Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About RVDowning
RVDowning
Contributor
Member since:
05-06-2011
06-05-2020
Community Statistics
| Posts | 133 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 34 |
| Member Since | 05-06-2011 |
Activity Feed
- Karma Re: Multiple drilldown from a chart to a table to a table for somesoni2. 06-05-2020 12:47 AM
- Got Karma for Is there a way to determine if transactions overlap?. 06-05-2020 12:47 AM
- Got Karma for How to exclude weekends (Saturday and Sunday) from a transaction search and and order the days chronologically?. 06-05-2020 12:47 AM
- Got Karma for Is there a timechart legend limit?. 06-05-2020 12:47 AM
- Got Karma for Can the same data returned from a search be used to populate both a table and a graph?. 06-05-2020 12:47 AM
- Got Karma for Can the same data returned from a search be used to populate both a table and a graph?. 06-05-2020 12:47 AM
- Got Karma for How to get chart and table on same row in dashboard html. 06-05-2020 12:47 AM
- Got Karma for Why is fieldformat for time not being honored in email alert when using metadata?. 06-05-2020 12:47 AM
- Got Karma for Filtering results in an inline drilldown to exclude unrelated events.. 06-05-2020 12:47 AM
- Got Karma for How to search the average number of transactions by hour by day?. 06-05-2020 12:47 AM
- Got Karma for How to search the average number of transactions by hour by day?. 06-05-2020 12:47 AM
- Got Karma for How to change the scale of the distinct count of a field on a timechart?. 06-05-2020 12:47 AM
- Got Karma for Table of count of specific user action by unique user. 06-05-2020 12:47 AM
- Got Karma for Re: Is there a way to determine if transactions overlap?. 06-05-2020 12:47 AM
- Got Karma for Re: strptime not returning correct results?. 06-05-2020 12:46 AM
- Got Karma for Changing path or purging data from /opt/splunk/var/run/splunk/dispatch. 06-05-2020 12:46 AM
- Got Karma for Re: Extract string using rex. 06-05-2020 12:46 AM
- Got Karma for Changing path or purging data from /opt/splunk/var/run/splunk/dispatch. 06-05-2020 12:46 AM
- Got Karma for Difference of fields with the same name in a transaction. 06-05-2020 12:46 AM
- Got Karma for Difference of fields with the same name in a transaction. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 2 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 |
11-12-2014
12:19 PM
1 Karma
Is there a way to determine if transactions overlap, and if so which transactions? If so, can any interesting things be determined such as frequency and duration of overlap, etc.
... View more
10-03-2014
01:18 PM
I redid everything using the web interface instead of editing the files directly and it worked for User admin and App search. And it worked in search. I then changed the permissions to make sharing global and it worked for a regular user logon in App search.
I tested it in a couple of dashboards and it seems to work for all users and perhaps all apps. But the props.conf and transforms.conf files are in the directory /opt/splunk/etc/apps/search/local. I don't understand how other apps are able to work when these conf files are in this directory. It seems to me that they should be in the directory listed in my original post, namely /opt/splunk/etc/system/local to be non app specific as opposed to being in the search app directory.
... View more
10-03-2014
12:46 PM
Changing the underscore to a hyphen made no difference.
... View more
10-03-2014
11:41 AM
I have a file: racf_username.csv located in /opt/splunk/etc/system/lookups which looks like;
racf,username
A123456,A Name
B123456, Another Name
.
.
As regards permissions, the table is updated nightly from a server and shows No Owner and the app being System.
Everyone can read but only admin can write.
In transforms.conf located in /opt/splunk/etc/system/local is the following:
[racf_username]
filename=racf_username.csv
max_matches=1
min_matches=1
default_match=Unknown
In props.conf located in /opt/splunk/etc/system/local is the following:
[sourcetype::MySourceType]
LOOKUP_racftousernames = racf_username racf OUTPUT username
However, a simple search such as:
sourcetype="MySourceType" | table racf, username does not display any usernames
If instead I use:
sourcetype="MySourceType" | lookup racf_username racf OUTPUT username | table racf, username
then everything works fine. I just don't get the automatically filled in username field.
Any idea how to get this to work automatically?
... View more
- Tags:
- lookup
09-26-2014
07:05 AM
Yep, it works fine. Thanks much. I'm on my first cup of caffeine too. 😉
... View more
09-26-2014
06:53 AM
That just gives me zeroes for dc(eval(racf / 10)). A "racf" is an alphanumeric ID. It is the count of these unique ids that I would like to divide by 10.
