Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About AllenZhang
AllenZhang
Explorer
Member since:
09-09-2015
08-29-2024
Community Statistics
| Posts | 22 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 1 |
| Member Since | 09-09-2015 |
Activity Feed
- Posted Re: Why is Microsoft Azure App for Splunk not showing any data? on All Apps and Add-ons. 02-12-2024 08:02 AM
- Karma Re: how to exclude in _MetaData:Index for tscroggins. 01-02-2022 02:35 PM
- Posted Re: how to exclude in _MetaData:Index on Getting Data In. 01-02-2022 02:34 PM
- Posted how to exclude in _MetaData:Index on Getting Data In. 01-02-2022 08:41 AM
- Posted Re: Alert report - columns not ordered by table command on Alerting. 04-26-2021 01:51 PM
- Posted Re: Alert report - columns not ordered by table command on Alerting. 04-22-2021 03:39 PM
- Posted Re: Convert number to string, to avoid being counted by addtotals/addcoltotals on Splunk Search. 04-22-2021 01:04 PM
- Posted Convert number to string, to avoid being counted by addtotals/addcoltotals on Splunk Search. 04-22-2021 12:39 PM
- Tagged Convert number to string, to avoid being counted by addtotals/addcoltotals on Splunk Search. 04-22-2021 12:39 PM
- Posted Re: automatic lookups on Splunk Search. 01-27-2016 06:39 AM
- Posted How to filter a search result based on the results of another search? on Splunk Search. 01-19-2016 12:09 PM
- Tagged How to filter a search result based on the results of another search? on Splunk Search. 01-19-2016 12:09 PM
- Tagged How to filter a search result based on the results of another search? on Splunk Search. 01-19-2016 12:09 PM
- Tagged How to filter a search result based on the results of another search? on Splunk Search. 01-19-2016 12:09 PM
- Posted Time format in email alert on Getting Data In. 10-23-2015 07:56 AM
- Tagged Time format in email alert on Getting Data In. 10-23-2015 07:56 AM
- Tagged Time format in email alert on Getting Data In. 10-23-2015 07:56 AM
- Posted Re: Filtered search from 2 searches on Splunk Search. 10-08-2015 11:49 AM
- Posted Re: Filtered search from 2 searches on Splunk Search. 10-08-2015 10:52 AM
- Posted Filtered search from 2 searches on Splunk Search. 10-08-2015 07:35 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
02-12-2024
08:02 AM
How many inputs have you configured on the add-on?
... View more
01-02-2022
02:34 PM
Thanks a lot @tscroggins for your help! I took it for granted that "REGEX=..." means "index=...", and I was confused by different results from 2 servers I was using for test. now I realized that one of them has "-" in computer name, thus my "REGEX=[a-zA-Z0-9]+" must have excluded. Please correct me if I am wrong: the regex only works as "index=..." when "SOURCE_KEY = _MetaData:Index" is there.
... View more
01-02-2022
08:41 AM
I noticed in our environment, from many uf, the internal logs were indexed under a different index name. After investigation, I find it's related to some settings in transforms.conf. So in transforms.conf, it's like: [test_windows_index] REGEX =.* DEST_KEY = _MetaData:Index FORMAT = rexall_windows in props.conf, for certain hosts, there're settings like: [host::testserver1] TRANSFORMS-Microsoft_AD_1 = test_windows_index, Routing_testCloud I believe I should try to exclude indexes like "_internal, _audit", so I changed REGEX=.* to REGEX=[a-zA-Z0-9]+ but it doesn't seem to work. Appreciate if somebody here can help or provide suggestions.
... View more
Labels
- Labels:
-
transforms.conf
04-26-2021
01:51 PM
In my case, index=example | table SID Auto Manual Total Everything looks fine on web. However in email as inline, it shows: Auto Total SID Manual
... View more
04-22-2021
03:39 PM
I just noticed the same issue. it's fine as search result. But not in the same order in the email as inline table received by scheduled report.
... View more
04-22-2021
01:04 PM
Hi impurush, Thanks for your reply! I've also found this "work-around" solution. I actually added "col=true" which adds a row of total for the listed column as well. Good enough for what I need. Still hard to believe why it's so hard to convert number to string in Splunk, which is much easier in other places, like Excel, Powershell, etc. Thanks Allen
... View more
04-22-2021
12:39 PM
Hi, I am creating a report with "chart field1 field2", field2 only has 2 values. So the result has 3 columns: Field1, Field2Value1, Field2Value2. And I'd like to use addtotals and addcoltotals for each row and each column. The issue I am having now, is that value of field1 are numbers so they are counted by both addtotals and addcoltotals, which I don't want. I believe the easiest way is to convert the type of Field1 to string, with certain format, like number "12345" to string "12345", number "123" to "00123". I have tried tostring. But they are still counted.
