Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About POR160893
POR160893
Builder
Member since:
11-16-2021
06-19-2023
Community Statistics
| Posts | 288 |
| Solutions | 2 |
| Karma Given | 141 |
| Karma Received | 7 |
| Member Since | 11-16-2021 |
Activity Feed
- Got Karma for Export is disabled on panels- How do I enable?. 05-14-2025 09:09 AM
- Got Karma for Cannot open search on Splunk Dashboard Studio. 12-10-2023 07:59 AM
- Posted How to tend graph overlay on Dashboard Studio? on Dashboards & Visualizations. 06-15-2023 05:56 AM
- Posted Re: Alert not triggering when string value is empty on Other Usage. 06-12-2023 05:35 AM
- Posted Why is alert not triggering when string value is empty? on Other Usage. 06-12-2023 04:04 AM
- Posted How to calculate distinct count for present values and 7 days ago values for a given field? on Splunk Search. 06-08-2023 04:26 AM
- Posted How to write a query to check IP addresses in Subnets? on Splunk Search. 06-01-2023 02:52 AM
- Karma Re: Change textbook to search on multiple values for isoutamo. 05-30-2023 03:45 AM
- Posted Cannot open search on Splunk Dashboard Studio on Dashboards & Visualizations. 05-30-2023 01:52 AM
- Posted Change textbook to search on multiple values? on Splunk Search. 05-29-2023 05:55 AM
- Posted Re: Unable to search with String tokens against 2 fields on an lookup on Splunk Search. 05-25-2023 02:38 AM
- Posted Why am I unable to search with string tokens against two fields on an lookup? on Splunk Search. 05-25-2023 01:59 AM
- Posted How to combine two lookups? on Splunk Search. 05-23-2023 04:48 AM
- Posted Re: Join where a macro is used in the search on Dashboards & Visualizations. 05-15-2023 01:47 AM
- Posted How to join where a macro is used in the search? on Dashboards & Visualizations. 05-15-2023 12:50 AM
- Posted How to resolve Time Error Message in Python in Splunk? on Splunk Enterprise. 05-02-2023 05:03 AM
- Karma Re: Create a new Quarter field with specific conditions for rut. 04-27-2023 12:06 PM
- Karma Re: Create a new Quarter field with specific conditions for gcusello. 04-27-2023 12:06 PM
- Posted How to create a new Quarter field with specific conditions? on Splunk Search. 04-27-2023 03:41 AM
- Posted Re: Unable to change bar chart to ONLY show the number of events for just the previous business quarter on Splunk Search. 04-23-2023 05:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-11-2023
02:53 AM
Hi,
I am creating a dashboard where one of the queries is using the rex command. However, in the XML, I am getting the error "Unexpected cloase tage> at the end of the end of the query. The query is as follows: index="ABC" sourcetype=XYZ "Logout User:" | rex field=_raw "Logout User:\s+(?<user>\S+)" | top 10 user I know it is something to do with the rex command but not sure how to correct it .... can you please help?
Many thanks as always,
... View more
04-06-2023
10:10 AM
1 Karma
Perfect! Thank you so much for this information.
... View more
04-06-2023
03:57 AM
Hi,
I am doing statistical analysis on a number of indexes for time series forecasting.
On reading the following article, its gives a sample SPL query as follows: | gentimes start=”01/01/2018" increment=1h | eval _time=starttime, loc=0, scale=20 | normal loc=loc scale=scale | streamstats count as cnt | eval gen_normal = gen_normal + cnt | table _time, gen_normal | rename gen_normal as “Non-stationary time series (trend)” [Article is this: ]https://towardsdatascience.com/time-series-forecasting-with-splunk-part-i-intro-kalman-filter-46e4bff1abff The "normal" command is a cutom external command and I wanted to ask how and where I can get such statistical functions into Splunk? Many thanks as always,
... View more
Labels
04-03-2023
02:16 AM
Hi,
I am creating a dashboard where I need to use the density function to show anomalies as follows: | tstats count as total where index=dns by _time span=1h | fit DensityFunction total dist=norm show_density=true | bin total bins=100 | stats count avg("ProbabilityDensity(total)") as pd by total However, when using the ProbabilityDensity function within the machine learning app in Splunk, no results are outputted. In addition, I see no Probability Density macros "out-of-the-box" within the Machine Learning app either. What is the definition of this DensityFunction macro so I can create it or do I need to download this macro?
