Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About joydeep741
joydeep741
Path Finder
Member since:
03-23-2015
10-20-2021
Community Statistics
| Posts | 87 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 8 |
| Member Since | 03-23-2015 |
Activity Feed
- Posted Password encryption - Splunk add on JIRA on All Apps and Add-ons. 08-18-2020 08:36 PM
- Posted Custom alert webhook validation on Splunk Search. 07-27-2020 06:11 PM
- Posted Custom alert webhook not allowing text editing : splunk-search-dropdown on Dashboards & Visualizations. 07-27-2020 05:17 PM
- Posted Re: Add-on for Atlassian JIRA Service Desk alert action : Showing connection error on All Apps and Add-ons. 07-08-2020 05:43 PM
- Got Karma for Re: How to add missing values to stats command result?. 06-05-2020 12:49 AM
- Got Karma for How to build a lookup table with a condition?. 06-05-2020 12:49 AM
- Got Karma for Re: How to drill down with readable format of date and NOT EPOCHs?. 06-05-2020 12:49 AM
- Got Karma for Multiple Base searches in a dasboard with post processing searches. 06-05-2020 12:47 AM
- Got Karma for Re: Multiple Base searches in a dasboard with post processing searches. 06-05-2020 12:47 AM
- Got Karma for Re: How to search new values for a field (exception) in the last 7 days which were not present the 7 days prior?. 06-05-2020 12:47 AM
- Got Karma for Re: How to search new values for a field (exception) in the last 7 days which were not present the 7 days prior?. 06-05-2020 12:47 AM
- Got Karma for How do I search the count of events and use that value to calculate another field?. 06-05-2020 12:47 AM
- Posted The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached on Reporting. 04-03-2020 01:14 PM
- Tagged The maximum number of concurrent running jobs for this historical scheduled search on this cluster has been reached on Reporting. 04-03-2020 01:14 PM
- Posted JIRA app for Splunk, not pulling data from JIRA server. on All Apps and Add-ons. 03-20-2020 11:38 AM
- Tagged JIRA app for Splunk, not pulling data from JIRA server. on All Apps and Add-ons. 03-20-2020 11:38 AM
- Posted Re: DB Connect App FAILS to pull entire data to Splunk. on All Apps and Add-ons. 04-12-2019 12:27 AM
- Posted Re: DB Connect App FAILS to pull entire data to Splunk. on All Apps and Add-ons. 04-11-2019 08:38 AM
- Posted Re: DB Connect App FAILS to pull entire data to Splunk. on All Apps and Add-ons. 04-11-2019 08:14 AM
- Posted DB Connect App FAILS to pull entire data to Splunk. on All Apps and Add-ons. 04-11-2019 03:52 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-08-2018
11:51 PM
timechart span=1d count by CREATED_DATE
This would put created_date as column names in the result...
... View more
08-08-2018
10:56 PM
I have a query which gives results like
COLUMN_1 COLUMN_2
1 a
2 b
3 c
4 d
5 e
6 f
I have a lookup mylookup.csv which has following data
COLUMN_1 COLUMN_2
1 1000
3 1111
6 2222
My query should search each value in column 1 and If its present in the lookup (mylookup.csv) replace the value of coulmn 2 with the value from column 2 of lookup.
The final result of my query should look like
COLUMN_1 COLUMN_2
**1 1000**
2 b
**3 1111**
4 d
5 e
**6 2222**
... View more
08-08-2018
10:13 PM
I have a search query
index=abc sourcetype=xyz | stats count by created_date
I get results like
CREATED_DATE COUNT
2018-08-08 12
2018-08-07 10
2018-08-04 05
2018-08-02 06
2018-08-01 03
But as you can see, some dates are not present in logs so do not appear in results.
Like 2018-08-06, 2018-08-05, 2018-08-03
I want these dates to come but with ZERO count.
The final result should look like
CREATED_DATE COUNT
2018-08-08 12
2018-08-07 10
**2018-08-06 0
2018-08-05 0**
2018-08-04 05
**2018-08-03 0**
2018-08-02 06
2018-08-01 03
Please suggest a solution.
