About jdunlea

jdunlea · ‎10-21-2022

Yeah, I guess what I am getting at here is that this search is still just telling us what the OS knows in terms of how much storage is used. But that is not a guarantee that the storage is necessarily being consumed entirely by indexed data. I mean, it is quite possibly being consumed entirely be indexed data. What does your CMC tell you about the size of your indexed data on disk (the size of the data in the indexes themselves)?

jdunlea · ‎10-21-2022

It might also be possible for you to get rid of the first streamstats and just construct the table you need using stats, and then doing the second streamstats (as you can see in my suggestion above) to get the difference in the values.

jdunlea · ‎10-21-2022

I think part of your problem is that you are losing the reference to the "combination" field by doing your first timechart. You could try something like the following: (Note: I have not tested this as I do not have access to your data) eventtype=cacti:mirage host="onl-cacti-02" host_id=193 ldi IN("8835","8836","8837","8839","8840","8841","8846","8847","8848","8843","8844",) | reverse | eval combination=rrdn+"#"+name_cache | streamstats current=t window=2 global=f range(_time) as deltaTime range(rrdv) AS rrd_value_delta by combination | eval isTraffic = if(like(rrdn,"%traffic%"),1,0) | eval kpi = if(isTraffic==1,rrd_value_delta*8/deltaTime,rrd_value_delta/deltaTime) | bucket _time span=5m | stats last(kpi) as last_kpi by combination _time | sort combination _time | streamstats current=t window=2 range(last_kpi) as last_kpi_diff by combination | eval change_percent=(last_kpi/(last_kpi-last_kpi_diff))*100 | where change_percent>30 AND last_kpi_diff!=0

jdunlea · ‎10-21-2022

Were you ever seeing data in this index for any time range, using a normal search? I am wondering if you are encountering an access problem for the specific index, and that the tstats search is returning something as a result of a bug.

jdunlea · ‎10-20-2022

When you expand the time range for your regular (non-tstats) search, do you get any results? Like over a 24 hour or 7 day time range?

jdunlea · ‎10-20-2022

Are you trying to measure for a 30% difference for any one of the values? In other words: "If any of these values (combination) have a difference of >30%, then fire an alert"

jdunlea · ‎10-20-2022

Is the value for latest(_time) returning a time that is within your time range?

jdunlea · ‎10-20-2022

When you say that the "disk usage" is 95%, presumably this is total disk usage on the indexers as reported by the OS. What does the monitoring console tell you about the actual index sizes on disk? In other words, what is Splunk saying its storage usage is for the indexes (buckets)?

jdunlea · ‎10-14-2022

I would recommend breaking up your rex statement into a few different regexes. This way, you can anchor on the items that are closer to the data you want to extract. For example: | rex field=_raw "<TYPE regex here>" | rex field=_raw "<EType regex here>" | rex field=_raw "<TCode regex here>" etc. Alternatively you can construct 2 or 3 large regexes that can accommodate the different event structures you have, and in each regex, call the fields slightly different names. I.E. Regex 1 would extract TCode1, and regex 2 would extract TCode2. Then you can use the eval command with the coalesce function to merge these fields together later on to TCode. For example: | eval TCode=coalesce(Tcode1,TCode2)

jdunlea · ‎10-14-2022

If your dropdown is a non-static list of choices that come from a search query, how do you have a "respective panel" for each dropdown choice? If you have a respective panel for each dropdown choice, that implies that you know upfront how many dropdown options there can be.

jdunlea · ‎10-14-2022

You need to make sure that you have the same field name for "user" between both indexes. Assuming that the "user field" in both indexes is called "user", and assuming that you have fields extracted which are called "client" and "count_field" and "requestID" then something like the following should work: index=indexA "Received from client" OR ("request id:" "completed") | transaction startsWith="Received from client" endsWith="completed" requestID | stats values(client) as client values(user) as user by requestID | join type=outer user [| search index=indexB "has total sent items count" | stats sum(count_field) as count_total by user] The thing to watch out for here is that the count that is returned from index2 will essentially be a sum of the count for the user. Because there is no "requestID" present in Index2. So the count_field that is seen in the index2 is not directly tied to the requestID that is seen in index1.

