Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ehudb
ehudb
Contributor
Member since:
09-16-2014
12-14-2022
Community Statistics
| Posts | 85 |
| Solutions | 17 |
| Karma Given | 26 |
| Karma Received | 23 |
| Member Since | 09-16-2014 |
Activity Feed
- Posted Re: trace and span in enterprise splunk on Splunk Search. 12-14-2022 07:36 AM
- Posted Re: trace and span in enterprise splunk on Splunk Search. 12-14-2022 12:05 AM
- Posted AWS S3 Input- Ingest .csv files that are not actually csv formatted- Is there a way to turn off CSV parsing ability? on Getting Data In. 11-30-2022 03:29 AM
- Tagged AWS S3 Input- Ingest .csv files that are not actually csv formatted- Is there a way to turn off CSV parsing ability? on Getting Data In. 11-30-2022 03:29 AM
- Tagged AWS S3 Input- Ingest .csv files that are not actually csv formatted- Is there a way to turn off CSV parsing ability? on Getting Data In. 11-30-2022 03:29 AM
- Posted Re: What is the best way to monitor webservice is up or down on Getting Data In. 08-14-2022 11:21 AM
- Got Karma for Re: How can I enable both Splunk server and Splunk Universal Forwarder at boot time?. 08-12-2022 03:00 AM
- Got Karma for Re: Why are Javascript files not loading after update to Splunk 6.5.0?. 03-16-2022 10:14 AM
- Got Karma for Re: I am able to extract a field with rex in a search, but why does it not appear in Interesting Fields when I save it as a field extraction?. 10-26-2020 07:20 PM
- Karma Re: Splunkweb referrer missing since 6.5.5 for niketn. 06-05-2020 12:49 AM
- Karma Re: Excel Export is not working for user role for lsw6875. 06-05-2020 12:49 AM
- Karma Re: get session key for included javascript app with logged in user for docwalter. 06-05-2020 12:48 AM
- Karma Request to port 8089 from 8000 for thibault28. 06-05-2020 12:48 AM
- Karma BUG WORKAROUND: can I reset a table to page 1 when populating search is (re)run? for gabriel_vasseur. 06-05-2020 12:48 AM
- Got Karma for Re: system uptime calculation. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk DB Connect V3 - Automated / Programmatic creation of connections and inputs. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk DB Connect V3 - Automated / Programmatic creation of connections and inputs. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk DB Connect V3 - Automated / Programmatic creation of connections and inputs. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk DB Connect V3 - Automated / Programmatic creation of connections and inputs. 06-05-2020 12:48 AM
- Got Karma for Re: Can Splunk IT Service Intelligence (ITSI) send email alerts?. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-10-2017
03:43 AM
Try this approach for match syntax:
https://answers.splunk.com/answers/400053/condition-match-and-set-token-in-drilldown-not-wor-1.html
'click.value2' == "DIVERSOS"
... View more
02-09-2017
02:41 PM
1 Karma
BUG Fixed starting at 6.5.1:
http://docs.splunk.com/Documentation/Splunk/6.5.2/ReleaseNotes/6.5.1
"2016-10-25 SPL-129359, SPL-128210 Table Page not refreshed when refreshing search"
... View more
02-09-2017
02:37 PM
Try this solution:
https://answers.splunk.com/answers/400053/condition-match-and-set-token-in-drilldown-not-wor-1.html
... View more
02-09-2017
02:35 PM
It's not recommended to use a base search without statistics involved - stats\timechart\chart
The reason is the first search causes a Splunk job to retrieve all raw data from these events, while the second one only need few fields.
I recommend to use timechart in the first base search,, if that helps sum subsearches (as Splunk calls them: post-process)
If only one post process search can use that, consider running the searches directly in each panel without that base search.
Maybe an accelerated report or a summary index could help more to achieve better performance.
... View more
02-09-2017
02:27 PM
Formatting the time to human readable:
|convert ctime(start) |convert ctime(end)
Overall:
index=main sourcetype=app-gmr eventtype=start_job OR eventtype=end_job
| table _time ssnservice eventtype jobId JobExecID
| join jobId [ search index=main sourcetype=app-gmr INFO job read was already scheduled
| rex field=_raw "]: {} (?.) with id (?\d+) " ] | **stats earliest(_time) as start latest(_time) as end* by JobExecID
|convert ctime(start) |convert ctime(end)
... View more
02-09-2017
02:24 PM
I didn't see you pointed the props to use the transforms:
TRANSFORMS-audit_xml= audit_xml
[audit_xml]
KV_MODE = xml
TIME_PREFIX = iso8601=\"
BREAK_ONLY_BEFORE = \
TRANSFORMS-audit_xml= audit_xml
The following REGEX worked, tested at regex101.com:
event=\"stat\(2\)\".*uid=\"oracle\".*retval=\"-1\"
transforms:
[null_queue_filter]
REGEX = event=\"stat\(2\)\".*uid=\"oracle\".*retval=\"-1\"
DEST_KEY = queue
FORMAT = nullQueue
... View more
02-09-2017
02:15 PM
1 Karma
Have you considered using the documented changes?
http://docs.splunk.com/Documentation/Splunk/6.5.2/AdvancedDev/CustomizeLogin
... View more
02-09-2017
02:01 PM
Question1: Check out the precedence docs:
https://docs.splunk.com/Documentation/Splunk/6.5.1/Admin/Wheretofindtheconfigurationfiles
It seems like the precedence would be in your case : global > app > user .
Which means the global one will run eventually.
