Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About sbsbb
sbsbb
Builder
Member since:
11-05-2012
06-05-2020
Community Statistics
| Posts | 212 |
| Solutions | 5 |
| Karma Given | 40 |
| Karma Received | 45 |
| Member Since | 11-05-2012 |
Activity Feed
- Got Karma for Re: Join - how do I fillnull on a join?. 07-21-2021 03:47 AM
- Karma Re: Is it possible to export data to other formats from the standard export function in splunk web? for aweitzman. 06-05-2020 12:47 AM
- Got Karma for Why am I unable to select and edit elements in Sideview Utils using Chrome browser?. 06-05-2020 12:47 AM
- Karma how to add html in popup window for john. 06-05-2020 12:46 AM
- Karma splunk pricing estimate for orrick. 06-05-2020 12:46 AM
- Karma Can splunk do this? search command -> mvexpand -> with more than one multi value field for lpolo. 06-05-2020 12:46 AM
- Karma Can I define multiple searchTemplate in one view? for philip_wong. 06-05-2020 12:46 AM
- Karma How to bulk delete alerts for responsys_cm. 06-05-2020 12:46 AM
- Karma Create multiple eval fields with wilcards? for jweinstein. 06-05-2020 12:46 AM
- Karma Re: Create multiple eval fields with wilcards? for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: How to see if a search module is working, how to debug ? for sideview. 06-05-2020 12:46 AM
- Karma Re: What is the best way to get list of index in my splunk for Ayn. 06-05-2020 12:46 AM
- Karma Re: splunk pricing estimate for derrierdominiqu. 06-05-2020 12:46 AM
- Karma Re: How to control the width of a panel for sideview. 06-05-2020 12:46 AM
- Karma Re: Fraud detection - how to compare last weeks average count with todays count and send Alert if to far apart for jtrucks. 06-05-2020 12:46 AM
- Karma Re: Does writing to summary index count towards indexing license? for Ayn. 06-05-2020 12:46 AM
- Karma Re: D3 sankey chart without using Django framework for martin_mueller. 06-05-2020 12:46 AM
- Karma Indexing a NetFlow logic - log file. for chimbudp. 06-05-2020 12:46 AM
- Karma Re: Indexing a NetFlow logic - log file. for Ayn. 06-05-2020 12:46 AM
- Karma Re: time.sleep not working in modular input ? for Simon. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 |
12-14-2013
04:21 AM
I modified the helloworld in the python modular input example, to poll a website, and calculate the latency.
I don't understand why it is not working when I add a time.sleep, without, it is workint !!?
def do_run():
config = get_input_config()
#TODO , poll for data and print output to STD OUT
while True :
try:
interval=float(config['interval'])
#time.sleep(interval)
start_timer = time.time()
resp = urllib2.urlopen(config['url'])
content = resp.read()
latency = time.time() - start_timer
print_xml_single_instance_mode( "time=" + str(start_timer) + " latency=" + str(round(latency,2)) + " interval=" + str(interval) )
assert (resp.code == 200), 'Bad HTTP Response'
#assert ('Example Web Page' in content), 'Failed Content Verification'
except RuntimeError,e:
logging.error("Looks like an error: %s" % str(e))
sys.exit(2)
... View more
12-04-2013
05:33 AM
2 Karma
Is it possible to use a defined lookup, within a custom python command ?
If not, is it possible to access directly the csv file from the lookup, in order to process to a kind of lookup in the function ?
... View more
12-04-2013
01:58 AM
I experience the same problem under 5.0.6
Splunkd in complaining not being able to acces splunkd.log, but is writing in it...
... View more
12-02-2013
09:13 AM
If I have a bit field set to 3, that means that I have the bit 1 and 2 set. That why I need a function to check what bits are set
... View more
12-02-2013
08:49 AM
Of course you input is different, than the example... you have ? in place of :
(?P rule_.)|(?P . )\?(?P .)|(?P . )\?(?P .*)"
... View more
12-02-2013
07:40 AM
Thats not really the issue here... I want to know how to use report acceleration, how nice the display is, is not that important, I can handle this later
... View more
12-02-2013
07:37 AM
1 Karma
For making my tries with splunk regex, I use the program Kodos, that use the same synthax...
I would suggest you something like (I'm not good at regex, but mostly achieve what I want 😉
| rex max_match=0 "(?P<Rule>.*)\|(?P<Alert1>.*):(?P<Alert2>.*)\|(?P<Denied1>.*):(?P<Denied2>.*)"
If the number of Rules between the pipes is unknown, than I would try first to extract AlertString, DeniedString, and then extract the Rules as Multivalue Field you could mvexpand :
| rex max_match=0 "(?P<Rule>.*)\|(?P<AlertString>.*)\|(?P<DeniedString>.*)
| rex max_match=0 field=AlertString "(?P<AlertRules>[regex to split Rules])"
| rex max_match=0 field=AlertString "(?P<DeniedRules>[regex to split Rules])"
| mvexpand AlertRules | fields - AlertString
| mvexpand DeniedRules | fields - DeniedString
| table *
... View more
12-02-2013
06:26 AM
I'd like to take some eval function as example for building custom skripts, but I can't find them ?
... View more
12-02-2013
05:38 AM
I'm not sure to understand,
I've tried
|stats count | eval bitfield=3 | eval numfield=log(bitfield,2)+1
and I get numfield=2.58
I would need something like numfield=(1;2)..
