Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About subtrakt
subtrakt
Contributor
Member since:
09-02-2012
06-05-2020
Community Statistics
| Posts | 136 |
| Solutions | 1 |
| Karma Given | 14 |
| Karma Received | 24 |
| Member Since | 09-02-2012 |
Activity Feed
- Got Karma for eval isnull. 11-02-2020 01:51 AM
- Got Karma for Sideview Utils: Is there a way to add an 'arg.earliest' param to the HTML module for a drilldown timerange token?. 06-05-2020 12:48 AM
- Got Karma for default search * being dispatched unintentionally. 06-05-2020 12:48 AM
- Karma Re: How to create a module that has a "+" symbol to expand and display inputlookup results under a chart panel? for sideview. 06-05-2020 12:47 AM
- Karma Re: How to write a search that automatically compares volume for this year against the same day of the week last year? for musskopf. 06-05-2020 12:47 AM
- Karma Re: Are there plans to get autorefresh and hidden post process nested in a hidden saved search module? for sideview. 06-05-2020 12:47 AM
- Karma Re: Query help with search using sum(count) and 2 subsearches using count for somesoni2. 06-05-2020 12:47 AM
- Karma Re: How to convert epoch to local time? for ramdaspr. 06-05-2020 12:47 AM
- Karma Re: Rex Question for woodcock. 06-05-2020 12:47 AM
- Karma Re: If summary searches run every 5 minutes, can a non-summary search be merged with the summary to fill-in the most recent 5 minutes? for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Make one column in table module have hyperlinks but leave the rest non-link for sideview. 06-05-2020 12:47 AM
- Karma Re: Sideview Utils: How to redirect, but not dispatch a search? for sideview. 06-05-2020 12:47 AM
- Got Karma for How to write a search that automatically compares volume for this year against the same day of the week last year?. 06-05-2020 12:47 AM
- Got Karma for Sideview Utils: How to redirect, but not dispatch a search?. 06-05-2020 12:47 AM
- Got Karma for Sideview Utils: How to redirect, but not dispatch a search?. 06-05-2020 12:47 AM
- Got Karma for Re: When redirecting from a drilldown, why is testfield in redirect not correct on tables with multiple rows?. 06-05-2020 12:47 AM
- Got Karma for Query help with search using sum(count) and 2 subsearches using count. 06-05-2020 12:47 AM
- Got Karma for Are there plans to get autorefresh and hidden post process nested in a hidden saved search module?. 06-05-2020 12:47 AM
- Got Karma for How to write a search that automatically compares volume for this year against the same day of the week last year?. 06-05-2020 12:47 AM
- Got Karma for autorefreshmodule and hiddensavedsearches. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
06-16-2014
06:03 AM
Hi!
I have a timechart that run every ten minutes but the event volume is very high and sometimes the query won't complete in 10 minutes. The query is using an index also.
I'm open to any options. I just need to know percentage from about 6 different sources of traffic defined in a lookup "NAME" field.
Can timecharts rollover? I would think the chart could run a search once then constantly rollover into itself every 10 minutes instead of re-running the entire search again.
... | timechart span="2m" count by NAME
... View more
- Tags:
- timechart
06-15-2014
09:15 AM
Is stream stats counting by the search duration? If i choose 2 hours it will look for any urls counts > 10 over 2 hours? or is it looking at a smaller default bucket size if i do not specify it prior?
... View more
06-15-2014
09:04 AM
Hi -
Trying to sort by highest URL count, limit to 12(prevent "other" in the time-chart) and then time-chart. Thanks!
This doesn't seem to give me the desired results:
... | streamstats count by URL | accum URL | sort count limit=12 | timechart count span=2m by URL
Logic:
stream the stat counts by url
accumilate the streamed URL stats
sort by count
limit the count to 12 so "other" is not displayed on the timechart
create timechart
Another thing worth mentioning when i remove 'accum URL' and replace sort with | where count > n | it works but is not an automatic solution... I guess with "sort" i have to worry about rows being created and if >10000 rows are created i will have truncated results. Is that accurate?
This is what i'm using currently and it seems to be working -
... | streamstats count by URL | where count > 10 | timechart count span=2m by URL
... View more
- Tags:
- streamstats
- timechart
05-18-2014
04:52 PM
Thanks Martin. I added some filters to decrease the search results and it seems to be working fine now.
... View more
05-18-2014
02:04 PM
looks like on a 2 hour search the search is somehow dropping off data on the middle of the chart(1hour). i was thinking window=1 might have something to do with it.
... View more
05-18-2014
01:18 PM
Bravo! that is impressive! I'm going to have to do some research and learn what all this means.
... View more
05-18-2014
08:11 AM
That works if i'm trying to get the most-hit-URL. But if a single IP is causing noise - that would not be the goal of the chart. I was hoping i could do something like this - "...| eventstats dc(WEB_IP) as TEST2 by WEBURL| eval TEST1=WEBURL." ".TEST2 | timechart count limit=10 by TEST1 | sort - TEST2" and that would show the URLs with highest dc(WEB_IP) count.