Question2: I don't think you can run any configuration that was overridden by another, since it will always load one time any line in a stanze.
... View more
02-09-2017
01:52 PM
2 Karma
According to this doc:
http://docs.splunk.com/Documentation/ITSI/2.4.1/User/CreateCorrelationSearch
ITSI saves the alerts as a correlation search.
You can find the corresponding correlation search to your multiKPIAlert and add an email action there.
... View more
02-09-2017
01:37 PM
Try this:
|stats earliest(_time) as start latest(_time) as end by JobExecID
... View more
02-09-2017
01:35 PM
I think you would need to setup an audit in the SQL server first, like described here:
http://solutioncenter.apexsql.com/auditing-select-statements-on-sql-server/
It will create an audit DB and you can read that DB with DB Connect.
Than you can either index that data or query directly from the DB using DB Connect, and alert from it.
... View more
02-09-2017
07:16 AM
Try to view the table in the pivot, and click "open in search"
Then inspect the search details and look in search.log
You will find the |tstats that was running in the background
... View more
02-09-2017
07:07 AM
didn't work, but what do you get as a result?
... View more
02-09-2017
06:39 AM
What do you mean values doesn't work?
What result you get for:
| tstats xxxx_summaries_only values(All_Performance.Memory.swap_used) AS swap_used FROM datamodel=COY_Performance WHERE nodename="All_Performance.Memory" AND All_Performance.dest="hostname-11"
... View more
02-09-2017
04:00 AM
1 Karma
Try this one:
|appendpipe [stats sum(amount) as total_debit by dr_account |rename dr_account as account]
|appendpipe [stats sum(amount) as total_credit by cr_account |rename cr_account as account]
|stats values(total*) as total* by account
|eval balance=total_debit-total_credit
Result:
account total_credit total_debit balance
--------------------------------------------------
111111 4250000 5500000 1250000
222222 1500000 11070000 9570000
333333 1000000 3000000 2000000
444444 1250000
555555 14070000
... View more
02-09-2017
03:11 AM
1 Karma
Assuming uptime values makes sense: for this example first two lines have the same starting time.
And timestamp is recognized as _time field,
If the source looks like this:
|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime
_time uptime
--------------------------------
2016-01-15 02:05:34 1231
2016-01-15 02:45:32 3629
2016-01-16 06:03:15 93253
Then the following query will calculate the precentage of uptime and downtime
|makeresults |eval a="time=15-01-2016 02:05:34.00, uptime=1231 BR
time=15-01-2016 02:45:32.00, uptime=3629 BR
time=16-01-2016 06:03:15.00, uptime=93253" |table a
|makemv delim="BR" a |mvexpand a |rename a as _raw |extract |eval _time=strptime(time,"%d-%m-%Y %H:%M:%S") |table _time uptime
|eval start=_time-uptime,end=_time |eval startc=start,endc=end
|convert ctime(*c) |sort - _time |dedup start |reverse | streamstats values(end) as before_end window=1 current=f |eval downtime=start-before_end |stats sum(uptime) as uptime sum(downtime) as downtime
|eval overall=uptime+downtime |eval uptime=(uptime/overall)*100,downtime=(downtime/overall)*100 |table uptime downtime
Result:
uptime downtime
95.08 4.92
... View more
02-08-2017
03:17 PM
It would help if you will post some examples to the uptime and date range fields
... View more
So you have 3 contacts in the email attribute, but only 2 of 3 are getting that mail?
It seems like your mail server and configuration are fine, but there a problem with the address itself.
Try to enter only the one that is missing and hit 'Test PDF'
If he still doesn't get it, his email address or mail server is rejecting that address.
... View more
02-08-2017
03:07 PM
Try using values() instead of avg(), to check what values are extracting.
Maybe that field configuration in the datamodel was supposed to be a number but was configured as a string?
... View more
02-08-2017
03:03 PM
You can try to create HTML panel in a Splunk dashboard and embed a cognos iframe.
Create Cognos iframe:
http://www.ibm.com/developerworks/data/library/cognos/development/how_to/page536.html
Put ifreame in Splunk Dashboard:
https://answers.splunk.com/answers/213337/is-it-possible-to-display-an-external-web-page-in.html
... View more
02-06-2017
12:41 PM
Hi
Not sure if that was a typo, but your quote used
" //# sourceURL = lifecycle.js" instead of " //# sourceURL = life.js"
... View more
02-04-2017
11:54 PM
You can refer to my answer below, it will add the js back to the browser debugger.
... View more
02-04-2017
05:36 AM
Hi Philippe, add the line as the last line of your js file.
If your js file is named myjscode.js, and you are adding it to your xml dashboard with:
<form script="myjscode.js">
, add as the last line inside the js file:
// # sourceURL = myjscode.js
... View more
02-01-2017
02:22 AM
8 Karma
It does load with eval() function.
However, I found a great workaround, add this to the end of the js file:
//# sourceURL=filename.js
(change filename.js to yourfile name)
The js will be viewed in the browser debugging console under "(no-domain)" and you can use breakpoints, editing, like you used to before 6.5.
Another possible approach: load the js files using one central file.
1. Create a file named load.js
load.js contents:
require([
"/static/app/search/file1.js",
"/static/app/search/file2.js"
])
2 . Use file1.js and file2.js for your real code.
They will be available in the debugger under sources in app/search (like they used to before 6.5 version)
... View more
01-20-2017
11:42 AM
Ok I understand the range is |fromip-toip"
I will post new answer according to this
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-14-2022
11:56 AM
|
Karma from
Karma given to
