cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
kamlesh_vaghela
SplunkTrust
Member since: ‎09-23-2015
Online
Community Statistics
Posts 1615
Solutions 272
Karma Given 18
Karma Received 373
Member Since ‎09-23-2015
Activity Feed

Re: wanted to populate mutiseect token with if els...

by SplunkTrust in Splunk Search
41m ago
41m ago
@bapun18    Are you looking for this?   <input type="dropdown" token="smile"> <label>Dropdown</label> <choice value="*">All</choice> <choice value="A,B,C,D,E">Hey</choice> <choice value="F,G,H,I,J,K">Hello</choice> </input> index=myindex [| makeresults | eval value="$smile$" | makemv value delim="," | mvexpand value | eval field_1="*".value."*",field_2="*".value."*" | fields field_1, field_2 | format] | REST OF THE SEARCH   ... View more

Re: data extraction from Nested JSON data and prin...

by SplunkTrust in Splunk Search
3 weeks ago
3 weeks ago
| makeresults | eval _raw="{\"hostname\":\"abc\",\"inventory\":\"#####\",\"fqdn\":\"xxxxx.xxxx.xxx.xxx.xxx\",\"ip\":\"#.#.#.#\",\"platform\":\"XXXXX\",\"version\":\"XXXXX\",\"environment\":\"XXXX\",\"status\":\"XXXXX\",\"subStatus\":\"XXXXX\",\"contactSupporTeam\":\"xxxx\",\"model\":\"XXXXX\",\"product\":\"SERVER\",\"serial\":\"dfd34324\",\"app\":[{\"appName\":\"XXXXX\",\"appAcronym\":\"XXX\",\"appStatus\":\"xxxxx\",\"appOwner\":\"xxxxxx\"}],\"pkg\":[{\"pkgName\":\"xxxxx\",\"pkgVersion\":\"1.2.3\"},{\"pkgName\":\"yyyyy\",\"pkgVersion\":\"2.3.4\"},{\"pkgName\":\"zzzzz\",\"pkgVersion\":\"3.4.5\"}],\"nic\":[{\"nicName\":\"eth4\",\"nicSwitch\":[{\"nicSwitchName\":\"xxxxxxx\",\"nicSwitchSerial\":\"dfgdg45435fgg\",\"nicSwitchManufacturer\":\"XXXX\",\"nicSwitchModel\":\"XXX22\",\"nicSwitchVlan\":\"Vlan###\",\"nicSwitchChannel\":\"port-channel3\",\"nicSwitchPort\":\"Ethernet107/1/7\"},{\"nicSwitchName\":\"xxxxxxxx\",\"nicSwitchSerial\":\"dfsf23432ef\",\"nicSwitchManufacturer\":\"XXXX\",\"nicSwitchModel\":\"XXXX\",\"nicSwitchChannel\":\"port-channel3\",\"nicSwitchPort\":\"Ethernet107/1/8\",\"nicSwitchVlan\":\"Vlan###\"}],\"nicDnsName\":\"\",\"nicType\":null,\"nicStatus\":\"up\",\"nicSpeed\":\"10000\",\"nicFirmware\":\"\",\"nicMac\":\"XX##XXX###XX\",\"nicDuplex\":\"FULL\",\"nicIP\":\"undefined\",\"nicNetmask\":\"\"},{\"nicName\":\"eth5\",\"nicSwitch\":[{\"nicSwitchName\":\"xxxxxx\",\"nicSwitchSerial\":\"dsfsdf3432sdf\",\"nicSwitchManufacturer\":\"XXXX\",\"nicSwitchModel\":\"XXXXX\",\"nicSwitchChannel\":\"port-channel3\",\"nicSwitchVlan\":\"Vlan###\",\"nicSwitchPort\":\"Ethernet107/1/8\"},{\"nicSwitchName\":\"xxxxxx\",\"nicSwitchSerial\":\"fdf345345\",\"nicSwitchManufacturer\":\"XXXXX\",\"nicSwitchModel\":\"XXXXX\",\"nicSwitchChannel\":\"port-channel3\",\"nicSwitchPort\":\"Ethernet107/1/7\",\"nicSwitchVlan\":\"Vlan###\"}],\"nicDnsName\":\"\",\"nicType\":null,\"nicStatus\":\"up\",\"nicSpeed\":\"\",\"nicFirmware\":\"\",\"nicMac\":\"XXX###XXX\",\"nicDuplex\":\"\",\"nicIP\":\"undefined\",\"nicNetmask\":\"\"},{\"nicName\":\"eth6\",\"nicSwitch\":[],\"nicDnsName\":\"\",\"nicType\":null,\"nicStatus\":\"\",\"nicSpeed\":\"\",\"nicFirmware\":\"\",\"nicMac\":\"\",\"nicDuplex\":\"\",\"nicIP\":\"#.#.#.#\",\"nicNetmask\":\"#.#.#.#\"}]}" | spath nic{} output=data | stats count by data | rename data as _raw | extract | spath nicSwitch{} output=data | stats count by nicName,data | rename data as _raw | extract | fields nicName nic* ... View more

