cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kiddsupreme
Explorer
Member since: ‎04-08-2018
‎10-09-2022
Community Statistics
Posts 13
Solutions 0
Karma Given 2
Karma Received 9
Member Since ‎04-08-2018
Activity Feed
View All

How to dynamically change table contents based on ...

by in Splunk Search
‎10-06-2022 08:23 AM
‎10-06-2022 08:23 AM
Not sure if I am putting this in the correct area; my apologies ahead of time. I wanted to know if it would be possible to have Splunk dynamically populate a table based on incoming log messages. The log messages for new alerts and cleared alerts are essentially the same, save for one "field" that shows either "NEW" or "CLEARED". ##Example of New Alert Log Message##  2022-10-06 05:58:31 AlarmNotification = NEW AlarmID = STRING: "123456789" AlarmType = INTEGER: 1 ObjectInstance = STRING: "Router1" EventTime = STRING: "2022-10-6,5:58:31.7,-7:0" SpecificProblem = STRING: "LinkDown" Severity = INTEGER: 2   ##Example of Clear Alert Log Message##   2022-10-06 05:58:35 AlarmNotification = CLEARED AlarmID = STRING: "123456789" AlarmType = INTEGER: 1 ObjectInstance = STRING: "Router1" EventTime = STRING: "2022-10-6,5:58:35.5,-7:0" SpecificProblem = STRING: "LinkDown" Severity = INTEGER: 2   ----------------------------------- My idea was anytime a new alert comes in, a table with the various fields is generated; I can already do that today. However, what I am not sure about is if a subsequent "clear" log message comes in where everything matches (with the exception of the AlarmNotification and EventTime), it would dynamically REMOVE that table row entry.   So the general idea is show the alerts when they come in, but if a cleared alert message that comes in with a later date and time would "delete" that row from the table.   Any and all suggestions are welcomed. Thank you in advance. ... View more
Labels

Re: How to utilize Google API key for Maps+

by in All Apps and Add-ons
‎05-19-2020 12:52 AM
‎05-19-2020 12:52 AM
Format Menu -> Google Places -> API Key User This was what I was looking for. I had everything else in place; just didn't know where to put the API Key User. Thanks for the assistance on this. I appreciate it. ... View more

Re: How to utilize Google API key for Maps+

by in All Apps and Add-ons
‎05-15-2020 09:32 AM
‎05-15-2020 09:32 AM
I read that as well; however, I find the documentation lacking. What information goes where? At the very least, is there an example of what information goes where? ... View more

How to utilize Google API key for Maps+

by in All Apps and Add-ons
‎05-15-2020 03:35 AM
‎05-15-2020 03:35 AM
This may be a simple question, but I have been unable to find an answer as of yet. I need to know how to use a Google API key in Maps+. Currently, when I try to do something like Street View, I get a pop-up saying : API Key Failure Failed to get API key for user: , realm: undefined - Verify credentials and try again. I have a API key; I just need to know where to put the information so I can get it to work. Any assistance would be appreciated. ... View more

Re: Referencing token value in Panel Title

by in Dashboards & Visualizations
‎04-12-2018 11:14 AM
5 Karma
‎04-12-2018 11:14 AM
5 Karma
You have got to be kidding me. So when I was doing the editing, I would switch back and forth between UI and Source. When I would look, it would show the literal variable name. But when I clicked Save, all of the sudden it was showing properly. My apologies folks, I should have taken... one...more...step ... View more

Re: Filter out a subset of items based on another ...

by in Splunk Search
‎04-12-2018 11:11 AM
‎04-12-2018 11:11 AM
Not sure I follow in regards to the $token_drilldown$ variable. I've never used drilldown because as far as I know, its based on you clicking on something to go down further. I just want to utilize a dropdown menu with those values. If you can go into more detail, maybe it would make sense; right now, I'm not seeing it. ... View more

Filter out a subset of items based on another valu...

by in Splunk Search
‎04-11-2018 05:21 PM
‎04-11-2018 05:21 PM
Hello again, So lets say I have a CSV file that looks like the following: node_code region_code SAN AMERICAS JPN APAC NYC AMERICAS CHN APAC FRA EMEA NUR EMEA And lets say my search is the following: <query>errorcode=$errorcode_tok$ | dedup em_event_alert | eval dv_node=upper(dv_node) | rex field=dv_node "(?P&lt;testnode&gt;\w{3})" | stats count by testnode</query> And just for reference: Field Definitions - dv_node = The string that holds the hostname of devices - em_event_alert = A unique alert ID # What I'm trying to do is create a dropdown with a list of Regions. So in this example, if the user selects AMERICAS from the dropdown, I want to filter the search results to only display those corresponding items... in our case, SAN & NYC would be the values displayed. As you can see in the search, it queries for the selected errorcode (don't worry, I already have that functionality figured out), dedup's, and then it takes the hostname, and makes the whole thing uppercase. Finally, we strip out just the first 3 letters (that's how I am able to match it up to the node_code field in the CSV). But I can't seem to determine how to start to create that search query. Any ideas would definitely be appreciated. Thanks in advance. ... View more

