Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About lpolo
lpolo
Motivator
Member since:
05-10-2011
08-03-2021
Community Statistics
| Posts | 376 |
| Solutions | 17 |
| Karma Given | 73 |
| Karma Received | 137 |
| Member Since | 05-10-2011 |
Activity Feed
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 11-03-2024 04:54 AM
- Got Karma for How to merge two fields into one field?. 10-23-2024 09:31 AM
- Got Karma for Re: How to remove data from a bucket for a specified period of time?. 09-05-2024 08:26 AM
- Got Karma for Part 1: How to extract a json portion of an event then use spath to extract key=value pairs. 07-25-2023 01:43 AM
- Got Karma for How to merge two fields into one field?. 03-14-2023 09:50 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 01-16-2023 05:13 PM
- Got Karma for Re: Filter values after timechart. 06-10-2022 08:59 AM
- Got Karma for How to merge two fields into one field?. 01-10-2022 05:59 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 09-23-2021 06:18 AM
- Posted How to implement this Prometheus Query using Splunk Query Language on Splunk Enterprise. 08-03-2021 11:37 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 08-02-2021 08:59 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 07-26-2021 05:15 AM
- Posted Source log events not forwarded after log rotation on Splunk Enterprise. 07-23-2021 01:25 PM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 02-08-2021 08:28 AM
- Posted Re: top 1000 by appiD on Splunk Enterprise. 07-15-2020 03:24 PM
- Posted top 1000 by appiD on Splunk Enterprise. 07-15-2020 12:41 PM
- Posted Re: Top n plus others on Splunk Enterprise. 07-06-2020 01:04 PM
- Posted Top n plus others on Splunk Enterprise. 07-06-2020 11:54 AM
- Karma Re: Regex that covers both cases for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Regex that covers both cases for javiergn. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-03-2014
09:30 AM
Is there an example that shows how to iterate the extraction of json objects using Splunk query language?
The spath command documentation shows an example but it is only for 2 key names
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Spath
I need to create a splunk query construct that iterates the json objects found in the following log event and then aggregate as follow:
Splunk main construct |stats sum(total) as total sum(Fails) as Fails sum(TimeOuts) as TimeOuts by client
Is there a way to do it in Splunk query language?
Json event:
[
{
"_time": "2014-02-17T18:15:00.000+00:00",
"Total": "194118",
"Bad": "7373",
"mean": "65.28",
"Fails": "10",
"client": "hello.com",
"TimeOuts": "0",
"Good": "194108",
"Service": "4u"
},
{
"_time": "2014-02-17T18:15:00.000+00:00",
"Total": "194118",
"Bad": "7373",
"mean": "65.28",
"Fails": "10",
"client": "HYO.com",
"TimeOuts": "0",
"Good": "194108",
"Service": "4u"
},
]
Thanks ,
Lp
... View more
- Tags:
- json
01-23-2014
11:32 AM
I have been able to index any type of valid json structure without any problem using the monitoring file stanza in the inputs.conf
... View more
01-23-2014
11:31 AM
it breaks at any position.
The work around I did to make it work was to write the results in a file. Then, I monitor file using a monitoring stanza in inputs.conf. I tried to apply the same config to the script stanza but no success. The config I used in monitoring the file is the following:
LINE_BREAKER = "(^)["
TRUNCATE = 0
SHOULD_LINEMERGE = false
I should be able to index the results correctly without doing the presented work around.
Any idea?
Thanks,
Lp
... View more
01-22-2014
05:36 AM
The event I presented in the original question is a valid Json.
... View more
01-17-2014
07:56 AM
I have a set of input scripts that are working as expected. The problem I am facing is that I need to index the results but the event is not broken correctly. This is an example of the result :
[
{
"a": "4620",
"b": "splunk",
"x": "0",
"d": "3.0",
"e": "50",
"f": "0",
"g": "41.0",
"_time": "2014-01-17T10:26:43.000-05:00",
"h": "abc",
"i": "4620",
"j": "0.00",
"k": "21.0",
"l": "6.00"
},
{
"a": "4620",
"b": "ABC",
"x": "0",
"d": "3.0",
"e": "50",
"f": "0",
"g": "41.0",
"_time": "2014-01-17T10:26:43.000-05:00",
"h": "abc",
"i": "4620",
"j": "0.00",
"k": "21.0",
"l": "6.00"
}
]
This is what I have in the inputs.conf:
[script:///opt/splunk/bin/scripts/splunk-sdk-python/examples/abc.py]
disabled = 0
index = main
interval = */5 * * * *
sourcetype = feed
... View more
12-16-2013
11:45 AM
Hi,
Is there a query to get the data found in this view?
http://yoursplunkserver:8000/manager/launcher/data/indexes
Thanks,
Lp
... View more
12-13-2013
06:00 AM
The license server keeps track of the license usage of each indexer. Therefore, the query will do its job either way.
... View more
12-13-2013
05:22 AM
Your observation is valid. However, the query is correct. If the query is executed from a master head server, the query will work. If the query is executed in the license server perse the query will work too.
... View more
12-13-2013
05:04 AM
1 Karma
The license count is per day. You can verify this with the following splunk query:
splunk_server=your_license_server index=_internal source="*license_usage.*" AND st=your_source_type | eval GB=b/1024/1024/1024 | bucket _time span=1d| stats sum(GB) as GB by _time st
Assuming that your splunk license server name is "a.com" and the source type is "tcp-raw" the query will be:
splunk_server=a.com index=_internal source="*license_usage.*" AND st=tcp-raw | eval GB=b/1024/1024/1024 | bucket _time span=1d| stats sum(GB) as GB by _time st
Select the dates you need.