Re: How to have a checkbox, check all the rows in ...

by SplunkTrust in Dashboards & Visualizations
4 weeks ago
4 weeks ago
@Archana944    I did some correction in your javascript. Can you please try this?   require([ 'underscore', 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/tableview', 'splunkjs/mvc/simplexml/ready!', ], function(_, $, mvc, TableView) { // Access the "default" token model var tokens = mvc.Components.get("default"); var selected_values_array = []; var query_array = []; var query; var fieldKey = "CheckBox"; var fieldDataStoreKey = "data-sort-key=" + fieldKey; var isSelectAll = false; var submittedTokens = mvc.Components.get('submitted'); var mySearchManager = ""; var SearchManager = require('splunkjs/mvc/searchmanager'); var CustomRangeRenderer = TableView.BaseCellRenderer.extend({ canRender: function(cell) { console.log("IN render",cell.field); return _([fieldKey]).contains(cell.field); }, render: function($td, cell) { console.log("checked",cell.value); var cls = "checkbox"; if (isSelectAll) { cls = "checkbox checked"; } var a = $('<div>').attr({ "id": "chk-sourcetype" + cell.value, "value": cell.value }).addClass(cls).click(function() { if ($(this).attr('class') === "checkbox") { selected_values_array.push($(this).attr('value')); $(this).removeClass(); $(this).addClass("checkbox checked"); } else { $(this).removeClass(); $(this).addClass("checkbox"); var i = selected_values_array.indexOf($(this).attr('value')); if (i != -1) { selected_values_array.splice(i, 1); } // Change the value of a token $mytoken$ } }).appendTo($td); }}); //List of table IDs var tableIDs = ["myTable"]; for (i = 0; i < tableIDs.length; i++) { var sh = mvc.Components.get(tableIDs[i]); if (typeof(sh) != "undefined") { sh.getVisualization(function(tableView) { // Add custom cell renderer and force re-render tableView.table.addCellRenderer(new CustomRangeRenderer()); tableView.table.render(); tableView.on('rendered', function(view) { setTimeout(function() { setCheckAllCheckBox(); }, 500); }); }); } } var SearchA = mvc.Components.get("SearchA"); var SearchAResults = SearchA.data("results"); SearchAResults.on("data", function() { resultArray = SearchAResults.data().rows; searchAFields = SearchAResults.data().fields; var keyIndex = searchAFields.indexOf(fieldKey); searchAValues = []; $.each(resultArray, function(index, value) { searchAValues[index] = value[keyIndex]; }) }); function setCheckAllCheckBox() { // console.log("In setCheckAllCheckBox"); var a = $("[" + fieldDataStoreKey + "]"); // console.log(a); a.html(""); var cls = "checkbox"; if (isSelectAll) { cls = "checkbox checked"; } var temp = $('<div>').attr({ "id": "chk-sourcetype", "value": "All" }).addClass(cls).click(function() { if ($(this).attr('class') === "checkbox") { $(this).removeClass(); $(this).addClass("checkbox checked"); isSelectAll = true; } else { $(this).removeClass(); $(this).addClass("checkbox"); isSelectAll = false; } checkUnCheckAllCheckboxes(); }).appendTo(a); $("[" + fieldDataStoreKey + "]").parent().removeAttr("class"); $("[" + fieldDataStoreKey + "]").removeAttr("data-sort-key"); } function checkUnCheckAllCheckboxes() { console.log($('[id^="chk-sourcetype_"]')); var cls = "checkbox"; selected_values_array = []; if (isSelectAll) { cls = "checkbox