Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About vrmandadi
vrmandadi
Builder
Member since:
08-14-2015
Thursday
Community Statistics
| Posts | 561 |
| Solutions | 5 |
| Karma Given | 52 |
| Karma Received | 25 |
| Member Since | 08-14-2015 |
Activity Feed
- Posted How create an alert to compare yesterday and today and show the difference for a value? on Alerting. Thursday
- Posted Re: Create an alert if count is greater than or less than a particular number on Alerting. Thursday
- Posted Re: Create an alert if count is greater than or less than a particular number on Alerting. Wednesday
- Posted How to create an alert if count is greater than or less than a particular number? on Alerting. Tuesday
- Posted Help with props.conf to break events on Getting Data In. 2 weeks ago
- Posted Re: How to omit consecutive same results and remove it? on Splunk Search. 4 weeks ago
- Posted Re: How to omit consecutive same results and remove it? on Splunk Search. 4 weeks ago
- Got Karma for HIGH CPU USAGE ON HEAVY FORWARDER WHERE AWS ADD ON IS INSTALLED. a month ago
- Got Karma for Re: "Other" in timechart. 04-14-2022 11:36 AM
- Posted Re: How to omit consecutive same results and remove it? on Splunk Search. 04-14-2022 08:04 AM
- Posted Re: How to omit consecutive same results and remove it? on Splunk Search. 04-13-2022 08:21 AM
- Posted Re: How to omit consecutive same results and remove it? on Splunk Search. 04-12-2022 05:09 PM
- Posted How to omit consecutive same results and remove it? on Splunk Search. 04-12-2022 12:53 PM
- Posted Re: How to make another field date and time field before and after indexing on Splunk Search. 04-07-2022 09:29 AM
- Karma Re: How to make another field date and time field before and after indexing for mayurr98. 04-07-2022 09:29 AM
- Posted Re: How to make another field date and time field before and after indexing on Splunk Search. 04-06-2022 07:01 PM
- Posted Re: How to make another field date and time field before and after indexing on Splunk Search. 04-06-2022 03:12 PM
- Posted How to make another field date and time field before and after indexing on Splunk Search. 04-06-2022 01:20 PM
- Posted Re: How to merge events and show in tabular format? on Splunk Search. 04-06-2022 01:11 PM
- Karma Re: How to merge events and show in tabular format? for richgalloway. 04-06-2022 01:11 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
Thursday
I am trying to create an alert which will compare yesterday and today for a particular field and show what is the difference.
I want to count the total for field called "id" for today and compare the count with yesterday and show the count difference and the id's which are different .
... View more
Labels
- Labels:
-
alert condition
-
other
Wednesday
Yep.That is correct..So just use count!=500 ...is that the only thing needed
... View more
Tuesday
I am trying to create an alert based on stats count value...I want to alert if count is less than or greater than 500
... View more
- Tags:
- alert
- splunk-search
Labels
- Labels:
-
other
2 weeks ago
I am trying to work on props.conf to parse and break correctly.I am pushing data using CURL commands but it is sending 50 logs in one event.It worked through UI but failing when sent from CURL commands.I want to break it into individual events .Only the first event start with "{"sourcetype": "json","event": {"
AND ends with "last_updated" (EXAMPLE:"last_updated": "2022-03-24T02:35:41.148727Z" },) .Rest of the events START WITH ID and end with last_updated....There are lot of nested ID in the event which I did not post but the syntax should be something that will break after last_updated
I want the events to BREAK AFTER THE "last_updated" followed by closed flower brackets and the new event should start from
NOTE:ONLY THE first event start is different ..rest all events start with id and end with last_updated.
I tried BREAK_ONLY_BEFORE=\"\w*\"\:\s\"\d*\-\d*\-\d*\w\d*\:\d*\:\d*\.\d*\w\" ... but its not breaking correctly
{ "id":
Following are the sample events that I want to break
Event1:
{"sourcetype": "json","event": {
.
.
.
.
.
