Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About sanjay_shrestha
sanjay_shrestha
Contributor
Member since:
05-10-2013
08-10-2020
Community Statistics
| Posts | 85 |
| Solutions | 9 |
| Karma Given | 2 |
| Karma Received | 39 |
| Member Since | 05-10-2013 |
Activity Feed
- Got Karma for Re: Where do I edit/delete reports in Splunk App for Windows Infrastructure. 06-05-2020 12:47 AM
- Got Karma for Re: Mapping an index to an app. 06-05-2020 12:47 AM
- Got Karma for Re: How to combine my two searches in Splunk?. 06-05-2020 12:47 AM
- Got Karma for Re: Is it possible to monitor whether there are any files in a folder without indexing them?. 06-05-2020 12:47 AM
- Got Karma for Re: Is it possible to monitor whether there are any files in a folder without indexing them?. 06-05-2020 12:47 AM
- Got Karma for Re: Why can't I log into the dashboard using the same credentials to log in to my account?. 06-05-2020 12:47 AM
- Got Karma for Re: embed a graphic on a dashboard, splunk 6.2. 06-05-2020 12:47 AM
- Got Karma for Re: embed a graphic on a dashboard, splunk 6.2. 06-05-2020 12:47 AM
- Got Karma for Re: Where do I edit/delete reports in Splunk App for Windows Infrastructure. 06-05-2020 12:47 AM
- Got Karma for Re: Mapping an index to an app. 06-05-2020 12:47 AM
- Got Karma for Re: How to combine my two searches pulling data from two different indexes into one search?. 06-05-2020 12:47 AM
- Got Karma for Re: How to combine my two searches pulling data from two different indexes into one search?. 06-05-2020 12:47 AM
- Got Karma for Re: Bulk Update recipient email addresses for alerts.. 06-05-2020 12:47 AM
- Got Karma for Re: Sum a series of values based on the distinctness of another column. 06-05-2020 12:47 AM
- Got Karma for Re: Sum a series of values based on the distinctness of another column. 06-05-2020 12:47 AM
- Got Karma for Re: Is it possible to have Splunk send a report email based on an external trigger?. 06-05-2020 12:47 AM
- Got Karma for Re: Search first 10 results by sourcetype. 06-05-2020 12:47 AM
- Got Karma for Re: How to work with timepicker in splunk using Database as back end.?. 06-05-2020 12:47 AM
- Got Karma for Re: Mapping an index to an app. 06-05-2020 12:47 AM
- Got Karma for Re: Mapping an index to an app. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 4 | |||
| 0 | |||
| 0 | |||
| 1 |
02-05-2015
01:31 PM
Could you change the order as below:
TRANSFORMS-set = setnull, extractjson
From Document
the order of the transforms in props.conf matters. The null queue transform must come first; if it comes later, it will invalidate the previous transform and route all events to the null queue.
... View more
01-30-2015
05:47 PM
Yes. You can create a alert for a search query as below:
host=yourhost earliest=-5m latest=now|stats count
... View more
01-30-2015
04:41 PM
2 Karma
You can use:
chown -R group:user SPLUNK_HOME
... View more
01-30-2015
01:43 PM
I again created new data input but the issue remained same which means all the events earlier than Oct 22 is coming as today's date. That also means my guess about 100 days does not implies here.
We need to find out what is wrong with 10/21/2014 and earlier date. Most earliest date is 9/14/2014.
... View more
01-29-2015
07:26 PM
BS_TIMESTAMP is the first field in the query. I did try
output.timestamp = 1
output.timestamp.column = BS_TIMESTAMP
that but did not work.
Thanks,
Sanjay
Note: Since the broken timestamp is 100 or more days before today. So wonder if there is any configuration to is related to days.
... View more
01-29-2015
02:22 PM
You can try using createinapp option.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Outputlookup
... View more
01-29-2015
02:09 PM
Running your query to generate lookup fine under SampleApp might help.
... View more
01-29-2015
12:49 PM
Hi,
I have configured a Database Input as below:
[dbmon-tail://MIMAS/DI-MBT-LAB_ScanBadge]
host = plxs_a_sb
index = mbt-lab-database
output.format = kv
output.timestamp = 0
output.timestamp.format = YYYY-MM-DD HH24:MI:SS
query = select * from MBT_LAB_BadgeScan_Vw {{WHERE $rising_column$ > ?}}
sourcetype = DBConnect
tail.rising.column = BS_RISINGCOLUMN
All the events with date after October 22, 2014 are coming correctly, however rest of the events with the timestamp before that are coming as todays date but the time part is correct.
e.g.
_time BS_TIMESTAMP
1/29/15 11:19:21.000 PM "2014-09-17 23:19:21" WRONG
1/29/15 4:40:03.000 PM "2014-09-16 16:40:03" WRONG
....
...
1/28/15 7:38:17.000 PM "2015-01-28 19:38:17"
1/28/15 6:12:46.000 PM "2015-01-28 18:12:46"
I tried several combinations enabling timestamp, defining timestamp column etc... no luck.
Thanks,
Sanjay
... View more
04-02-2014
07:52 AM
4 Karma
Hi,
I created generic saved search and it is running fine individually as below
|savedsearch PausedTime_SS index_name=one_index
However, when I called them twice and append their results
|savedsearch PausedTime_SS index_name=one_index
|append [|savedsearch PausedTime_SS index_name=other_index]
I am getting following:
Error in 'SearchParser': Found circular dependency when expanding savedsearch=PausedTime_SS
Is it possible to append results from generic saved searches?
Thanks,
Sanjay
... View more
02-11-2014
09:49 AM
I was able to create using numerical values, however it would not be verbose. Is there a way to change labels or display reference matching table.
