Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About shakSplunk
shakSplunk
Path Finder
Member since:
06-01-2021
08-22-2021
Community Statistics
| Posts | 52 |
| Solutions | 0 |
| Karma Given | 14 |
| Karma Received | 1 |
| Member Since | 06-01-2021 |
Activity Feed
- Got Karma for Converting event into fields and values. 05-23-2023 07:32 PM
- Posted Re: Check if time is within last 3 hrs on Splunk Search. 08-22-2021 09:07 AM
- Posted Check if time is within last 3 hrs on Splunk Search. 08-22-2021 08:51 AM
- Posted Re: Only showing latest value in a multi-value cell on Splunk Search. 08-18-2021 10:01 AM
- Posted Re: Only showing latest value in a multi-value cell on Splunk Search. 08-18-2021 09:37 AM
- Posted Re: Only showing latest value in a multi-value cell on Splunk Search. 08-18-2021 09:35 AM
- Posted Re: Only showing latest value in a multi-value cell on Splunk Search. 08-18-2021 09:01 AM
- Posted Only showing latest value in a multi-value cell on Splunk Search. 08-18-2021 08:35 AM
- Posted Ordering an alpha numerical column and highlighting on Splunk Search. 08-17-2021 09:34 AM
- Posted Re: Creating colored tiles based on status field on Dashboards & Visualizations. 08-17-2021 08:52 AM
- Posted Creating colored tiles based on status field on Dashboards & Visualizations. 08-17-2021 06:26 AM
- Posted Converting event into fields and values on Splunk Search. 08-17-2021 06:15 AM
- Posted Re: rename command is changing time format on Splunk Search. 08-16-2021 08:00 PM
- Karma Re: rename command is changing time format for bowesmana. 08-16-2021 07:59 PM
- Posted Re: rename command is changing time format on Splunk Search. 08-16-2021 07:48 PM
- Posted Anchors or Hyperlinks to scroll down a page on Dashboards & Visualizations. 08-16-2021 05:37 PM
- Posted rename command is changing time format on Splunk Search. 08-16-2021 05:12 PM
- Posted Re: Highlight row if unique values exist within dynamic pivot table on Dashboards & Visualizations. 08-16-2021 07:25 AM
- Posted Re: (Table) Add dynamically generated columns (from field values) onto pre-existing columns on Splunk Search. 08-16-2021 06:37 AM
- Posted Re: (Table) Add dynamically generated columns (from field values) onto pre-existing columns on Splunk Search. 08-16-2021 06:36 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-29-2021
07:58 PM
Thanks @ITWhisperer @kamlesh_vaghela Thanks it's so close to working! It seems to work when there are no whitespaces in the version value, however in the case of a white space, it doesn't seem to work. E.g. If the Version value is "Version Unavailable", although the count column is showing 1, it's still highlighting red. Another Question - you have a particular section in the query: table User Place Version is there anyway in which you can do "table * exclude count" ? Also another question - I added two radio buttons to toggle the highlighting off and on. The 'Off' radio button has a value of ' "","" ' and the 'On' button as a value of ' "#ff0000","#22ba5c" '. I then placed the token for this field in the colour pallete line, i.e.: <colorPalette type="expression">if(match(value," "),$app_con_check$)</colorPalette> Although it works, it requires me to manually refresh the page for it to toggle (if I toggle and don't refresh the page, visually nothing changes on the dashboard). Even though I selected "Search on Change", it still isn't updating, is there anyway the radio button to refresh the dashboard? Really appreciate all your help! Apologies for so many questions in one message.
... View more
07-28-2021
11:17 PM
Hi @kamlesh_vaghela Is there anyway we could use simple xml for the solution instead of js. I only have access to simple XML through the "source" button that appears when going to edit a dashboard.
... View more
07-28-2021
11:10 PM
Hi, Thanks for your answer. However, I am trying to colour the whole column red if it detects all the values in the column are NOT the same. For instance, in the version column, if the values were all "1" is would remain as non-highlighted. However, if there are values of "1" , "2" , etc (aka different values), then it would highlight the whole column as red.
