Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About fedevietti
fedevietti
New Member
Member since:
10-01-2010
06-05-2020
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 10-01-2010 |
Activity Feed
- Posted last(count) pick older value. Is there any way to block thi behaviour? on Splunk Search. 11-24-2010 02:09 PM
- Tagged last(count) pick older value. Is there any way to block thi behaviour? on Splunk Search. 11-24-2010 02:09 PM
- Posted Re: Event count bucket starts from 2 AM (indipendent of earliest and latest) on Splunk Search. 11-13-2010 10:06 AM
- Posted HiddenSavedSearch and StaticContentSample in a unique advanced xml dashboard panel on Dashboards & Visualizations. 11-10-2010 06:14 PM
- Tagged HiddenSavedSearch and StaticContentSample in a unique advanced xml dashboard panel on Dashboards & Visualizations. 11-10-2010 06:14 PM
- Posted Re: Statis Photo of a Dashboard on Dashboards & Visualizations. 11-10-2010 06:12 PM
- Posted Statis Photo of a Dashboard on Dashboards & Visualizations. 11-10-2010 09:29 AM
- Tagged Statis Photo of a Dashboard on Dashboards & Visualizations. 11-10-2010 09:29 AM
- Posted Color the column of a graph if is it more than X on Dashboards & Visualizations. 11-10-2010 09:19 AM
- Tagged Color the column of a graph if is it more than X on Dashboards & Visualizations. 11-10-2010 09:19 AM
- Posted Event count bucket starts from 2 AM (indipendent of earliest and latest) on Splunk Search. 11-08-2010 10:22 AM
- Tagged Event count bucket starts from 2 AM (indipendent of earliest and latest) on Splunk Search. 11-08-2010 10:22 AM
- Posted Compare the NOW-1d count of event with the averageof the last month on Splunk Search. 11-08-2010 09:41 AM
- Tagged Compare the NOW-1d count of event with the averageof the last month on Splunk Search. 11-08-2010 09:41 AM
- Posted Re: Show time reports for a count search on Splunk Search. 11-04-2010 04:30 PM
- Posted Show time reports for a count search on Splunk Search. 11-04-2010 03:16 PM
- Tagged Show time reports for a count search on Splunk Search. 11-04-2010 03:16 PM
- Posted Advanced View and Pie Chart on Dashboards & Visualizations. 10-21-2010 03:50 PM
- Tagged Advanced View and Pie Chart on Dashboards & Visualizations. 10-21-2010 03:50 PM
- Posted Re: SET UNION problem with time reporting on Splunk Search. 10-04-2010 02:54 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
11-24-2010
02:09 PM
Deal Splunkers,
I'm doing a serach like this to valorize a SingleValue indicator with range:
<my search> | eval secondsElapsedToday = now()-relative_time(now(), "@d") | eval _time=_time-secondsElapsedToday | bucket _time span=1d | stats count by _time | stats last(count) as today_count avg(count) as avg_count | eval range = case(today_count<avg_count, "low", today_count=avg_count, "elevated", today_count>=avg_count, "severe")
The problem is that if in the last day there aren't events the indicator show the last picked value. Is there any way to say that if in the last day value is absent the search have not to pick the earlier value?
thank you
... View more
- Tags:
- search
11-13-2010
10:06 AM
Thank you smisplunk.
How can I check search and indexer timezone?
Thank you
... View more
11-10-2010
06:14 PM
Dear All,
I'm building a complex dashboard with advanced XML.
I'd like to have a panel with a HiddenSavedSearch and a StaticContentSample inside.
How can I do?
Thank you
... View more
- Tags:
- dashboard
11-10-2010
09:29 AM
Dear All,
we are creaing a complex dashboard with a lot of panel in it.
So, the time to create the dashboard is very high.
The firts question is:
- is it any way to speed up the searches?
