Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About grittonc
grittonc
Contributor
Member since:
02-13-2017
04-02-2021
Community Statistics
| Posts | 105 |
| Solutions | 13 |
| Karma Given | 283 |
| Karma Received | 20 |
| Member Since | 02-13-2017 |
Activity Feed
- Got Karma for Re: Is there a way to remove the "Open in Search, Inspect, and Export" options from the bottom of the dashboard?. 09-27-2021 04:58 AM
- Got Karma for Re: Preview Mode not working in Custom Command. 06-15-2021 01:03 PM
- Got Karma for Re: What is the best analogy for explaining 'sourcetypes'?. 06-09-2021 08:06 AM
- Karma Re: Double field extraction for the JSON data for maciep. 04-02-2021 06:49 AM
- Karma Re: Double field extraction for the JSON data for maciep. 04-02-2021 06:49 AM
- Karma Double field extraction for the JSON data for nawazns5038. 04-02-2021 06:48 AM
- Karma Re: Why are we getting message "waiting for queued job to start..." and search job takes 5 minutes to run? for andygerber. 01-15-2021 01:37 PM
- Karma Re: how to avoid join for thambisetty. 12-02-2020 05:48 AM
- Karma PipelineComponent - Process delayed by 46.548 seconds, perhaps system was suspended? for manikandankasi. 10-21-2020 06:19 AM
- Karma Does anybody have idea on "INFO PipelineComponent - Process delayed by 1524.266 seconds, perhaps system was suspended?" log message? for sesharao92. 10-21-2020 06:19 AM
- Karma Process delayed - Could you suggest a way to speed up our search? for tonniea. 10-21-2020 06:19 AM
- Karma What does Splunk search log "Process delayed... perhaps system was suspended" mean? for xindeNokia. 10-21-2020 06:19 AM
- Got Karma for Re: How to use timepicker from a CSV lookup?. 10-06-2020 05:50 AM
- Got Karma for Re: Preview Mode not working in Custom Command. 08-28-2020 12:29 PM
- Karma Re: How to mvcombine results that already have OTHER Multivalue results without messing up the formatting? for woodcock. 08-05-2020 08:38 AM
- Got Karma for Re: How can I set a dynamic default value in a dropdown (Simple XML). 07-09-2020 12:50 AM
- Posted Re: Preview Mode not working in Custom Command on Splunk Search. 06-25-2020 01:40 PM
- Karma Unable to get the correct min and max values. for maverick2701. 06-05-2020 12:51 AM
- Karma How to extract fields between backslashes and quotes with rex command? for kjonesdba_lm. 06-05-2020 12:51 AM
- Karma Re: how to add a new column to existing inputlookup for richgalloway. 06-05-2020 12:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 |
07-19-2019
12:48 PM
Please see https://answers.splunk.com/answers/424815/since-splunk-64-some-users-do-not-see-the-export-b.html. There is now a capability called export_results_is_visible that was apparently new in Splunk 6.4. You can take this capability away from roles where you don't want them to be able to export.
... View more
07-19-2019
07:21 AM
You can definitely send data to Splunk Cloud via API. You will need to configure the HTTP Endpoint Collector: https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/Data/UsetheHTTPEventCollector
... View more
07-17-2019
09:50 AM
Do the two rows have anything in common?
... View more
06-12-2019
09:21 AM
In that case, why is row 6 the one that stays? Is it because it's the latest one? How would we know that other than the ID?
... View more
06-12-2019
08:39 AM
Try append with stats . Also, I'm not sure how this is running without a search command inside the subsearch.
sourcetype="SysEvents" OR sourcetype="Sysout" TransactionId=TI* AND TransactionId!=TI earliest=-d@d latest=@d
| timechart span=1h count
| eval Hour = strftime(_time, "%H")
| stats avg(count) as AverageCount by Hour
| append
[search sourcetype="SysEvents" OR sourcetype="Sysout" TransactionId=TI* AND TransactionId!=TI AND TransactionId!=OPF earliest=@d latest=@h
| timechart span=1h count
| eval Hour = strftime(_time, "%H")
| stats count as TodaysCount by Hour]
| stats min(AverageCount) as AverageCount, min(TodaysCount) as TodaysCount by Hour | fillnull value=0 AverageCount TodaysCount
... View more
05-30-2019
05:30 AM
Sorry, the span=1h@h was a red herring. According to the docs, the snap-to option (the @ ) is only used with the week span. If you try some timecharts with your own data, with either span=1w and span=1w@w , you'll see what the difference is.