... View more
07-28-2021
10:32 PM
Hi all, I am trying to highlight a particular column if the values in that column are no all the same. For instance, say I have a table such as the following: User Place Version Mark London 1 Sally US 2 Will Africa 2 I would specifically like to highlight the version column red because the values are not all the same on that column (the values are not all 2) , so that it looks like this (underline = should be highlighted) User Place Version Mark London 1 Sally US 2 Will Africa 2 I understand the first step is to turn the Version column into a multi-value field and add "RED" in each cell along that column but unsure as to how to do that. I'd imagine that logic is something like if (count(Version uniq) >1 )) then add RED. But again not sure how to implement something like that. Any help would be hugely appreciated!
... View more
07-26-2021
11:57 PM
The error is highlighting the "</panel>" (second last line) <row>
<panel>
<table>
<search>
<query>| pivot (command)
| fields - _* linecount
| foreach *
[| eval value=if("<<FIELD>>"=="CartridgeType" OR "<<FIELD>>"="CartridgeName", value, if(isnull(value),'<<FIELD>>',mvappend(value,'<<FIELD>>')))]
| eval value=mvdedup(value)
| foreach *
[| eval <<FIELD>>=if("<<FIELD>>"="value", '<<FIELD>>', if(mvcount(value)=1,'<<FIELD>>',mvappend('<<FIELD>>',"RED")))]
| fields - value</query>
<earliest>1614999151.000</earliest>
<sampleRatio>1</sampleRatio>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="rowNumbers">true</option>
<option name="totalsRow">false</option>
<option name="wrap">false</option>
<html>
<style>
#cartridges table tbody td div.multivalue-subcell[data-mv-index="1"]{
display: none;
}
</style>
</html>
<table id="cartridges">
<format type="color">
<colorPalette type="expression">case (match(value,"RED"), "rgb(255,0,0)")</colorPalette>
</format>
</table>
</panel>
</row> is the area that I'm putting the multivalue remover incorrect?
... View more
07-26-2021
11:34 PM
The coloring is working (it is highlighting red), however I'm having trouble with removing the "RED" multi value. When I try to add the following: <html>
<style>
#cartridges table tbody td div.multivalue-subcell[data-mv-index="1"]{
display: none;
}
</style>
</html>
<table id="cartridges"> I'm assuming that this gets the first index of the multivalue cells, however its giving me an unexpected close tag error.
... View more
07-26-2021
07:02 PM
It works! Thank you so much! It adds the string "RED" to the row with the differences. However, would it be possible to automatically highlight it red instead of adding a string? @ITWhisperer I had a look at this question (https://community.splunk.com/t5/Splunk-Search/How-to-add-a-color-to-the-field-in-one-column-based-on-the-other/m-p/521927/highlight/true#M147153) however I understand how to apply to one column, however how to apply to all columns? In the linked answer, one specific field is being selected --- your query
| eval service=service."|".status
| eval service=split(service,"|")
... View more
07-22-2021
08:51 PM
Hi all, I currently have a pivot table which has column named 'alias'. I was wondering is there a way to sort that column such that the value "error" always shows up on top, then the remaining values will show under it. The default alphabetical orders don't work here as in both alphabetical and reverse alphabetical order, error does not show up ontop and instead shows up somewhere in the middle. Any help would be greatly appreciated!
... View more
Labels
- Labels:
-
chart
07-22-2021
11:49 AM
Hi all, I have one field that simply shows that latest timestamp of logs. i) I was wondering how can I find the difference between the latest log time and the current system time? ii) Then with that value I was hoping to check run a condition and print the condition to another field (e.g. timeliness). The condition I wanted to implemented was that if the difference is greater than 3 hours, then input "Out of Sync" in the timeliness field. However, in the alternative case, enter "Synced" in the timeliness field. My latest log time is in the following format: 2021-07-23 02:54:09 Any help would be greatly appreciated!