Many thanks,
... View more
03-31-2023
04:32 PM
Hi, I have the following query: | tstats count where index=dns earliest=-90d latest=now() groupby _time span=1d | fields _time count | rename _time as hour | eval hour=strftime(hour,"%Y-%m-%d %H:%M:%S") | fields hour count | fields - _* | eventstats avg(count) as avg_count | eval k=(pow(avg_count,2))/(var(count)-avg_count) | eval outlier=if(count>(avg_count+k*pow(avg_count,2)),1,0) | eval predicted_outlier=if(outlier=1,"anomaly","normal") | eval actual_outlier=if(day>relative_time(now(),"-7d"), "anomaly", "normal") | eval true_positives=if(predicted_outlier="anomaly" AND actual_outlier="anomaly", 1, 0) | eval false_positives=if(predicted_outlier="anomaly" AND actual_outlier="normal", 1, 0) | eval false_negatives=if(predicted_outlier="normal" AND actual_outlier="anomaly", 1, 0) | eval true_negatives=if(predicted_outlier="normal" AND actual_outlier="normal", 1, 0) | stats sum(true_positives) as TP, sum(false_positives) as FP, sum(false_negatives) as FN, sum(true_negatives) as TN | eval accuracy=(TP+TN)/(TP+FP+FN+TN) | eval precision=TP/(TP+FP) | eval recall=TP/(TP+FN) However, the this statement is not working as the var command does not work without stats and I cannot use stats in a command by itself as I want to apply this k formula for each daily count. Can you please help? Many thanks,
... View more
03-29-2023
06:28 AM
Hi,
I am trying to show the number of DNS logs per hour here on a graph with the upper and lower bound lines showing on the same plot. This is my current query:
| tstats count where index=dns groupby _time span=1h | eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| stats avg(count) as lambda | eval alpha=0.01 | eval lower=lambda/(2*n) | eval upper=lambda/(2*(1-alpha))
| timechart span=1h sum(count) as count, avg(lower) as lower, avg(upper) as upper
Currently, nothing is outputted:
Can you please help? Thanks
... View more
03-13-2023
03:32 AM
Hi, I have a query that is searching over 4 different indexes (AIBA, AIBC, AIBP, AIBX) as follows: index=AIB* "Windows" EventCode="*" | stats count as NumOfLogs by dvc_NodeName | sort - NumOfLogs | eval Host = dvc_NodeName | table Host , NumOfLogs, index However, I need one of the fields on the outputted table to be "Index" but nothing is currently outputted in my current query. Can you please help? Thanks as always!
... View more
Labels
- Labels:
-
panel
-
simple XML
-
table
-
token
03-02-2023
03:37 AM
I don't sadly, not permitted in my work
... View more
03-02-2023
02:36 AM
Hi, I have a timechart of number of events over a 7 day period and I need to run a Seasonal-Trend decomposition on the results. This is my current query: [BASE QUERY] | timechart span=1h count | streamstats window=24 avg(count) as hourly_avg_count | timechart span=1h stl hourly_avg_count as seasonal component=longterm However, I am getting the error: Unknown search command 'stl'. Can you please help? Many thanks!
... View more
Labels
- Labels:
-
data model
-
saved search
03-01-2023
07:08 AM
So, at the moment, your updated query gives me this: The above query is as follows: [BASE SEARCH] | timechart span=1q count | eval Quarter=strftime(_time,"%Y") . "Q" . ceil((tonumber(strftime(_time,"%m")))+1/3) | rename count as "Event Count" | fields Quarter, "Event Count" However, I need the individual days to be show WITH what ever quarter the day falls in.. So one timeline whose Year/Month/date and an overarching time to show what Quarter it falls. Is this possible?