As for producing the results that you want without changing your timezone settings, that's an understandable want. Based on @woodcock 's answer here: https://answers.splunk.com/answers/321361/how-to-search-accounting-transactions-based-on-the.html You could try something like this: | eval hour_my_tz=strftime(_time, "%H %z"), wd_my_tz=strftime(_time, "%A"), hour_pacific_tz=strftime(_time-3*60*60, "%H"), wd_pacific_tz=strftime(_time-3*60*60, "%A") which should work despite daylight savings time because the difference is always 3 hours. You would just have to make sure to pick a large enough time range for your search to get all of the PT events if your system is set to ET. If you add the eval statement above to your search you'll see where the wd_my_tz is not the same as wd_pacific_tz .
... View more
05-29-2019
11:40 AM
Do you know what your timezone is set to in your user settings? Splunk stores _time in UNIX time but displays it for you in your timezone. So yes, your hour calculation is going to be based on your timezone. See https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Usedefaultfields#Internal_fields and https://docs.splunk.com/Documentation/Splunk/7.2.6/SearchReference/DateandTimeFunctions#time.28.29
To see how Splunk would convert a UNIX time according to your user settings, try:
| makeresults
| eval right_now=1559154449, my_hour=strftime(right_now, "%H %Z")
Does date_wday look at Friday pacific time or Friday eastern time?
date_wday is a default datetime field, which, according to the documentation, are literal values from the event.
The datetime values are the literal values parsed from the event when it is indexed, regardless of its timezone. So, a string such as 05:22:21 will be parsed into indexed fields: date_hour::5 date_minute::22 date_second::21.
But, if you have a date_wday field, do you have a date_zone field as well? That should tell you what TZ was used for date_wday.
https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Usedefaultfields#Default_datetime_fields
I'm pretty sure the eval is printing the hour in eastern time
Yes, it probably is if you have your TZ set to eastern. This probably won't help unless you want to convert to Pacific.
Do i need to change my timechart with something like aligntime=@d-3h?
If you're doing an hourly timechart, why not use span=1h@h ? I don't understand having a span of 1 day and then counting by a calculated hour field. If you have date_wday in Pacific time, and Pacific time is how you want to report, have you tried | chart count by date_hour ?
... View more
05-20-2019
12:42 PM
I couldn't get this to work with the above answer, but using the savedsearch command did work.
<row>
<panel>
<event>
<title>test_report</title>
<search><query>|savedsearch test_report</query>
<earliest>$field1.earliest$</earliest>
<latest>$field1.latest$</latest>
</search>
<option name="list.drilldown">none</option>
</event>
</panel>
</row>
... View more
05-08-2019
12:31 PM
Try alertMessage=\"?(?<msg>[a-zA-z0-9 ]*) . It works in this example:
| makeresults
| eval foo="alertMessage=User logged in"
| append
[| makeresults
| eval foo="alertMessage=\"User logged in\""]
| rex field=foo "alertMessage=\"?(?<msg>[a-zA-z0-9 ]*)"
I just made the first quote optional, and the msg field can only contain alphanumerics or a space, which leaves out the second quote.
... View more
05-08-2019
09:50 AM
Do you need the dot after <msg> ? That would match any single character, right?
... View more
05-06-2019
01:57 PM
Have you tried transposing the results? I got this to work with your XML:
| makeresults
| eval urgency="high"
| append
[| makeresults
| eval urgency="medium"]
| append
[| makeresults
| eval urgency="low"]
| append
[| makeresults
| eval urgency="informational"]
| chart count by urgency
| transpose 0 header_field=urgency
| table count high medium low informational
... View more
05-06-2019
01:38 PM
How many days will you have on your dashboard at one time?
... View more
05-03-2019
06:33 AM
I would think about creating a db input for each rising column that you might use. You can have the same basic query for every input, but use a different rising column in each input.
