Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About daviduslan
daviduslan
Path Finder
Member since:
03-18-2014
06-05-2020
Community Statistics
| Posts | 23 |
| Solutions | 2 |
| Karma Given | 16 |
| Karma Received | 4 |
| Member Since | 03-18-2014 |
Activity Feed
- Karma Splunk 6.5.0: Why is an embedded iframe in my dashboard not displaying? for jackhamm25. 06-05-2020 12:48 AM
- Karma Re: Splunk 6.5.0: Why is an embedded iframe in my dashboard not displaying? for worshamn. 06-05-2020 12:48 AM
- Karma Is it possible to change the black Splunk Menu Bar? Which file do I need to alter? I would like to change the Splunk logo. for ashnet16. 06-05-2020 12:47 AM
- Karma Re: how to hide options like message, setting,activity from the first page for kenvanderheyden. 06-05-2020 12:47 AM
- Karma Re: How would I dynamically adjust earliest/latest of subsearches based on main search? for lguinn2. 06-05-2020 12:47 AM
- Karma Re: Why does appendcols with search post-process fail? for bmacias84. 06-05-2020 12:47 AM
- Karma Resizing the browser window sets pie chart labels to undefined on 6.2 for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Why are my Pie Chart colors correct when running a search on its own, but not when loaded in a panel on a dashboard? for frobinson_splun. 06-05-2020 12:47 AM
- Karma Re: Lookup File Editor App not finding *many* lookups for LukeMurphey. 06-05-2020 12:47 AM
- Got Karma for Re: How would I dynamically adjust earliest/latest of subsearches based on main search?. 06-05-2020 12:47 AM
- Got Karma for Re: Why are my Pie Chart colors correct when running a search on its own, but not when loaded in a panel on a dashboard?. 06-05-2020 12:47 AM
- Got Karma for Re: Why are my Pie Chart colors correct when running a search on its own, but not when loaded in a panel on a dashboard?. 06-05-2020 12:47 AM
- Karma Re: The sort command is truncating output to 10000 rows for Drainy. 06-05-2020 12:46 AM
- Karma Re: How do you add dummy events to a search result? for ziegfried. 06-05-2020 12:46 AM
- Karma Re: Cannot use earliest and latest for _time field newly converted from other field ? for sideview. 06-05-2020 12:46 AM
- Karma Re: How would I compare the average daily results from the previous time period to today? for dwaddle. 06-05-2020 12:46 AM
- Karma Re: Need alternative to nested if's + wildcard for time sensitive error reporting for richgalloway. 06-05-2020 12:46 AM
- Karma Re: Send Drilldown Search to a New Window for Lowell. 06-05-2020 12:46 AM
- Got Karma for How would I compare the average daily results from the previous time period to today?. 06-05-2020 12:46 AM
- Karma Re: Timezone and Timestamp modification at search/report time? for dajomas. 06-05-2020 12:45 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 |
06-20-2017
01:02 PM
Has anyone tried this add-on? We're interested in querying bigquery tables similar to how we'd use dbconnect (without having to index the data).
... View more
11-20-2015
10:44 AM
Sounds good. WIll do - thanks!
... View more
11-20-2015
10:39 AM
Hmm - the 2.0 I downloaded yesterday was installed last night and we're experiencing this problem. Should I just re-download and re-install?
... View more
11-20-2015
10:28 AM
Hello,
Yesterday we upgraded to v2.0 to take advantage of new features. Prior to this, there were no problems, but now we're only seeing lookups from 4 of our many apps (about 31 lookups instead of ~150).
I'm hoping this is just a simple fix that's obvious and I'm overlooking.
Any ideas?
Thanks
... View more
11-09-2015
02:42 PM
Pacific Time (PT) is -7 OR -8 of GMT depending on Daylight Saving Time. From winter to spring it's -8 (PST), from spring to winter it's -7 (PDT).
... View more
09-09-2015
01:59 PM
This was very helpful. Is there any way to to do this globally based on user roles/settings?
... View more
09-09-2015
01:00 PM
I am also interested in the answer to this question.
... View more
09-03-2015
10:41 AM
1 Karma
So if I'm understanding you correctly, on a dashboard with lots of charts, you can run out of colors and that the fix for this is to manually set the colors for reports that are affected?
edit:
Thanks @frobinson_splunk, this solution did indeed work. However, I think that the need for this as a fix is rather silly.
<option name="charting.fieldColors">{"iOS": 0x0000ff, "Android": 0xff0000}</option>
... View more
09-03-2015
10:38 AM
1 Karma
I'm running Splunk Version 6.2.3 (build 264376). This dashboard has been unchanged for the last couple weeks AND there is another pie chart on the dashboard that displays properly (http://puu.sh/jYI1V/7e833851e0.png)
... View more
09-03-2015
10:01 AM
Hello,
I have a pie chart in a dashboard that, when loaded in its own search, looks like this (correct): http://puu.sh/jYFMd/0d02be5455.png.