jdunlea · ‎10-13-2022

If you have a lot of events with "EVENT B" in your data, then you might be hitting the event limit for the subsearch (10k events). Therefore the subsearch will return only the first 10k events, which might only have a small number of IP addresses (if many events have the same IP address). Using dedup will make the result count much smaller and probably have less than 50k IP addresses, so the subsearch can return all of the IP addresses to the first search and then do the filtering. Side note: You might be able to do this using a single search (no subsearch) by doing something like the following (please note: you will need to create the event_flag field yourself using your own regex/match) index=prod-* sourcetype="kube:service" ("Event A" earliest=-24h latest=-4h) OR ("Event B" earliest=-24h latest=-0h) | eval event_flag=if(match(_raw,"Event A"),"Event_A","Event_B") | stats values(event_flag) as event_flag dc(event_flag) as event_count by IPAddress | search event_count=1 event_flag="Event_A"

jdunlea · ‎10-13-2022

You can do it using a match() statement within your case statement as follows: ...< original search > ... | eval action=case(Err="server timeout, try after sometime","Ignore",match(Err,"Web service error"),"follow-up",Err="Address element not found","Ignore") Hope this helps!

jdunlea · ‎10-12-2022

That will work too. However if there is a lot of data in the index, then it will mean you have to search double the data by expanding the time range from 1 day to 2 days. Additionally, it essentially means that you are "double searching" at least one day's worth of data. On the other hand, there are also technical constraints to using the subsearch and join method. Just worth noting the tradeoffs between both options.

jdunlea · ‎10-12-2022

The link below is to a similar question with a good answer that also contains helpful links to Splunk documentation that references best practices. This should have what you need. https://community.splunk.com/t5/Getting-Data-In/What-are-the-best-practices-for-defining-source-types/m-p/423052

jdunlea · ‎10-12-2022

You could try doing a concatenation of the fields in both the main alert, and also the summary index sub search and then compare those concatenated fields to determine if the results of the current alert were found in the summary index. (Also, side note; you may need to enter a hardcoded earliest and latest time in your summary index sub search to ensure that you are looking at the correct time range for the summary indexed data) You could try something like the following: index=preos host IN(*) *GPU*: PCISLOT* | rex field=_raw "log-inventory.sh\[(?<id>[^\]]+)\]\:\s*(?<gpu>[^\:]+)\:\s*(?<Hardware_Details>.*)" | rex field=_raw "GPU.*PCISLOT.*VBIOS\:\s(?<ios>[^\,]+)" | search gpu=GPU* | eval gpu_ios=gpu." : ".ios | stats latest(_time) AS _time latest(*) AS * BY host gpu | bucket _time span=1m | bucket _time span=1m | appendpipe [| top 1 ios BY _time host | rename ios AS common_ios | table _time common_ios host] | eventstats max(common_ios) AS common_ios values(gpu_ios) AS gpu_ios BY _time host | table _time host gpu ios common_ios gpu_ios | rename _time as time | eval time=strftime(time,"%Y-%m-%d %H:%M:%S") | rename ios AS VBIOS_Version common_ios as Common_VBIOS_Version gpu_ios as GPU_VBIOS | where LEN(gpu)>1 AND VBIOS_Version!=Common_VBIOS_Version | eval concat_field=host.gpu.VBIOS_Version | join type=outer concat_field [search index=summary summary_type=test | table gpu orig_host VBIOS_Version | eval concat_field=orig_host.gpu.VBIOS_Version | eval is_found_in_summary_index="true" | table concat_field is_found_in_summary_index]

jdunlea · ‎10-12-2022

Set your cron scheduled as follows for the scheduled report and it should work. 0 */1 1,2,3,4,5,26,27,28,29,30,31 * *

jdunlea · ‎10-12-2022

Agree with @bpick. You could add on something like the following to your search: ...< original search > ... | eval action=case(Err="server timeout, try after sometime","Ignore",Err="Web service error","follow-up",Err="Address element not found","Ignore") The challenge with the above is that you may need to create a case statement for many different values of the Err field, depending on what you want to set the Action field to. Alternatively, if there will only ever be two values for Action (I.E. "Follow-Up" and "Ignore"), then you could do something like the following and adjust it as needed. ... < original search > ... | eval Action=if(Err="Web service error" OR Err="Something else" OR Err="another thing","Follow-Up","Ignore") This will assign "Follow-Up" to the specific Err values that you call out, and then assign "Ignore" to everything else.

