m/%d %H:%M:%S") ,
node = host ,
resource = "Auto" ,
type = "Alarm" ,
severity = 1,
Machine_Name = case(isnull(Machine_Name),"NONE",isnotnull(Machine_Name),Machine_Name,1=1,"unknown"),
description = if(isnull(Machine_Name),"Write your comment here","CAUAJM:" .CAUAJM ." STATUS:" . STAT . " JOB:" . JOB_Name . " MACHINE:" .Machine_Name. " with ExitCode:" .EXITCODE. " at:" . time . " Environment:AWP" )
| table node resource type severity CAUAJM job_event JOB_Name Machine_Name time description
I think that should do the trick 🙂
Let me know
KailA
... View more
11-06-2018
12:03 PM
Hey !
I think you just missed the ip field.
Can you try something like that
| rest /services/deployment/server/clients splunk_server=local
| table hostname applications*.stateOnClient ip
| eval hostname = hostname."___".ip
| untable hostname applications value
| stats count by hostname
| where count < 3
| rex field=hostname "(?<hostname>.*)___(?<ip>.*)"
Let me know if it works for you.
Kail
... View more
11-05-2018
03:40 PM
1 Karma
Hello,
I think it's just a little mistake you made in the first search.
Should be like this i guess
index="web_access" host="mywebhost1" OR host="mywebhost2"
| timechart span=15m dc(clientip)
That should give you the number of unique IP adress in 15min buckets.
Kail
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
02-23-2022
01:24 PM
|