... View more
Labels
- Labels:
-
time
07-22-2021
11:29 AM
Hi all, I have a dropdown field that is used to filter the results of a pivot table. Is there a way that I can show and hide a column in the pivot table? For instance, say the token of the dropdown field is 'select_field_1' ('version' and 'daysRemaining' are columns) Id imagine there is a conditional command where you can do if ($select_field_1|s$=certificate,show daysRemaining hide version) Any help would be greatly appreciated!
... View more
07-22-2021
08:09 AM
Hi @ITWhisperer , thank you so much for the help. However the problem has changed slightly. I'm trying to apply this to dynamic fields in a pivot table. I've asked an additional question here as to not go to far outside the scope of this thread. https://community.splunk.com/t5/Dashboards-Visualizations/Highlight-values-in-a-row-within-dynamic-pivot-table/m-p/560488#M38980 I'd be incredibly grateful for any help I can get with this newer more detailed question ^
... View more
07-22-2021
08:06 AM
Hi all, I have a pivot that changes the number of columns based on a drop-down selection. The first two columns remain consistent however the remaining columns can change (1st e.g. has 6 additional columns with auto-generated column names whereas 2nd has 4 additional columns). E.g. 1 CartridgeType Cartridge E:::MCAS1 E:::MCAS2 S:::MCAS1 S:::MCAS2 S:::MCAS3 S:::MCAS4 user etf 4 4 4 4 4 4 product brd 4 4 5 5 5 5 E.g. 2 CartridgeType Cartridge E:::MCAS1 E:::MCAS2 D:::MCAS1 D:::MCAS2 user etf 4 4 4 4 product brd 4 4 5 5 Is it possible (purely through the html or css AKA through the 'Source' button when editing a dashboard) to highlight rows red if they have different values along a row in the dynamically generated columns? For instance, in e.g. 1 since the second row's mcas columns don't all have the same value, highlight the whole row. CartridgeType Cartridge E:::MCAS1 E:::MCAS2 S:::MCAS1 S:::MCAS2 S:::MCAS3 S:::MCAS4 user etf 4 4 4 4 4 4 product brd 4 4 5 5 5 5 The confusion I'm having here is due to i ) non-static column names ii) Number of columns can change in quantity based on the dropdown selection. Any help would be hugely appreciated! I've tried looking at the sample dashboard however haven't been able to figure out a solution based of them and an unable to implement a js option.
... View more
07-21-2021
08:42 PM
Hi @ITWhisperer Tried the recommended approach and it would highlight the whole table in green.
... View more
07-21-2021
01:14 AM
Apologies for the lack of detail. 1) It would be preferred that the ROW get highlighted and not the whole table itself. 2) Good pickup - lets scrap the idea of highlighting an individual cell, instead if there is a difference in the last 4 cells in a row, highlight the whole row. In this example, since the last 4 cells of the second row are different. It should thus have the whole row be highlighted foo bar 4 4 4 4 goo car 4 4 5 4
... View more
07-21-2021
12:04 AM
Hi all, I have a row of a pivot table as shown in the picture. However, is there a way to make it so that if the values are different when comparing the last four rows, it will highlight the row? If possible an even better solution would be to highlight the cell that is different AND has the least frequency number. For instance, say in the last 4 columns when looking at one row, the values are shown as '4', '4', '5', '4' - only highlight the cell that has the 5 in it because yes it is different but it also shows up the least number of times. Any help would be hugely appreciated. Please let me know if there are any issues with seeing the image.
... View more
06-09-2021
11:17 PM
Hi All, Currently I have a pivot table within a dashboard. I've added a dropdown that filters the pivot table based on the selected dropdown item. I was wondering is there a way where I can add a column to the pivot table if a particular dropdown value is selected. E.g. Something along the lines of the following logic: if($dropdownfield$=="cartridge") add column "Catridge" remove column "Artefact" Feel free to ask for further clarification if the question doesn't make sense. Any help would be highly appreciated.