... View more
12-02-2013
02:15 AM
I have a field in the logs, that is a Bit-field.
Is there a way, a function to translate those field in a human readable mvfield ?
Here is a bitfield translation example :
1 test1
2 test2
4 test3
8 test4
What I would like, is a way to translate "3" in "test1,test2)
I would enjoy a | bitlookup bittranslation.csv bitfield
But I guess I would have seen it already, if there were one 😉
... View more
11-25-2013
01:47 AM
1 Karma
I have a report acceleration on :
... | timchart span=1s c by index,sourcetype
I would like to use it to make a report with following elements :
- timechart as is, but only over the current day
- | stats sum(c) for the current day
if I use a hiddensavedsearch, I guess I would load all the results and not only those from the current day...
If I put a timepicker in front of it, I get an error.
... View more
11-14-2013
11:24 PM
I'm under splunk 5, and having a lot of scheduled Job, simply making heavy spath and rex jobs, to store my Data in kv, instead of xml, because otherwise searching is to slow...
At the moment, I use summmary_index, which have some drawbacks
- if something happens during search, summary_index is not complete
- I can't specify the sourcetype
- ...
It seems to me, that the new accelaration, seems to be stable and offer a more robust way to prepare Data, but I've seen that you need a | stats, timechart to use it ?
Is there a way to use acceleration anyway for splitting xml files ?
Otherwise is there a better way to do this in Splunk 6 than with summery_index ?
... View more
11-08-2013
12:01 AM
I'm sorry I've forgotten the screenshot... take a look at the results...
... View more
11-07-2013
11:26 PM
I'm trying to compare the lastTime from a metadata search, with a relative time to now...
Unfortunatly the comparison doesn't work, I don't understand why
| metadata type=sources | search source=*kivdv.business.msg.* source=*dfi.in.log | eval now=relative_time(now(),"-60d@d") | eval last_gt_now=if(lastTime > now,"true","false") | convert ctime(lastTime),ctime(now) | table lastTime,now,last_gt_now,source
See screenshot, last_gt_now is always true !
... View more
10-18-2013
01:08 AM
1 Karma
In Fact it is because of the limitation of spath from 5000 characters, I have 10000...
for me it is really a problem don't being able to overwrite this setting as user... like "spath limit=10000"
... View more
10-17-2013
04:24 AM
Hi have a query, that try to get all the fields from an xml doc.
For some reason, spath seems to ignore some of the fields, in the example below, this is the case with field LinienText under Splunk 5.0.2 :
... View more
09-05-2013
04:37 AM
I know pretty well how subsearch work, that doesn't help, but maybe is return what I'm searching for
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Return
I think change subsearch order like Kristian suggested + return function should do the job
... View more
09-05-2013
04:28 AM
Splunk seems to be missing some "fields in(value1,value2...)" function....
... View more
09-05-2013
12:16 AM
Thanks, I've change the module type, and try to open a case via our provider for 1)
... View more
09-04-2013
06:31 AM
1 Karma
I use a HiddenSavedSearch. The search is run by the scheduler, and returns results, but the View is complaining it can't find the view.
When its the case, its impossible to change anything in the Sideview editor, everything is like frozen.
... View more
09-02-2013
10:23 PM
I'm not sure if this is bringing me further, where did you pass the fieldname to the second search part ?
If one of the search is returning "system1" as result, I have to read the content of the "system1" field in the second part...
... View more
09-02-2013
06:04 AM
I have a first search, that return "system1"
Then I want to use that value, to get the appropriate value out of a subsearch timechart :
first restult :
system
system1
second result :
system1 system2 system3
_time 1 2 3
_time 4 5 4
_time 4 4 4
How could I do that ?
is there a way to put the first result in a parameter, that could be used in the subsearch as fieldname ?
index=myfirstquery | table system | subsearch [ _time=$_time$ | eval myValue=fieldName[$system$]]
... View more
08-29-2013
12:17 AM
Could you post an extract of your "source" Data, and en example of what you want as result ?
... View more
08-28-2013
01:14 AM
I've no spaces, the table above is an example, thats the results I get from splunk :
index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-1h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner | rename * as *_avg, _time as _time | appendcols [search index=summary_kihub source="summary_cus5_vdv_dfi_msg_business" earliest=-2h@h S_plattform=i_kihub | timechart span=1m c(S_FahrtID.FahrtBezeichner) by S_partner]
So I think we are not speeking about the same thing , are we ?
... View more
08-28-2013
12:56 AM
If I'm undestanding the need, I think I had the same Problem, and I made the following :
(I use Sideview-Utils)
I've made links in a HTML Module :
- one where the user see the results in a search window, without having to start the search again
- one where he can start and modify the search
<module name="HTML">
<param name="html"><![CDATA[
<a href="flashtimeline?q=| loadjob $results.sid$">view raw search results</a><br>
<a href="flashtimeline?q=$search$&earliest=$search.timeRange.earliest$&latest=$search.timeRange.latest$">run the search again in Splunk's default search page</a>
]]></param>
</module>
In this example I didn't took the postprocess, but it should be simple to add $prostprocess$ to $search$, having both in the url string
I had some troubles, so you can also see my related post :
http://answers.splunk.com/answers/99680/use-query-foo-in-html-module-error-with-whitespace
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
