Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rodrigorenie
rodrigorenie
Explorer
Member since:
10-27-2014
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 5 |
| Member Since | 10-27-2014 |
Activity Feed
- Got Karma for How to find the time difference between the current and previous event per field?. 12-21-2020 04:30 PM
- Got Karma for How to distinctively count concurrent users when event has userid, logindate, logoutdate. 06-05-2020 12:51 AM
- Karma Re: How to find the time difference between the current and previous event per field? for aweitzman. 06-05-2020 12:47 AM
- Karma Re: How to find the time difference between the current and previous event per field? for aweitzman. 06-05-2020 12:47 AM
- Karma Re: How can I rename column names after a transpose based on a field? for somesoni2. 06-05-2020 12:47 AM
- Got Karma for How to create charts for each host dynamically in a dashboard using simple xml?. 06-05-2020 12:47 AM
- Got Karma for How to find the time difference between the current and previous event per field?. 06-05-2020 12:47 AM
- Got Karma for Re: How can I rename column names after a transpose based on a field?. 06-05-2020 12:47 AM
- Posted Re: How to distinctively count concurrent users when event has userid, logindate, logoutdate on Splunk Enterprise. 03-20-2020 07:51 AM
- Posted Re: How to distinctively count concurrent users when event has userid, logindate, logoutdate on Splunk Enterprise. 03-17-2020 10:55 AM
- Posted How to distinctively count concurrent users when event has userid, logindate, logoutdate on Splunk Enterprise. 03-17-2020 07:54 AM
- Tagged How to distinctively count concurrent users when event has userid, logindate, logoutdate on Splunk Enterprise. 03-17-2020 07:54 AM
- Tagged How to distinctively count concurrent users when event has userid, logindate, logoutdate on Splunk Enterprise. 03-17-2020 07:54 AM
- Tagged How to distinctively count concurrent users when event has userid, logindate, logoutdate on Splunk Enterprise. 03-17-2020 07:54 AM
- Posted Set token inside using Simple XML on Dashboards & Visualizations. 05-11-2015 07:23 AM
- Tagged Set token inside using Simple XML on Dashboards & Visualizations. 05-11-2015 07:23 AM
- Tagged Set token inside using Simple XML on Dashboards & Visualizations. 05-11-2015 07:23 AM
- Tagged Set token inside using Simple XML on Dashboards & Visualizations. 05-11-2015 07:23 AM
- Tagged Set token inside using Simple XML on Dashboards & Visualizations. 05-11-2015 07:23 AM
- Tagged Set token inside using Simple XML on Dashboards & Visualizations. 05-11-2015 07:23 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 2 |
03-20-2020
07:51 AM
I was able to solve this by creating a range of dates between logindate and logoutdate and turning that field into the new _time field:
mysearch
| eval logindate = strptime(logindate, "%d/%m/%Y %H:%M:%S") | bin span=1m logindate
| eval logoutdate = strptime(logoutdate, "%d/%m/%Y %H:%M:%S") | bin span=1m logoutdate
| eval range = mvrange(logindate, logoutdate, "1m")
| field - _time
| rename range as _time
| timechart span=5m limit=10 otherstr=Outros distinct_count(userid)
First I had to convert the fields logindate and logoutdate to proper datetime, and then I used the bin command just to snap logindate and logoutdate back to their earliest minute, but that's optional.
I used mvrange to create a multivalued field of dates wich range between logindate and logoutdate every 1 minute. Then I got rid of the original _time field and replaced it with the range field.
After that, a simple timechart will do the trick.
... View more
03-17-2020
10:55 AM
I was looking at the answer you posted, and noticed a main difference: a already have the logindate and logoutdate fields in every event, so could I replace everything from the beginning up until before the table command with just eval duration = logoutdate - logindate ?
Also, how does appending the gentimes result to the table logindate, duration garantees that I will be able to count distinct users?