},
"created": "2022-02-07",
"last_updated": "2022-03-24T02:35:41.083145Z"
Event 2:
{
"id": 150749,
"name": "no hostname 1660322000234",
.
.
.
.
.
"created": "2022-02-07",
"last_updated": "2022-03-24T02:35:41.148727Z"
}
I used the below props...it worked uploading sample file via GUI but when I used this sourcetype in CURL through HEC it is not breaking.
[ Netbox ] CHARSET=UTF-8 DATETIME_CONFIG=CURRENT LINE_BREAKER=([\r\n]+)\s+{ MUST_BREAK_BEFORE=\"\w*\"\:\s\"\d*\-\d*\-\d*\w\d*\:\d*\:\d*\.\d*\w\" NO_BINARY_CHECK=true SHOULD_LINEMERGE=false category=Custom disabled=false pulldown_type=true
CURL:
curl -k http://10.xx.xx.xx:8088/services/collector/event -H 'Authorization: Splunk <TOKEN>' -d '{"sourcetype": "Netbox","event": '"$SITEINFO"'}'
... View more
Labels
- Labels:
-
other
4 weeks ago
Hello , Thank you so very much for following up on this and please sincerely accept my apologies if any confusion is created .Let me put it in correct way. in the example you posted 1. compare row1 with row2...if same then omit row2 else keep row2. 2. Next.Compare row1 with row 3(if row2 is omitted..else compare row2 with row3) ..if same omit row3...if different keep. 3.keep comparing . Hope this is clear
... View more
04-14-2022
08:04 AM
Sorry for that .. I am trying to do a comparison for each row.For instance , compare row 1 with row 2...if both are same then omit row2 ...then compare row 1 with row3 ..if different i want that row...then compare row3 with row 4 if they are same then omit row4 and then the list goes on...The tough part I am facing is..dedup removes duplicates irrespective of what order they come in ...what I am looking is compare each row ..in this way if you see row1 data same as row 3 but row 2 is different .
... View more
04-13-2022
08:21 AM
My search index=* | stats values(SN) as SN by _time gives the following output 2022-04-07 12:41:17 1334821020002 1334821020007 1334821020011 1334821020024 1334821020027 1334821020043 1334821020053 1334821020075 2022-04-04 10:16:34 1334821020002 1334821020007 1334821020011 1334821020024 1334821020027 1334821020043 1334821020053 1334821020075 2022-03-22 07:52:24 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-22 07:36:36 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-18 06:31:18 1334821020002 1334821020007 1334821020011 1334821020024 1334821020027 1334821020043 1334821020053 1334821020075 2022-03-14 13:11:15 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-09 06:42:36 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 2022-03-02 09:38:12 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-02-28 21:40:30 1334821000038 1334821000073 1334821000330 1334821000337 1334821000343 1334821000346 1334821000419 1334821000466 The output that I am looking at is search that compares results and output;s non-consecutive results like below.The date 2022-03-09 06:42:36 has less number of values so that is also considered different... Since its comparing and not removing duplicates dedup is not worki 2022-04-07 12:41:17 1334821020002 1334821020007 1334821020011 1334821020024 1334821020027 1334821020043 1334821020053 1334821020075 2022-03-22 07:52:24 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-22 07:36:36 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-18 06:31:18 1334821020002 1334821020007 1334821020011 1334821020024 1334821020027 1334821020043 1334821020053 1334821020075 2022-03-14 13:11:15 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-09 06:42:36 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 2022-03-02 09:38:12 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-02-28 21:40:30 1334821000038 1334821000073 1334821000330 1334821000337 1334821000343 1334821000346 1334821000419 1334821000466
... View more
04-12-2022
05:09 PM
Sorry if I was not clear on what I am expecting ..The tabular format that I showed is output of . | stats values(SN) as abc by _time . This search gives the tabular format output I showed .From that result I want to compare each cell of field "abc" with the next event and if there is a no difference then it should omit it and again it should compare with third one if its different it stays and now the third one should match with the next one and the list goes on
