Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About splunker1981
splunker1981
Path Finder
Member since:
09-09-2015
01-03-2023
Community Statistics
| Posts | 95 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 5 |
| Member Since | 09-09-2015 |
Activity Feed
- Posted Re: How to get the percentage using values in event over two columns? on Splunk Search. 01-03-2023 09:41 AM
- Posted How to get the percentage using values in event over two columns? on Splunk Search. 01-03-2023 08:51 AM
- Posted How do you allow automatically match against lookup file multi-value field on Splunk Search. 11-09-2020 01:17 PM
- Got Karma for How to get event counts for multiple fields grouped by another field?. 06-05-2020 12:48 AM
- Got Karma for Without using fillnull, how to output a default value when any defined sourcetypes in my search do not return any events?. 06-05-2020 12:48 AM
- Got Karma for Re: Why am I getting "Error in 'rex' command...Regex: missing )"?. 06-05-2020 12:47 AM
- Got Karma for What are recommendations for field naming conventions to handle the same field names across different technologies?. 06-05-2020 12:47 AM
- Got Karma for Re: New search using values from first search. 06-05-2020 12:47 AM
- Posted How to edit my search to prevent duplicate values when using replace command on Splunk Search. 07-30-2019 02:44 PM
- Posted How to populate column in results using two indexes? on Splunk Search. 03-11-2019 08:52 AM
- Posted How do you join two fields with dedup? on Splunk Search. 02-08-2019 07:54 AM
- Tagged How do you join two fields with dedup? on Splunk Search. 02-08-2019 07:54 AM
- Posted Re: Joining values from two indexes and returning just specific values on Splunk Search. 11-14-2018 01:28 PM
- Posted Re: Joining values from two indexes and returning just specific values on Splunk Search. 11-14-2018 12:52 PM
- Posted Joining values from two indexes and returning just specific values on Splunk Search. 11-14-2018 12:27 PM
- Posted How do you run the stats count against multiple columns? on Splunk Search. 10-30-2018 09:18 AM
- Posted How do you calculate the average across columns in a table? on Splunk Search. 10-26-2018 02:29 PM
- Posted Re: How do I filter the following data set using a wildcard field name and greater than filter? on Getting Data In. 10-23-2018 12:48 PM
- Posted Re: How do I filter the following data set using a wildcard field name and greater than filter? on Getting Data In. 10-23-2018 10:58 AM
- Posted How do I filter the following data set using a wildcard field name and greater than filter? on Getting Data In. 10-23-2018 10:01 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-21-2023
06:44 AM
This may be an answer 6 years later (almost to the date), but thought I'd post for future visitors. I was searching this today and found some info in Splunk dev docs: Splunk Dev - Manage access to a custom search command in Splunk Cloud Platform or Splunk Enterprise Not sure if .meta allows all commands to be controlled via the stanza like in the original question, but each command can be added using the following: [commands/command_name]
access = read : [ * ], write : [ admin ]
export = system Seems like it requires a stanza per command and doesn't allow mass command sharing. The comment from MuS seems to be the other option for mass sharing, but exports all objects in the app.
... View more
01-03-2023
11:24 PM
Hi @splunker1981, good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉
... View more
06-16-2021
01:17 PM
hope this helps, I build out my dashboard panels and then, I edit the XML and remove </panel> </row> <row> <panel> between the panels I want to stack into into one panel. i am on- 8.2.0
... View more
11-09-2020
11:56 PM
Try mvexpand on po_id so you can lookup against each value separately
... View more
07-30-2019
08:43 PM
1 Karma
@jacobevans nailed it.
... View more
07-31-2019
05:52 AM
Hi splunker1981,
if you're satisfied by this answer, please accept and/or upvote it.
Bye, see next time.
Giuseppe
... View more
02-08-2019
08:02 AM
Like this:
index=xyz sourcetype=zzz | eval joined=if((field2!=field3), field2 . "-" . field3, null())
... View more
11-14-2018
03:15 PM
Hi there,
Give this a shot :
index=A OR index=B
| stats values(contact) as contact values(index) as index by e_id
| search index=A AND index=B
That will give you contacts that have their e_id in both indexes. Add the other values you need after the stats.
Cheers,
David
... View more
10-30-2018
11:42 AM
There may be a better way to do this but I think this works.
| eventstats count as T1count by T1
| eventstats count as T2count by T2
| eventstats count as T3count by T3
| eventstats count as T4count by T4
| eval T1 = T1."!".T1count
| eval T2 = T2."!".T2count
| eval T3 = T3."!".T3count
| eval T4 = T4."!".T4count
| stats values(T1) as T1values values(T2) as T2values values(T3) as T3values values(T4) as T4values
| rex field=T1values "(?<T1>.*?)!(?<T1_count>.*?)$"
| rex field=T2values "(?<T2>.*?)!(?<T2_count>.*?)$"
| rex field=T3values "(?<T3>.*?)!(?<T3_count>.*?)$"
| rex field=T4values "(?<T4>.*?)!(?<T4_count>.*?)$"
| table T1 T1_count T2 T2_count T3 T3_count T4 T4_count
... View more
10-26-2018
08:17 PM
1 Karma
@splunker1981 ,
Try this,
"Your base search to get fields"|addtotals|eval colcount=-1
|foreach col* [eval colcount=if(isnull(<<FIELD>>) OR <<FIELD>>=="",colcount,colcount+1)]
|eval avg=exact(Total/colcount)|fields - Total,colcount
Added conditions for both null and empty string in if(isnull(<<FIELD>>) OR <<FIELD>>=="" . If you have real null() in place, then you can remove OR <<FIELD>>==""
... View more
10-30-2018
09:00 AM
@splunker1981
Apology for a delay in reply. Can you please share more information regarding your search and samples?