This log is from an Application which is licensed by Concurrent Users and the same user logged in several times during the same period does not count as multiple concurrent user.
... View more
03-17-2020
07:54 AM
1 Karma
Hi everyone, I have the following event format:
_time logindate logoutdate userid
2019-07-25 09:41:21 25/07/2019 09:41:21 25/07/2019 13:47:52 USER1
2019-07-25 09:41:02 25/07/2019 09:41:02 25/07/2019 11:43:17 USER2
2019-07-25 09:39:56 25/07/2019 09:39:56 25/07/2019 13:01:17 USER4
2019-07-25 09:39:45 25/07/2019 09:39:45 25/07/2019 11:39:58 USER3
2019-07-25 09:39:15 25/07/2019 09:39:15 25/07/2019 10:32:34 USER2
2019-07-25 09:38:04 25/07/2019 09:38:04 25/07/2019 11:39:07 USER1
logindate and _time have the same value, because splunk considered the logindate field as the event _time automatically.
What I need to accomplish is to count distinctively the number of users that were logged in at the same time. I have studied the concurrency command, but I don't think it solves my problem since I need to count distinct users.
I was able to solve this in SQL (where these values are acctualy stored) by creating an auxliary table with just timestamps ranging from the earliest logindate to the latest logout date, incremented by the hour and then inner joining that table to data table whenever the timestamp from the dummy table was between logindate and logoutdate.
Could I accomplish something similar or better in Splunk?
... View more
05-11-2015
07:23 AM
Hello everyone.
Is there a way to set a token when I click a link defined in a html panel? I tried this but it doesn't work:
<dashboard>
<label>token</label>
<row>
<panel>
<html>
<div style="text-align: center;">
<h1>teste 123</h1>
<a href="#mytoken=somevalue">Click here to show panel</a>
</div>
</html>
<html depends="$mytoken$">
<h1>hidden html</h1>
</html>
</panel>
</row>
</dashboard>
... View more
02-02-2015
04:30 AM
1 Karma
Hello everyone.
I have a very simple search which I use to create a 100% Stack Bar showing the availability of a specific host:
host=myhostname index=availability sourcetype="avail" | stats avg(unavail) AS Unavailability, avg(avail) AS Availability by host
I know I could just replace the "myhostname" with "*" and create one graph with several host entries displaying their availability, but what I'd like to do is create one graph for each host on a Dashboard dynamically, that is, if a new server starts to send logs do splunk, this dashboard will automatically create a new graph containing it's availability.
And I need to do this using Simple XML (if possible), my access to our Splunk server is currently limited. So far, I found the "depends" property which I can use with the "chart" element, which means that this chart will only be displayed if the tokens in the "depends" property actually exists, but I could figure out a way to use it.
Any ideas?
Thanks!
... View more
11-28-2014
01:20 PM
1 Karma
yeap! Worked perfectly! Didn't know about the untable command, thank you!!
... View more
11-28-2014
05:11 AM
Hello Everyone.
I have a search that uses streamstat to create a field called "answer" and "frequency" for each resulting event. Each of these events has another field, called "app", which is the applicaction that generated that event. I also use "dedup" command to get only the last event generated by each application, resulting in something like this:
app=APP1;anwser=123;freq=159
app=APP2;anwser=456;freq=77
app=APP3;anwser=789;freq=44
app=APP4;anwser=112;freq=332
I want to create a simple table that has as columns the name of the application (from the "app" field) and as values (lines) of the table, the answer and the freq, like this:
APP1 APP2 APP3 APP4
answer 123 456 789 112
freq 159 77 44 332
What I've done so far is this:
mysearch | table answer,frequency | transpose |
rename "row 1" as APP1, "row 2" as APP2, "row 3" as APP3, "row 4" as APP4
Which does the trick, but would be perfect if I could rename the automatically created rows by the transpose command with the values of the "app" field.
Is it possible to do that or is there a better way to create such table?