checked"; $.each(searchAValues, function(index, value) { selected_values_array.push(value); }) } $('[id^="chk-sourcetype_"]').removeClass(); $('[id^="chk-sourcetype_"]').addClass(cls); } $(document).ready(function() { $("#resubmit").on("click", function(e) { e.preventDefault(); console.log("selectedarray" + selected_values_array); for (q = 0; q < selected_values_array.length; q++) { var checkbox_query = "| makeresults | eval Search_Query=\"" + selected_values_array[q] + "\" | fields - _time | outputlookup append=true IIB_Dashboard_lookup.csv" console.log(checkbox_query) var epoch = (new Date).getTime(); mySearchManager = new SearchManager({ id: "lookup_search" + epoch, earliest_time: "-24h", latest_time: "now", autostart: true, search: checkbox_query, preview: true, cache: false }); } mvc.Components.get("SearchA").startSearch(); query = []; for (u = 0; u < selected_values_array.length; u++) { query[u] = "\"" + selected_values_array[u] + ",RESUBMIT\"" } console.log(query.join(" ")) search_query(query.join(" ")); selected_values_array = []; console.log(selected_values_array); }); $("#archive").on("click", function(e) { e.preventDefault(); console.log("selectedarray" + selected_values_array); for (q = 0; q < selected_values_array.length; q++) { var checkbox_query = "| makeresults | eval Search_Query=\"" + selected_values_array[q] + "\" | fields - _time | outputlookup append=true IIB_Dashboard_lookup.csv" console.log(checkbox_query) var epoch = (new Date).getTime(); mySearchManager = new SearchManager({ id: "lookup_search" + epoch, earliest_time: "-24h", latest_time: "now", autostart: true, search: checkbox_query, preview: true, cache: false }); }; mvc.Components.get("SearchA").startSearch(); query = []; for (u = 0; u < selected_values_array.length; u++) { query[u] = "\"" + selected_values_array[u] + ",ARCHIVE\"" } console.log(query.join(" ")) search_query(query.join(" ")); selected_values_array = []; console.log(selected_values_array); }); function search_query(query) { //var SearchManager = require('splunkjs/mvc/searchmanager'); var epoch = (new Date).getTime(); mySearchManager = new SearchManager({ id: "Soap_test" + epoch, earliest_time: "-24h", latest_time: "now", autostart: true, search: "| soap1 " + query, preview: true, cache: false }); var confirmationMessage = mySearchManager.on('search:done', function(properties) { console.log("DONE!\nSearch job properties:", properties.content.eventCount); return "Job Completed"; }); console.log(confirmationMessage); var myResults = mySearchManager.data("results"); console.log(myResults); myResults.on("data", function() { resultArray_rows = myResults.data().rows; console.log(resultArray_rows) tokens.set("mytoken1", resultArray_rows.join()); submittedTokens.set(tokens.toJSON()); console.log(tokens); }); } }); }); ... View more

Re: How to have a checkbox, check all the rows in ...

by SplunkTrust in Dashboards & Visualizations
a month ago
a month ago
@Archana944  I'm assuming you have used js from accepted post. Can you please add setTimeout and try again?   // Add custom cell renderer and force re-render tableView.table.addCellRenderer(new CustomRenderer()); tableView.table.render(); tableView.on('rendered', function(view) { setTimeout(function(){ setCheckAllCheckBox(); },500); });   ... View more