... View more
07-23-2018
08:50 AM
Hello Splunk experts
I'm trying to figure out what the best way to get a jobID or monitor job status for a search executed via the Splunk Web UI which is then piped | to my custom command. I'd like to ensure I am working with completed data/results, so I'm trying to do something similar to the below, which I usually do when kicking-off jobs directly from the API. I am not sure how to pull job status/job id information for a job that is being executed within the UI then piped | to a custom command.
while not job.is_done():
sleep(.2)
Sample of what my search would look like
index=_internal
|eval x=blah
|stats count by x, y
| table y
| customCommandHere
... View more
06-29-2018
09:37 PM
That worked, thanks!
... View more
06-29-2018
08:09 PM
You were so close!
(index="1" AND sourcetype="1") OR (index="2" sourcetype="2")
|eval joiner=coalesce(uqIDX, buildIDX, "JUSTINCASE")
|eval sourcetype1_value=if((sourcetype="1"), coalesce(sourcetype1_value, "0_no_build"), null())
|eval sourcetype2_value=if((sourcetype="2"), coalesce(sourcetype2_value, "Manual"), null())
|stats values(sourcetype1_value), values(sourcetype2_value), values(sourcetype2_valueB), values(sourcetype2_value3) BY joiner
... View more
05-15-2018
09:43 AM
@splunker1981 following is a run anywhere search based on sample data provided.
PS: query from | makeresults till | mvexpand accountname generate the dummy data.
| makeresults
| eval accountname="userA/domainB/recordZZ;userA/recordC"
| makemv accountname delim=";"
| mvexpand accountname
| makemv accountname delim="/"
| eval user=mvindex(accountname,0), domain=case(mvcount(accountname)=3,mvindex(accountname,1)), record=case(mvcount(accountname)=2,mvindex(accountname,1),mvcount(accountname)=3,mvindex(accountname,2))
... View more
04-24-2018
12:31 PM
The case command would only execute expression where the condition is matched. If you want to process all three conditions, try this:
...| eval analysis_proposal=if( isnotnull(field1) and field1=="my field 1 test.", analysis_proposal."legacy", analysis_proposal)
| eval analysis_proposal=if( isnotnull(field10.contents) , analysis_proposal.'field10.contents' , analysis_proposal)
| eval analysis_proposal=if( isnotnull(field20.contents) , analysis_proposal.'field20.contents', analysis_proposal)
... View more
11-30-2017
12:00 PM
Figured out a better way to do this using streamstats
| streamstats count as counter
| stats values(*) as * by counter
| fields - counter
... View more
11-16-2017
09:08 AM
This partially works, I think. rec values populate but the fields and values that should be returned by the script never actually come back when run inside the appendpipe. Is there a way for that?
... View more
03-01-2017
11:19 AM
Right, I've just showed you an example of how to make that happen. You use the time picker to pick the WHOLE time range, both hours, and feed it into earliest=$timepickerEarliest$ latest=$timepickerLatest$ then split it into first-half and second-half by using addinfo and calculating the midpoint.
If you absolutely HAVE to have the time-picker picking only the later of the two ranges, then you'll need a macro that will recalculate the desired value for earliest based on
macroDesiredEarliest=($timepickerEarliest$+$timepickerEarliest$-$timepickerLatest$)
Of course, you could just have a single timepicker for the start of the second hour,then use the macro to calculate earliest=$timepickerValue$-1440 and latest=$timepickerValue$+1440 .
... View more
02-06-2017
06:00 PM
thanks for the reply, made some updates to the question, hopefully that clears things up
... View more
01-19-2017
06:58 AM
How about this one?
searchHere location="CHI" | bucket span=1d _time | stats count by sku, _time | streamstats current=f window=1 values(_time) as prev_time by sku | eval timeDelta=(_time-prev_time)/86400 | stats max(timeDelta) as salesDaysDiff by sku
... View more
12-06-2016
08:51 PM
Hi @splunker1981 - Did one of sundareshr's updated queries help answer your question? If yes, please don't forget to click "Accept" to resolve this post. If no, please leave a comment with some feedback. Thanks!
... View more
11-08-2016
06:47 PM
There shouldn't be a reason why when the span is 7d, there should be groupings of dates which are not 7 days apart, unless month end is playing a role for the dates 11/01 groupings to show up even though previous grouping of 10/28 is not 7 days apart. Somesoni's answer actually tricks all the time values to get assigned to as one of the two values and should work then.
... View more
10-19-2016
09:18 AM
See if the following generic option helps.
You can ignore everything up to foreach, as this is what I used to replicate your issue in my lab.
| stats count | fields - count
| eval _raw = "
{
\"oderNumber\": 23994,
\"orderDelay\": 120,
\"orderedDate\": \"2016/03/01 18:47:22\",
\"processedDate\": \"\",
\"orderDetails\": \"Account:11111, AccountName:1111-xxx, OrderIpAddress:1.1.1.1\",
\"orderProcessor\": \"user\",
\"orderErrors\": \"\",
\"acknowledgedErrors\": \"\",
\"orderId\": {
\"value\": 97655
}
}
"
| spath
| foreach * [
| eval temp = split('<<FIELD>>', ",")
| eval size = mvcount(temp)
| mvexpand temp
| rex field=temp "^(?<key>[^:]+)\s?:\s?(?<value>.+)$"
| eval {key} = if (size > 1, value, null())
| fields - key, value, size, temp
]
| stats first(*) as * by _raw
... View more
09-28-2016
09:12 AM
You da man, that did the trick. Thanks!
... View more
