Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About IRHM73
IRHM73
Motivator
Member since:
07-08-2015
06-05-2020
Community Statistics
| Posts | 554 |
| Solutions | 23 |
| Karma Given | 58 |
| Karma Received | 41 |
| Member Since | 07-08-2015 |
Activity Feed
- Got Karma for Re: Why am I unable to multiply two fields fields with my current search syntax?. 06-11-2024 10:44 AM
- Got Karma for Re: Append Non Matching Results to Lookup Table. 04-24-2022 05:14 PM
- Got Karma for Re: Stats Values and Count. 11-03-2021 12:34 PM
- Karma Re: Stats Count Eval If for cvssravan. 06-05-2020 12:50 AM
- Karma Re: Stats Count Eval If for renjith_nair. 06-05-2020 12:50 AM
- Karma Re: Subtotals with Sum for woodcock. 06-05-2020 12:50 AM
- Karma Re: Can you help me incorporate my search into a summary Index? for ashajambagi. 06-05-2020 12:50 AM
- Got Karma for Use Timepicker Token With Field. 06-05-2020 12:50 AM
- Karma Re: Stats values Into timechart -- I can't get timechart to work for cmerriman. 06-05-2020 12:49 AM
- Karma Re: Replace First Two Digits for gcusello. 06-05-2020 12:49 AM
- Got Karma for How to display zero count in a stats table?. 06-05-2020 12:49 AM
- Got Karma for Transpose Multiple Column Headers. 06-05-2020 12:49 AM
- Got Karma for Re: Hide/Display Panels Using Multiselect. 06-05-2020 12:49 AM
- Got Karma for Hide/Display Panels Using Multiselect. 06-05-2020 12:49 AM
- Karma Re: How to Update a Lookup Table for DMohn. 06-05-2020 12:48 AM
- Karma Re: Different Results From Similar Queries for somesoni2. 06-05-2020 12:48 AM
- Karma Re: What configuration file contains app version numbers so I can propagate version numbers from GitHub to Splunk? for javiergn. 06-05-2020 12:48 AM
- Karma Re: Why am I getting no results from my saved search with append when I extend the range on the dashboard time picker? for woodcock. 06-05-2020 12:48 AM
- Karma Re: Extract Searches Performed for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Eval If Statement for dwaddle. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-13-2015
01:30 AM
Hi Tom, thank you very much for taking the time to reply to my post and for the guidance.
Many thanks and kind regards
Chris
... View more
08-13-2015
12:55 AM
Hi, I wonder whether someone could help me please.
I've put together the search below to create a Summary Index
tags.transactionName = "Send Email Alert" auditType="TxSucceeded" | eval shortForm='detail.formId'." " | eval shortForm = substr(shortForm, 1, 6) | sort 0 detail.messageId | dedup detail.messageId | chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count
The problem I now have is trying to retrieve the results I know that I need to use "index=summary source="SA Tester" at the beginning of the query but despite several combinations I can't retrieve the results.
I've managed a very simple example of this, but this is more complicated than the tutorials I've been using.
I just wondered whether someone may be able to look at this and let me know where I'm going wrong.
Many thanks and kind regards
Chris
... View more
- Tags:
- summary-index
08-13-2015
12:06 AM
Hi, I wonder whether someone could help me please.
I'm using the search below to successfully produce a pie chart with desired results.
tags.transactionName = "Send Email Alert" auditType="TxSucceeded" | eval shortForm='detail.formId'." " | eval shortForm = substr(shortForm, 1, 6) | sort 0 detail.messageId | dedup detail.messageId | chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count
Because this search takes a while to load I'm looking at making this more efficient by removing the dedup element of search, so I've changed this to:
tags.transactionName = "Send Email Alert" auditType="TxSucceeded" | eval shortForm='detail.formId'." " | eval shortForm = substr(shortForm, 1, 6) | sort 0 detail.messageId | **stats dc(detail.messageId)** | chart count by shortForm | eval pieSlice=shortForm + " " + count | fields pieSlice, count
The problem is, is that this no longer produces any results so I've clearly done something wrong.
I just wondered whether someone may be able to look at this please and let me know where I've gone wrong.
Many thanks and kindest regards
Chris
... View more
- Tags:
- dedup
- distinct_count
08-07-2015
03:45 AM
Hi thank you for your reply.