... View more
03-01-2023
06:25 AM
When I used your suggestion as follows: [BASE SEARCH] | timechart span=1q count | eval Quarter=strftime(_time,"%Y") . "Q" . ceil(tonumber(strftime(_time,"%m"))+1)/3) | rename count as "Event Count" | fields Quarter, "Event Count", I receive the following error: Error in 'eval' command: The expression is malformed. What can I do?
... View more
03-01-2023
04:28 AM
Hi,
I have a timechart and the timeline on the X-axis must be in terms of quarters, i.e. like FY24Q1, FY24 Q2 etc. Currently, this is my query: (BASE SEARCH) | timechart span=1q count | eval Quarter=strftime(_time,"%Y") . "Q" . ceil((strftime(_time,"%m")+1)/3) | rename count as "Event Count" | fields Quarter, "Event Count"
However, I am receiving the following error: Error in 'eval' command: Type checking failed. '+' only takes two strings or two numbers. What can I do to solve this? Thanks as always!
... View more
02-28-2023
06:57 AM
Finally, that worked. Here is the final query that works: index=servicenow sourcetype="snow:change_request" assignment_group_name="SECURITY-NETWORK-L3" description="Security: Firewall Policy Push - Non-Critical" OR description="Security: Firewall Policy Push - Critical firewalls like Ecomm/Extranet/L EMC internet DMZs" status="Open" | table _time, description, number, status | dedup number | appendcols [| inputlookup user_identities.csv | where L7MgrName="ABC" | where NOT match(businessemail,"(?i)dellteam") | eval copy=mvrange(0,3) | mvexpand copy | eval rnd=random() | sort 0 rnd | fields - copy rnd] | eval employee_name=businessemail | where isnotnull(_time) | table _time, description, number, status, employee_name Thank you for all your help and Karma will be granted :)))
... View more
02-28-2023
06:32 AM
I just added the WHERE conditon you suggested just now but now getting no employee_name: The query I just ran: index=servicenow sourcetype="snow:change_request" assignment_group_name="SECURITY-NETWORK-L3" description="Security: Firewall Policy Push - Non-Critical" OR description="Security: Firewall Policy Push - Critical firewalls like Ecomm/Extranet/L EMC internet DMZs" status="Open" | where isnotnull(_time) | table _time, description, number, status | dedup number | appendcols [| inputlookup user_identities.csv | where L7MgrName="ABC" | where NOT match(businessemail,"(?i)dellteam") | eval copy=mvrange(0,3) | mvexpand copy | eval rnd=random() | sort 0 rnd | fields - copy rnd] | eval employee_name=businessemail | table _time, description, number, status, employee_name
... View more
02-28-2023
06:00 AM
Hi, This works somewhat but if the number of tasks is less than the number of employeees (like in the screenshot below), the tasks in question should just be assigned different employees without listing employees without any tasks associated with them.
... View more
02-28-2023
05:30 AM
Here is the query: index=servicenow sourcetype="snow:change_request" assignment_group_name="SECURITY-NETWORK-L3" description="Security: Firewall Policy Push - Non-Critical" OR description="Security: Firewall Policy Push - Critical firewalls like Ecomm/Extranet/L EMC internet DMZs" status="Open" | table _time, description, number, status | dedup number | appendcols [| inputlookup user_identities.csv | where L7MgrName="ABC" | where NOT match(businessemail,"(?i)dellteam") | eventstats values(businessemail) as businessemail] | eval employee_name=mvindex(businessemail,random()%mvcount(businessemail)) | table _time, description, number, status, employee_name As for the requirement of the 3 tasks, the stakeholder only provided me with that specification within the last 10 minutes. No employee email should appear more than 3 times beside different tasks.
