Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About DEAD_BEEF
DEAD_BEEF
Builder
Member since:
08-14-2014
06-05-2020
Community Statistics
| Posts | 251 |
| Solutions | 11 |
| Karma Given | 158 |
| Karma Received | 54 |
| Member Since | 08-14-2014 |
Activity Feed
- Got Karma for Re: tstats timechart. 02-20-2025 02:50 PM
- Got Karma for Re: tstats timechart. 11-12-2024 09:32 AM
- Got Karma for Re: tstats timechart. 10-10-2024 11:57 AM
- Got Karma for Re: tstats timechart. 06-12-2024 04:54 AM
- Got Karma for Re: How to make visio icons appear correctly in Visio ?. 03-01-2022 02:31 AM
- Got Karma for Re: How to remove an indexer from the distributed management console?. 02-10-2022 07:27 AM
- Got Karma for Re: Why are my ulimits settings not being respected on ubuntu/debian after a server reboot?. 11-29-2021 03:35 AM
- Got Karma for Re: How to remove an indexer from the distributed management console?. 07-12-2021 10:48 AM
- Got Karma for Splunk ES 4.7.6 - How do we track active investigations via lookup?. 05-05-2021 04:43 PM
- Got Karma for Re: Splunk ES 4.7.6 - How do we track active investigations via lookup?. 05-05-2021 04:43 PM
- Got Karma for Re: Why aren't my IDS logs populating the Intrusion Detection data model?. 04-09-2021 07:46 AM
- Got Karma for Re: CIM datamodel mapping for PaloAlto threat (including URL Filtering) log. 03-11-2021 02:21 AM
- Got Karma for Re: tstats timechart. 01-07-2021 06:41 AM
- Got Karma for Re: tstats timechart. 01-04-2021 12:18 AM
- Got Karma for Re: How to remove an indexer from the distributed management console?. 09-08-2020 06:11 AM
- Got Karma for Re: How to include timestamp of most recent event in a comparison between current day and a prior period. 08-19-2020 10:45 PM
- Got Karma for Re: Why Splunk CIM does not apply tags but 'Search & Reporting' does?. 06-30-2020 07:49 AM
- Karma Re: Multi-site Indexer rolling restart - indexer fails to restart/timeout for maraman_splunk. 06-05-2020 12:51 AM
- Karma Re: Multi-site Indexer rolling restart - indexer fails to restart/timeout for hmallett. 06-05-2020 12:51 AM
- Karma Re: Multi-site Indexer rolling restart - indexer fails to restart/timeout for maraman_splunk. 06-05-2020 12:51 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-06-2019
05:03 PM
I have a dashboard where all the panels are running for the time period of yesterday. Rather than display the date range for each panel, I'd like to dynamically update the title of the dashboard to include the date range.
I found a few other posts on here that asked something similar but most required tying it to a time picker, which I am not using. Most of the panels are populated by reports. So after reading the various solutions, I thought I could make a dummy search and use the tokens in the title, but my syntax isn't quite working. I also tried getting it to work in the description but that doesn't seem to work either. Either/or would work for me as a solution.
current XML
<dashboard>
<label>$earliest_time$ to $latest_time$</label>
<description>$timelabel$</description>
<search>
<done>
<eval token="earliest_time">strftime(relative_time(now(), $job.request.earliest_time$), "%d %b %T")</eval>
<eval token="latest_time">strftime(relative_time(now(), $job.request.latest_time$), "%d %b %T")</eval>
</done>
<query>|tstats count where index=my_index</query>
<earliest>-1d@d</earliest>
<latest>@d</latest>
<progress>
<set token="timelabel">$result$</set>
</progress>
</search>
</dashboard>
... View more
01-04-2019
09:08 AM
I'd like to create an auditing like dashboard panel that shows the user, the name of the correlated rule, the action (creation, deletion, edit, enable/disable). I have looked around in the _* indexes and can't find it. Can someone point me in the right direction?
... View more
12-31-2018
03:51 PM
Note for future readers: if you are using charting.backgroundColor, then you keep the color code as #xxxxxx where x represents the hex values for your specific color.
... View more
12-31-2018
03:00 PM
2 Karma
Thank you @DalJeanis! Just needed to encode the "<" but otherwise it worked perfectly. First time for me using these tags, learning new SPL everyday.
... View more
12-31-2018
11:02 AM
Hi @DalJeanis I think I can break up the SPL query into individual searches to avoid using trellis. Can you give me an example of how to do it with a "normal chart"? Then I can try implementing it via <done> as you mentioned?
... View more
12-30-2018
07:36 PM
I have a simple timechart that looks at the _internal index for various hosts and makes a simple timechart span by hour. I trellis this by host so I get say 8 medium sized timecharts that show log counts over the last 3 days. Sometimes, some of these hosts go down and the value obviously goes to zero.