Thanks!
... View more
11-26-2014
12:07 PM
Thanks for your answer, but I've tried that before and this search gives me the following result:
11/26/14 12:00:00 host='host1';app='app1';answer=90.00;answer_avg=80
11/26/14 11:50:00 host='host1';app='app2';answer=5.00;answer_avg=5.6
11/26/14 11:40:00 host='host1';app='app3';answer=10.00;answer_avg=11
11/26/14 11:30:00 host='host1';app='app1';answer=80.00;answer_avg=80;delay=1800
11/26/14 11:20:00 host='host1';app='app2';answer=4.00;answer_avg=5.6;delay=1800
11/26/14 11:10:00 host='host1';app='app3';answer=12.00;answer_avg=11;delay=1800
11/26/14 11:00:00 host='host1';app='app1';answer=70.00;answer_avg=80;delay=1800
11/26/14 10:50:00 host='host1';app='app2';answer=8.00;answer_avg=5.6;delay=1800
11/26/14 10:40:00 host='host1';app='app3';answer=11.00;answer_avg=11;delay=1800
I.E., the delay of the first event for each app is calculated only on the second event.
... View more
11-26-2014
10:09 AM
2 Karma
Hello everyone.
I'm using "eventstats" to generate the average of a certain field in every event that Splunk collects, something like this:
host=host1 index=itcam app=* | eventstats avg(answer) as answer_avg by app
The result is something like this:
11/26/14 12:00:00 host='host1';app='app1';answer=90.00;answer_avg=80
11/26/14 11:50:00 host='host1';app='app2';answer=5.00;answer_avg=5.6
11/26/14 11:40:00 host='host1';app='app3';answer=10.00;answer_avg=11
11/26/14 11:30:00 host='host1';app='app1';answer=80.00;answer_avg=80
11/26/14 11:20:00 host='host1';app='app2';answer=4.00;answer_avg=5.6
11/26/14 11:10:00 host='host1';app='app3';answer=12.00;answer_avg=11
11/26/14 11:00:00 host='host1';app='app1';answer=70.00;answer_avg=80
11/26/14 10:50:00 host='host1';app='app2';answer=8.00;answer_avg=5.6
11/26/14 10:40:00 host='host1';app='app3';answer=11.00;answer_avg=11
Which works great, because I have the average answer per "app" field in every event.
What I need to do now is calculate how long the current event took to occur based on the previous event, also separated by the "app" field.
For example, in the above result, latest event is from "app1", which ocurred at "12:00". The previous event of "app1" ocurred at "11:30", which means that the latest event from "app1" (at 12:00) took 30 minutes since the last one (at 11:30).
I would like to create a field, called "delay" (for example) in every event, including the latest one, with the time difference in seconds (or minutes) between an event and it's predecessor PER APP, resulting in something like this:
11/26/14 12:00:00 host='host1';app='app1';answer=90.00;answer_avg=80;delay=1800
11/26/14 11:50:00 host='host1';app='app2';answer=5.00;answer_avg=5.6;delay=1800
11/26/14 11:40:00 host='host1';app='app3';answer=10.00;answer_avg=11;delay=1800
11/26/14 11:30:00 host='host1';app='app1';answer=80.00;answer_avg=80;delay=1800
11/26/14 11:20:00 host='host1';app='app2';answer=4.00;answer_avg=5.6;delay=1800
11/26/14 11:10:00 host='host1';app='app3';answer=12.00;answer_avg=11;delay=1800
11/26/14 11:00:00 host='host1';app='app1';answer=70.00;answer_avg=80;delay=1800
11/26/14 10:50:00 host='host1';app='app2';answer=8.00;answer_avg=5.6;delay=1800
11/26/14 10:40:00 host='host1';app='app3';answer=11.00;answer_avg=11;delay=1800
In this poor example, every app took exactly 30 minutes (or 1800 seconds) to execute.
Thanks in advance!!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
