Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About rjthibod
rjthibod
Champion
Member since:
09-19-2014
06-02-2025
Community Statistics
| Posts | 830 |
| Solutions | 136 |
| Karma Given | 103 |
| Karma Received | 376 |
| Member Since | 09-19-2014 |
Activity Feed
- Posted Re: Modal Text Message App for Splunk on All Apps and Add-ons. 06-02-2025 08:03 AM
- Karma Re: Modal Text Message App for Splunk for livehybrid. 06-02-2025 08:01 AM
- Got Karma for Re: Base search query for different dashboard panels. 02-05-2025 07:15 AM
- Got Karma for Re: How to change selected choice of dropdown from another dropdown?. 01-27-2025 08:23 AM
- Got Karma for Re: exclude a column from a timechart table. 01-08-2025 08:24 AM
- Got Karma for Re: Modify Input Width - XML. 04-05-2024 08:49 AM
- Got Karma for Re: Modify Input Width - XML. 08-24-2023 11:49 PM
- Got Karma for Re: Use timepicker earliest and latest as epoch time. 04-05-2023 02:27 AM
- Got Karma for Re: How to create panels with different background colors on same dashboard?. 03-01-2023 01:10 PM
- Got Karma for Should Metrics Indexes support overwriting events instead of duplicating events. 01-17-2023 12:05 PM
- Posted Re: Count number of values in multi-valued field on Splunk Search. 08-22-2022 10:02 AM
- Posted Re: Count number of values in multi-valued field on Splunk Search. 08-22-2022 04:01 AM
- Got Karma for Re: Count number of values in multi-valued field. 08-22-2022 03:40 AM
- Got Karma for Re: Drilldown conditionally based on the value of the selected element in a table?. 08-19-2022 04:53 AM
- Got Karma for Re: Base search query for different dashboard panels. 07-01-2022 08:04 AM
- Got Karma for Re: Base search query for different dashboard panels. 07-01-2022 08:03 AM
- Got Karma for Re: Count number of values in multi-valued field. 03-11-2022 06:20 PM
- Got Karma for Re: Base search query for different dashboard panels. 02-03-2022 06:36 AM
- Got Karma for Re: Set multiple tokens using "condition match". 01-03-2022 12:19 AM
- Got Karma for Re: How to send the "&" and the "=" character from a token in a link drilldown. 12-14-2021 06:11 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 2 | |||
| 8 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 9 | |||
| 1 | |||
| 0 |
12-01-2015
10:49 AM
Also worked for me, but must note that the sub-search only allows a max of 10,000 returned events. Had to run it a couple of times for my case.
... View more
11-23-2015
07:01 AM
I use the following eval after the pivot to convert the human readable times back to raw time values on 6.2.5 Splunk Enterprise and it works fine.
| pivot DataModel_AccessService perf count(TPS) AS "tps" sum(execTime) AS "execTime" SPLITROW _time AS _time PERIOD AUTO SPLITROW host AS hostname | eval _time = strptime(_time, "%Y-%m-%dT%H:%M:%S.%3N%z") | timechart sum(execTime)
It looks like Splunk Enterprise 6.3.1 fixes this issue. The time values are not automatically converted to human readable form on my 6.3.1 instance.
... View more
07-29-2015
09:08 AM
That does help some but it is incomplete. Some things are not mentioned there, e.g., rendered.
I would be most thankful if someone can point to a complete list.
... View more
07-29-2015
07:52 AM
1 Karma
I am trying to do some editing to table fields and chart legends after the page and or specific chart/table elements are redrawn. I am having a hard time getting my HTML and JS dashboard to trap certain events (e.g., load and resize), and I can't find any documentation on what events are going to be passed in the HTML and JS web framework.
Is there any documentation that describes what events are passed to specific elements, say Chart elements, or are supported in the SplunkJS Web Framework.
