About jgauthier

jgauthier · ‎10-18-2013

Thank you! I might have sideviews, but I was intentionally avoiding them! I will take a look at the static content example! Thanks again!

jgauthier · ‎10-17-2013

I was just uncovering this mess. Wouldn't it be possible to include another openssl library somewhere and reference that?

jgauthier · ‎10-17-2013

Mine is also broken after upgrading. I am still diagnosing this.

jgauthier · ‎10-17-2013

I did have the module in the wrong spot. I corrected this, but it did not resolve the issue. I belive moving the button module around caused me to paste it wrong. I put the dashboard back, and when I add this: View Details http://google.com?q=something The entire dashboard breaks. Including other switchers, and even the pull down contents are empty.

jgauthier · ‎10-17-2013

Greetings, Using Splunk version 6. I would like to make a radialGauge a drilldown, but apparently that doesn't work. So, I decided to create a button on my dashboard. Unfortunately, the dashboard causes the entire dashboard to not render. Here is an example. I've tried moving the button all around inside the pulldown module. Any suggestions? <module name="PulldownSwitcher" layoutPanel="panel_row2_col2" group="Tickets - Unassigned"> <param name="mode">independent</param> <param name="label"> </param> <module name="Button"> <param name="label">View Details</param> <module name="Redirector"> <param name="url">http://google.com?q=something</param> </module> <module name="HiddenSavedSearch" group="All Unassigned" autoRun="True"> <param name="savedSearch">Helpdesk - Tickets - Unassigned</param> <module name="HiddenChartFormatter"> <param name="chart">radialGauge</param> <param name="charting.chart.rangeValues">[0,5,15,20]</param> <param name="primaryAxisTitle.text">Date</param> <param name="secondaryAxisTitle.text">Tickets</param> <param name="legend.placement">right</param> <module name="JobProgressIndicator"/> <module name="JSChart"> <param name="width">100%</param> <param name="height">300px</param> </module>  </module> </module> </module> </module>

jgauthier · ‎10-14-2013

Thanks. I really wanted to do this from a search, but I did make another dashboard. The original dashboard drills down into the second supplying the form information, and then those rows are able to be drilled down. So mission accomplished!

jgauthier · ‎10-14-2013

Greetings, I've done some reading, but I can't seem to put together the various answers over the course of the years. I am using Splunk 5. I have a dashboard, and it has a dynamic drill down which then just calls a splunk query. I would really like to make that query some of the data (an id field) be a clickable link to an outside page. (ie: http://website.com/info?$id$). How could I achieve this functionality?

jgauthier · ‎06-19-2013

Exactly.I tried to copy it here, but the formatting was terrible. 😉

jgauthier · ‎06-19-2013

No go. I attempted it, even though by using "top" it should inherently exclude other. The query does not include 'other' when I run it in the search. It does, however, in a dashboard.

jgauthier · ‎06-19-2013

Greetings, Since an update (I don't know what version to what version, sorry!), one of my dashboards with pie chart is showing "other", and I don't know why. My saved search is pretty basic: sourcetype="squid" action="*" uri_host="youtube.com"| top 10 username My dashboard module includes: name="charting.chart.sliceCollapsingThreshold">0 But it doesn't seem to work.

jgauthier · ‎09-12-2012

Bah, that has an asterisk before license_audit.log that the web form has removed on my behalf.

jgauthier · ‎09-12-2012

This query: index=_internal todaysBytesIndexed LicenseManager-Audit source=*license_audit.log | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | bucket _time span=1d | stats avg(Daily_Indexing_Volume_in_MBs) AS UsageMB first(licenseSize) AS LicenseSize by _time host | eval UsagePercent=UsageMB/(LicenseSize/1024/1024)*100 | eval UsagePercent=round(UsagePercent, 2) | table _time host LicenseSize UsageMB UsagePercent Which I have used for over a year no longer works. And no, I'm not over my licensing... and I haven't been.. .but this query always worked.