For example, if you use data from tables A, B, and C in your query, could you have one input that will ingest new/updated records from table A, and another input to ingest new/updated records from table B?
... View more
05-01-2019
11:01 AM
Would a wildcard-based lookup from a lookup table work for you? You can save values like *test* in your lookup table and then define the lookup as matchtype WILDCARD. See this question for an example: https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html.
You can do this either through the back end or in the GUI.
... View more
04-22-2019
10:37 AM
@SloshBurch this sounds like a job for the best practices tag.
... View more
04-17-2019
06:54 AM
@niketnilay , isn't access to a source something that can be configured in a role under restricted search terms?
... View more
04-17-2019
06:53 AM
Can you add a table statement to index=auth_idx source="*auth-log*" to indicate the fields you need in your dashboard?
Do you get results in the dashboard if you remove the inputs like username, eventcode, and time?
... View more
04-16-2019
04:03 PM
Now I think we're getting to the root of the problem. As it is, the dashboard is looking to find a base search called My_Auth_Log_Report and is not finding one. Base searches (post-process searches) and scheduled searches are two different things. Read more about base searches here: https://answers.splunk.com/answers/239159/multiple-base-searches-in-a-dasboard-with-post-pro.html
For a scheduled search, you need to use the loadjob command to load the results of the scheduled search. Assuming that My_Auth_Log_Report is the name of your saved search, do you get anything if you replace yourusername and appname and run this command in a search window? | loadjob savedsearch="yourusername:appname:My_Auth_Log_Report" ?
... View more
04-16-2019
09:48 AM
Did you | rename values(RouterA) as column ?
... View more
04-16-2019
06:44 AM
Is this the whole XML? I don't see where the base search My_Auth_Log_Report is defined.
... View more
04-16-2019
06:31 AM
You have to convert Time into epoch time:
<search base="My_Auth_Log_Report">
<query>fields * |search duser=$username$ evtcode=$event_code$
| eval epoch_time=strptime(Time, "%b %d %Y %X.%3Q %Z")
| search epoch_time>=$time.earliest_epoch$ AND epoch_time<$time.latest_epoch$
</query>
</search>
Another thing you can try when your dashboard is blank is to try "Open in Search" (lower right corner of dashboard panel) to see how tokens are being passed to your search.
... View more
04-16-2019
06:02 AM
What is the time field called in My_Auth_Log_Report, and what do the values look like?
... View more
04-16-2019
05:51 AM
Does your time input have a default value?
Also, I'm not sure what duser=$username$ evtcode=$event_code$ is doing outside your query tag so I've moved it inside.
Give this a try:
<form>
<label>My Authentication Activity Dashboard</label>
<fieldset submitButton="false" autoRun="true">
<input type="text" token="username">
<label>Username</label>
</input>
<input type="dropdown" token="event_code">
<label>Event Type</label>
<choice value="*">All Authentication Activity</choice>
<choice value="0">Login Succeeded</choice>
<choice value="3">Logout Succeeded</choice>
<choice value="4">Session Expired</choice>
<choice value="1">Invalid Username</choice>
<choice value="2">Invalid Password</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="time" token="field1">
<label></label>
<change>
<eval token="time.earliest_epoch">if(isnum('earliest'),'earliest',relative_time(now(),'earliest')</eval>
<eval token="time.latest_epoch">if(isnum('latest'),'latest',relative_time(now(),'latest')</eval>
</change>
</input>
</fieldset>
<row>
<panel>
<event>
<search base="My_Auth_Log_Report">
<query>fields * |search duser=$username$ evtcode=$event_code$
| search _time>=$time.earliest_epoch$ AND _time<$time.latest_epoch$</query>
</search>
</event>
</panel>
</row>
</form>
... View more
04-16-2019
05:22 AM
What have you tried?
... View more
04-15-2019
06:03 PM
I'm 99% sure there's a better way to do this.
Rename values(RouterA) as column.
Then:
your search
| append [your search again|transpose 0 header_field=column]
|stats min(*) by column
Is outputting the main search to a lookup table an option? Then you could append it to a transpose of itself without running the search twice.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-02-2021
10:09 AM
|
Karma from
Karma given to