... View more
02-28-2023
05:11 AM
Your query solves the issue 99% .... the only issue is some tasks have no employee assigned to them. An employee can be assigned a maximum of 3 tasks. Otherwise, the remainder tasks can be unassigned. This is what your previous query gave me: Can you help? Also, thank you so so much for your help so far on this btw, greatly appreciated and karma has been given to all your replies 🙂
... View more
02-28-2023
04:48 AM
I am currently receiving this where there are some tasks that have not been assigned any employee: The query for this screenshot is as follows: index=servicenow sourcetype="snow:change_request" assignment_group_name="SECURITY-NETWORK-L3" description="Security: Firewall Policy Push - Non-Critical" OR description="Security: Firewall Policy Push - Critical firewalls like Ecomm/Extranet/L EMC internet DMZs" status="Open" | table _time, description, number, status | dedup number | appendcols [| inputlookup user_identities.csv | where L7MgrName="ABC" | eval rnd=random() | sort rnd] | sort rnd | eval employee_name=businessemail | where NOT employee_name="*dellteam*" | table _time, description, number, status, employee_name Also, no email should contain "delteam", regardless of capilitalization of any letter in this string.
... View more
02-28-2023
04:06 AM
"businessemail" is the name of the field with the employee names nd comes from the inputlookup. If there are more employees than tasks only a random selection of employees will get a task each. If there are more tasks than employees, each employee will get an even amount of random tasks. Like, there should not be the scenerio that if there are say 10 tasks and all get assigned to 1 random employee. That is the logic I need.
... View more
02-28-2023
03:46 AM
Hey, At the moment, my query is not outputting any employee names after using the random function: What am I doing wrong?
... View more
02-28-2023
01:52 AM
Hi,
I have a query where I am first getting 3 fields from an index ("A", "B", "C") describing tasks to be completed and then adjoining a separate lookup containing employee names. I need to use a random function to randomly assign a task to random employees. So, if there are 10 tasks a 5 employees, each employees would randomly get 2 tasks OR say you have 2 tasks and 5 employees, 2 of these 5 employees would randomly get one of these 2 tasks Here is my current query: index="XYZ" | table "A", "B", "C" | appendcols [| inputlookup "DEF"] | eval rnd = random() Can you please help?
... View more
02-21-2023
03:16 PM
I am running the following query: index="ABCi" sourcetype=DEF | timechart span=1h count | fields - _time | streamstats current=t diff(count) as count_diff | stats avg(count_diff) BUT, I am receiving the following error: Error in 'streamstats' command: The argument 'diff(count)' is invalid. Can you please help? Thanks
... View more
02-20-2023
08:01 AM
1 Karma
Hi,
I have a dashboard in Dashboard Studio but I am unable to use the magnifying glass to see the search in View mode. The dashboard has Read and Write permissions for everyone, so do not know what may be the problem.
Can you please help?
Thanks
... View more
02-10-2023
07:55 AM
Sadly, it did not solve my issue as my current query where count is set outputs no fields. The query is as such: index="akamai" sourcetype=akamaisiem | timechart span=1d count(httpMessage.requestId) as count | bin _time span=15m | eval HourOfDay=strftime(_time, "%H") | eval BucketMinuteOfHour=strftime(_time, "%M") | eval DayOfWeek=strftime(_time, "%A") | stats avg(count) as avg stdev(count) as stdev by HourOfDay BucketMinuteOfHour DayOfWeek source | eval lowerBound=(avg-stdev*exact(2)), upperBound=(avg+stdev*exact(2)) | fields lowerBound,upperBound,HourOfDay,BucketMinuteOfHour,DayOfWeek,source | table lowerBound,upperBound,HourOfDay,BucketMinuteOfHour,DayOfWeek,source Let me know what you think or where I went wrong please?
... View more
02-10-2023
07:47 AM
OK. So, the count is supposed to be the number of HTTP requests for a given day. So, I set the count variable with the following then: | timechart span=1d count(httpMessage.requestId) as count Thanks!
... View more