jdunlea · ‎10-12-2022

The reason that we are using _time for bin is because this allows us to use the first stats command in a similar way that the timechart works, BUT without losing the field called my_count. Timechart is very similar to running "stats" with "by _time" at the end. Hence, I wanted to use a "stats" with "by _time", to create a similar result set. But in order to do that, I needed to use "bin" with _time first before replacing the timechart with the stats command. The main thing you need to think about is, regardless of what you are putting in your query, you need to look at the fields that are produced in the RESULTS at each step of the query. Only the fields that are produced/outputted after each phase of the query will be available to the next phase of the query. So, in your example, you were using timechart. And if you just ran that part of the search and checked the statistics table of the results, you would see that there is no field called "my_count". Which means that the field called "my_count" will not be available for the next part of the search (which is your last stats command). So the reason that I used _time with bin, is to replace your timechart command with a stats command, which preserves the my_count field to be used in the next part of the search (which is your last stats command). I hope that helps!

jdunlea · ‎10-12-2022

The issue with your first example is that when you use timechart, you lose the field reference for my_count because it gets wrapped up in the split by field (my_foobar). Essentially, if you use timechart before the last stats, you will notice when you view the data in statistics mode, the field called "my_count" does not exist as a "usable field" for the next part of the search. Instead, if you swap out the timechart for another stats, you can do what you are wanting. See below: earliest=-7d@d latest=-0d@d index=prod "<b>ERROR:</b>" | rex "foo:\ (?<my_foo>[^\ ]*)" | rex "bar:\ (?<my_bar>[^\<]*)" | eval my_foo = coalesce(my_foo,"-") | eval my_bar = coalesce(my_bar, "-") | rex mode=sed field=my_bar "s/[\d]{2,50}/*/g" | strcat my_foo " - " my_bar my_foobar | bin _time span=1d | stats count as my_count by _time my_foobar | stats avg(my_count) This should give you output.

Posts	89
Solutions	12
Karma Given	5
Karma Received	29
Member Since	‎12-15-2014

Online Status	Offline
Date Last Visited	‎10-27-2022 04:45 PM

How to sort apps in UI by the "label" value in app...

How to map every event which has a lat and long fi...

Why is pan and zoom not working in Google Chrome f...

How to map data locally on a map

Mobile Access Server or Splunk add-on for Mobile A...

In my Splunk 6.3.3 search head cluster, why is an ...

Send emailed results to an email address IN the re...

LDAPsearch is not showing latest group membership

Is _time in UTC or local time?

Is there a way to run multiple searches one after ...

Re: Why are the indexers disk usage more than the ...

Re: Need Help with a search where I am using strea...

Re: Need Help with a search where I am using strea...

Re: With tstats command I can see the results in s...

Re: With tstats command I can see the results in s...

Re: Need Help with a search where I am using strea...

Re: With tstats command I can see the results in s...

Re: Why are the indexers disk usage more than the ...

Re: Field Extraction with Dynamic Data Structure (...

Re: Token Value Change Based on Dropdown?

Re: Combining results from 2 indexes?

Re: Why is search not working properly on duplicat...

Re: How to evaluate and add if condition on stats ...

Re: How to create an alert by comparing with previ...

Re: Any splunk best practices for field extraction...

Re: How to create an alert by comparing with previ...

Re: How to set a report hourly for time frame betw...

Re: How to evaluate and add if condition on stats ...

Re: Averaging by Field over Time- How to make moni...

Re: Averaging by Field over Time