Referencing token value in Panel Title

by in Dashboards & Visualizations
‎04-11-2018 02:36 PM
2 Karma
‎04-11-2018 02:36 PM
2 Karma
First, a quick look at my existing code: <form> <label>Alert Status</label> <fieldset submitButton="false" autoRun="true"> <input type="dropdown" token="errorcode_tok" searchWhenChanged="true"> <label>KPI Selector</label> <default>%BGP-5-ADJCHANGE:</default> <choice value="%BGP-5-ADJCHANGE:">%BGP-5-ADJCHANGE:</choice> <choice value="%BGP_SESSION-5-ADJCHANGE:">%BGP_SESSION-5-ADJCHANGE:</choice> <choice value="%BGP-5-FLAP:">%BGP-5-FLAP:</choice> <choice value="%OSPF-5-ADJCHANGE:">%OSPF-5-ADJCHANGE: </choice> <choice value="%OSPF-5-ADJCHG:">%OSPF-5-ADJCHG:</choice> <choice value="%PM-4-ERR_DISABLE:">%PM-4-ERR_DISABLE:</choice> <choice value="%PM-SP-4-ERR_DISABLE:">%PM-SP-4-ERR_DISABLE:</choice> <choice value="%SPANTREE-2-ROOTGUARD_BLOCK:">%SPANTREE-2-ROOTGUARD_BLOCK:</choice> <choice value="%C4K_IOSMODPORTMAN-4-POWERSUPPLYBAD:">%C4K_IOSMODPORTMAN-4-POWERSUPPLYBAD::</choice> <choice value="%C6K_POWER-SP-1-PD_HW_FAULTY:">%C6K_POWER-SP-1-PD_HW_FAULTY:</choice> </input> <input type="time" token="TimeRangePkr" searchWhenChanged="true"> <label>Time Range</label> <default> <earliest>-8h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Total Active BGP Events</title> <viz type="horseshoe_meter_app.horseshoe_meter"> <search> <query>[search errorcode=$errorcode_tok$ dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search errorcode=$errorcode_tok$ dv_severity="Clear" state=Closed | fields dv_number ] | dedup dv_number | stats count(eval(dv_node)) as TOTAL</query> <earliest>rt</earliest> <latest>rt</latest> <sampleRatio>1</sampleRatio> </search> Pretty straight forward, right? So why when I do this: <title>$errorcode_tok$</title> The title displays $errorcode_tok$ .... literally. Am I missing something on why it doesn't seem to be replacing the reference to the dropdown selection? Thanks in advance. ... View more

Re: Hide a panel when the results of a search retu...

by in Dashboards & Visualizations
‎04-11-2018 12:39 PM
1 Karma
‎04-11-2018 12:39 PM
1 Karma
Okay, apparently I didn't have my XML quite lined up... once I fixed that, the command worked as well. ... View more

Re: Hide a panel when the results of a search retu...

by in Dashboards & Visualizations
‎04-11-2018 11:39 AM
1 Karma
‎04-11-2018 11:39 AM
1 Karma
Thank you; that is working perfectly. I did however need to remove the after the because Splunk's error message reads: "Unexpected close tag". Once I removed that tag, it worked as expected. I appreciate not only the solution, but your detailed explanation; it definitely helped me visualize how it works. Thanks again! ... View more

Hide a panel when the results of a search return

by in Dashboards & Visualizations
‎04-10-2018 03:59 PM
‎04-10-2018 03:59 PM
Hello, I'm sure I am missing something simple, but thought I should ask. I am running a search that does the following: Fields - dv_node = The string that holds the hostname of devices - dv_number = A unique alert ID # - state = a value of "Processed" when opened and a value of "Closed" when closed - dv_severity = Clear means the alert has closed The first part of the search grabs the alerts that are active. The second part of the search grabs the alerts that are closed. If it finds a match between the dv_number of an ACTIVE alert in the 1st search & the dv_number of a CLOSED alert in the 2nd search, eliminate that dv_number from the final count. This is because the logs we process may have many entries along the way, but there should be at LEAST 1 ACTIVE entry and 1 CLOSED entry in the logs (Since, if something alarms, it has to eventually clear right?). At this point, the only thing that should be showing up are active items. At this point, we run a dedup to eliminate those "many entries along the way" log. Basically, lets ignore everything that came after that initial alert, until a matching closed event is found. Finally, do a count by dv_node to get a # of active entries per hostname. <panel> <title>Active Events (Last 5 minutes)</title> <table> <search> <query>[search dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search dv_severity="Clear" state=Closed | fields dv_number ] | dedup dv_number | stats count by dv_node</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>2m</refresh> <refreshType>delay</refreshType> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> I went ahead and tried adjusting it to the following: <panel> <title>Active Events (Last 5 minutes)</title> <table> <search> <query>[search dv_severity NOT "Clear" state=Processed | fields dv_number ] NOT [search dv_severity="Clear" state=Closed | fields dv_number ] | dedup dv_number | stats count by dv_node</query> <earliest>-5m</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> <refresh>2m</refresh> <refreshType>delay</refreshType> <progress> <condition match="'job.resultCount' == 0"> <set token="panel_show">false</set> </condition> <condition> <unset token="panel_show"/> </condition> </progress> </search> <option name="count">100</option> <option name="dataOverlayMode">none</option> <option name="drilldown">cell</option> <option name="percentagesRow">false</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> </table> </panel> Now with all the preamble out of the way, this is what I'm trying to accomplish: If the ACTIVE events are found to be 0, can I make the panel disappear? Essentially, I only want the panel to "appear" on screen when it finds an ACTIVE alert. However, when I run my dashboard I still see the panel, with the "No Results Found". I hope that makes sense. Thanks in advance. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎10-09-2022 09:17 AM
Karma from
Karma given to
View All