Ones I know of are:
click and click:*
rendered
valuechange
data
change
valueChange
search and search:*
Thank you
... View more
07-07-2015
08:03 AM
Layer8 from Logfiller (link to Splunk App) can monitor browser usage and browser wait times per URL. Works in physical systems and virtualized/hosted deployments (e.g., Citix, VMWare, RDP, etc.).
... View more
07-02-2015
04:02 AM
It looks like I have run into this exact issue with post-process results on FF 31.7.0 ESR on 6.2.X. It consistently fails to load my dashboard unless I remove the input forms that rely on a base search.
... View more
06-30-2015
10:05 AM
This is the old, non-scalable answer for my very specific use case. Look at accepted answer for more useful, generic answer.
My solution in the comments of the original post did work, but it was extremely inefficient because gentimes is invoked so many times. Instead of massaging gentimes and map to work in an odd manner, I just wrote my own command.
Below is my python code for my new command that did what I wanted to do.
Assume the command is called tranexpand . It is invoked with fields span and fields where span is the size of the time buckets for the events parsed by the command and fields is a comma-separated list of fields that need to be maintained in the output data. An example invocation looks like tranexpand span=30m fields="field1,field2" . The command assumes the events being passed to it include fields starttime and endtime . These fields indicate the start and end time bucket for the event. For example, if a transaction/event ended at 8:15:12am and ended at 8:37:35am and the bucket size is 30 minutes, the starttime field would be the equivalent of 8:00:00am and the endtime field would be the equivalent of 8:30:00am.
import re
import splunk.Intersplunk
def getSpan(val):
if not val:
return None
match = re.findall("(\d+)([smhd])", val)
if len(match) > 0:
val = int(match[0][0])
units = match[0][1]
# don't do anything for units == 's', val doesn't need to change
if units == 'm':
val *= 60
elif units == 'h':
val *= 3600
elif units == 'd':
val *= (24 * 3600)
return val
return None
def generateNewEvents(results, settings):
try:
keywords, argvals = splunk.Intersplunk.getKeywordsAndOptions()
spanstr = argvals.get("span", None)
span = getSpan(spanstr)
fields = argvals.get("fields", None)
if not span:
return splunk.Intersplunk.generateErrorResults(
"generateNewEvents requires span=val[s|m|h|d]")
if not fields:
return splunk.Intersplunk.generateErrorResults(
"generateNewEvents requires comma separated" +
" field list wrapped in quotes: fields=\"A[,B[...]]\"")
fields = fields.split(',')
new_results = []
# for each result, add fields set to message
for r in results:
start = r.get("starttime", None)
end = r.get("lasttime", None)
if (start is not None) and (end is not None):
try:
start = int(float(start))
end = int(float(end)) + 1
for x in range(start, end, span):
new_event = {}
new_event['_time'] = str(x)
for y in fields:
new_event[y] = r.get(y, None)
new_results.append(new_event)
except:
pass
results = new_results
except Exception, e:
import traceback
stack = traceback.format_exc()
results = splunk.Intersplunk.generateErrorResults(
str(e) + ". Traceback: " + str(stack))
return results
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
results = generateNewEvents(results, settings)
splunk.Intersplunk.outputResults(results)
... View more
06-17-2015
03:28 AM
I am sorry but the streamstats command you provided does not produce a timestamp field when it doesn't exist. Just tested it to confirm.
Separately, I don't quite understand what you are trying to accomplish with that command. Please clarify. If it helps, look at the sample data I posted in the original question to demonstrate your intention.
... View more
06-17-2015
03:17 AM
Thank you, I have seen those before.
The need I am addressing here is not to build a gantt chart. l could do that with some JS with my original data. Instead, I need to count concurrent users across the specific field value in the data.
... View more
06-16-2015
04:53 AM
Playing around with what you provided seems to not quite get there. If you look at the original posting, I have added some sample data that should show the extent of the issue.
... View more
06-16-2015
04:16 AM
Can you confirm the streamstats command in your example? Are you sure you meant to use the field "timestamp" in the call to earliest ? That field does not yet exist at this point in the pipeline.