jgauthier · ‎09-12-2012

I noticed today that my license audit source is not up to date: index=_internal source=*license_audit.log This does not have any data since 09/08/2012... but I have on idea why. Any ideas for me?

jgauthier · ‎04-15-2012

Thanks. I gave that a try. It didn't work. So, I looked up the module reference, which says: "0.01 (slices smaller than 1% of the whole pie are collapsed)" That was definitely not the case either. If I change the value to '1' then I get 100% of pie collapse. It seems to be ignoring the value as 0, or the default is not working.

jgauthier · ‎04-13-2012

I have a couple simple saved searches, and they are on a dashboard. After upgrading to 4.3, "other" started showing up on the pie charts. The search is simple: sourcetype="squid" uri_host="facebook.com" | top 10 username When I run the search interactively, there isn't an "other". Only on the dashboard. So, I deciced to change the query to use chart, so I can 'useother=f'. So, I changed it to be slightly more complex: sourcetype="squid" action="*" uri_host="facebook.com"| chart count(username) as ucount by username useother=f| sort -ucount | head 10 But this resulted in: "The following options were specified but have no effect when a split-by clause is not provided:useother" So I remove 'useother=f' and I am back to a pie chart with 'other' in it. thanks for any assistance.

jgauthier · ‎04-13-2012

Here is the working query from both of your suggestions: sourcetype=HypervGuestCPU OR sourcetype=ComputerSystem NOT HCPU="_Total" | dedup HCPU keepempty=t | stats c(HCPU) AS Virtual_CPUs first(NumbOfProcs) AS PhysicalCPUs by host And (sourcetype=ComputerSystem Host="HYPERV") OR (sourcetype=HypervGuestCPU NOT HCPU="_Total") | stats first(NumbOfProcs) as Physical distinct_count(HCPU) as VCPU by Host

jgauthier · ‎04-13-2012

Thanks guys. Both were ridiculously close, considering that the data was not present for you. I am going to have to look at these and figure out some stuff so I can apply this. In short, I was able to get kristians to work quicker, with a small modification (removed Name from Dedup). I think the first(NumbOfProcs) was the key. Thanks both so much!

jgauthier · ‎04-12-2012

Thank you. I've made heavy edits of the original to outline the data, and details much more clearly.

jgauthier · ‎04-12-2012

Ugh! I hate having to ask for query help, but I'm close.. but not close enough. Basically, I have two sets of data. I want to compare information in a field from set 'A', to the cumulative set of records in set 'B'. So, my set 'A' data will look something like this: [EDITED to include real data] In my environment, I run a visualization cluster. One area I want to get visibility into is overallocation of CPUs. Using splunk, I am recording a lot of machine information from the Hypervisors. For instance a data set for a hypervisor looks like this: Timestamp=1334260801 Host=S-HYPERV2 Source=ComputerSystem Name=S-HYPERV2 NumbOfProcs=16 In this data set, I am interested in NumbOfProcs. In the second data set, I am going to count how my virtual processors are allocated, and compare that to the total above. That data set looks like this: (record 1) Timestamp=1334260801 Host=S-HYPERV2 Source=HypervGuestCPU HCPU="v-sqldb:Hv VP 0" PercGuestTime=17 PercHostTime=1 PercTotalTime=18 (record 2) Timestamp=1334260801 Host=S-HYPERV2 Source=HypervGuestCPU HCPU="v-sqldb:Hv VP 1" PercGuestTime=2 PercHostTime=0 PercTotalTime=2 For each record, it's a unique vcpu. So, I have done this to get pretty close: Host="*HYPERV*" AND sourcetype="HypervGuestCPU" AND NOT HCPU="_Total" |dedup HCPU | chart count(HCPU) by host | appendcols [search Host="*HYPERV*" AND sourcetype="ComputerSystem" | dedup Host | eval NumbofCPUs=(NumbOfProcs) | chart sum(NumbofCPUs) by Host ] Issues I have are, that I don't like the output. I also am just dumping out out,I would prefer to be able to compare the numbers (total and the count). Additionally, if there are no vcpus being used, then I have a weird looking table. Ultimately, I attempting to get the output of : Server VCPUs Physical S-HYPERV2 2 16 And it would be fantastic if I could actually compare them for alerting. I'm afraid this is a little over my query foo. This doesn't have the Total number in it, but this another method I was using to build the data set: Host="*HYPERV*" AND sourcetype="ComputerSystem" OR sourcetype="HypervGuestCPU" AND NOT HCPU="_Total" | dedup HCPU |eventstats count(HCPU) as VCPU by Host | dedup Host| table Host, VCPU But this is just Host by VCPU, in a table.

