Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About aohls
aohls
Contributor
Member since:
03-10-2017
05-04-2023
Community Statistics
| Posts | 143 |
| Solutions | 5 |
| Karma Given | 11 |
| Karma Received | 12 |
| Member Since | 03-10-2017 |
Activity Feed
- Posted How to run a search from rest search? on Splunk Search. 04-13-2023 11:17 AM
- Tagged How to run a search from rest search? on Splunk Search. 04-13-2023 11:17 AM
- Tagged How to run a search from rest search? on Splunk Search. 04-13-2023 11:17 AM
- Posted How to table results with multiple evals? on Splunk Search. 03-08-2023 12:30 PM
- Posted Best Way To Storing Predicted Values on Splunk Search. 10-22-2021 01:32 PM
- Posted Re: Results not populating only in dashboard studio on Dashboards & Visualizations. 10-22-2021 06:17 AM
- Posted Results not populating only in dashboard studio on Dashboards & Visualizations. 10-21-2021 01:39 PM
- Posted Re: How to get the last hour of events but also over the past 6 weeks? on Splunk Search. 08-27-2021 12:01 PM
- Posted Re: How to get the last hour of events but also over the past 6 weeks? on Splunk Search. 08-27-2021 11:18 AM
- Posted How to get the last hour of events but also over the past 6 weeks? on Splunk Search. 08-27-2021 11:04 AM
- Posted Search not working when Chained on Dashboards & Visualizations. 08-20-2021 01:12 PM
- Posted Re: Case with multiple potential wildcard matches on Splunk Search. 06-22-2021 06:26 AM
- Posted Case with multiple potential wildcard matches on Splunk Search. 06-21-2021 12:06 PM
- Posted Best way to baseline for alerting on Alerting. 04-28-2021 09:31 AM
- Posted Events per second without hitting limitations on Splunk Search. 04-01-2021 08:28 AM
- Posted Stats Average after timechart incorrect on Splunk Search. 02-12-2021 12:06 PM
- Posted Add Column to Event List on Dashboards & Visualizations. 02-04-2021 01:47 PM
- Posted Re: Workflow action not showing in dashboard event panel on Dashboards & Visualizations. 02-03-2021 09:40 AM
- Posted Workflow action not showing in dashboard event panel on Dashboards & Visualizations. 02-03-2021 09:25 AM
- Posted What is an easy way to call event action? on Dashboards & Visualizations. 01-22-2021 12:58 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-14-2019
06:57 AM
Much of our instance is handled by another team. I want a way to test some add on before a full install. If I download something from Splunkbase, will it be specific to my user or does it have to be installed to our Splunk instance itself?
... View more
10-10-2019
08:26 AM
I am not sure what you are looking for but assuming you are looking for the value 5. You could do a regex on that field first maybe.
| rex field=_raw "count: (?<timerCount>\d+)"
With that you can then check: timerCount > 5
... View more
10-07-2019
06:21 AM
I am not sure the best way to ask this but we have a job with subtasks, and the subtasks have subtasks. I wanted to get the total runtime. These are not jobs related to Splunk, they are internal jobs we log times and steps. Currently I get
Job1|Sub1|Task1|1 minute
Job1|Sub1|Task2|5 minutes
Job1|Sub1|Task3|2 minutes
Job1|Sub2|Task1|10 minutes
I do not want to have Job1 show multiple times and I want it to have a total run time, then it would break down for each Sub task. I want this to almost be a collapsible list where Job1 can have multiple Subs and each sub with tasks but I do not want Job1 to get printed multiple times. Ideally I want Job1's only result to also show the total runtime of the job. Then each Subtask would break down the runtime of that specific subtask.
... View more
10-07-2019
05:55 AM
I am not sure what extracts you have setup but you could use a transaction: https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Transaction
| transaction src_ip maxspan=5m
Need some more information to get things exact but it seems using transaction should work. If you can provide some more information that would help.
... View more
10-01-2019
08:02 AM
You could use a case statement here.
|eval risk = case(score <= 10, "A", score > 10 AND score <= 20, "B", score > 20 AND score <= 30......)