The issue which puzzles me, is that the Splunk documentation shows the following:
*Let's say you've been running the following search, with a time range of the past year:
eventtype=firewall | top src_ip
This search gives you the top source ips for the past year, but it takes forever to run because it scans across your entire index each time.
What you need to do is create a summary index that is composed of the top source IPs from the "firewall" event type. You can use the following search to build that summary index. You would schedule it to run on a daily basis, collecting the top src_ip values for only the previous 24 hours each time. The results of each daily search are added to an index named "summary":
eventtype=firewall | sitop src_ip*
then
*Now, let's say you save this search with the name "Summary - firewall top src_ip" (all saved summary-index-populating searches should have names that identify them as such). After your summary index is populated with results, search and report against that summary index using a search that specifies the summary index and the name of the search that you used to populate it. For example, this is the search you would use to get the top source_ips over the past year:
index=summary search_name="summary - firewall top src_ip" |top src_ip*
So I've written my queries as such.
Many thanks and kind regards
Chris
... View more
08-07-2015
02:34 AM
Hi, I've looked into the situation again and although it was a scheduled report, I've now changed this and run the report immediately with the query: auditSource=nc detail.input=* | sitop detail.input but the dashboard doesn't up date.
My apologies for the stupid query, but I'm relatively new to using Splunk.
Many thanks and kind regards
Chris
... View more
08-07-2015
02:22 AM
Hi, many thanks for taking the time to reply to my post. I'll take a look at the this and get back to you.
... View more
08-07-2015
01:17 AM
Hi,
I wonder whether someone may be able to help me please.
I have successfully created a 'Summary Index' report and a dashboard which displays the results.
The problem I have is that the dashboard doesn't appear to be updating to show the latest search performed.
e.g. My first search came back with approx 34K returned results and this was correctly reflected in the dashboard. I then ran another search for a different time period within the report which returned approx 100K but these figures weren't reflected in the dashboard despite refreshing it.
This is my dashboard query:
<query>index=summary search_name="Test" | Stats count by detail.input</query>
Could someone perhaps explain why this may be please because I'm at a loss.
Many thanks and kind regards
Chris
... View more
08-04-2015
11:28 PM
Hi thank you for coming back to me. When I omit the fillnull from the second query the number of events are still greater than the initial query and the count significantly reduced.
However If I changed the latter query to auditSource=tc auditType=TCStarted NOT [search auditSource=tc auditType=TCCompleted | table detail.nino] | iplocation tags.clientIP | fillnull value="Country Not Found" | stats dc(detail.nino) By Country which is now working perfectly.
Kind regards
Chris
... View more
08-03-2015
11:39 PM
Hi,
I wonder whether someone may be able to help me please.
I'm using the search below to successfully produce a given group of stats:
auditSource=ts auditType=RenewalStarted NOT [search auditSource=ts auditType=RenewalCompleted | table detail.nino] |
iplocation tags.clientIP |dedup detail.nino | fillnull value="Country Not Found" Country | stats count by Country
Because I know that the dedup command can be resource intensive, I've tried changing this by using the stats dc command as below:
auditSource=ts auditType=RenewalStarted NOT [search auditSource=ts auditType=RenewalCompleted | table detail.nino] |
iplocation tags.clientIP | fillnull value="Country Not Found" Country | stats dc(detail.nino) By Country
The problem I have is that although I'm using the same date period, the search is not returning the same set of results.
I just wondered whether someone may be able to look at this please and offer some guidance on where I may have gone wrong.
Many thanks and kind regards
Chris
... View more
07-31-2015
12:47 AM
Hi All, I've gone through the query @pwmcity provided, but unfortunately I couldn't get the figures to match those coming out of the dedup query.
So I continued to work on this, and managed to get this to work by using:
| stats distinct_count(detail.ipAddress) AS "Registrations"
I hope this helps.
Kind Regards
Chris
... View more
07-30-2015
01:25 AM
Hi @tom_frotscher, thank you for taking the time to reply to my post and for pointing out the error over the eventId.
Kind regards
Chris
... View more
07-30-2015
01:24 AM
1 Karma
Hi @pwmcity, many thanks for taking the time to reply to my post and for the solution. Kind regards. Chris
... View more
07-29-2015
11:52 PM
Hi
I wonder whether someone can help me please.