jgauthier · ‎04-06-2012

Yes, I checked that as well. As stated, this was fine in 4.2, and I did not change the user account.

jgauthier · ‎04-06-2012

I recently upgraded from 4.2 to 4.3. Since then, I cannot delete from a remote command line. sourcetype="dontcare" | delete Returns: Login failed Unauthorized I am using a shell script to remotely connect to a remote windows splunk server. This worked with 4.2, and I am passing the credentials on the command line. Since 4.3, it does not work.

jgauthier · ‎03-14-2012

Not the best subject. I'm not sure how to explain it in the title. But I'd like to use the results of an custom search to limit my search results. psuedo-code: custom_search returns a field named "custom_results" sourcetype of "xyz" has a field called "expected_results" sourcetype="xyz" | custom_search | search expected_results=custom_results However, the search command takes the "results" literally, instead of the field contents. How is this achieved? Thanks!

jgauthier · ‎03-14-2012

Wow. That totally worked. Thanks!

jgauthier · ‎03-14-2012

That's a really interesting approach. but 'rest' is not a command for me. Is there a minimum version number, or configuration? "Search operation 'rest' is unknown. You might not have permission to run this operation."

jgauthier · ‎03-02-2012

Is it possible for splunk to be able to index a file with this kind of formatting: host=hostname sourcetype=source timestamp=timestamp field1=unique data field2=unique data field3=unique data field4=unique data host=hostname sourcetype=source timestamp=timestamp field1=unique data field2=unique data field3=unique data field4=unique data host=hostname sourcetype=source timestamp=timestamp field1=unique data field2=unique data field3=unique data field4=unique data Making each "record" a unique record in splunk as well, using the host, sourcetype, and timestamp on each? Thanks.

Posts	139
Solutions	5
Karma Given	5
Karma Received	30
Member Since	‎03-12-2011

Online Status	Offline
Date Last Visited	‎06-05-2020 02:02 AM

Splunk App for Web Analytics: How to resolve missi...

sideview multiple pulldowns

dbquery and variables

Splunk SSO change - no longer works.

apache virtual hosts - custom field?

Cold bucket move error

FSChangeMonitor errors?

Apache Dashboards?

iplocation missing after upgrade

Button on dashboard?

Re: Button on dashboard?

Re: Splunk 6 Ciso ips error

Re: Splunk 6 Ciso ips error

Re: Button on dashboard?

Button on dashboard?

Re: Search results, link to url

Search results, link to url

Re: Why is "other" on this pie chart?

Re: Why is "other" on this pie chart?

Why is "other" on this pie chart?

Re: License source not up to date

Re: License source not up to date

License source not up to date

Re: Why is 'other' showing up?

Why is 'other' showing up?

Re: Query assistance needed with unrelated data se...

Re: Query assistance needed with unrelated data se...

Re: Query assistance needed with unrelated data se...

Query assistance needed with unrelated data set

Re: Cannot delete from command line

Cannot delete from command line

Using search fields to compare against custom comm...

Re: current user in search?

Re: current user in search?

Multiple Records - one file

Join the Conversation