... View more
09-26-2014
06:43 AM
Thanks for the suggestion, but the end user would totally freak. 🙂 But they could follow a simple division by 10, so when the mouseover showed 26.2 they would know it was 262.
... View more
09-26-2014
06:34 AM
1 Karma
I have the following line:
timechart span=1d sum(TypeAErrors) , sum(TypeBErrors), dc(racf) as "Unique Ids"
but the dc(racf) is much larger than the other items displayed on the graph. I would ideally like dc(racf) / 10 so that it will scale more appropriately on the Y axis compared to the other two displayed items. But, I can't find any syntax that allows me to do this. Any ideas?
... View more
09-19-2014
12:04 PM
1 Karma
I would like to create a table similar to the following:
Of Reports Created Users %
>10 23 3
10 4 1
9 3 0
8 3 0
.
.
.
1 433 57
The search is only: sourcetype="xyz" host=MA* Mthd="CreateReport"
So, want to know how many users created 1 report, 2 reports, ...., 10 reports, and more than 10.
... View more
09-09-2014
11:56 AM
Most helpful, thanks much.
... View more
09-05-2014
01:00 PM
Probably not often, but why would the frequency really matter?
... View more
09-05-2014
08:56 AM
What is the best way to index a file (user application file) or two for a one time analysis? Should I create a new index, use a new source type, copy the file(s) into a directory on the server and then use the Web based data upload?
Then just delete everything afterwards?
... View more
09-04-2014
11:04 AM
Ok, worked it out. Seems I had forgotten the semicolon in the < and >:
... View more
08-20-2014
11:05 AM
Thanks much! That did the trick.
... View more
08-20-2014
10:02 AM
Probably simple unless advanced is needed, and so far the requirements don't seem to require advanced.
... View more
08-20-2014
09:39 AM
2 Karma
Can the same data returned from a search be used to populate both a table and a graph?
... View more
08-14-2014
07:02 AM
| transaction host startswith=eval(match(_raw,"START]") OR match(_raw,"STARTED]"))
endswith=eval(match(_raw,"END]") OR match(_raw,"ENDED]") OR match(_raw,"unhandled"))
| where NOT match(_raw, "END]") and NOT match(_raw, "ENDED]")
This will pair the unhandled exception with the first START or STARTED of perhaps several that had no corresponding END or ENDED.
... View more
08-14-2014
06:39 AM
It IS a rather involved ending expression. I might have something like.
Start
Start
Start
Exception
In this case the exception should be associated with the third Start, not with the first. (This example is obviously simplified.) Transactions that are appropriately paired with Start/End records are pruned out, leaving start-of-transaction and unhandled exceptions.
If I could read the data backwards I would be able to associate the correct Exception with the correct Start.
... View more
08-14-2014
06:28 AM
I know how to reverse displayed data, but that is of no use to me. I simply need to access the data in a "backwards" direction.
... View more
08-14-2014
06:09 AM
I have an odd situation where the "endswith" transaction is not always being written out by the application so that it can later be paired up with the "startswith" transaction. That means that a given "startswith" transaction is being married up with the wrong unhandled exception.
I can get around the problem if I can read the data backwards. That way I could ensure that I would create a correct transaction with an "endswith" and "startswith" pair. This pair would be ignored and what would be left would be an unhandled exception paired with the correct beginning of the transaction. To do this I need to be able to read the data backwards. Can this be done?
... View more
08-11-2014
11:23 AM
I have a form with date, chart, table and event data, with each passing data to the next. How do I clear the screen of old values when the user selects a new date? At the moment, the old chart values remain as well as the old table and event data. If the user selects a new date, the chart will refresh, but the table and event data will still display data from the previous search.
... View more
08-11-2014
11:18 AM
That did the trick. Thanks much for your help!
... View more
08-07-2014
12:49 PM
It kinda works, but I still have one problem. The date displays in the row as 1407423288 instead of 2014-08-07 10:54:48, and that first format seems to be needed for date comparison purposes. I don't really want a "garbage" column to appear. Is there a way to hide that column but still pass that date through?
I am also unable to do comparisons on the 2014-08-07 10:54:48. If I try I get the error: The operator at 'T10:51:53.000-04:00' is invalid.
... View more
08-07-2014
11:16 AM
I don't see the runanywhere sample. There is no link.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
Karma from