Re: Unique Contraint in Splunk

by SplunkTrust in Getting Data In
‎07-02-2020 10:32 PM
‎07-02-2020 10:32 PM
@akshgpt25  Not sure it is possible during indexing, but you can get unique event in SPL by using dedup command.  https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Dedup Thanks ... View more

Re: Subtract the Results of one search from anothe...

by SplunkTrust in Splunk Search
‎06-30-2020 11:26 PM
‎06-30-2020 11:26 PM
@ramkomarapu Can you please share sample events ?  ... View more

Re: get the last element of repeating json payload

by SplunkTrust in Splunk Search
‎06-28-2020 10:03 PM
‎06-28-2020 10:03 PM
@sharathk0525  Yes dedup will removes the events that contain an identical combination of values for the fields that you specify. dedup will gives you most recent event on the basis of data.cRID. if you looking for most recent event then dedup is best for you. In this case you can easily ignore stats also.   https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Dedup   Can you please try this for validate data? index=abc_applications cf_space_name=production cf_app_name="my-app-name" "\"newAction\":\"request-change"\" AND "Final obj-1----------" | rex field=_raw "Final obj-1----------(?P<json_data_1>\{.*\})" | eval json_data = mvindex(json_data_1, -1) | spath input=json_data | dedup data.cRID | rename data.cRID as CRID | eval Attachment_Count = spath(json_data, "changeAttachment{}") | eval Approver_Count = spath(json_data, "changeApprover{}") | eval Config_Count = spath(json_data, "changeConfigItem{}") | table _time CRID Attachment_Count, Approver_Count, Config_Item_Count   ... View more

Re: get the last element of repeating json payload

by SplunkTrust in Splunk Search
‎06-25-2020 08:50 AM
‎06-25-2020 08:50 AM
@sharathk0525    I hope data.cRID field will come in your event.   index=abc_applications cf_space_name=production cf_app_name="my-app-name" "\"newAction\":\"request-change"\" AND "Final obj-1----------" | rex field=_raw "Final obj-1----------(?P<json_data_1>\{.*\})" | eval json_data = mvindex(json_data_1, -1) | spath input=json_data | dedup data.cRID | rename data.cRID as CRID | eval Attachment_Count = spath(json_data, "changeAttachment{}") | eval Approver_Count = spath(json_data, "changeApprover{}") | eval Config_Count = spath(json_data, "changeConfigItem{}")| stats count(Attachment_Count) as Attachment_Count, count(Approver_Count) as Approver_Count, count(Config_Count) as Config_Item_Count by CRID  Can you please try this?   ... View more

Re: Event.conf & Tags.conf

by SplunkTrust in Security & the Enterprise
‎06-24-2020 11:41 PM
‎06-24-2020 11:41 PM
@mag85032  I hope you are asking about eventtypes.conf and tags.conf.   Event Types: Splunk event type refers to a collection of data which helps in categorizing events based on common characteristics. It is a user-defined field which scans through huge amount of data and returns the search results in the form of dashboards. You can also create alerts based on the search results. Tags:   Splunk tags are used to assign names to specific fields and value combinations. It is the simplest method to get the results in pair while searching. Any event type can have multiple tags to get quick results.   It helps to search groups of event data more efficiently.  Tagging is done on the key value pair which helps to get information related to a particular event, whereas an event type provides the information of all the Splunk events associated with it.  You can also assign multiple tags to a single value     Most popular use case where we are using event types and tags is CIM Mapping. You can check other configuration files  form List of configuration files . Thanks Kamlesh Vaghela ... View more

Re: get the last element of repeating json payload

by SplunkTrust in Splunk Search
‎06-24-2020 11:32 PM
‎06-24-2020 11:32 PM
@sharathk0525    Please provide valid sample JSON from your _raw and your expected output from that sample. That will make us clear understanding about your requirement. Please make sure _raw events should be the single liner JSON event. Thanks Kamlesh Vaghela ... View more