Thanks,
Lp
... View more
11-21-2013
11:04 AM
Is there a query to measure the response time that Splunk takes to return results from REST API call?
The information should be in:
index=_internal
sourcetype=splunkd_access
source=/opt/splunk/var/log/splunk/splunkd_access.log
Thanks,
LP
... View more
- Tags:
- _internal
10-28-2013
10:01 AM
Thanks,
Lp
... View more
10-28-2013
09:38 AM
1 Karma
Hi,
I have a drill down table in sideviewutils. It is working without any problem. I need to modified the value of the clicked field if the value is let's say "X".
Example:
clicked_value="$row.fields.ProgramID$"
if clicked_value = "x" then click_value = "b" else clicked_value = $row.fields.ProgramID$;
Is this possible is sideviewutils?
Thanks,
Lp
... View more
- Tags:
- sideview-utils
10-24-2013
04:54 AM
1 Karma
To learn about the Splunk query language you can start with this online book:
http://www.splunk.com/goto/book
You may try this:
Assuming that the event sample is indexed in the main index:
index=main EventCode=0 EventIdentifier=0 EventType=3 SourceName="some value"|eventstats latest(_time) as ltime by host | where _time=ltime|table host TimeGenerated RecordNumber ComputerName Message
... View more
10-23-2013
06:52 AM
Since your question does not have any specific log event example use the following after your splunk query construct:
include your splunk query construct that identifies your deploy error events here| eventstats latest(_time) as ltime by host | where _time=ltime
The result set should be the last event "deployment error" found in each host.
Thanks,
Lp
... View more
09-11-2013
11:35 AM
1 Karma
You may try TRUNCATE = 0. Details:
TRUNCATE =
* Change the default maximum line length (in bytes).
* Although this is in bytes, line length is rounded down when this would
otherwise land mid-character for multi-byte characters.
* Set to 0 if you never want truncation (very long lines are, however, often a sign of
garbage data).
* Defaults to 10000 bytes.
... View more
09-09-2013
10:43 AM
Try this approach:
1-. Convert your earliest time to epoch time. Example: Assuming that this is your earliest time format "2013-08-25T18:42Z", you could converted to epoch time as follow in Splunk:
|eval earliest_epoch=strptime(earliest,"%Y-%m-%dT%H:%M")
2) Then, add 86400 seconds to the converted epoch time.
|eval latest=earliest_epoch+86400
... View more
08-29-2013
11:38 AM
1) you need to make sure that index=_internal has all the data to create the 90 days report you need.
2) SLA is your Splunk license in GB. Example below shows SLA=502. It means 502GB per day.
3) splunk_server should be your master license server or the splunk instance that you would like to trend in case you do not have a master license server.
4) This query should do what you need:
splunk_server=your_splunk_license_server_host index=_internal source="*license_usage.*" earliest=-90d@d latest=@d | eval GB=b/1024/1024/1024 | timechart span=1d sum(GB) as GB | eval SLA=502|eval %_License_used=GB*100/SLA
Since there is not a summary index to make it faster you need to create one. This is another approach using a schedule search to populate a summary index that will allow you to trend the license usage by source type, host and total license usage in a daily basis:
1) Create an index to be used by the search presented next.
2) create a scheduled search to run daily. the query of the scheduled search is the following:
splunk_server=your_splunk_license_server_host index=_internal source="*license_usage.*" earliest=-1d@d latest=@d | eval GB=b/1024/1024/1024 | stats sum(GB) as GB by h st|sort - GB
3) In the schedule search configuration select the index you created.
4) Then, back fill the summary index in case you need to.
5) Finally, You could use these queries to get trends by sourcetype, host and total license usage:
License usage trend:
index=your_sumary_index splunk_server=your_splunk_server_that_has_the_summary_index |
timechart span=1d sum(GB) as GB |
eval License="502"|
eval Exceeded=if(License>GB,"0",GB-License)|
eval Date=strftime(_time, "%m/%d/%Y")|
table Date GB License Exceeded|
rename GB as "License Volume Used (GB)"|
rename Exceeded as "License Volume Exceeded by (GB)"|
rename License as "Max. License Volume (GB)"|sort - Date
Trend by source type:
index=your_sumary_index splunk_server=your_splunk_server_that_has_the_summary_index |
timechart span=1d sum(GB) as GB by st
Trend by host:
index=your_sumary_index splunk_server=your_splunk_server_that_has_the_summary_index |
timechart span=1d sum(GB) as GB by h
Thanks,
Lp
... View more
08-29-2013
08:48 AM
dedup will not do what you need.
... View more
08-29-2013
08:33 AM
Take a look at the question presented in URL:
http://answers.splunk.com/answers/78181/type-of-visitor-new-or-returning-can-be-done-with-single-splunk-query
It might help you.
Or you may do this:
<search> | timechart span=1d dc(LYC_USERNAME) as ucount
In this example it will calculate the number of unique LYC_USERNAME found in a day. For example: If the time period of the search is the last 7 days, the result set will be the unique number of users found per day within these 7 days. You can modify the value of span as you need it (e.g, 1d, 1h, 6h).
Thanks,
Lp
... View more
08-14-2013
12:01 PM
Faced the same issue. The only way, it worked was to setting the permission of the saved search as everyone with read/write enabled. Give it a try, it will work.
Lp
... View more
08-05-2013
10:44 AM
I found it:
http://splunk-base.splunk.com/answers/43907/change-default-limit-of-100-results-using-java-sdk
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-03-2021
02:58 PM
|
Karma given to
