Activity Feed
- Got Karma for Re: Search a field for multiple values. 03-22-2024 10:26 AM
- Got Karma for Re: How to find earliest event based on Event code for once server?. 02-10-2021 12:38 PM
- Got Karma for Re: How do you set an input's conditional change to match a literal * with Simple XML?. 11-15-2020 03:03 PM
- Got Karma for identifying sourcetypes by index. 10-29-2020 07:40 AM
- Karma How to set the default value of a multiselect input box to the results of a search? for coleman07. 06-05-2020 12:48 AM
- Karma Re: How can I return specific results using head and tail commands? for maciep. 06-05-2020 12:48 AM
- Karma How to search a lookup table and return the matching term? for clv1clv1. 06-05-2020 12:48 AM
- Karma Re: How to search a lookup table and return the matching term? for gokadroid. 06-05-2020 12:48 AM
- Karma Re: How to replicate a Search Head Cluster's KV Store lookup data to an Indexer? for dwaddle. 06-05-2020 12:48 AM
- Got Karma for Re: Splunk Enterprise Security: How to troubleshoot why the threat_activity index is no longer populating with data?. 06-05-2020 12:48 AM
- Karma Re: Method to rename field to value of another field for acharlieh. 06-05-2020 12:47 AM
- Karma Re: Distributed Search Environment: Do accelerated data models reside on the indexer or search head? for helge. 06-05-2020 12:47 AM
- Karma How extract data model fields using REST search? for Runals. 06-05-2020 12:47 AM
- Karma Re: Extract Data Model fields using REST search for reed_kelly. 06-05-2020 12:47 AM
- Karma How to re-run a relative time search on click of the submit button? for helenashton. 06-05-2020 12:47 AM
- Karma Re: How to re-run a relative time search on click of the submit button? for masonmorales. 06-05-2020 12:47 AM
- Karma Re: can I extract a field with a regexed dynamic fieldname? for MuS. 06-05-2020 12:47 AM
- Karma Re: Removing null columns from a table for pj. 06-05-2020 12:47 AM
- Karma Re: Getting error "Error in 'chart' command: The argument ' ' is invalid." when using "chart-count-over-by" clause in chart with post-process search for ishangajera. 06-05-2020 12:47 AM
- Karma Why are values for a dynamic checkbox not being populated by variables passed from 2 drop-downs? for vdevarayan. 06-05-2020 12:47 AM
07-25-2019
05:10 AM
I was afraid of that. Would be nice if there were a second separator-like character, but I'll make do. Thank you for confirming.
07-23-2019
05:55 AM
What is the "safe" character set to use for field names, especially in lookups? By "safe" I mean "no need to quote-escape in a search." I know [a-zA-Z0-9_] works--is there anything else? Periods are sort of valid, but they can do funny things in evals. Basically I'm looking for a secondary separator character in addition to the underscore.
The only official Splunk doc I could find on the topic was the indexed field extraction doc (https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction), but I don't need to define these at index time or in the conf files.
Labels: index
04-04-2018
11:37 AM
That won't work. It just prepends the string sourcetype. I want the value of the sourcetype field.
04-02-2018
11:11 AM
I am collecting data from several sources into a lookup and would like to rename the various fields to indicate which source they came from--source1_name, source2_ip, and so on. Since I don't have control over how the original fields are named, I'd like to automatically rename them through foreach by prepending the sourcetype for each event to every fieldname in that event. However, I can't get it to work. I tried
foreach * [ rename <<FIELD>> as 'sourcetype'_<<FIELD>>]
but that takes the quoted string 'sourcetype' literally, rather than looking up the current event's value for sourcetype. Using angle brackets around sourcetype doesn't work either. Is it possible to automate this renaming, or am I going to have to handle each field manually?
06-14-2017
09:50 AM
4 Karma
There's something wacky about how the Splunk regex parser interprets backslashes. As a rule of thumb, to match a literal backslash you need one more than you think you do. This should work:
rex mode=sed field=foo "s/(\\\)/\1\1/g"
06-07-2017
08:54 AM
1 Karma
Not an expert on this app, but I think the summarizing part is defined in alert_actions.conf. The stanza in savedsearches.conf should have a setting like action.<name> = 1 and the corresponding summarization is handled in the alert_actions file. This lets multiple searches reuse the same alert throttling logic.
05-31-2017
04:46 AM
@wrangler2x: Yes, but I wanted to make the fields easily available for other users without telling them to run a rex in the middle of their search.
02-16-2017
09:14 AM
@xdp4: You've probably given up on this by now, but what exactly doesn't work--are the matching hosts in each search not joining together, or is there a count field in both the lookup and the live search that's breaking isnull, or something else? I got a working search very similar to the one you posted in your own answer, so fundamentally this technique is fine; it's likely a problem with your particular data set. Since the join field is IPs, it's probably not an issue of mismatching capitalization, but there might be stray newlines or something that's causing the join to break.
Also, since you're searching all indexes for the past day, it might be as simple as the subsearch timing out before it can return any data. Running a live search over index=* just to see what hosts are reporting in gives me the heebie jeebies. If you're on a moderately recent version of Splunk, try this instead: | tstats count where index=* by host.
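As an added illustration of the tstats approach suggested in the reply above (an example search written for this page, not something posted in the thread), the following compares the hosts that actually reported in the last 24 hours against an expected list without a join or a subsearch. The lookup name expected_hosts.csv and its host column are assumed.

```spl
| tstats count where index=* earliest=-24h by host
| eval reporting=1
| inputlookup append=true expected_hosts.csv
| eval host=trim(host), expected=if(isnull(reporting), 1, null())
| stats max(reporting) as reporting, max(expected) as expected by host
| where expected=1 AND isnull(reporting)
| table host
```

The tstats rows are tagged with reporting=1 before the lookup rows are appended with inputlookup append=true; lookup rows have no reporting field, so they are tagged expected=1 instead. Trimming host before the stats collapses stray whitespace or newlines that would otherwise stop identical hosts from merging, which is the kind of mismatch that breaks a join silently. After stats, a host that is expected but never reported has expected=1 and a null reporting, and that is what the final where keeps. Because tstats reads the tsidx files rather than raw events, this stays cheap even over index=* and avoids the subsearch time limit mentioned above.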
01-13-2017
10:20 AM
When Splunk says "missing a search command before [some character]", it means the parser got to that character and didn't understand what came next. You could either paste the search into a text editor and manually find character #57, or you could just look for all such characters in your search and try to determine if any of them could be confusing the parser.
In this case, the issue is likely your regex's character set: [-a-zA-Z0-9...]. Even though it's supposed to be legal to lead off the character set with an unescaped hyphen, Splunk does not properly recognize it. You'll need to escape it with a backslash.
12-06-2016
08:59 AM
I still want the user to be able to drill down on the value in a clicked section of the pie chart. The problem is that there is no way to click on all sections at once.
12-02-2016
01:46 PM
I have a conditional drilldown from a simple XML pie chart that opens a chart in a new panel based on which pie slice I clicked. I've been asked to also make it possible to drill down on all values--basically setting the token to a star. Is there a way to do that from the chart itself? Or do I need to do something hacky like add an input dropdown to my panel that will toggle between a star drilldown and a per-slice drilldown?
10-19-2016
06:35 AM
Thanks for confirming.
10-19-2016
05:30 AM
No results. So they'd all come in with the sourcetype of the monitor? And there's nothing else it would be doing?
10-19-2016
05:13 AM
I'd like to turn off a couple modular inputs on a universal forwarder, such as WinPrintMon. Two questions:
1) If there are no inputs.conf settings involving WinPrintMon other than the stanza definition in etc/system/default, does that mean it's not in use? Or is the input doing secret hidden things behind the scenes that might break if I turned it off?
2) If I didn't have access to the forwarder conf files, would there be a way to tell from the search interface whether a particular piece of data was sent via one of these inputs?
09-16-2016
05:42 AM
3 Karma
Try condition match="match(value, & quot; \ \ *& quot;)" but without all the interior whitespace. (I added that so the characters would post verbatim.)
09-16-2016
04:42 AM
1 Karma
It doesn't look like you need another answer here, but be aware that as of 6.2, there is an mvdedup command that does exactly what you need: eval contract=mvdedup(contract). See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions.
07-26-2016
05:06 AM
@Georgin: It doesn't have to be quoted unless the value itself contains separators. E.g. field=0 OR field=1 is fine, but you would have to use quotes for field="My String With Spaces".
07-06-2016
06:10 AM
I have a monthly scheduled search whose data I loadjob into a dashboard. I'd like to display the timeframe on the dashboard for the most recent run of the search, so users know whether they're looking at the most current data--not when it was supposed to run, but when it actually ran. Is there a rest search command or something to access the earliest/latest data for the most recent run of a scheduled search?
04-07-2016
06:42 AM
This is for JS and CSS specifically, so I don't think there's an endpoint for those components. I'll see if I can hack the POST headers.
04-06-2016
11:39 AM
Is there a Splunkish way (via curl or rest or something) to do the equivalent of clicking the bump button on the _bump page? It seems silly to write a script that has to generate the button click directly from that page.
04-05-2016
07:49 AM
Thanks, this is helpful.
04-05-2016
07:20 AM
Just to double-check, the files don't need to appear on the indexers at all? Does it hurt anything if they're there (i.e. cause extra load)?
03-29-2016
07:30 AM
Yeah, I kind of figured there wasn't any magic. We have the same problem with average, that we're calculating an average of averages, but I knew about that one. I don't think running any daily search over the raw data will fly, but I'll see if people are okay with the reduced accuracy of the p* values over the hourly data. Thanks.
03-29-2016
05:39 AM
Hello,
I have some data for which I calculate hourly avg/max/stdev into a summary index, then calculate daily summary rollups of the same stats based on the hourly rollups. (Running daily rollups directly on the raw data is infeasible because the data set is too large.)
I've been asked to add p95 to these rollups as well. Syntactically it's easy to add p95(value) to my rollups, but mathematically I wondered what this actually calculates. The hourly rollup has the 95th percentile value from the raw data, but what would the daily rollup contain--the 95th percentile of those 24 hourly p95 values? Or does it do some kind of magic and approximate the 95th percentile from the (rolled up and invisible) raw values? Basically, how close to the "true" raw p95 value is a p95 that's based on hourly summary data?
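An added example, not from the thread, that makes the question above concrete: it generates one day of skewed synthetic values with makeresults (the data is constructed, not real), computes the true p95 over the raw values, rolls the data up into hourly p95 values the way a summary index would, and then takes p95 over those 24 hourly numbers so the two can be compared side by side.

```spl
| makeresults count=2400
| eval _time=relative_time(now(), "-1d@d") + (random() % 86400)
| eval value=round(exp((random() % 1000) / 200), 0)
| eventstats p95(value) as raw_p95
| bin _time span=1h
| stats p95(value) as hourly_p95, max(raw_p95) as raw_p95 by _time
| stats p95(hourly_p95) as p95_of_hourly_p95, median(hourly_p95) as median_hourly_p95, max(raw_p95) as raw_p95
```

The second stats only ever sees the 24 hourly p95 values, which is exactly what a daily rollup built from a summary index sees: there is no access to the underlying distribution, so p95(hourly_p95) is literally the 95th percentile of those 24 numbers and not an estimate of the raw p95. On this synthetic data the per-hour p95 values scatter around the raw p95, so the p95 of them lands above the raw value while the median of them lands closer to it; how far off the rollup is on real data depends on how much the distribution shifts between hours, which is why the accuracy question in the post has no general answer.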
12-01-2015
05:25 AM
The label at the top of the column in the job inspector says Duration (seconds), so it's in seconds. The number you're reporting is so ridiculously large that I suspect it's not real--maybe there's a time discrepancy somewhere on one of your indexers or your SH/storage or something.