Prior to this morning, every time it's loaded on the dashboard, it's been fine. However, now it looks like this (broken): http://puu.sh/jYFQJ/94ffcab70c.png.
Has anyone experienced this issue / know what's going on?
Thanks for your help!
... View more
12-18-2014
04:49 PM
1 Karma
Thanks all for the help/patience!
I worked out a solution with a coworker using gentimes. It goes something like this (tokens included to show how it interacts with the dashboard I created):
Dash options look like this: http://puu.sh/dAqeR/a22c568323.png (search truncated)
index="foo" sourcetype="bar" earliest="$earliest_input$" latest="$latest_input$"
| bucket _time span=1h
| stats count as current_joins by _time
| eval joiner = strftime(_time,"%w:%H")
| join joiner [ search index="foo" sourcetype="bar"
[|gentimes start="$earliest_input$" end="$latest_input$" increment="$increment$" | eval earliest=starttime-(86400*7) | eval latest=endtime-(86400*7)| table earliest,latest | format "" "" "" "" "" ""]
.....
etc.
Only downside is that the increment needs to be the exact amount of time between the start and end for this to be accurate. Fwiw, I ran the report on 5 weeks of data using this method, got the desired results, and the search took 47sec with diskUsage @ 1196032.
... View more
12-18-2014
03:19 PM
You may be right. Unfortunately, I haven't found a way besides the join/subsearching method to get exactly what I'm looking for. I'm not trying to compare a full week to a full week every time and join/subsearch allows me to get more granular.
... View more
12-18-2014
11:37 AM
Additionally, your solution is taking a 5 week data set then pairing it down instead of having 5 separate, significantly smaller searches. You're right that it would take a long time to run, but I think my starting point, while far more verbose, is actually a bit more efficient for this task.
... View more
12-18-2014
10:40 AM
Thanks so much for your response! It's very important for this report that I be able to get very granular with the earliest or latest times. The reason behind this is so that I can measure the impact of a code release, which I know the exact time of, on business metrics.
I tried implementing this and I don't think it's quite what I'm looking for - http://puu.sh/dzWrg/0a31d4edf2.png. Ideally, I'd be able to set an earliest and/or latest time with the picker and have that populate the earliest and/or latest of "current", then have the previous four weeks adjust accordingly, regardless of how long ago the set date is.
Thanks for giving this your attention!
... View more
12-17-2014
04:17 PM
Hello,
I have a query that does 5 searches. A recent search, and four sub searches on the same exact data from 1-4 weeks ago, then compares the 4 week avg to the recent data. The subsearches join on weekday and hour so need to be exactly 7 days prior to the original earliest/latest. Here's a hard-coded example:
index="foo" sourcetype="bar" earliest="11/05/2014:12:00:00" latest="11/11/2014:12:00:00"
| bucket _time span=1h
| stats count as current_joins by _time
| eval joiner = strftime(_time,"%w:%H")
| join joiner [ search index="foo" sourcetype="bar" earliest="10/29/2014:12:00:00" latest="11/04/2014:12:00:00"
|lookup siteid_lookup siteid as site OUTPUT name
| fields _time site
| bucket _time span=1h
| stats count as week_ago_joins by _time
| eval joiner = strftime(_time,"%w:%H")
| fields joiner, week_ago_joins ]
| join joiner [ search index="foo" sourcetype="bar" earliest="10/22/2014:12:00:00" latest="10/28/2014:12:00:00"
|lookup siteid_lookup siteid as site OUTPUT name
| fields _time site
| bucket _time span=1h
| stats count as two_week_ago_joins by _time
| eval joiner = strftime(_time,"%w:%H")
| fields joiner, two_week_ago_joins ]
| join joiner [ search index="foo" sourcetype="bar" earliest="10/15/2014:12:00:00" latest="10/21/2014:12:00:00"
|lookup siteid_lookup siteid as site OUTPUT name
| fields _time site
| bucket _time span=1h
| stats count as three_week_ago_joins by _time
| eval joiner = strftime(_time,"%w:%H")
| fields joiner, three_week_ago_joins ]
| join joiner [ search index="foo" sourcetype="bar" earliest="10/08/2014:12:00:00" latest="10/14/2014:12:00:00"
|lookup siteid_lookup siteid as site OUTPUT name
| fields _time site
| bucket _time span=1h
| stats count as four_week_ago_joins by _time
| eval joiner = strftime(_time,"%w:%H")
| fields joiner, four_week_ago_joins ]
| eval four_week_combined_avg = round((four_week_ago_joins+three_week_ago_joins+two_week_ago_joins+week_ago_joins)/4,2)
| eval change_pct = round(((current_joins-four_week_combined_avg)/four_week_combined_avg)*100,2)
I've found this analysis to be very useful in analyzing business metrics, especially around release management. I'm trying to figure out a way to create a dashboard where you only need to select an earliest and/or latest time, then the subsearches will adjust accordingly. Any advice would be greatly appreciated, thanks!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
