Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About lpolo
lpolo
Motivator
Member since:
05-10-2011
08-03-2021
Community Statistics
| Posts | 376 |
| Solutions | 17 |
| Karma Given | 73 |
| Karma Received | 137 |
| Member Since | 05-10-2011 |
Activity Feed
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 11-03-2024 04:54 AM
- Got Karma for How to merge two fields into one field?. 10-23-2024 09:31 AM
- Got Karma for Re: How to remove data from a bucket for a specified period of time?. 09-05-2024 08:26 AM
- Got Karma for Part 1: How to extract a json portion of an event then use spath to extract key=value pairs. 07-25-2023 01:43 AM
- Got Karma for How to merge two fields into one field?. 03-14-2023 09:50 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 01-16-2023 05:13 PM
- Got Karma for Re: Filter values after timechart. 06-10-2022 08:59 AM
- Got Karma for How to merge two fields into one field?. 01-10-2022 05:59 AM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 09-23-2021 06:18 AM
- Posted How to implement this Prometheus Query using Splunk Query Language on Splunk Enterprise. 08-03-2021 11:37 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 08-02-2021 08:59 AM
- Posted Re: Source log events not forwarded after log rotation on Splunk Enterprise. 07-26-2021 05:15 AM
- Posted Source log events not forwarded after log rotation on Splunk Enterprise. 07-23-2021 01:25 PM
- Got Karma for Re: How to limit my search to return only the top 10 results based on the following search queries ?. 02-08-2021 08:28 AM
- Posted Re: top 1000 by appiD on Splunk Enterprise. 07-15-2020 03:24 PM
- Posted top 1000 by appiD on Splunk Enterprise. 07-15-2020 12:41 PM
- Posted Re: Top n plus others on Splunk Enterprise. 07-06-2020 01:04 PM
- Posted Top n plus others on Splunk Enterprise. 07-06-2020 11:54 AM
- Karma Re: Regex that covers both cases for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Regex that covers both cases for javiergn. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-28-2013
05:38 AM
The following regex will work, if and only if, there is not any new line in the event:
rex " [^>]+)>(? .+?) "
Therefore, I was able to make it work by trimming the event before the regular expression as follow:
| rex field=_raw mode=sed "s/[\r\n]//g"
| rex " [^>]+)>(? .+?) "
Then, the extracted field "response" can be processed by spath search command.
Regards,
Lp
... View more
03-28-2013
05:24 AM
The following regex will work, if and only if, there is not any new line in the event:
rex "<tvsquery id=(?<id>[^>]+)>(?<response>.+?)</tvsquery>"
Therefore, I was able to make it work by trimming the event before the regular expression as follow:
| rex field=_raw mode=sed "s/[\r\n]//g"
| rex "<tvsquery id=(?<id>[^>]+)>(?<response>.+?)</tvsquery>"
Then, the extracted field "response" can be processed by spath search command.
Regards,
Lp
... View more
03-27-2013
05:27 AM
It worked. Thanks for the example...
Lp
... View more
03-26-2013
09:05 AM
In the new version of side view Utils TabSwitcher was replaced by the Tabs module and the Switcher module. I could not find any example where the searches of each tab are independent and not driven by Tabs.name.$selectedTab$.
Can anyone share an example?
Thanks,
Lp
... View more
03-26-2013
06:13 AM
I would explore the mvexpand command. More information:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Mvexpand
... View more
03-22-2013
04:40 AM
It worked.
Thanks,
Lp
... View more
03-22-2013
04:12 AM
1 Karma
You can use the perc()x(field) function. More information:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonStatsFunctions
Example:
Let's say that your field OK="Message ok". Then, you could use the perc(x)(field) function as follow:
earliest=-1d@d latest=@d index=main sourcetype=messages|stats perc95(ok)
earliest=-7d@d latest=@d index=main sourcetype=messages|timechart span=d perc95(ok)
... View more
03-21-2013
07:27 AM
This approach should work. However, I am still unable to make the regex work in my environment.
... View more
03-21-2013
05:03 AM
I tried but It does not work. The regex does not return any value. what do you suggest?
Thanks,
Lp
... View more
03-20-2013
08:43 AM
I have the following log event but I have not been able to use spath to extract the json key=value pairs if the json portion contains arrays. Event example:
2013-03-12 10:37:10,205 <tvsquery id=58b6bf4d-948b-416b-8d17-cedcbc1059ec>{
"start" : 1,
"returned" : 1,
"count" : 1,
"entities" : [ {
"houses" : {
"callers" : "IM",
"placeid" : 5041447014850446107,
"number" : 14,
"sourceid" : 5625
},
"entitytype" : "house/street",
"title" : [ {
"default" : "No Place"
} ]
} ]
}</tvsquery>
The following answer solved the problem if the json protion does not contain any array:
http://splunk-base.splunk.com/answers/79029/part-1-how-to-extract-a-json-portion-of-an-event-then-use-spath-to-extract-keyvalue-pairs
I having a hard time to make it work.
Any help please!
Thanks,
Lp
... View more
03-20-2013
08:17 AM
The regular expression behaves if an only if there is not any json array like the presented example.
It partially solves the problem.
... View more
03-20-2013
07:05 AM
I have the panel presented below that is doing the drill down. However, the variable I want to pass to the drill search "$row.LastQuery$" is not being updated. Also, splunk UI modifies the search by adding at the end of my search "|search Date="03/19/2013". The value of Date seems to be the period of the first search. How can I fix the panel so the variable is correctly replaced and the search is not modified ?