... View more
04-12-2022
12:53 PM
Hello Splunkers, I have a query where I did a |stats values(abc) as abc command over time .I got the below results . I want the abc column to omit the consecutive same results .I basically want to compare the results with the above one and show only which are different and count of it is different. You can see below 2022-04-07 12:41:17 and 2022-04-04 10:16:34 have the same "abc " value .I want to omit the second one and then compare with the 3rd result which is different so keep that and then compare the 3rd value with 4th and continue that way..Also show the one which have less count like 2022-03-07 11:48:46 .I tried dedup but it did not work..Any suggestions? 2022-04-07 12:41:17 1334821020002 1334821020007 1334821020011 1334821020024 1334821020027 1334821020043 1334821020053 1334821020075 2022-04-04 10:16:34 1334821020002 1334821020007 1334821020011 1334821020024 1334821020027 1334821020043 1334821020053 1334821020075 2022-03-22 07:52:24 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-22 07:36:36 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-18 06:31:18 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-14 13:11:15 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-09 06:42:36 1335221020082 1335221020268 1335221020282 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 2022-03-07 11:48:46 1335221020591 1335221020597 1335221020619 1335221020721 1335221020848 Thanks in Advance
... View more
04-07-2022
09:29 AM
Thank you that worked
... View more
04-06-2022
07:01 PM
@mayurr98 Thank you very much for your reply . it did not work on the below source. /admin/logs/su0051/inventory/02-22-2022-070801-all-v4.fru /admin/logs/laaaa0016/inventory/11-16-2021-145102-all.fru
... View more
04-06-2022
03:12 PM
Thank you for your reply.But I am not sure how to do the eval on it.Can you please help me on it and also the regex part...I can do regex but I am not sure how to add " :" for the time
... View more
04-06-2022
01:20 PM
Hello Splunkers, I have data where the index time is different from the actual file.The source has the correct date and time.I want splunk to use it as index time and if that is not possible I want to extract date and time from the source field ,create new field and use that as date and time field.Below is the example of the source file. Source: /admin/logs/abc/inventory/04-04-2022-101634-all-b5.xxx 1. I want splunk to take 04-04-2022-101634 and use it as indexed time like 04-04-2022 -10:16:34(dd-mm-yyyy-hh:mm:ss) . I want the props.conf 2. Also if the data is indexed without using the source file .I want to extract teh date and time from the source and create and new field called correct_time as use as _time Thanks in Advance
... View more
Labels
- Labels:
-
regex
04-06-2022
01:11 PM
Thank you..I did some tweaking and it helped
... View more
04-04-2022
03:21 PM
The three sample events have the same host..I am trying to merge them based on same host
... View more
04-04-2022
10:39 AM
Hello Splunkers ,
I am trying to see if I can merge the following events and show in a tabular format
sample event 1:
3/31/22 6:54:29.000 AM
GB ( ID 5 ) : BSN: 15730946 , BON: 699-01 , BOAA: 01 , GP N: 1395 , GSN : 920-000
Sample event 2:
3/31/22 6:54:29.000 AM
CPU ( ID 0 ) : BSN: 55506204BC , BON: 555.06901.0004 , BOAA: 01 , QP N: 16646 , Q SN: 001
Sample event 3:
3/31/22 6:54:29.000 AM
CHASN : 166066
I want to merge all events which are coming from same host and same time and show in a tabular format. if there is no value for a particular field it should show UNKNOWN
time host CHASN GPN GSN QPN QSN
3/31/22 6:54:29.000 AM ABC 166066 1395 920-000 16646 001
... View more
- Tags:
- splunk-search
03-01-2022
08:23 AM
Thank you .So I just copy etc/apps folder from one of the search head in a SITE and then place that app in etc/shcluster/apps folder and then do a deploy?
... View more
03-01-2022
07:27 AM
Hello @gcusello ...thank you for your reply . I am trying to migrate all the contents(KO,Dashboards,reports) from a search head cluster in a data center to a search head cluster which is in a totally different data center
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
Thursday
|
Karma given to