... View more
09-26-2019
05:33 AM
This is what I was hoping for, thanks. I have been debugging my searches but I wanted to check to make sure there was not some fundamental issue in the setup.
... View more
09-25-2019
11:09 AM
We are just starting to really dive into some more in depth reports. In some cases we are seeing some slow run times; I expect this with the millions of events to go through. We have on main index with over 100 hosts, though the sourcetype breaks it down further. Is this 'normal'? My primary question is that if we were to break up the hosts and have a few different indexes, would that speed up any search? Does that get negated as soon as you add specification to a host or sourcetype?
Any documentation would be helpful; most of this is handled by a separate team so I have not interfaced with this.
... View more
09-18-2019
05:34 AM
@gcusello I added my full search. I also noticed I had a typo in why the search did not generate. I now have it working but, I am not getting data back for my 7 day average in the subsearch. I am also unsure of if there is a better way to do this.
... View more
09-18-2019
04:57 AM
I want to get a 7 day and 30 day average in a single search.
sourcetype="businessService" OR sourcetype="bpmservice-2" JobName
| eval host = lower(host)
| lookup client-mapping.csv hostname as host OUTPUT clientename as clientName
| transaction unifyends=true GUID maxspan=12h
| eval duration=round(duration/60, 2)
| lookup JobStatsData.csv codeName as codeName,JobName as JobName OUTPUT avgRunTimeMinutes as avgRunTimeMinutes, stdDevDuration as stdDevDuration, jobHasFTPDownload as FTPDownload
| join JobName
[search sourcetype="businessService" JobName earliest=-7d@d
| eval host = lower(host)
| lookup client-mapping.csv hostname as host OUTPUT clientname as clientName
| transaction unifyends=true GUID maxspan=12h
| eval duration=round(duration/60, 2)
| stats avg(duration) as AverageRunTime7Days by JobName
| fields + AverageRunTime7Days]
| stats avg(duration) as AverageRunTime30Days, avg(avgRunTimeMinutes) as historicalRunTime, avg(stdDevDuration) as historicalStdDev,values(FTPDownload) as FTPDownload by JobName
| eval OneStdDevOfAvg = historicalRunTime + (historicalStdDev)
| eval Action = if(AverageRunTime30Days > OneStdDevOfAvg, if(FTPDownload=="Yes","Potential Review Needed","Review Needed"), "No Issues")
| rename JobName as BPMJob
| table BPMJob,FTPDownload, AverageRunTime30Days, AverageRunTime7Days, OneStdDevOfAvg, Action
I have a lookup with historical statistics data and I want to compare that to a 30 day and 7 day run time. I am not getting any results right now; but if I remove the above code I get the 30 day average. I want to pass the 7 day average and JobName into my main search, so I can include it in my table output.
... View more
09-16-2019
05:10 AM
I had created a field extraction not realizing that happened automatically; this caused duplicate results.
... View more
09-12-2019
05:07 AM
@somesoni2 The first one worked great. I attempted to use match very quickly but must have mistyped something along the way.
... View more
09-11-2019
10:17 AM
I am using a transaction to group some jobs and get the timings. In doing so I want to check for certain steps, file download steps. I have the following.
| transaction unifyends=true JobID maxspan=12h
| eval duration=round(duration/60, 2)
| eval FTPDownload=if(like(_raw, "%FTPDownload%"), "Yes", "No")
In this case I want to check if the transaction itself contains FTPDownload, and set FTPDownload to Yes or No. I am at times getting both Yes and No, for the same job which does not change. Also for jobs I know and see there is an FTPDownload step, I am getting No back. Is _raw in this case only evaluating the first event in the transaction? Is there any issue with this approach I am overlooking? It seems like this should work but the results are not correct.
... View more
09-05-2019
05:45 AM
I have a search I created that runs for the last 5 minutes. I scheduled this to run every 5 minutes to update a summary index I have. I am finding duplicates on my data. Is there a better way to manage the run times to make sure there are no duplicates? I am only putting a table into the summary, there are no stat commands. Is there some way to handle this better?