<module name="HiddenSearch" layoutPanel="panel_row5_col3" autoRun="True">
<param name="search">earliest=-1d@d latest=@d splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily NOT TotalSearches AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
<param name="groupLabel">Top N - Yesterday</param>
<module name="StaticContentSample">
<param name="text"><![CDATA[<H1>Top N Searches - Yesterday</H1>]]></param>
</module>
<module name="Paginator">
<param name="entityName">results</param>
<param name="maxPages">20</param>
<param name="count">10</param>
<module name="SimpleResultsTable">
<param name="drilldown">row</param>
<module name="HiddenSearch">
<param name="search">earliest=-31d@d latest=@d splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily NOT TotalSearches AND rank AND LastQuery="$row.LastQuery$"|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
<module name="ConvertToDrilldownSearch">
<module name="JobProgressIndicator" />
<module name="SimpleResultsHeader">
<param name="headerFormat">Velocity</param>
<param name="entityName">events</param>
</module>
<module name="Paginator">
<param name="entityName">events</param>
<param name="maxPages">10</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="displayRowNumbers">False</param>
<param name="drilldown">none</param>
<module name="ConvertToDrilldownSearch">
<module name="ViewRedirector">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
</module>
Thanks,
Lp
... View more
03-20-2013
04:12 AM
Thanks,
Lp
... View more
03-19-2013
07:09 AM
I have the following data set :
Date rank LastQuery count percent
03/18/2013 1 THE 51870 2.641512
03/18/2013 2 SEX 12562 0.639728
03/18/2013 3 BIBLE 11629 0.592214
03/18/2013 4 TWILIGHT 10622 0.540932
03/18/2013 5 THE+BIBLE 10136 0.516182
03/18/2013 6 HOUSE 6611 0.336669
I need help to create a drill down by the selected LastQuery using the following query:
Example:User clicked on LastQuery=HOUSE. This query should be used by the drill down:
splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank AND LastQuery=HOUSE|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent
This is my xml panel. It works fine. I just need to include the drill down.
<module name="HiddenSearch" layoutPanel="panel_row5_col1" autoRun="True">
<module name="StaticContentSample">
<param name="text"><![CDATA[<H1>Top N</H1>]]></param>
</module>
<param name="earliest">-1d@d</param>
<param name="groupLabel">Vespa - Combined Top N Distinct Searches - Yesterday</param>
<param name="search">splunk_server=io-splunk-03.example.com index="si_top_n" Sampling_Rate=Daily AND rank|sort + rank|eval Date=strftime(_time, "%m/%d/%Y") |table Date rank LastQuery count percent</param>
<param name="latest">@d</param>
<module name="ViewstateAdapter">
<param name="suppressionList">
<item>displayRowNumbers</item>
<item>drilldown</item>
<item>count</item>
</param>
<module name="HiddenFieldPicker">
<param name="strictMode">True</param>
<module name="JobProgressIndicator"/>
<module name="Paginator">
<param name="entityName">results</param>
<param name="count">10</param>
<module name="EnablePreview">
<param name="display">False</param>
<param name="enable">True</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="displayRowNumbers">true</param>
<param name="count">10</param>
<param name="allowTransformedFieldSelect">True</param>
<module name="Gimp"/>
</module>
<module name="ViewRedirectorLink">
<param name="viewTarget">flashtimeline</param>
</module>
</module>
</module>
</module>
</module>
</module>
Thanks,
Lp
... View more
03-18-2013
04:20 AM
This should work for you:
index="your_index_name" sourcetype="your_source_type_name" AND AuthProfile|eval user=firstname+""+lastname|stats dc(user) as Distinct_User
... View more
03-13-2013
06:59 AM
I took a different approach to solve the problem. I extracted the json portion of the log event using a regex. Then, I was able to use spath without any problem.
Thanks,
Lp
... View more
03-12-2013
11:10 AM
I reviewed my props.conf and I removed
KV_MODE = json from the related sourcetype. Then, reload props.conf and I ran the query with your recommendation. It seems to be working. I need to validate the result set.
Thanks,
Lp
... View more
03-12-2013
10:44 AM
It did not work. It continues to fail if the extracted json field contains multiple arrays and objects. I made sure that max_match=value was not greater that the number of objects.
Could you kindly see the log example I posted in case 114699?
thanks,LP
... View more
03-12-2013
10:17 AM
what do you recommend?
... View more
03-12-2013
10:13 AM
Thanks for the observation. I corrected this problem as you recommended. And I was able to extract the json portion of the event and use spath. However, I am facing the same issue I had at the beginning: if the extracted json field contains multiple arrays and objects both regex fail to extract json portion of the event.
... View more
03-12-2013
08:16 AM
I tried using the regex in a more complex json field but it fails. It worked for the simple json presented in the example.
... View more
03-12-2013
08:03 AM
Thanks, It worked.
... View more
03-12-2013
07:15 AM
2 Karma
I have the following log event but I have not been able to use spath to extract the json key=value pairs.
2013-03-12 10:37:10,205 <tvsquery id=58b6bf4d-948b-416b-8d17-cedcbc1059ec>{
"start" : 1,
"returned" : 0,
"count" : 0
}</tvsquery>
Therefore, I tried to extract the json portion with this regex and then use spath:
|rex field=_raw " [^>]+)>(? .+?) "|spath input=response
But I having a hard time to make it work.
How can I extract the json portion of the event and then use spath to extract the key=value pairs?
Thanks,
Lp
... View more
03-12-2013
04:38 AM
These apps. might help you:
http://splunk-base.splunk.com/apps/22314/splunk-for-unix-and-linux
http://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Drillfordetails
If the views found in these apps do not satisfy what you are looking for, you may want to create your own views. More information:
http://docs.splunk.com/Documentation/Splunk/5.0.2/Viz/Overviewofdashboards
Lp
... View more
03-11-2013
09:01 AM
This is another example:
http://splunk-base.splunk.com/apps/52761/multidimensional-search
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-03-2021
02:58 PM
|
Karma given to