... View more
05-17-2014
05:13 PM
Unfortunately, that came back with an empty chart. Now that i think about it, If i could sort the timechart by the highest dc(WEB_IP) count and set the timechart for useother=f that would be the best option. I put "timechart... | sort WEB_IP" but it didn't seem to reflect the low end of the spectrum when i did "| sort -WEB_IP" and the high end of the spectrum when i did "| sort WEB_IP"
... View more
05-17-2014
04:30 PM
above is my first guess but eventstats doesn't count that way apparently.
... View more
05-17-2014
04:30 PM
That works beautifully thanks somesoni2! To add to this and reduce noise, does anyone know how to show only URLS with > 10 500s in the search range? ... | eventstats dc(WEB_IP) as TEST2 by WEBURL | where WEBURL > 10
... View more
05-17-2014
01:14 PM
Hi,
Here's my query -
... 500 | stats dc(WEB_IP) as TEST2 | eval TEST1=WEBURL." ".TEST2 | timechart count by TEST1
Seems simple but i am not having any luck getting the timechart to work.
The end result will be a chart that shows URLs [WEBURL] experiencing 500 errors and
in the chart legend [TEST1], the URL will be displayed and a count beside it that shows how many different IPs [dc(WEB_IP)] have experienced a 500.
... View more
04-20-2014
04:40 PM
This suggestion is great - however, when drilling down I've been struggling with "PARSER: Applying intentions failed Drilldown error: unable to drill down from append
Here's the current CISCO query i'm using...
...| eval Time=_time | convert ctime(Time) | rex "(?i)^([^:]:){8}(? . )$" | eval HOSTMESSAGE=host+CISCO_MESSAGE | timechart span=2m count by HOSTMESSAGE limit=12 | appendpipe [stats count | eval NoResult="" | where count=0 | fields - count]
... View more
04-13-2014
10:35 AM
I have a dashboard with many panels. If i used the 'field' command for for the underlying queries, would that help save Splunk resources?
Or does Splunk already know what field to use when it see's 'timechart count by ' and then ignores the rest of the fields???
... View more
04-08-2014
05:34 AM
It is still coming back as NULL for messages that are not defined in the lookup. the field after "isnull" in parentheses is supposed to be the field that could come back as null correct?
... View more
04-07-2014
06:48 PM
2 Karma
Hi!
Anyone know why i'm still getting NULL in my timechart?
The lookup "existing" has two columns "ticket|host_message". host_message column matches the eval expression host+CISCO_MESSAGE below... I **can get the host+message+ticket number to show up in the timechart with the following query - however if the results do not match host_message in the lookup, hostTICKET comes back null.** I want null to simply be host_message without the ticket because it does not exist on the lookup.
index=net | rex "(?i)^([^:]*:){8}(?<CISCO_LOG>.*)$" | eval host_message=host+CISCO_LOG | lookup existing host_message | eval hostTICKET=if(isnull(hostTICKET),host_message+" "+TICKET,host_message) | timechart count by hostTICKET
... View more
03-30-2014
04:32 PM
HI!
What's the easiest way to create a time-chart and stats table with same query so I can create a dashboard, have a chart on the left, and stats table beside it without creating a seperate search?
Once I introduce the stats command, the time-chart comes back with no results.
Thanks!
... View more
03-30-2014
03:25 PM
It Works! Nice and easy! Can I change it to use different fields? or can the xml use regex? See, right now the actual click-to is two fields combined for chart illustration purposes - field1 is digits field2 is descriptions. I just need the first field with the digits. A simple \d+ in regex would get me what i need
... View more
03-29-2014
09:57 AM
Hi,
I have a dashboard with time-charts... I'm trying to take the "App#" fields values that the time-chart is sourced from and would like to inject the value to the end of the URL below once the bar on the chart is clicked... Is this possible without sideview util?
TestURL:
http:/www.blah.com/app.php?app=<App#>
Panel XML
Error_Application_#
Error_Application_#
column
stacked
bottom
... View more
03-24-2014
07:52 AM
Thanks, is there a way to do it without sideview?
... View more
03-23-2014
06:56 AM
1 Karma
Hi,
In a dashboard, what's the simplest way to make every link including timechart drill-down open a new tab?
Thanks!
... View more
03-08-2014
06:05 AM
Hello,
I have a dashboard that displays around 30 saved searches. I have it set to load all the saved searches when the dashboard is loaded and refresh every 600 seconds - performance is fair.
To increase performance, I'm debating on scheduling the saved searches but don't want to create too much overhead when the dashboard is not in use. Would using dashboard inline searches be a better option?
Thanks!
... View more
02-23-2014
03:01 PM
I'm trying to avoid "no results found. inspect" message when my query returns 0 value. I just want an empty chart to keep my dashboard uniform. I've checked online for a solution but everything but i've tried doesn't work.
Here is where I'm at but it is still showing the "no results found. inspect"
MESSAGE=* | append [|eval MESSAGE="Test" | eval MESSAGE=0 | where count==0] | stats c(MESSAGE) | timechart count by MESSAGE
... View more
02-21-2014
12:53 PM
Hi Everyone - I'm trying to reduce noise on some of my reports. Certain messages with "unreadable" are coming in and I only want them on the report if the the count is > 5. At the same time, I don't want to ignore everything else that is < 5 that does not include "unreadable"...
Here's what i thought made sense.
stats dc(MESSAGE) | where MESSAGE="unreadable" > 5
... View more
- « Previous
- Next »