How do I make the background panel for that host colored red when any of the values is zero? In other words, I want to capture the attention of my users when any of the hosts have a time when there are no logs. If this isn't possible, I'd be open to other suggestions that would get a users attention. I already have alerts set up as well, but this dashboard is also important, and I want to make it easier to capture the user's attention.
| tstats count where index=_internal host=myhost00* by host_time prestats=t span=1h
| timechart span=1h count by host
Final working SPL. Since I have multiple hosts, I just broke them down into individual searches and removed the <panel> tags to make them look like one big panel.
<dashboard>
<label>Test Dashboard</label>
<row>
<panel>
<chart>
<search id="pre">
<query>| tstats count where index=_internal host=system1 BY host _time prestats=t span=1h
| timechart span=1h count AS mycount
</query>
<earliest>-48h@h</earliest>
<latest>@h</latest>
</search>
<option name="charting.backgroundColor">$myColorToken$</option>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">preview</option>
</chart>
</panel>
</row>
<search base="pre">
<query>| stats min(mycount) AS mincount</query>
<done>
<eval token="myColorToken">if($result.mincount$<=0,"red","white")</eval>
</done>
</search>
</dashboard>
... View more
12-28-2018
08:56 AM
@niketnilay yes, I ran this and while it's nice to click and then run in another panel, I needed the click itself to open a new browser window with a custom search. Nonetheless, my final solution involved using your match condition with a link to make it work as intended. Thank you for the assistance.
... View more
12-28-2018
08:53 AM
Here was the final solution, partially contributed by @niketnilay ( condition match ) and @p_gurav ( <link> )
<row>
<panel>
<title>New Window on Click</title>
<table>
<search>
<query>| loadjob savedsearch="dead_beef:my_app:Report_1"
| eval report="Report 1"
| appendpipe
[| loadjob savedsearch="dead_beef:my_app:Report_2"
| eval report="Report 2"]
| appendpipe
[| loadjob savedsearch="dead_beef:my_app:Report_3"
| eval report="Report 3"]
| appendpipe
[| loadjob savedsearch="dead_beef:my_app:Report_4"
| eval report="Report 4"]
| rename report AS Report count AS Count
| table Report Count</query>
<earliest>-1d@d</earliest>
<latest>@d</latest>
<sampleRatio>1</sampleRatio>
</search>
<drilldown>
<condition match="$row.Report$=="Report 1"">
<link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=a earliest=-1d@d latest=@d</link>
</condition>
<condition match="$row.Report$=="Report 2"">
<link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=b earliest=-1d@d latest=@d</link>
</condition>
<condition match="$row.Report$=="Report 3"">
<link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=c earliest=-1d@d latest=@d</link>
</condition>
<condition match="$row.Report$=="Report 4"">
<link target="_blank">https://mysplunk.com/en-US/app/my_appp/search?q=search index=d earliest=-1d@d latest=@d</link>
</condition>
</drilldown>
</table>
</panel>
</row>
... View more
12-28-2018
08:40 AM
This helped as I learned about the <link> option from here which ended up being part of my solution.
... View more
12-27-2018
11:42 AM
Hi @niketnilay, I really appreciate the full example that you included! I added the drilldown syntax after the <option name=... but how do I make it "clickable" to run these searches when the user clicks that specific row? I see how when you match on the report name, you can specify the SPL query, but after i did that it is only setting the token. How do I get it to execute the search on click?
... View more
12-26-2018
11:09 AM
I have a table with 4 rows, each showing a single value result. This table is populated by loading four separate reports via the loadjob and appendpipe commands.
Is there a way that I can write a custom SPL query based on which row the user clicks on? I don't want to load the report. Instead, I'd like to use a specific search to run (so four different searches) depending on which row the user clicks on since the data that populates each report searches different indexes.
The row order is static since it loads specific reports and will always appear in this order. I am open to using CSS, HTML, JS, XML, whatever means is possible to implement this behavior if possible.
TABLE
Report Count
Report 1 22
Report 2 0
Report 3 10,037
Report 4 719
... View more
The issue was that since I was using stats in each report, I needed to add the results of each report via appendpipe as the documentation states, "The appendpipe command is used to append the output of transforming commands, such as chart, timechart, stats, and top." I have modified it using appendpipe and it works perfectly.
... View more
So ultimately, I was testing reports and they weren't always loading the results despite running the reports hourly. Since all my reports return a single value, I ended up listing all 8 reports with the use of repeated append to put them all in one table. I have scheduled this massive search to remedy the timeliness issues.
... View more
Okay, so some of the reports take a while to run so that's why I have them scheduled. Thanks to you clueing me into savedsearch that runs the search again so that wouldn't work for me. But, I did find the command loadjob which loads the results from a saved search. I tried it with only one of my searches and so far it just sits at "Finalizing results." but nothing happens. I'm going to clone one of the reports and just have it output a statistic table rather than a single value visual to see if that works.
My not working SPL
| loadjob savedsearch="dead_beef:my_custom_app:Saved Report One"
... View more
Yes, these are 8 separate saved searches/reports.
... View more
I have 8 separate reports that all return single value results (e.g.: 2500). Each of these reports searches different indexes or source types. How can I combine all the single value results from these 8 separate reports into a single 8-row table panel within a dashboard ?
