About fedevietti

fedevietti · ‎11-24-2010

Deal Splunkers, I'm doing a serach like this to valorize a SingleValue indicator with range: <my search> | eval secondsElapsedToday = now()-relative_time(now(), "@d") | eval _time=_time-secondsElapsedToday | bucket _time span=1d | stats count by _time | stats last(count) as today_count avg(count) as avg_count | eval range = case(today_count<avg_count, "low", today_count=avg_count, "elevated", today_count>=avg_count, "severe") The problem is that if in the last day there aren't events the indicator show the last picked value. Is there any way to say that if in the last day value is absent the search have not to pick the earlier value? thank you

fedevietti · ‎11-13-2010

Thank you smisplunk. How can I check search and indexer timezone? Thank you

fedevietti · ‎11-10-2010

Dear All, I'm building a complex dashboard with advanced XML. I'd like to have a panel with a HiddenSavedSearch and a StaticContentSample inside. How can I do? Thank you

fedevietti · ‎11-10-2010

Thank you nick!

fedevietti · ‎11-10-2010

Dear All, we are creaing a complex dashboard with a lot of panel in it. So, the time to create the dashboard is very high. The firts question is: - is it any way to speed up the searches? And the second is if there any way to create a static dashboard that is created at a specific (every hours, for example) time and then (every time that is looked), when someone open that dashboard, it is prompted with the value of the last time that was calculated? Thank you

fedevietti · ‎11-10-2010

Dear All, I'm doing a column graph. I'd like to color the column of a specific color if the value that they map is more than X. Is it possible? Regards

fedevietti · ‎11-08-2010

Dear All, I'm doing a search as the following: sourcetype="sophos" pmx_action="keep" fur!="none"| bucket span=24h _time | timechart span=24h count I'd like to count the event on 24H basis. Indipendent of the earliest and latest time that I set, I receive a timechart with a count of events that start from 2 AM of the day to the 2 AM of the following. Anyone has idea of what is the problem? Regards

fedevietti · ‎11-08-2010

Dear All, I've got a problem with a Splunk search. I'd like to compare the last 24 h number of sent mail with the daily average of the last month. The search that I'm using is the following: sourcetype="sophos" pmx_action="keep" fur!="none"| bucket span=24h _time | timechart span=24h count | stats last(count) as today_count avg(count) as avg_count The problem is that this search compare the average with the count of the event from 00.00 of the last day to the NOW time. My will is to compare the NOW-1d count with the average. Is it possible? Regards

fedevietti · ‎11-04-2010

thank you very much

fedevietti · ‎11-04-2010

Dear All, I'm doing a search with a summarize count at the end. The search is the following: (eventtype="searchVPN" msg="AUT22675*") OR (eventtype="searchDC" EventIdentifier="680") OR (eventtype="searchVPN" msg="AUT22670*") OR (eventtype="searchDC" EventIdentifier="552") | rename user as User | stats count by User | where count > 10 | stats count that count the number of user that have generat more that 10 event of the specified event type. I'd like to obtain a column graphic that, with a column every 5 minutes, shows the value of this search. Example given: 9.00 - 9.05 -> a column height 5 (5 user has generated more that 10 events of those type) 9.05 - 9.10 -> a column height 6 etc etc How can I do this? Thank you

fedevietti · ‎10-21-2010

Dear All, I have to make an advanced view and insert in it a pie chart. This is my actual xml file, but I cannot find documentation about how to make a pie chart: template="dashboard.html"> <label>View Fede</label> <module name="AccountBar" layoutPanel="navigationHeader"/> <module name="AppBar" layoutPanel="navigationHeader"/> <module name="Message" layoutPanel="messaging"> <param name="filter">*</param> <param name="clearOnJobDispatch">False</param> <param name="maxSize">1</param> </module> <module name="HiddenSearch" layoutPanel="panel_row1_col1" group="IPS" autoRun="True"> <param name="search">eventtype="searchIPS1" DestinationIP!="N/A" Severity="High" | stats count by DestinationIP</param> <param name="earliest">1279576800</param> <param name="latest">1280008800</param> <module name="ResultsHeader"> <param name="entityName">scanned</param> <param name="entityLabel">Events</param> <module name="HiddenChartFormatter"> <param name="chart">pie</param> <module name="FlashChart"> <param name="height">180px</param> <param name="width">100%</param> </module> </module> </module> </module> </view> Have anyone a template of a pie chart constructed through advanced view? Thank you

fedevietti · ‎10-04-2010

Thank you nick, the problem is that in "foo" and "bar" we are using a "rename" function. This is because foo search, without rename function, returns (EG) the following fields: A, B The bar search (without rename) returns: A, C We have to count by B in the foo search and by C in bar search, and then filter where count is > of 10. Something like this: "(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10" but whe I use rename on a search that is the put in OR with another, I received a "Error in 'UnifiedSearch': Unable to parse the 'unbalanced parentheses' search." ERROR. Any idea about how can we do a "(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10" search? Thank you

Posts	12
Solutions	0
Karma Given	0
Karma Received	0
Member Since	‎10-01-2010

Online Status	Offline
Date Last Visited	‎06-05-2020 02:02 AM

last(count) pick older value. Is there any way to ...

HiddenSavedSearch and StaticContentSample in a uni...

Statis Photo of a Dashboard

Color the column of a graph if is it more than X

Event count bucket starts from 2 AM (indipendent o...

Compare the NOW-1d count of event with the average...

Show time reports for a count search

Advanced View and Pie Chart

last(count) pick older value. Is there any way to ...

Re: Event count bucket starts from 2 AM (indipende...