... View more
02-11-2014
08:29 AM
Hi,
Here is my data looks like:
project status
p1 s1
p2 s3
p3
p4 s1
p5 s2
I would like to create a bar chart as below:
Thanks,
Sanjay
... View more
- Tags:
- barchart
02-07-2014
07:54 AM
1 Karma
Your search looks good to me. It would be helpful to create summary index in the situation when query is taking longer than desired time and populate that with savedsearch in regular interval.
... View more
02-06-2014
07:45 AM
If it is possible then using time range criteria (earliest, latest) might help to expedite search.
... View more
02-05-2014
05:19 PM
Events are looked like:
2/4/2014 00:00:01 –Something else
2/4/2014 04:00:01 – Restarted
2/4/2014 05:59:59 - Something else
2/4/2014 08:59:59 - Something else
2/4/2014 10:00:01 – Paused
2/4/2014 13:59:59 - Something else
2/4/2014 13:59:59 - Something else
2/4/2014 14:00:01 – Restarted
2/4/2014 15:59:59 - Something else
2/4/2014 16:59:59 - Something else
2/4/2014 17:00:01 – Paused
2/4/2014 18:59:59 - Something else
2/4/2014 19:59:59 - Something else
2/4/2014 20:00:01 – Restarted
2/4/2014 23:59:59 - Something else
2/5/2014 00:00:01 –Something else
2/5/2014 04:00:01 – Paused
2/5/2014 05:59:59 - Something else
2/5/2014 08:59:59 - Something else
2/5/2014 13:59:59 - Something else
2/5/2014 13:59:59 - Something else
2/5/2014 14:00:01 – Restarted
2/5/2014 15:59:59 - Something else
2/5/2014 16:59:59 - Something else
2/5/2014 17:00:01 – Paused
2/5/2014 18:59:59 - Something else
2/5/2014 19:59:59 - Something else
2/5/2014 20:00:01 – Restarted
2/5/2014 23:59:59 - Something else
And I am trying to get total paused time by Day.
So, my results would be:
2/4/2014 – 7h
2/5/2014 – 13 h
I tried following but could not get by Day, events with different days are overlapping.
index=my_index earliest=-2d ("Paused" OR "Restarted")| eval Day=strftime(_time,"%Y-%m-%d")| transaction startswith="Paused" endswith="Restarted" | stats sum(duration) as PausedTime by Day
... View more
- Tags:
- transaction
01-30-2014
01:37 PM
1 Karma
Hi,
I created generic saved search and it is running fine individually as below
|savedsearch PausedTime_SS index_name=one_index
However, when I called them twice and joined them with common field
|savedsearch PausedTime_SS index_name=one_index
|join Day [|savedsearch PausedTime_SS index_name=other_index]
I am getting following:
Error in 'SearchParser': Found circular dependency when expanding savedsearch=PausedTime_SS
Is it possible to join same saved searches?
Thanks,
Sanjay
... View more
- Tags:
- join
- savedsearch
12-12-2013
07:45 AM
Following query has been used to calculate duration for individual source (input files) for last 5 days:
index="my_index" earliest=-5d latest=now| transaction source maxevents=-1 | eval day=strftime(_time,"%m/%d/%Y")| sort - day sourcetype| table day,sourcetype,source,duration
Only transaction by source is used, hoping it would capture all the input files which have unique file name, thus separating its sourcetype and date.
Basically, just need to display duration per individual source file per sourcetype per day.
Thanks,
Sanjay
... View more
- Tags:
- transaction
10-14-2013
02:46 PM
Would it be better practice, if data is deleted every time before running the saved search and run the search with out time range?
... View more
10-14-2013
01:05 PM
There are 2 data sources A & B with common field common_field.
Source A
Common_Field A1-Field A2-Field
C1 A1 A2
Source B
Common_Field B1-Field B2-Field
C1 B1 B2
In the resulting summary index, I would like to have data as:
Common_Field A1-Field A2-Field B1-Field B2-Field
C1 A1 A2 B1 B2
I created saved search as follows :
SourceType=”A” OR SourceType=”B”| stats values (A1),values(A2), values(B1),values(B2) by common_field.
It is scheduled to run once every 5 min.
if there are correlated events at the time of search execution, it works fine.
Common_Field A1-Field A2-Field B1-Field B2-Field
C1 A1 A2 B1 B2
However, if there are only events from source A at the time of execution, then we get
Common_Field A1-Field A2-Field B1-Field B2-Field
C1 A1 A2
This is OK until subsequent execution of saved search.
After few minutes (in another execution of search), data from source B gets populated, then this row did not get updated. Those fields are still blank.
Common_Field A1-Field A2-Field B1-Field B2-Field
C1 A1 A2 Need to update Need to update
Is there a way to update events?
Thanks,
Sanjay
... View more
08-14-2013
03:36 PM
Finally, I was able to search utilizing lookups created by Admin. Following modifications were done in ..../splunk/etc/apps/dbx/metadata/default.meta file.
[]
access = read : [ * ], write : [ admin ] -->> read [ admin] was changed to read [ * ]
### Manager ###
[manager/dblookups]
access = read : [ * ], write : [ admin ] -->> read [ admin] was changed to read [ * ]
export = system
... View more
08-14-2013
10:17 AM
I think you are right. I do not see database lookups when logged in as new user.
... View more
08-14-2013
09:32 AM
I only created Database lookups and Automatic lookups, did not create any lookup file manually.
Manager>Lookups>Lookup table files > does not have any configuration items. It is empty.
Thanks,
Sanjay
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-10-2020
10:53 AM
|
Karma from
| User | Karma Count |
|---|---|
| 1 | |
| 1 | |
| 4 | |
| 1 | |
| 1 |