... View more
08-27-2019
07:51 AM
This works perfect, I had attempted something similar but I had: operation="?(?<operation>[^\,]+)"?, . I was missing a quote in the expression so I was getting the closing quote in my result. Thanks.
... View more
08-27-2019
07:39 AM
I am hoping to accomplish this within the extraction and avoid any search time requirements.
... View more
08-27-2019
07:09 AM
I am working to extract a field that at times is surrounded by quotes. This means I have either; operation or "operation". I have attempted the following:
Log Example:
operation="status"
operation=status
operation="?(?P<operation>"?[^\,]+),
Doing this does is close but on the fields with quotes, the closing quote is included which I did not want. My thought is to just do two extractions with the same name which is not ideal for me. I am extracting until a comma, which is either after the end of the string or after the closing quote.
Edit: I do not want to do anything at search time, I want the values to be correct for other users with limited knowledge.
... View more
08-26-2019
09:49 AM
I have a summary index I am looking to put data in.
| table Name,host,_time, component, operation, userName, responseTimeSeconds
| fields - _raw
This is the basis of what I have. When putting it into the summary index I was hoping to have only the fields specified in my table. Instead I am getting things like the following included:
08/26/2019 12:29:59 -0400, search_name=savedReport, search_now=1566837000.000, info_min_time=1566836700.000, info_max_time=1566837000.000, info_search_time=1566837197.992,
Is there any way strip out this information in my index? Will it automatically add it. I used collect with testmode=true and thought that should indicate what my output looks like. Is there a step I am missing or is that what I should expect to have in my data? For awareness what I am trying to do is gather some data we want that will stay around longer than our current setup by stripping out a lot of items in the logging we do not need.
... View more
08-22-2019
09:01 AM
One minor change I needed to make was to add
| fillnull value=No Skip
If this was not applied I did not get values. Thanks!
... View more
08-21-2019
07:22 AM
1 Karma
We have ms within our logs as well; the focus log section I used to test was "=2074 ms"
(?<Time>.?)ms This did not work for me, no results
(?<Time>.?) ms Has a space and works ok but only gets the end number, 4 in my case.
(?<Time>\d+) ms This worked the best as it is getting the full number.
... View more
08-21-2019
05:50 AM
1 Karma
Your event looks to have a space before ms, have you confirmed Time is getting values?
Maybe | rex field=_raw "(?.?) ms" would work.
Edit: not displaying right but (?<Time>.?) ms
... View more
08-20-2019
07:32 AM
@woodcock I am really the only real end users; I wouldnt have access to change anything on the way in. I shouldn't say really it is noise but it is other lines of data I do not care about with this effort which is application response times. I will look at the accelerated data model. My thought was the stripped out table as its own index would get me only the data I making the runtime faster for less than 7 days. Then the longer term I would be averaging everything daily or weekly for trending.
... View more
08-15-2019
06:13 AM
You actually might not need to edit the xml depending on what you want to do. In your panel on the three dots you can select Edit Drilldown, next to the trellis. You would then want to link either to a report, dashboard or search of your choice. In this area you would connect the link and then the tokens you want to pass.
I have only linked dashboards and takes a bit of testing to get what you want potentially. Yours might look something like the following:
<drilldown>
<set token="boolean">$click.name2$</set>
<link target="_blank">search?q=index=foo bar=$boolean$</link>
</drilldown>
</chart>
</panel>
When you click you set boolean to true or false; you might need to edit the "click.name*" see: https://docs.splunk.com/Documentation/Splunk/7.3.1/Viz/PanelreferenceforSimplifiedXML#Predefined_drilldown_tokens.
Then you pass the boolean value to the search in the target.
... View more
08-14-2019
12:30 PM
You will want to use tokens with a click event. Below is a good starting point. You will need to edit the xml.
https://docs.splunk.com/Documentation/Splunk/latest/Viz/ContextualDrilldown
... View more