... View more
06-16-2015
04:05 AM
I appreciate your help and the suggestions.
The comment about table versus fields is correct, thank you for that.
The transactions cannot be generated using stats . Also, that is not the bottleneck in my testing, it is always gentimes
Your suggestion for changing gentimes is not helping speed it up. In fact, if I trim it down to just run gentimes start=$start$ end=$end$ increment=15m , it still takes nearly a second for each invocation (see comment above)
I am still testing out your suggested approach. Will come back with results in a bit.
... View more
06-15-2015
07:27 PM
Basically, distil the data down to show unique user count per resource per time bucket. The trick is each time bucket can have multiple complete transactions for a single resource from the same user. I can't really change that fact.
... View more
06-15-2015
07:22 PM
Sorry, I hope this can help.
The following is what a segment of events looks like when the transactions have been made
start end FieldName UniqueID
1434283638.50 1434283944.90 Resource_AA USER_YY
1434284009.43 1434284172.20 Resource_AA USER_YY
1434284178.02 1434284240.24 Resource_AA USER_YY
1434353495.28 1434353616.58 Resource_BB USER_XX
1434353671.64 1434353753.25 Resource_BB USER_XX
1434353833.93 1434353872.11 Resource_BB USER_ZZ
1434353852.65 1434353868.99 Resource_AA USER_ZZ
1434353861.75 1434353884.71 Resource_BB USER_ZZ
1434353852.60 1434353931.20 Resource_AA USER_ZZ
1434353902.17 1434353915.57 Resource_BB USER_ZZ
1434353907.88 1434354047.3 Resource_AA USER_ZZ
1434354040.52 1434354077.74 Resource_BB USER_XX
This is what that series of data should look after the call to 'dedup'
start end FieldName UniqueID
06/14/2015:13:00:00 06/14/2015:13:00:00 Resource_AA USER_YY
06/14/2015:13:00:00 06/14/2015:13:15:00 Resource_AA USER_YY
06/14/2015:13:15:00 06/14/2015:13:15:00 Resource_AA USER_YY
06/15/2015:08:30:00 06/15/2015:08:30:00 Resource_BB USER_XX
06/15/2015:08:30:00 06/15/2015:08:30:00 Resource_BB USER_ZZ
06/15/2015:08:30:00 06/15/2015:08:30:00 Resource_AA USER_ZZ
This is what the end result would look like (the unique user count for each resource in a given time bucket)
_time Resource_AA Resource_BB
06/14/2015:13:00:00 1 0
06/14/2015:13:15:00 1 0
06/14/2015:08:30:00 1 2
... View more
06-15-2015
06:46 PM
Looked at search.log and I see error messages like the one below every time it says it invokes 'gentimes'. After this message appears, the time until the next cycle is almost a second as seen below.
06-16-2015 02:32:57.375 INFO DispatchThread - Error reading runtime settings: File :C:\Program Files\Splunk\var\run\splunk\dispatch\subsearch___search3_1434418371.2490_1434418377.5\runtime.csv does not exist
06-16-2015 02:32:57.375 INFO DispatchThread - Disk quota = 10485760000
06-16-2015 02:32:58.281 INFO script - Invoked script gentimes with 213 input bytes (0 events). Returned 2 output bytes in 891 ms.
... View more
06-15-2015
10:29 AM
1 Karma
The objective is take events that indicate user activity, breakdown the data into segments of time, and then figure out what segments/bins should be marked to indicate that user activity took place during that time. Here is an example of the data I am looking at
Start | End | Field_Name | Unique_Visitor_ID
a1 | a1 | AAA | ZZZ
a1 | a2 | AAA | YYY
a2 | a2 | AAA | YYY
a3 | a4 | AAA | ZZZ
a4 | a4 | AAA | ZZZ
a5 | a6 | AAA | YYY
a6 | a6 | AAA | ZZZ
In the table above, "Start" and "End" values indicate the start and end time segments that define a window of time where user "Unique_Visitor_ID" was using resource "Field_Name". Think of it kind of like the specification of a Gantt Chart, where "Start" and "End" define the range of time windows during which a user was accessing a resource.