Report 1 - 25
Report 2 - 47
...
Report 8 - 2719
Dashboard Panel
Summary of Reports
(report name or custom text) - 25
Report 2 - 47
Report 3 - 209273
...
Report 8 - 2719
FINAL WORKING QUERY
Turns out, I needed appendpipe instead of append since all my reports use a stats count for the final single-value result.
| loadjob savedsearch="dead_beef:my_app:report_1"
| eval report="1. Report 1"
| appendpipe
[| loadjob savedsearch="dead_beef:my_app:report_2"
| eval report="2. Report 2"]
| appendpipe
[| loadjob savedsearch="dead_beef:my_app:report_3"
| eval report="3. Report 3"]
| appendpipe
[| loadjob savedsearch="dead_beef:my_app:report_4"
| eval report="4. Report 4"]
| rename report AS Report count AS Count
| table Report Count
... View more
12-14-2018
11:42 AM
Why it wouldn't work with -d vs -1d is a mystery. Thank you, this worked perfectly, thank you!
... View more
12-14-2018
10:44 AM
I have a single value dashboard panel that counts the number of hosts by IP address. I am listing the time range of the search in the title of the panel using $earliest_d$ and $latest_d$ tokens. For some unknown reason, only $latest_d$ is working and displaying the end time of the search. I am going in circles trying to figure out why the earliest time field isn't loading as expected.
<form>
<label>Test</label>
<fieldset submitButton="false" autoRun="true"></fieldset>
<row>
<panel>
<title>Unique Devices</title>
<single>
<title>$earliest_d$ - $latest_d$</title>
<search>
<done>
<eval token="earliest_d">strftime(relative_time(now(), $job.request.earliest_time$), "%d %b %T")</eval>
<eval token="latest_d">strftime(relative_time(now(), $job.request.latest_time$), "%d %b %T")</eval>
</done>
<query>| tstats dc(host) AS Hosts where (index=a* OR index=b*)</query>
<earliest>-d@d</earliest>
<latest>@d</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="numberPrecision">0</option>
<option name="rangeColors">["0x65a637","0x65a637"]</option>
<option name="rangeValues">[0]</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="underLabel">Unique Hosts</option>
<option name="unitPosition">after</option>
<option name="useColors">1</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
</form>
... View more
It does not produce a time field. It just produces various stats panels within the dashboard. When you say "keep the _time field" I can say that none of the panels change or alter _time.
... View more
I have 4 panels on a dashboard. These panels are populated via scheduled reports. They each have their own timerange that they cover. Is it possible to add a time input on the dashboard and let users change this such that the panels re-run with the newly selected time range? That is, I want to keep the default time range of the scheduled report, but allow users to select a new time range and then the panels within the dashboard rerun and present results based on the newly selected time range. I tried messing around with it and don't see how I can override the report's time range by putting a new Time input in that panel.
... View more
12-02-2018
01:09 PM
It worked and looks better than the trellis! Thank you so much for all the assistance.
... View more
12-02-2018
12:20 PM
Alright, so two single-value panels wouldn't stack vertically (at least not by default, maybe doable in XML?). So, what I did was take your query and then trellis by Type and that made two single-values on one panel. Looks much better than the plain table and the click for each one is working as intended. Good thinking! Thanks again for all the help.
... View more
12-02-2018
12:02 PM
Hey @whrg! I like the idea of using two single-value panels. I'll try messing around with that and see if I can get it to work. The big thing is the existing layout of panels on the dashboard.
Currently there are 4 panels in 1 row across my dashboard (the named/blank) being #2.
[1] [2] [3] [4]
If I can break up the named/blank into two single values BUT display them such that they take up the same spaces "stacked vertically" as [2] then it would be perfect, visually nicer, and make the drilldown simpler.
I'll try a bit and post back.
... View more
12-02-2018
10:48 AM
A statistics table within my dashboard counts the total number of hosts who have a hostname (Named) and total number of blanks (Blank).
I enabled the drill-down and when you click on either value, it just opens the existing query that shows all hosts, those with and without hostnames. I want to set it so that if the user clicks on the values under Named or Blank, then it only searches for those. I'm trying to do it via tokens, but I'm not sure how to pass the column name (Named or Blank) to append to the custom drilldown query | search $clicked_column$
sample data
host hostname
1.1.1.1 host-1.com
2.2.2.2
3.3.3.3 host-3.com
4.4.4.4 host-4.com
5.5.5.5
SPL
| tstats count where index=network by host
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| stats count(eval(isnull(hostname))) AS Blank count(eval(isnotnull(hostname))) AS Named
output
Named Blank
3 2
desired click on 3 (Named column)
host hostname
1.1.1.1 host-1.com
3.3.3.3 host-3.com
4.4.4.4 host-4.com
desired click on 2 (Blank column)
host hostname
2.2.2.2
5.5.5.5
... View more
12-02-2018
09:23 AM
1 Karma
Exactly what I was looking for. I didn't think of using the value from stats and passing it to eventstats. Thank you!!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
Karma given to