... View more
06-09-2021
07:00 PM
Hi all, I've setup a dynamic dropdown field in a dashboard through the following configurations: I then use the field value as a input to filter one of the pivot tables on the dashboard (FILTER Artefact is $artefact$ ). However the issue I'm facing is that the Artefact values can sometimes have a whitespace in their values e.g. "foo bar" and this is creating an issue when filtering as it just filters by foo instead of foo bar. Any help would be highly appreciated!
... View more
06-06-2021
11:08 PM
Hi all, I had a previous question that got solved here: https://community.splunk.com/t5/Getting-Data-In/Split-a-nested-json-array-with-key-value-pairs/m-p/554294#M91857 However, with a slight variation to the input json data, splunk is no longer separating out each object as an event (changed "Rows" into "Root" and "timestamp" into "Timestamp"). Similar to the question above, I have the following input data (this is nicely structured, whereas in the file it is instead one long line): {
"Root": [
{
"Timestamp": "03-06-2021 13:52:34",
"Region": "rcc",
"Hostname": "lx206",
"Version": "123",
"Environment": "E"
},
{
"Timestamp": "03-06-2021 13:52:33",
"Region": "rcc",
"Hostname": "lx206",
"Version": "123",
"Environment": "E"
},
{
"Timestamp": "03-06-2021 13:52:32",
"Region": "rcc",
"Hostname": "lx206",
"Version": "123",
"Environment": "S"
},
{
"Timestamp": "03-06-2021 13:52:31",
"Region": "rcc",
"Hostname": "lx206",
"Version": "123",
"Catridge": "UPP",
"CatridgeType": "Product",
"Environment": "S"
}
]
} The following props.config was used before, however no longer works with the new data: CHARSET=AUTO DATETIME_CONFIG= LINE_BREAKER=}(,){\"timestamp\" NO_BINARY_CHECK=true SEDCMD-a=s/{"Rows": \[//g SEDCMD-b=s/\]}//g SHOULD_LINEMERGE=false disabled=false pulldown_type=true category=Custom With the new input data, I've tried modifying the config file to produce the following, however one event is produced instead of separating each object into an event: CHARSET=AUTO DATETIME_CONFIG= LINE_BREAKER=}(,){\"Timestamp\" NO_BINARY_CHECK=true SEDCMD-a=s/{"Root": \[//g SEDCMD-b=s/\]}//g TRUNCATE=0 SHOULD_LINEMERGE=false disabled=false pulldown_type=true category=Custom Any help would be greatly appreciated.
... View more
Labels
- Labels:
-
JSON
-
props.conf
06-03-2021
05:07 PM
Thanks for the explanation! One more question @kamlesh_vaghela What are the impacts if this is a large json file. I've seen that I may potentially have to use the TRUNCATE=0 config line. Is that true/ is the correct solution to a large character size in in the json file?
... View more
06-03-2021
06:56 AM
Hi @kamlesh_vaghela , Sorry one more request, do you mind explaining how this actually works?
... View more
06-03-2021
06:49 AM
Thank you so much @kamlesh_vaghela , realised the problem was that the input file was formatted json with line breaks and not in raw form. Thats why it was giving splunk issues. Now its all working thanks!
... View more
06-03-2021
06:23 AM
Hi @kamlesh_vaghela Thanks for the help - however unfortunately it didn't work on my side. What I did was go on the web UI of splunk enterprise I've selected Settings > Source Types then edited my source type with the suggested field inputs. The remaining fields popped up by default when going to click save. I've gone through the web UI as when I edit the props.conf file located in Splunk/etc/system/local and hit save, it doesn't get reflected on the web instance of splunk even when I refresh the page, however when I make an update through the web UI, it is reflected in the file.