And the second is if there any way to create a static dashboard that is created at a specific (every hours, for example) time and then (every time that is looked), when someone open that dashboard, it is prompted with the value of the last time that was calculated?
Thank you
... View more
- Tags:
- dashboard
11-10-2010
09:19 AM
Dear All,
I'm doing a column graph.
I'd like to color the column of a specific color if the value that they map is more than X.
Is it possible?
Regards
... View more
- Tags:
- dashboard
11-08-2010
10:22 AM
Dear All,
I'm doing a search as the following:
sourcetype="sophos" pmx_action="keep" fur!="none"| bucket span=24h _time | timechart span=24h count
I'd like to count the event on 24H basis.
Indipendent of the earliest and latest time that I set, I receive a timechart with a count of events that start from 2 AM of the day to the 2 AM of the following.
Anyone has idea of what is the problem?
Regards
... View more
- Tags:
- search
11-08-2010
09:41 AM
Dear All,
I've got a problem with a Splunk search.
I'd like to compare the last 24 h number of sent mail with the daily average of the last month.
The search that I'm using is the following:
sourcetype="sophos" pmx_action="keep" fur!="none"| bucket span=24h _time | timechart span=24h count | stats last(count) as today_count avg(count) as avg_count
The problem is that this search compare the average with the count of the event from 00.00 of the last day to the NOW time.
My will is to compare the NOW-1d count with the average. Is it possible?
Regards
... View more
- Tags:
- search
11-04-2010
03:16 PM
Dear All,
I'm doing a search with a summarize count at the end.
The search is the following:
(eventtype="searchVPN" msg="AUT22675*") OR (eventtype="searchDC" EventIdentifier="680") OR (eventtype="searchVPN" msg="AUT22670*") OR (eventtype="searchDC" EventIdentifier="552") | rename user as User | stats count by User | where count > 10 | stats count
that count the number of user that have generat more that 10 event of the specified event type.
I'd like to obtain a column graphic that, with a column every 5 minutes, shows the value of this search.
Example given:
9.00 - 9.05 -> a column height 5 (5 user has generated more that 10 events of those type)
9.05 - 9.10 -> a column height 6
etc etc
How can I do this?
Thank you
... View more
- Tags:
- search
10-21-2010
03:50 PM
Dear All,
I have to make an advanced view and insert in it a pie chart.
This is my actual xml file, but I cannot find documentation about how to make a pie chart:
template="dashboard.html">
<label>View Fede</label>
<module name="AccountBar" layoutPanel="navigationHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="clearOnJobDispatch">False</param>
<param name="maxSize">1</param>
</module>
<module name="HiddenSearch" layoutPanel="panel_row1_col1" group="IPS" autoRun="True">
<param name="search">eventtype="searchIPS1" DestinationIP!="N/A" Severity="High" | stats count by DestinationIP</param>
<param name="earliest">1279576800</param>
<param name="latest">1280008800</param>
<module name="ResultsHeader">
<param name="entityName">scanned</param>
<param name="entityLabel">Events</param>
<module name="HiddenChartFormatter">
<param name="chart">pie</param>
<module name="FlashChart">
<param name="height">180px</param>
<param name="width">100%</param>
</module>
</module>
</module>
</module>
</view>
Have anyone a template of a pie chart constructed through advanced view?
Thank you
... View more
- Tags:
- advanced-xml
10-04-2010
02:54 PM
Thank you nick,
the problem is that in "foo" and "bar" we are using a "rename" function.
This is because foo search, without rename function, returns (EG) the following fields:
A, B
The bar search (without rename) returns:
A, C
We have to count by B in the foo search and by C in bar search, and then filter where count is > of 10.
Something like this:
"(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10"
but whe I use rename on a search that is the put in OR with another, I received a
"Error in 'UnifiedSearch': Unable to parse the 'unbalanced parentheses' search." ERROR.
Any idea about how can we do a
"(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10"
search?
Thank you
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
