Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About TaylorWhitt
TaylorWhitt
Path Finder
Member since:
11-05-2014
06-12-2024
Community Statistics
| Posts | 12 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 8 |
| Member Since | 11-05-2014 |
Activity Feed
- Karma Re: How to Report System Uptime/Downtime? for somesoni2. 06-05-2020 12:47 AM
- Got Karma for Uptime Graph for Multiple Objects. 06-05-2020 12:47 AM
- Got Karma for Is it possible to get the first and last concurrent events by a field?. 06-05-2020 12:47 AM
- Got Karma for Is it possible to get the first and last concurrent events by a field?. 06-05-2020 12:47 AM
- Got Karma for Is it possible to get the first and last concurrent events by a field?. 06-05-2020 12:47 AM
- Got Karma for Is it possible to get the first and last concurrent events by a field?. 06-05-2020 12:47 AM
- Got Karma for Re: How to do a basic plot of network traffic by minute?. 06-05-2020 12:47 AM
- Got Karma for Re: How to do a basic plot of network traffic by minute?. 06-05-2020 12:47 AM
- Got Karma for Re: How to do a basic plot of network traffic by minute?. 06-05-2020 12:47 AM
- Posted Is it possible to get the first and last concurrent events by a field? on Splunk Search. 04-05-2015 11:06 PM
- Tagged Is it possible to get the first and last concurrent events by a field? on Splunk Search. 04-05-2015 11:06 PM
- Tagged Is it possible to get the first and last concurrent events by a field? on Splunk Search. 04-05-2015 11:06 PM
- Tagged Is it possible to get the first and last concurrent events by a field? on Splunk Search. 04-05-2015 11:06 PM
- Tagged Is it possible to get the first and last concurrent events by a field? on Splunk Search. 04-05-2015 11:06 PM
- Tagged Is it possible to get the first and last concurrent events by a field? on Splunk Search. 04-05-2015 11:06 PM
- Posted Re: How to do a basic plot of network traffic by minute? on Splunk Search. 02-09-2015 07:27 AM
- Posted Re: Advice on how to better search Splunk>answers on Splunk Search. 02-09-2015 07:14 AM
- Posted Re: My automatic lookup field is not searchable unless I pipe search for it. on Splunk Search. 02-07-2015 09:53 AM
- Posted Re: How do I create a table and timeline of active connections. (Uptime graph) on Dashboards & Visualizations. 02-07-2015 09:23 AM
- Posted Re: Can I change the "Splunk>" home button in the upper left corner to an icon of my choice? on All Apps and Add-ons. 02-07-2015 09:13 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 4 | |||
| 1 | |||
| 0 |
04-05-2015
11:06 PM
4 Karma
Is it possible to get the first and last concurrent events by a field? I'm trying to use this with NAT translations to determine how long each user uses the network at any one given time. Events occur with the following interesting information:
However, a translation is done for each session of a computer by port. I don't really care about the port information as I already have a search for it. I'm trying to get the first and last concurrent event in which the nat_inside_local_ip and nat_inside_global_ip match into a stats table. Here's what I got so far, but its returning translation times that overlap.
<search string> |
stats earliest(_time) as First latest(_time) as Last by nat_inside_local_ip,nat_inside_global_ip |
eval Length=floor((Last-First)/60)|
eval First=strftime(First, "%D %H%M") |
eval Last=strftime(Last, "%D %H%M") |
eval Length=Length+" Min"
I was thinking the localize/concurrency command(s), or a subsearch might help, but I'm rather new/self-taught to splunk. I wish there was the ability to do something like this:
stats earliest(_time) as First latest(_time) as Last by concurrent nat_inside_local_ip,nat_inside_global_ip
I also want to include some sort of span to trunicate concurrent events that are too far apart - but then again, beggars/choosers. Any ideas?
... View more
02-09-2015
07:27 AM
3 Karma
I think timechart is the way to go. Otherwise you may run into plotting issues with the date time field.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/ChartDisplayissues
You're not really asking how to plot it in a specific way, but the documentation is really useful. I would play around with the different values you can use.
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Timechart#Examples
... View more
02-09-2015
07:14 AM
I find this extremely ironic given what splunk is used for.... searching.
... View more
02-07-2015
09:53 AM
It sounds like you don't have a field extraction set up for bldg. The following documentation will explain why, a lot better than I can.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/WhenSplunkEnterpriseaddsfields
http://docs.splunk.com/Documentation/Splunk/6.2.1/Indexer/Indextimeversussearchtime
Default field extractions have to be common to every entry. By identifying the different sourcetype and index, is making the bldg field common to all entries. Then you're performing another search where your string would match.
I could be wrong, but I am going to guess there is an entry where bldg has a value with a space in it?