What we want to do is create a plot where we know how many users were using each resource during each time segment. The trick is that each event in the table can span multiple time segments, and each event is generated from a grouping of events into a transaction.
I have been able to generate a query to populate the chart like I want, but it is extremely inefficient due to how a combination of 'map' and 'gentimes' are being used. Any help on simplifying this would be extremely appreciated.
Here is the end of the query where I try to produce a chart-able result after forming the table above. Basically, put all start and end segments in increments of 15 minutes, and then run through a map/gentimes command that will break up all of the transaction events that span multiple segments into individual events that cover only a single segment.
GENERATE_TRANSACTION_TABLE
| fields start end FieldName UniqueID
| bin start span=15m
| bin end span=15m
| stats max(end) as lasttime by UniqueID FieldName start
| stats min(start) as starttime by UniqueID FieldName lasttime
| stats values(UniqueID) as UniqueID by starttime lasttime FieldName (<-- filter and group like events)
| eval starttime=strftime(starttime, "%m/%d/%Y:%H:%M:%S")
| eval lasttime=lasttime+1 (<-- this is a workaround to make gentimes work for events with same start and end)
| eval lasttime=strftime(lasttime, "%m/%d/%Y:%H:%M:%S")
| map maxsearches=1000
search="gentimes start=$starttime$ end=$lasttime$ increment=15m
| eval FieldName=$FieldName$
| eval UniqueID=$UniqueID$"
| fields starttime FieldName UniqueID
| dedup starttime FieldName UniqueID
| makemv delim=" " UniqueID
| mvexpand UniqueID
| rename starttime as _time
| timechart span=15m dc(UniqueID) as Count by FieldName
Here is some example data to show the challenge. Assume this is what comes out of the transaction process.
Start End Field_Name Unique_Visitor_ID
1434355312 1434355421 AAA ZZZ
1434355534 1434357109 AAA ZZZ
1434357201 1434358920 AAA ZZZ
1434362435 1434378784 BBB YYY
This is what the same data looks like after assigning time buckets with a span of 30 minutes
Start End Field_Name Unique_Visitor_ID
06/15/2015:09:00:00 06/15/2015:09:00:00 AAA ZZZ
06/15/2015:09:00:00 06/15/2015:09:30:00 AAA ZZZ
06/15/2015:09:30:00 06/15/2015:10:00:00 AAA ZZZ
06/15/2015:11:00:00 06/15/2015:15:30:00 BBB YYY
This is what the end result would look like after calling timechart .
_time AAA BBB
06/15/2015:09:00:00 1 0
06/15/2015:09:30:00 1 0
06/15/2015:10:00:00 1 0
06/15/2015:10:30:00 0 0
06/15/2015:11:00:00 0 1
06/15/2015:11:30:00 0 1
06/15/2015:12:00:00 0 1
06/15/2015:12:30:00 0 1
06/15/2015:13:00:00 0 1
06/15/2015:13:30:00 0 1
06/15/2015:14:00:00 0 1
06/15/2015:14:30:00 0 1
06/15/2015:15:00:00 0 1
06/15/2015:15:30:00 0 1
06/15/2015:16:00:00 0 0
... View more
06-11-2015
07:38 AM
Unfortunately, you lose more than the tailing event. You lose the whole sequence of events that would make up the transaction for the last group. I get around this by manually marking the last occurring event as "newTransaction" (as you have it). Doing this seems to make everything work well.
... View more
06-11-2015
05:12 AM
My experience thus far says you are correct.
... View more
06-11-2015
04:59 AM
Yes, that should work too and matches closer with what I put in my final version.
One thing to note that is the very last grouping of events is dropped unless you mark the last event (chronologically) with newTransaction=TRUE
... View more
06-09-2015
03:03 AM
2 Karma
Well, I think I may have discovered my own answer by chance.
