Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About ixixix_spl
ixixix_spl
Explorer
Member since:
07-16-2018
06-05-2020
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 07-16-2018 |
Activity Feed
- Karma Re: Does anyone know of a right way to perform a case match statement with an or condition? for niketn. 06-05-2020 12:49 AM
- Karma Re: Equivalent of SQL WHERE IN Subquery clause? for richgalloway. 06-05-2020 12:49 AM
- Karma Re: Equivalent of SQL WHERE IN Subquery clause? for kiamco. 06-05-2020 12:49 AM
- Posted How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-13-2018 01:44 PM
- Tagged How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-13-2018 01:44 PM
- Tagged How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-13-2018 01:44 PM
- Tagged How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-13-2018 01:44 PM
- Tagged How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-13-2018 01:44 PM
- Posted Re: How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-13-2018 01:39 PM
- Posted How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-12-2018 01:34 PM
- Tagged How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-12-2018 01:34 PM
- Tagged How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-12-2018 01:34 PM
- Tagged How do you create a table with each row being a log and every column being a recognized "Interesting Field"? on Splunk Search. 09-12-2018 01:34 PM
- Posted Re: How to escape double backslash in rex/regex command? on Splunk Search. 09-05-2018 03:51 PM
- Posted How to escape double backslash in rex/regex command? on Splunk Search. 09-05-2018 03:33 PM
- Tagged How to escape double backslash in rex/regex command? on Splunk Search. 09-05-2018 03:33 PM
- Tagged How to escape double backslash in rex/regex command? on Splunk Search. 09-05-2018 03:33 PM
- Tagged How to escape double backslash in rex/regex command? on Splunk Search. 09-05-2018 03:33 PM
- Tagged How to escape double backslash in rex/regex command? on Splunk Search. 09-05-2018 03:33 PM
- Posted Re: Coalesce Fields With Values Excluding Nulls on Splunk Search. 07-25-2018 03:34 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
09-13-2018
01:44 PM
I was wondering if there is an easy way to create a table that contains every single recognized interesting field instead of doing the usual | table field1, field2... method.
To be clear I want to have each row in the table as a separate instance/log and not a summary of counts. In other words, I would like a substitution for | table but to capture every single interesting field that is recognized. Thanks!
i am looking for a shortcut that will basically do something like this:
field1 . field2 .... field100
log A: string1. string2 . string100
logB: string21 . string22. string200
I know you can do it manually by performing the command | table field1, field2... field100
but typing out every field i want to capture is extremely time consuming so i am wondering if there is a shortcut to do it
... View more
09-13-2018
01:39 PM
sorry this doesnt answer my question i am looking for a shortcut that will basically do something like this:
field1 . field2 .... field100
log A: stringA . stringB . stringC
logB: stringD . stringE . stringF
i know you can do it manually by performing the command | table field1, field2... field100
but typing out every field i want to capture is extremely time consuming so i am wondering if there is a shortcut to do it
... View more
09-12-2018
01:34 PM
I was wondering if there is an easy way to create a table that contains every single recognized interesting field instead of doing the usual | table field1, field2... method.
To be clear I want to have each row in the table as a separate instance/log and not a summary of counts. In other words, I would like a substitution for | table but to capture every single interesting field that is recognized. Thanks!
... View more
09-05-2018
03:51 PM
wow that was quick thanks!!!
... View more
09-05-2018
03:33 PM
I'm having some serious difficulty in figuring out how to escape a double backslash within the REX/regex spl command..
The following regex works on regex101 "title\\\\\"\:\\\\\"(?<event>[^\)].*)\\\\\"\,\\\\\"selection" when extracting the log snippet below to get the "Button Title" text:
"partyId\":\"lahflkhasdljkflkf\",\"title\”:\”Button Title\”,\”selectionType\":\"button\
I found a suggestion on "Tricky behavior of escaping backslash in regex" to \\ to match a single \ but that didn't do the trick. Anyone have advice on how to escape a double backslash in the rex command, and if so please post the regex below!
Thanks!
... View more
07-25-2018
03:34 PM
@somesoni2 No it means that that log file doesn't have that field. For, example the field transaction_id may be a non-nested key or it could be something like payload.response.transaction_id which is nested. I basically want to melt that into one column, but am having problems with null overwriting the current value. You suggested that I order the columns in increasing sparseness? (i.e. coalesce(4% sparse,20% sparse, 80% sparse))
... View more
07-25-2018
09:27 AM
@ghantk1 Didn't do it for me, null values are still overwriting if in the last column I am coalescing on ( | eval C_col =coalesce(A_col, B_col, C_col) command makes B_col nulls overwrite A_col non-null values)
... View more
07-24-2018
04:22 PM
I know you can coalesce multiple columns to merge them into one. However, I am currently coalescing around 8 fields, some of which have null values. Because the last field I am including is sparse (only appears in 3% of the logs), I have found that the coalesced field returns as mostly null (matching the last coalesced field). A demonstration of what I'd like to do is below (A_col is first to coalesce then B_col to make C_col and B_col overwrites A_col if the value in B_col is not null).
Here is the query format I am using
... | eval name = coalesce(entityName, individualName) | ...
A demonstration of what I'd like to do (C is a coalesced field of A and B):
A_col . B_col . C_col
A Null . A
Null . B . B
A . B . B
... View more
07-18-2018
04:57 PM
@kiamco can you give an example of how you would join two searches by a single field?
... View more
07-17-2018
12:02 PM
Hello,
I am looking for the equivalent of performing SQL like such:
SELECT transaction_id, vendor
FROM orders
WHERE transaction_id IN (SELECT transaction_id FROM events).
I am aware this a way to do this through a lookup, but I don't think it would be a good use case in this situation because there are constantly new transaction_id's generated and several thousand of them within a small timeframe, as well as my goal to create a timechart report.
As of right now I can construct a list of transaction_ids for orders in one search query and a list of transaction_ids for events in another search query, but my ultimate goal is to return order logs that have transaction_ids shared with the transaction_ids of the events log. Any help is greatly appreciated, thanks!
... View more
07-17-2018
08:41 AM
Great explanation, thank you very much!
... View more
07-16-2018
01:13 PM
I went ahead and ran your solution on my system and only the k12 and k3 rows display. Are you having the same problem or is there something within my search preferences that are causing this error?
what i am seeing is below in the imgur link
https://imgur .com/a/BlUc0m1
... View more
07-16-2018
11:21 AM
I am looking to perform a case match search and have found that this query template attempted to answer how to define a case statement with an or condition on two matches. However, when I have used it within my own search I have found that even though the search executes correctly, the table returns with the "k12" row missing, even though "k1", "k2", and "k3" appear. Anyone know of a right way to perform a case match statement with an or condition, or is there a better method I should be following instead?
index=abc sourcetype=xyz
| eval w=case( match(_raw,"keyword1"), "k1",
match(_raw,"keyword2"), "k2",
match(_raw,"keyword3"), "k3",
match(_raw,"keyword1") OR match(_raw,"keyword2"), "k12")
| chart count by w
... View more
- Tags:
- splunk-enterprise
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