... View more
06-03-2021
12:26 AM
Hi all, Im trying to manually upload the following JSON file into splunk enterprise however its producing one event instead of creating 4, one for each timestamp. {
"Rows": [
{
"timestamp": "03-06-2021 13:52:34",
"Region": "rcc",
"Hostname": "lx206",
"Version": "123",
"Environment": "E"
},
{
"timestamp": "03-06-2021 13:52:33",
"Region": "rcc",
"Hostname": "lx206",
"Version": "123",
"Environment": "E"
},
{
"timestamp": "03-06-2021 13:52:32",
"Region": "rcc",
"Hostname": "lx206",
"Version": "123",
"Environment": "S"
},
{
"timestamp": "03-06-2021 13:52:31",
"Region": "rcc",
"Hostname": "lx206",
"Version": "123",
"Catridge": "UPP",
"CatridgeType": "Product",
"Environment": "S"
}
]
} The following is my props.config file: [simpleOutputVersion2]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true
TIMESTAMP_FIELDS = Rows{}.timestamp
TIME_FORMAT = %d-%m-%Y %H:%M:%S The json input is a file and not an api reeponse. Also are there considerations I should make for truncation, adding a TRUNCATE=0 tag as well? Any help would be highly appreciated.
... View more
Labels
- Labels:
-
JSON
06-02-2021
08:33 PM
My props.configs file looks like this: [output_simplified1] DATETIME_CONFIG = INDEXED_EXTRACTIONS = JSON KV_MODE = none LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true category = Structured description = JavaScript Object Notation format. For more information, visit http://json.org/ disabled = false pulldown_type = true TIME_PREFIX = },"date_time": TIME_FORMAT = %d/%m/%Y What my goal here is to an event for each timestamp, thus 1 event capturing the following information: "SVP": {
"rcc": {
"application": {
"ICE13": {
"hostname": "218",
"domain": "rc",
"app_id": "13",
"version": "413",
"date_time": "29/05/2021"
} With the next event containing: "ICE1": {
"hostname": "lnxau2004st0218",
"domain": "rcc",
"app_id": "1",
"version": "413",
"date_time": "31/05/2021" with the Application, rcc and SVP upper level keys also attached. Essentially every object that has a data_time attribute, it should be turned its own independent event that should be able to be categorised based on the keys. E.g. Filtering based on "application" whilst within SVP.rcc Is this possible? Is it overcomplicating and consequently should the data structure be altered?
... View more
06-01-2021
11:33 PM
Hi all, I'm quite new to splunk. I've been testing the manual upload of the following json file to splunk enterprise. However, I'm getting the error "Failed to parse timestamp" so I'm guessing it's unable to read the timestamp that is available in the json file "date_time". Would anyone be able to help me with this issue, also I am unable to alter the config file (etc/...) so hopefully the solution can be done through the web UI. JSON input file: {
"SVP": {
"rcc": {
"application": {
"ICE13": {
"hostname": "218",
"domain": "rc",
"app_id": "13",
"version": "413",
"date_time": "29/05/2021"
},
"ICE1": {
"hostname": "lnxau2004st0218",
"domain": "rcc",
"app_id": "1",
"version": "413",
"date_time": "31/05/2021",
"UPP": {
"hostname": "218",
"domain": "rc",
"version": "null",
"date_time": "29/05/2021"
}
}
},
"utility": {
"ICE13": {
"Ctl.sh": {
"hostname": "218",
"domain": "rc",
"version": "144",
"date_time": "29/05/2021"
}
},
"ICE1": {
"Ctl.sh": {
"hostname": "218",
"domain": "rc",
"version": "144",
"date_time": "31/05/2021"
}
},
"ICE5": {
"Ctl.sh": {
"hostname": "218",
"domain": "rc",
"version": "144",
"date_time": "30/05/2021"
}
},
"ICE9": {
"Ctl.sh": {
"hostname": "218",
"domain": "rc",
"version": "144",
"date_time": "31/05/2021"
}
},
"ICE11": {
"Ctl.sh": {
"hostname": "219",
"domain": "rc",
"version": "140",
"date_time": "30/05/2021"
}
}
}
}
}
} Thanks for any and all help!
... View more
Labels
- Labels:
-
JSON
- « Previous
-
- 1
- 2
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-22-2021
01:02 PM
|