... View more
07-16-2018
03:30 AM
I have created a search to populate a lookup periodically.
index x sourcetype=y | outputlookup abc.csv append=true
Lookup is like
EventId, Start, End
000,1,2
111,3,5
I do not want duplicate rows for EventId. My current logic is not taking care of that.
What can I add to the search so that every time a new row gets added, Splunk should only update the existing and not add a new one if event id already exists
... View more
- Tags:
- duplicates
- lookups
07-11-2018
01:09 AM
Hi @woodcock
This gives me right chart.
I am able to drill down.
BUT, say I selected events for the month of MAY in the bar graph.
On the drill down page it will show me all events of MAY.
AND NOT all events where date_epoch was in MAY.
So I am getting slightly deviated results on drill down.
... View more
07-11-2018
01:06 AM
@niketn,
Drill down works fine. But as you said, since the events displayed will consider the earliest and latest of _time and not created_time, the results on the search page are slightly deviated.
I am not sure how I can tweak the logic to cater this part as well.
... View more
07-09-2018
09:40 PM
1 Karma
created_time is a typo.. It is actually date_epoch.
But I have understood the logic here.
Thanks man.. This resolves the issue.
... View more
07-09-2018
11:15 AM
I have a search
index=abc sourcetype=xyz | bucket created_time span=1w | stats count by date_epoch | eval date_readable = strptime(date_epoch, "%m-%d-%Y %H:%M:%S")
This results in a BAR GRAPH
Y-AXIS -> Count
X-AXIS -> date_readable
BUT, when the user clicks on any BAR, the drill down takes him to the search page with ALL THE EVENTS and not just the clicked events.
That is happening because of last condition in search query, where I am converting the EPOCH to READBLE.
I need to show READABLE format of date on graph and at the same time want my drill down to work.
Drill down seems to work only on EPOCHS.
How can I achieve this?
... View more
- Tags:
- chart
- drill-down
- epoch
07-05-2018
08:58 AM
I have a splunk query
index=abc sourcetype=xyz | timechart by field1
This gives me data like
_time column1 cloumn2 column3 ..... coulumnN
Now , I want to do a common eval operation on all of these columns. But I do not want to HARD CODE the column names (as I do not know before hand the values of field1)
Right now I am doing like this
index=abc sourcetype=xyz | timechart by field1 | eval column1= column1 + 100 | eval column2= column2 + 100 | eval coulmn3 = column3 +100 ........ and so on.
That way I am having multiple eval statements, even though I am performing the same operation eval column= column + 100
Can someone guide me a better approach of doing this?
... View more
07-01-2018
06:52 AM
@woodcock
I corrected it. Thanks a lot.
What a genius way of doing this.
... View more
06-29-2018
04:39 AM
I have a
SEARCH-1
Which Gives results like
-time column1 column2
I want to run a secondary search for each value of _time and add a column3 added to the existing columns in the result above.
-time column1 column2 column3
I am trying something like this. My old columns get lost in the process. And the number of results are also less.
index=abc sourcetype=sitescopev2log | timechart avg(Availability) by columns | map search="search index=xyz sourcetype=xyz_st | stats count as column3"
... View more
06-29-2018
01:48 AM
1 Karma
I have a lookup of epoch times:
epoch_time_lookup.csv
Start Time End Time
1529737700 1529737800
1529737600 1529737750
1529737800 1529737900
1529737720 1529737722
I have a search which gives me results with 2 columns. EPOCH TIME and AVAILABILITY
EPOCH AVAIL
1529737700 100
1529737600 100
1529737800 0
1529737720 100
Now I want to build a search, whenever AVAIL == 0 , check if the EPOCH is between any START and END times in epoch_time_lookup.csv lookup.
If yes, make availability 100.
Eg:
index= abc sourcetype=xyz | eval EPOCH = _time | eval AVAILABILITY = availability_field | **eval availability = (if EPOCH in START and END of lookup) ,100, 0)**
Need help in building the logic.
... View more
- Tags:
- lookup
- search-query
06-27-2018
11:54 AM
1) There is no co relation with respect to _time
2) Second search results in start and end time stamps.