The key was making a new field that indicates the transition or change in the field am I most interested in. This is probably too brittle for a general solution, but it does work when you are interested in a specific field changing.
MY_SEARCH
| streamstats global=f window=2 dc(field3) as marker
| transaction field1 field2 field3 endswith="marker=2"
| sort + _time
... View more
06-08-2015
12:16 PM
I am sorry if I was unclear, but that does not keep things in sequence. That just groups all events in raw form for the combinations of field1, field2, and field3.
I need the groupings to be like buckets where a bucket is made up of all events for the unique combination of field1, field2, and field3 and those events happened in succession. So Group all events for unique combination of field1, field2, and field3, but you stop the current group whenever a new event is encountered and one of the fields changes. You will see in my example that the transaction groups 1 and 4 have the same values for field1, field2, and field3, but they are in distinct groups because events at Time 3 and Time 4 happened in between them when looking at chronological order.
... View more
06-08-2015
07:19 AM
1 Karma
I am working with time-series data, and I want to groups events based on the same values in three fields: field1, field2, and field3. All events are timestamped.
I want to group the events into transactions where field1, field2, and field3 are the same and all of the events are in chronological order. I don't want events that occur out of chronoglogical order to be in the same transaction. Also, there is no way to know a maximum amount of time between any of the events.
For example, imagine the event sequence looks like the following if you put it into a table.
Time | field1 | field2 | field3
0 | a | b | c
1 | a | b | c
2 | a | b | c
3 | a | b | z
4 | a | b | y
5 | a | b | c
6 | a | b | c
The desired transaction behavior I am trying to achieve would turn the events above into the following transactions
Transaction | Duration | field1 | field2 | field3
1 | 2 - 0 | a | b | c
2 | 3 - 3 | a | b | z
3 | 4 - 4 | a | b | y
4 | 6 - 5 | a | b | c
... View more
05-26-2015
04:45 AM
A new version (3.0.8) of the Layer8 App for Splunk is now live. There are a number of improvements to the data filtering that allow for quicker and more flexible data filtering that help with pinpointing Citrix-specific data.
Now, almost all input fields accept wildcards, and the Session field lists options to select all RDP and ICA session types.
... View more
05-14-2015
11:05 AM
I really needed to tackle the same kind of problem. I have tried a couple different ways. Both of the ones below seem to work, but the method you want to use probably depends on your Splunk setup and how efficient things need to be. Neither of the two methods below have been instrumented to a great degree to see which is the optimal solution.
Method 1: use 'appendpipe' to sort the aggregate values and filter the original events data based on a ranking of the top 10 aggregates.
The splunk query would look like this.
index=YOUR_PERFMON_INDEX sourcetype=YOUR_CPU_SOURCETYPE
| bin _time span=1h
| stats sum(CPU) as cpu by _time host
| eventstats sum(cpu) as agg_cpu by host
| appendpipe run_in_preview=f
[ fields - _time CPU
| dedup host sortby -agg_cpu
| head 10
| fields host
| mvcombine host
| rename host as filter
| eval _time = 0]
| sort + _time
| filldown filter
| WHERE like(filter, host)
| fields - filter
| timechart sum(cpu) by host
Method 2: use a subsearch in the initial search that calculates the top 10 aggregate Hosts and filters the first search to include just those. The splunk query would look like this.
index=YOUR_PERFMON_INDEX sourcetype=YOUR_CPU_SOURCETYPE
[ search index=YOUR_PERFMON_INDEX sourcetype=YOUR_CPU_SOURCETYPE
| stats sum(CPU) as cpu by host
| sort 10 desc cpu
| fields host]
| bin _time span=1h
| stats sum(CPU) as cpu by _time host
| timechart sum(cpu) by host
... View more
04-02-2015
10:09 AM
I too would like to know the answer to this question.
... View more
- « Previous
- Next »
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-02-2025
08:01 AM
|
Karma given to