... View more
02-07-2015
09:23 AM
For the people following this, it only took me 3 months.. I installed the cisco IOS app, which created the "state_to" field. Using the Area visualization and Multi-series mode format, the following search got me basically what I wanted.
state_to=* | transaction Uptime startswith=(state_to=Up) endswith=(state_to=Down) | concurrency duration=duration | timechart max(concurrency) as UpDown by neighbor fixedrange=F span=5m
link text
... View more
02-07-2015
09:13 AM
I don't have the rights to my server to verify this, but I believe the file you're looking for is: $/etc/apps/framework/server/apps/homefx/templates/navbar.html
I'm sure if you uploaded a picture, and replaced the html code to reference the picture it would work... but again, I don't have rights to verify.... and I don't know html coding... I don't know why I answered this, but good luck!
... View more
02-07-2015
07:11 AM
It's not "exactly" what I was asking for, but I was unaware of the multi-series mode under format. Using the Area visualization and Multi-series mode format, the following search got me basically what I wanted.
state_to=* | transaction Uptime startswith=(state_to=Up) endswith=(state_to=Down) | concurrency duration=duration | timechart max(concurrency) as UpDown by neighbor fixedrange=F span=5m
(hope this picture works)
I have tunnels that go up and down constantly. I didn't want anything to be drawn if the tunnel was down, but I wanted it to be easily recognizable if it was up, for the duration of it being up. At times, I have 20 tunnels up at one time, so this may not be great for when that happens... but if my boss doesn't like it, he can send me to training.
I appreciate your help.
... View more
02-03-2015
04:51 PM
1 Karma
I've searchs Splunk Answers and I have gotten two search strings, where if combined, would give me the results I would like.
The field values that I can get out of my search are like the following:
neighbor=D state_to=Down
neighbor=B state_to=Up
neighbor=D state_to=Up
neighbor=A state_to=Up
neighbor=B state_to=Down
neighbor=C state_to=Up
neighbor=A state_to=Down
neighbor=B state_to=Up
neighbor=A state_to=Up
Where capital letters are referencing an IP address.
* | eval upordown=if(state_to="Up ",+1,-1)| streamstats sum(upordown) as concurrency by neighbor | timechart max(concurrency) by neighbor
This one provides a graph for multiple interfaces with a color-coded key to the right that I can hover over, but shows unnecessary values. I honestly just want a line for each interface like a sparkline, but... more appealing.
src_ip="IPADDRESS" | transaction Uptime startswith=(state_to=Up) endswith=(state_to=Down) | concurrency duration=duration | timechart avg(concurrency) as UpDown
this is perfect for a specific interface, but like the top one I want it to show multiple interfaces. I've been staring at this for 2x 12 hour shifts now, but I am not familiar with splunk's language and commands.
I was thinking of having a search just get a table of all interfaces at searchtime and (somehow) use the row number as the value for the graph line of each interface (that way each one is a separate line) and somehow cram all that in with the other two strings so if the interface is "Up", be the value of the row number and if it is down, multiply the filldown value by 0. I haven't gotten a search with filldown to work yet either hence why I didn't include it in the code above.
Can anyone help? I have a good feeling this is possible, I think I have just been staring at this too long.
... View more
12-24-2014
07:02 PM
I don't know much about Splunk or how to write commands, but if your event_y fires, couldn't you multiply total_x by 0?
... View more
11-07-2014
02:54 AM
Something else you could do is use event neighbor discovery, as part of the Embedded Event Manager (EEM).
http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_06.html#wp1181238
Sorry I can't elaborate, I haven't used it personally, but apparently you can do quite a bit with it.
... View more
11-05-2014
11:59 PM
My site has customers that connect periodically throughout the day. I am trying to build a table/array for the uptime of said customer on view that I monitor throughout the day and then a timechart search for the connected customers. The customers don't normally stay connected for longer than 24 hours but the message that is generated when someone connects is:
%BGP-5-ADJCHANGE: neighbor [IP address] Up
%BGP-5-ADJCHANGE: neighbor [IP address] Down BGP Notification sent
I have field extractions where neighbor=[IP address] and state_to=up/down
I got kind of close for the table (it's usable) with:
ADJCHANGE | contingency neighbor state_to
... but I don't know how to filter the results to only show the ones where the count of state_to Up>Down
As for the timeline, I am stuck. I am trying to have a line graph with who connected (uptime) throughout the day/week. I simply don't understand which command I need to use as I've never coded something before (I'm just a network plumber). I'm pretty certain I need what I have below, but for the timeline/(sparkline?) portion of the command, I'm stuck. It graphs the sparkline but only graphs the events (syslog), not the duration between the events. Which again, is usable but not what I want.
ADJCHANGE | transaction neighbor startswith=(state_to="Up") endswith=(state_to="Down") | makecontinuous _time span=10m | stats sparkline count, sum(duration) by neighbor | sort sum(duration) desc
What I have so far
... View more
