About carasso

carasso · ‎12-25-2013

Just to confirm -- you can't download ANY apps, right? I've forwarded this to the website admin, but if you don't have unfiltered internet access to the internet, there may not be much they can do.

carasso · ‎12-25-2013

I just downloaded it successfully. This is not a bug with the app. This is not a bug with apps.splunk.com. It seems like you're just having internet trouble. I can go in a browser and get to: http://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.4.4/underscore-min.js

carasso · ‎12-23-2013

1) If the settings are saved in props.conf, they are preserved after reboot. If must be the case that the regexes are not matching your data. Also, make sure that you actually save each rule created, if there are multiple rules created. 2) Sometimes the app is not able to create a rule that extracts a value you want and not one you don't want. In that case, you'll have to edit the rule (by clicking on 'edit' in the ui)

carasso · ‎12-13-2013

@glancaster, in the latest version of timewrap, I added an argument "series=short", which gives the series short names, like s0, s1, s2, s3, should would make your renames much simpler. (there's also series=exact, which gives things like "week_of_dec10").

carasso · ‎12-10-2013

I've since updated the names of the serieses to be more convenient -- no more whitespace -- and more clear and correct -- current_w, 1w_before, 2w_before

carasso · ‎12-06-2013

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. source="Perfmon:CPU Load" counter="% Processor Time" host="SERVER01" earliest=-1d@d latest=-0d@d | timechart avg(Value) span=1h | timewrap w | where strftime(_time, "%A") == "Thursday" That's it! http://apps.splunk.com/app/1645/

carasso · ‎12-06-2013

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. ... | timechart count span=1h | timewrap w That's it! If you want to limit it to a specific day of the week, add: ... | where strftime(_time, "%A") == "Saturday" http://apps.splunk.com/app/1645/

carasso · ‎12-06-2013

use eval strftime.

carasso · ‎12-06-2013

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. ... | timechart count span=1h | timewrap d That's it! http://apps.splunk.com/app/1645/

carasso · ‎12-06-2013

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. ... | timechart count span=1h | timewrap d That's it! http://apps.splunk.com/app/1645/

carasso · ‎12-06-2013

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. ... | timechart count span=1h | timewrap w That's it! You can then average whatever columns you want. http://apps.splunk.com/app/1645/

carasso · ‎12-06-2013

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. ... | timechart count span=1h | timewrap w That's it! If you want to limit it to a specific day of the week, add: ... | where strftime(_time, "%A") == "Wednesday" http://apps.splunk.com/app/1645/

carasso · ‎12-06-2013

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. ... | timechart count span=1h | timewrap w That's it! http://apps.splunk.com/app/1645/

carasso · ‎12-06-2013

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. ... | timechart count span=1h | timewrap w That's it! http://apps.splunk.com/app/1645/

carasso · ‎12-06-2013

Comparing week-over-week results used to a pain in Splunk, with complex date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. ... | timechart count span=1h | timewrap d That's it! http://apps.splunk.com/app/1645/

carasso · ‎12-06-2013

Comparing week-over-week results is a pain in Splunk. You have to do absurd math for crazy date calculations. No more. Now there is a better way. I wrote a convenient search command called "timewrap" that does it all, for arbitrary time periods. http://apps.splunk.com/app/1645/

carasso · ‎12-05-2013

Glancaster, your search with appendcols seems wrong. "earliest=-7d latest=-6d earliest=-14d latest=-13d earliest=-21d latest=-20d" You need ORs, like "(earliest=-7d latest=-6d) OR (earliest=-14d latest=-13d) OR (earliest=-21d latest=-20d)" appendcols will put the first value from the subsearch with the first value from the main search, then the second, etc. because the main search is over one day and the subsearch is over 3 days -- really 3 weeks -- the values won't correspond to eachother, so you're getting averages from the wrong time.

carasso · ‎12-05-2013

I think this should do it: index=_internal earliest=-4w | timechart count span=1h | where strftime(_time, "%A") == strftime(now(),"%A") | timewrap w | rename "* ago" as * | addtotals "2w" "3w" "4w" | eval avg=Total/3.0 | table _time, _span, 1w, avg get events for last month generate timechart filter out results not from today's day-of-the-week (keeps only thursday data if today is thursday) timewrap all the days (e.g. thursdays) into the same day. rename fields for ease, calculate the total and the avg output just the columns needed to produce the chart

carasso · ‎12-04-2013

I see the confusion. Yes, "1w ago" really means "the most recent week". "2w ago" means "the 2nd most recent week". Think if it referring to the start of each time period. Perhaps if I just removed the word "ago", it might be less misleading. "1w", "2w", etc. The problem is that people might not be clear which is the more recent week. is the oldest "1w" and the next oldest "2w"? that's the exact opposite of what it means. bottomline: i'm open to suggestions!

carasso · ‎08-07-2013

Docs and error system could also be more clear that the setup.xml blocks must be wrapped in " ... " they don't say that or show that in their examples.

Posts	150
Solutions	59
Karma Given	117
Karma Received	218
Member Since	‎01-23-2010

Online Status	Offline
Date Last Visited	‎06-05-2020 02:02 AM

What are your best anomaly finding searches?

Do you have sample data and want an app built for ...

How can I graph today vs yesterday vs the weekly a...

error in standard setup.xml example

How can I get my Splunk events to use Star Trek "S...

What do you want to see in a Splunk Mobile app?

Since March 13th 2011 GMT, Splunk no longer proper...

solera-deepsee problem in 4.2

Re: I can not download this app.

Re: I can not download this app.

Re: Field Extractor App V 1.6 with Splunk 6.0

Re: How to Chart Average of Last 4 Thursdays vs To...

Re: How to Chart Average of Last 4 Thursdays vs To...

Re: Comparing time ranges one report

Re: How do I compare a Saturday to another Saturda...

Re: average count of events over days of the week

Re: Compare two timerange in one report

Re: Compare today to yesterday's results

Re: Fraud detection - how to compare last weeks av...

Re: How do we specify same day last week

Re: Compare set of data from different times

Re: Problems comparing 2 Weeks, timeranges get los...

Re: Line chart comparing yesterday's result with t...

Re: Comparing time ranges one report

Re: How to Chart Average of Last 4 Thursdays vs To...

Re: How to Chart Average of Last 4 Thursdays vs To...

Re: Is 1w ago the same as this week in the timewra...

Re: Example setup.xml failure