... View more
- Tags:
- tostring
01-19-2016
12:09 PM
I have 2 searches:
search AAA|table User
Search BBB|tabble User
How can I filter the result of Search AAA so it only shows those Users which are NOT found in search BBB?
Thanks
Allen
... View more
10-23-2015
07:56 AM
Search AAA||rename _time as UpTime |fieldformat UpTime=strftime(UpTime, "%D %H:%M:%S") |Table UpTime Info
It works well in browser. like:
10/23/15 08:06:49 Info1
10/23/15 10:02:20 Info2
However, when I set it as a scheduled alert, in the email I received,
1445602009 Info1
1445608940 Info2
How to fix this?
Thanks
Allen
... View more
10-08-2015
11:49 AM
Great, it works like a charm! I am new to Splunk, and I have learnt a lot here. Thanks again!
... View more
10-08-2015
10:52 AM
Thanks to Richgalloway, it works!
However, some expected records were not there in the result, if I the time window is not long enough.
Any way to list those hosts, which were in results of search(AAA) but not in results of Search(BBB) ?
... View more
10-08-2015
07:35 AM
I have 2 searches:
1. Search(AAA)|rename _time as TimeA|table TimeA host;
2. Search(BBB)|rename _time as TimeB|table TimeB host
How to create a new search:
Search(???)|table host; (or Search(???)|table TimeA TimeB host)
Which will only list the hosts that TimeB is older(or smaller) than TimeA
(there might be more than 1 results TimeA and TimeB for each host, in that case, just pick the latest one to compare)
... View more
- Tags:
- splunk-enterprise
10-02-2015
02:02 PM
I was going to accept both answers, but the system only allows one. Thanks to both of you!
... View more
10-01-2015
07:07 AM
Thanks for quick answer. I am still struggling how to upload the csv file from my computer to splunk, to make it available to the lookups. Do I need to save it to some certain folder, anything like "import" I need to do?
... View more
10-01-2015
06:53 AM
I have a search like:
sourcetype="AAA"|table _time userid, and I have a table like userid, username,
how to make the result as .....|table _time userid username.
... View more
- Tags:
- csv
- splunk-enterprise
09-16-2015
12:36 PM
It works, great! Thanks a lot!
And, now I am hoping to make it better by adding a column, is it possible?
Originally:
9/10/2015 23:24 303 user1 info1
9/10/2015 21:50 302 user1 info1
9/10/2015 21:50 303 user2 info2
9/10/2015 21:50 302 user2 info2
9/10/2015 11:21 303 user3 info3
9/10/2015 11:18 302 user3 info3
I hope to see:
User info Time_302 Time_303
user1 info1 9/10/2015 21:50 9/10/2015 23:24
user2 info2 9/10/2015 21:50 9/10/2015 21:50
user3 info3 9/10/2015 11:18 9/10/2015 11:21
... View more
09-11-2015
08:27 AM
Thanks, but the results are like this:
User | Time_302 | Time_303
user1 | 9/10/2015 21:50 | 9/10/2015 21:50
| | 9/10/2015 23:24
Time_302 value were shown on both columns.
... View more
09-11-2015
07:45 AM
My search string: sourcetype="AAA"|table _time event_iduser
Results:
9/10/2015 23:24 303 user1
9/10/2015 21:50 302 user1
9/10/2015 21:50 303 user2
9/10/2015 21:50 302 user2
9/10/2015 11:21 303 user3
9/10/2015 11:18 302 user3
Hope to get results as: sourcetype="AAA" .....|table user Time_302 Time_303
Usern Time_302 Time_303
user1 9/10/2015 21:50 9/10/2015 23:24
user2 9/10/2015 21:50 9/10/2015 21:50
user3 9/10/2015 11:18 9/10/2015 11:21
... View more
09-09-2015
08:07 PM
The forwarder is talking to deployment server. I can see logs from it. I need to add a particular part of the Application and Services log, [WinEventLog:Microsoft-Windows-...] to the inputs.conf file.
The inputs.conf file is located here: C:\Program Files\SplunkUniversalForwarder\etc\system\local\
I did try stop the Splunkforwarder service first, then make the change, right after I start the service, the inputs.conf file was changed back, my change is lost.
... View more
09-09-2015
12:02 PM
Hi,
I need to make some modifications on an inputs.conf file on a Windows server which is installed with a Splunk Forwarder. After I make the change and save the file, and restart the SplunkForwarder service, the file is changed back and the changes I made are lost.
How can I save the changes?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-29-2024
02:52 PM
|