Re: Need Time_Format value

by SplunkTrust in Getting Data In
‎06-24-2020 01:28 AM
‎06-24-2020 01:28 AM
@vijaysri    You can go through this link. https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Commontimeformatvariables Please  check my sample search with your provided data.   | makeresults | eval date="2020-06-24 03:07:39,997Z|2020-06-24 03:07:39.990Z" , date=split(date,"|") | mvexpand date | eval epochtime = strptime(date,"%Y-%m-%d %M:%H:%S,%3QZ") | eval ReIterated = strftime(epochtime,"%Y-%m-%d %M:%H:%S,%3QZ") | table date epochtime ReIterated   Hope this will help you.   Thanks Kamlesh Vaghela ... View more

Re: How to sum one field values based on other fie...

by SplunkTrust in Splunk Search
‎06-24-2020 12:50 AM
‎06-24-2020 12:50 AM
@kirrusk    Can you please try this?   YOUR_SEARCH | stats sum(Remediated) as Remediated by Source,Space_id     Sample Search:     | makeresults | eval _raw="Source Remediated Space_id A 45 156 B 46 199 B 98 233 B 8 233 A 9 156 D 3 148" | multikv forceheader=1 | stats sum(Remediated) as Remediated by Source,Space_id     ... View more

Re: Need help in applying checkbox in splunk table...

by SplunkTrust in Dashboards & Visualizations
‎06-23-2020 09:16 AM
‎06-23-2020 09:16 AM
@spkriyaz  For providing UnAck feature,  please add below code in my provided example in this answer. XML 1) Add a search manager. <search id="myrevertsearch"> <query> | inputlookup sample_data where Number = "$UnAckID$" | eval Ack="" | append [| inputlookup sample_data where Number != "$UnAckID$"] | sort Number | outputlookup sample_data</query> </search>   2) Add button with "Ack Selected Button". <div> <input type="button" id="mybutton" value="Ack Selected Rows"/> <input type="button" id="myrevertbutton" value="Un Ack Entered Id"/> </div>   JS: 3) Add SearchManager Object and on:done event with other object, // Disabling button while search is running var mysearch = mvc.Components.get('mysearch'); var mainSearch = mvc.Components.get('mainSearch'); var myrevertsearch = mvc.Components.get('myrevertsearch'); myrevertsearch.on('search:done', function (properties) { $("#myrevertbutton").attr('disabled', false); mainSearch.startSearch(); });   4) Add onclick event on UnAck button $(document).ready(function () { //setting up tokens with selected value. $("#mybutton").on("click", function (e) { e.preventDefault(); tokens.set("mytoken", selected_values_array.join()); submittedTokens.set(tokens.toJSON()); $("#mybutton").attr('disabled', true); }); $("#myrevertbutton").on("click", function (e) { e.preventDefault(); myrevertsearch.startSearch(); $("#myrevertbutton").attr('disabled', true); }); });     Thanks Kamlesh Vaghela ... View more

Re: Need help to encircle the table row based on t...

by SplunkTrust in Splunk Search
‎06-23-2020 06:48 AM
‎06-23-2020 06:48 AM
Hello @spkriyaz  You can use same approach as I mentioned in below link. https://community.splunk.com/t5/Dashboards-Visualizations/Need-help-in-applying-checkbox-in-splunk-table-and-saving-the-on/td-p/503603   In above example just do below changes. 1) Add below class in CSS. .table_raw { border: solid #FF0000 !important; border-width: 2px 2px 2px 2px !important; }   2) In JS, comment below line.   // $(this).parents('tr').addClass(this.className);   And add this block. if(this.className === "range-cell range-not-acked") { $(this).parents('tr').addClass("table_raw"); }   This will highlight row which is not acknowledged. In your case, just add class in any cell of your required row and use in above if condition for matching. It will highlight that row.   Please try and let me know if any issue. In case, you are not able to do then share your sample XML, JS and CSS, so I can help on that.   Thanks Kamlesh Vaghela   ... View more