I'm using the code below to run a search which works fine.
index=main detail.statusCode=200 | dedup detail.ipAddress | stats count(eventId) | rename count(eventId) AS "Registrations"
But I'm told, and I'm not sure whether this is correct, that dedup is quite labour intensive for Splunk to remove duplicate entries, so I changed the code to:
index=main detail.statusCode=200 | stats dc(detail.ipAddress) | stats count(eventId) | rename count(eventId) AS "Registrations"
The problem I have is that although the parameters for the two are exactly the same, I retrieve more events for the second search, but I have no idea why. The figure shown for the 1st search also returns a stats count of 74, whereas the second returns 0
Could someone tell me please? By default ,does 'stats dc' return another set of records?
Many thanks and kind regards
Chris
... View more
07-23-2015
10:24 PM
Hi @somesoni2, thank you very much for taking the time to reply to my post and for the clear explanation.
Once again many thanks and kind regards
Chris
... View more
07-23-2015
10:23 PM
2 Karma
Hi @ohlafi, I really appreciate you taking the time to reply to my post with a good explanation. Very much appreciated.
Kind Regards
Chris
... View more
07-23-2015
10:22 PM
Hi @richgalloway, thank you for taking the time to reply to my post and for the simple explanation. A great help!
Kind regards
Chris
... View more
07-23-2015
04:20 AM
1 Karma
Hi, I wonder whether someone could help me please.
I've been presented with the following search, and although as a beginner I understand most of it, I'm having difficulty in working out the intention of the NOT search element.
auditSource=ts detail.cofcEventType=* NOT [search auditSource=ts auditType=RenewalCompleted]| stats count by auditType
I've trawled through the Splunk documentation many times and a host of posts, but I'm still none the wiser.
I just wondered whether someone may be able to advise me on what the author of the search is trying to achieve and the reason behind using the 'NOT search' operators.
Many thanks and kind regards
Chris
... View more
07-21-2015
10:17 PM
Hi @bmacias84, many thanks for the confirmation.
Kind Regards
Chris
... View more
07-21-2015
05:45 AM
Hi,
I just wonder whether someone may be able to help me please.
I'm trying to put together a Post Process - Base Search with similar format to that below:
<search id="baseSearch">
<query>index=_internal source=*splunkd.log | stats count by component, log_level</query>
<earliest>-30d</earliest>
<latest>now</latest>
</search>
<search base="baseSearch">
<query> index=_internal source=*splunkd.log | stats count by component, log_level</query>
<earliest>-1d</earliest>
<latest>now</latest>
</search>
Could someone tell me please, does the date period in the 'Base' search carry forward to the 'Post Process' search, or can they be different as shown in my example above.
Many thanks and kind regards
Chris
... View more
07-20-2015
09:59 PM
Hi @landen99 thank you veyr much.
Kind Regards
Chris
... View more
07-20-2015
03:17 AM
Hi @jeffland, many thanks and kind regards
Chris
... View more
07-20-2015
01:04 AM
1 Karma
Hi,
I wonder whether someone may be able to help me please.
I want to build a TagCLoud dashboard which I know will require the use of Javascript & CSS files for which I have a copy of both from the tutorials.
I just wondered whether someone may be able to provide just a simple step by step guide how to load both the js and css into Splunk and how I can edit these whilst in Splunk.
You can probably tell I'm new to Splunk having only had this a couple of weeks, and the Splunk guidance I've read doesn't really help from a beginners perspective.
Many thanks and kind regards
Chris
... View more
07-20-2015
12:41 AM
Thank you @Icrielaa, your code worked great.
Many thanks and kind regards
Chris
... View more
07-19-2015
10:15 PM
Hi, I have had a look at my raw data today and found that there was an error with the capitalisation of the 'Postcode' field, it should have been 'PostCode', so I've now been able to get the expression to work.
I just want to thank all that have contributed and despite their frusrations, their help.
Many thanks and kind regards
Chris
... View more
07-17-2015
06:18 AM
Hi @landen99, thank you for taking the time to reply to my post and come back to me with this.
Unfortuanetly, this doesn't extract the data and the 'address1' variable is blank.
Many thanks and kind regards
Chris
... View more