... View more
06-27-2018
09:57 AM
I have 2 absolutely independent searches.
Search-1 gives me the availability of server throughout the day.
Sample data :
9am - 100
9.30am - 100
10am - 100
10.30am - 0
11am - 100
11.30am - 100
Search-2 gives me the time range for planned outages
10am to 11am
3pm to 4pm
So I have to build a logic to timechart Search-1 and if the time is BETWEEN the planned outage TIME RANGE than hard code the availablity to 100.
I am not able to co relate 2 different searches reffereing 2 different sourcetypes of the same Index.
Need help.
... View more
06-27-2018
04:49 AM
does it matter if the inner search is searching a different index than outer search ?
I am still getting
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression
... View more
06-27-2018
02:57 AM
I want to get a value from subsearch assigned to outer search.
I am trying like this
index=OUTER sourcetype=OUTER_ST | eval value = [search index=INNER sourcetype=INNER_ST |eval x=10 |return $x ]
But this gives me
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression
How to resolve this ?
... View more
06-26-2018
04:42 AM
Super Thanks ..!!
It worked. 🙂
... View more
06-26-2018
03:30 AM
Hi niketnilay,
1) span=$field2$
Values are like "1m", "1d", "1w" for month , day , week respectively.
2) fieldformat _time=strftime(_time, "$BarChartFormat$")
_time comes like
06-18
05-18
etc
My URL earliest and lastest values are like
earliest=06-18 latest=1530008118
This 06-18 seems to irritate splunk and thus the invalid earliest time error.
Any idea how can i convert this to the format in which i get the "latest"
... View more
06-26-2018
03:27 AM
Hi rvany,
My URL earliest and lastest values are like
earliest=06-18& latest=1530008118
This 06-18 seems to irritate splunk and thus the invalid earliest time error.
Any idea how can i convert this to the format in which i get the "latest"
... View more
06-26-2018
12:39 AM
When ever I click on a BAR of a bar graph , it drills down to search page with an error "invalid earliest_time"
How do i correct this invalid earliest_time error ?
THE TIME PICKER ON MY DASHBOARD
<input type="time" token="field3">
<label></label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
THE BAR GRAPH PANEL ON MY DASHBOARD
<chart>
<search>
<query>index=abc sourcetype=xyz |dedup number| bucket _time span=$field2$| stats count by _time|tail 7|eval Target=$IncidentTitle$|fieldformat _time=strftime(_time, "$BarChartFormat$")|reverse</query>
<earliest>$field3.earliest$</earliest>
<latest>$field3.latest$</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">linear</option>
<option name="charting.chart">column</option>
<option name="charting.chart.overlayFields">Target</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="trellis.enabled">0</option>
<option name="trellis.size">large</option>
<option name="trellis.splitBy">_aggregation</option>
</chart>
... View more
06-25-2018
09:18 AM
I want to build a logic for SEARCH-2
My SEARCH -1
Gives me start and End time stamp of a Planned Outage.
My SEARCH-2
Gives me the availaiblity graph of my server.
Now in the availibility graph, if the timestamp is in the time range of planned outage (given by search 1) than I should mark that as "planned outage" (so that no one is confused whether its planned or an actual outage).
index=avail sourcetype=availaibility | if availaibility == 0 | check if the time of event is in the time range given by SUB SEARCH ""My Search 1
... View more
02-02-2017
01:23 AM
how to check on FORWARDERS if firewall is opened for the DEPLOYMENT server ? Any command ?
Operating system is linux.
... View more
01-24-2017
07:17 AM
[monitor://D:\Program Files\Tableau\Tableau Server\data\tabsvc\logs\httpd]
whitelist = access.[\d_]+$
# I don't think you need the blacklist anymore
# blacklist = .(?:gz|bz2|z|zip)$
index = tableau
sourcetype = httpd_access
This worked.
Thanks ..!!
... View more
01-23-2017
05:09 AM
The problem is not with slashes. All my other logs are getting monitored perfectly fine.
Only this one, where I have used wild card, is not getting monitored.
Windows seem to have a problem with *
... View more