Re: Required help in applying color on the icons

by SplunkTrust in Splunk Enterprise
‎06-23-2020 04:06 AM
1 Karma
‎06-23-2020 04:06 AM
1 Karma
Hello @premranjithj  You missed to add text in style also. Can you please update your code with below one?   //Create the icon element and add it to the table cell $td.addClass('icon').html(_.template('<%- text %> <i class="icon-<%-icon%> <%- text %>"></i>', { icon: icon, text: cell.value }));   Thanks Kamlesh Vaghela ... View more

Re: How to use updated version of moment.js in my ...

by SplunkTrust in Splunk Enterprise
‎06-22-2020 05:10 AM
‎06-22-2020 05:10 AM
@umairahmad3985  I'm not able to access below URL https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.1/moment-withlocales.min.js   But I tried this URL and working fine. https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.0/moment.min.js   Can you please try this JS code in your JS? require.config({ paths: { "moment": "https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.18.0/moment.min" } }); var deps = [ "moment", "splunkjs/ready!" ]; require(deps, function(moment) { console.log("Test moment",moment); });   Thanks Kamlesh Vaghela  ... View more

Re: How to use updated version of moment.js in my ...

by SplunkTrust in Splunk Enterprise
‎06-21-2020 11:45 PM
‎06-21-2020 11:45 PM
Hello @umairahmad3985  Here we can go with same solution but with some variation. https://community.splunk.com/t5/Dashboards-Visualizations/Moment-js-won-t-work-in-XML/td-p/434524   Download latest version of moment.js and put into your app. change the path of moment in require([]) array. require([ 'underscore', 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!', '<<PATH OF LATEST MOMENT JS>>' ], function(_, $, mvc) { var moment = require('moment');   Please try and let me know if you face any difficulties:)   Thanks Kamlesh Vaghela ... View more

Re: Avoid multiple spath for a better performant q...

by SplunkTrust in Splunk Search
‎06-17-2020 05:32 AM
‎06-17-2020 05:32 AM
@monika0511    You can try this also.   YOUR_SEARCH | spath prints.urls{} output=urls | stats count latest(_time) as Time by urls | rename urls as _raw,Time as _time | extract | rename Time.db as db_time, Time.total as total_time, uri.name as uri_name | table _time uri_name, response_time, db_time, total_time   Sample Search:   | makeresults | eval _raw="{\"version\":\"v0.2\",\"prints\":{\"urls\":[{\"response_time\":256,\"uri\":{\"bool\":false,\"name\":\"abc\"},\"Time\":{\"total\":52,\"db\":11}},{\"response_time\":578,\"uri\":{\"bool\":false,\"name\":\"xyz\"},\"Time\":{\"total\":78,\"db\":13}}]}}" | spath prints.urls{} output=urls | stats count latest(_time) as Time by urls | rename urls as _raw,Time as _time | extract | rename Time.db as db_time, Time.total as total_time, uri.name as uri_name | table _time uri_name, response_time, db_time, total_time   ... View more

Re: Need help in applying checkbox in splunk table...

by SplunkTrust in Dashboards & Visualizations
‎06-16-2020 04:05 AM
1 Karma
‎06-16-2020 04:05 AM
1 Karma
yes @spkriyaz .   So you can use global token to store user information in lookup. like   |inputlookup ram_error.csv | where ID IN ($mytoken$) | eval Ack=now(),User="$env:user$" | append [|inputlookup ram_error.csv | where not ID IN ($mytoken$) ] | sort ID | outputlookup ram_error.csv ... View more

Re: Group by repeating value at value change

by SplunkTrust in Splunk Search
‎06-16-2020 02:23 AM
‎06-16-2020 02:23 AM
@aseadmin  Can you pleas share some sample event or table same like you shared in question ? So we can help you on  ... View more
Contact Me
Online Status
Online
Date Last Visited
41m ago
Karma given to