About kamlesh_vaghela

kamlesh_vaghela

@payyachamy Can you please share more details about your search like sample OUTPUT or Event from search before calculation logic ? KV

kamlesh_vaghela

@ednk Please try this. | makeresults | eval _raw="open_time update_time age 2022-02-26 2022-04-26 1m 2022-04-22 2022-04-26 4d" | multikv forceheader=1 |table open_time update_time | rename comment as "Upto now is for sample data only" | eval open_time = round(strptime(open_time, "%Y-%m-%d")) | eval update_time = round(strptime(update_time, "%Y-%m-%d")) | eval field_in_secs= update_time - open_time | eval string_dur=tostring(field_in_secs, "duration") | eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s") | eval Age=replace(formatted_dur, "^d (0h (0m )?)?","") KV

kamlesh_vaghela

@ednk You can use tostring function to get age sorta from days. Can you please try this? | makeresults | eval _raw="open_time update_time age 2022-02-26 2022-04-26 1m 2022-04-22 2022-04-26 4d" | multikv forceheader=1 |table open_time update_time | rename comment as "Upto now is for sample data only" | eval open_time = strptime(open_time, "%Y-%m-%d") | eval update_time = strptime(update_time, "%Y-%m-%d") | eval field_in_secs= update_time - open_time | eval string_dur=tostring(field_in_secs, "duration") | eval formatted_dur = replace(string_dur,"(?:(\d+)\+)?0?(\d+):0?(\d+):0?(\d+)","\1d \2h \3m \4s") | eval Age=replace(formatted_dur, "^d (0h (0m )?)?","") Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela

@Ashwini008 <option name="drilldown">cell</option> <drilldown> <condition field="YOUR_COLUMN_NAME"> <link target="_blank">PUT_YOUR_LINK</link> </condition> <condition>  </condition> </drilldown> Just confirm above drilldown config with your code. Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela

@ND Try by setting up blank before you set it again. var multi = splunkjs.mvc.Components.getInstance("multiselect_tkn"); multi.val([]) Please share you sample code so we can help you further. Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela

@user9025 Can you please try this? YOUR_SEARCH | rex field=_raw "\"Client\":\s\"(?<Client>.+?)\"" | stats count by Client My Sample Search : | makeresults | eval _raw="{\"d1\": \"EU\",\"sn\": \"sn\",\"entityType\": \"USER\",\"email\": \"test@gmail.com\",\"id\": [\"123\"],\"Client\": \"TEST\",\"time\": \"2020-01-01T01:01:01Z\",\"List\": [{\"Type\": \"Items1\",\"value\": \"-1\",\"match\": \"NO\"}]}" | append [| makeresults | eval _raw="{\"d1\": \"JP\",\"sn\": \"sn\",\"type\": \"USER\",\"user\": \"test1@gmail.com\",\"id\": [\"123\"],\"source\": \"S1\",\"Client\": \"test_client\",\"initiate\": \"init_Name\",\"mode\": \"Test\",\"t1\": \"\",\"t2\": \"\",\"auto\": true,\"list\": [{\"type\": \"USER_DRAFTS_COUNT\",\"value\": \"-1\",\"creteria\": \"skip\"}]}" ] | rex field=_raw "\"Client\":\s\"(?<Client>.+?)\"" | stats count by Client Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela

@Raghork You can troubleshoot the issue by checking any JS errors in your dashboard by inspect Element. You can also check whether your JS is properly getting loaded into browser or not, For that just check network tab after opening Inspect element. If issue is still there then please share sample code of your dashboard So we can see it. Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela

@splunkelz Can you please try this? YOUR_SEARCH | eval status="" | foreach *_status [| eval status= mvappend(status,"<<FIELD>>"+"="+<<FIELD>>)] | table hostname ip status My Sample Search : | makeresults | eval _raw="hostname ip database_status internet_status proxy_status server101 192.168.10.2 online online offline server102 192.168.10.3 offline online offline" | multikv forceheader=1 | table hostname ip database_status internet_status proxy_status | eval status="" | foreach *_status [| eval status= mvappend(status,"<<FIELD>>"+"="+<<FIELD>>)] | table hostname ip status Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela

kamlesh_vaghela

@Ashwini008 Try below example code and modify as per your requirement. XML <form script="a.js"> <label>Submit Button Confirm Alert</label> <fieldset submitButton="false"> <input type="dropdown" token="tkn_A" searchWhenChanged="false"> <label>Dropdown A</label> <choice value="A">A</choice> <choice value="AA">AA</choice> </input> <input type="text" token="tkn_B" searchWhenChanged="false"> <label>Text B</label> </input> <html> <input type="button" id="submitbutton" class="btn btn-primary" value="Submit"></input> </html> </fieldset> <row> <panel> <table> <title>Test Table</title> <search> <query>|makeresults count=10 | eval dropdown_a="$tkn_A$", text_b="$tkn_B$"</query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> a.js require([ 'underscore', 'jquery', 'splunkjs/mvc', 'splunkjs/mvc/simplexml/ready!' ], function(_, $, mvc) { console.log("LAZY!!!"); var defaultTokenModel = mvc.Components.get('default'); var submittedTokenModel = mvc.Components.get("submitted"); $(document).ready(function() { $('input#submitbutton').click(function() { if (confirm("Are you sure?!")) { defaultTokenModel.set("dummy", 1); submittedTokenModel.set(defaultTokenModel.toJSON()); } else { console.log("Do Nothing") } }); }); }); Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela · ‎04-13-2022

@bijodev1 Can you please share sample output from below variable? response_text May be I can help you on this. KV

kamlesh_vaghela · ‎04-13-2022

@ND Can you please try this? | inputlookup abc.csv | chart sum(field1) as field1 by field2, field3 | addtotals | eval field1 = tostring(field1, "commas") For further help can you please share sample output of below search? | inputlookup abc.csv | chart sum(field1) as field1 by field2, field3 | addtotals Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela · ‎04-13-2022

@ofer_s You can extract your required values using below search. Here, you need to change where condition as per your requirement. I have YOUR_SEARCH | spath path={} output=raw | mvexpand raw | rename raw as _raw | spath | where 'event_age.hours' > 4 My Sample Search : | makeresults | eval _raw="[{\"id\": \"123\",\"percentage\": 25.0,\"active\": true,\"second_id\": \"456\",\"creation time\": \"2022-04-13T09:30:06.517\",\"event_age\": {\"hours\": 3,\"minutes\": 4,\"seconds\": 2}}, {\"id\": \"789\",\"percentage\": 56.0,\"active\": true,\"second_id\": \"222\",\"creation time\": \"2022-04-13T09:30:06.517\", \"event_age\": {\"hours\": 6,\"minutes\": 2,\"seconds\": 2}}]" |rename comment as "Upto now is for sample data only" | spath path={} output=raw | mvexpand raw | rename raw as _raw | spath | where 'event_age.hours' > 4 Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela · ‎04-12-2022

@sb01splunk Just update your pie chart search with below one. 🙂 <query>index=myIndex $condition_tkn$ | stats count by targetAppAlternateId</query> Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela · ‎04-12-2022

@yk010123 @VatsalJagani Added more SQL Query related use cases to help Community. I have also updated regular expression and made masking more unpredictable for end user. | makeresults | eval _raw="field select id from table where id In [\"123\",\"12\"] limit 1 select id,\"Test\" as dummy from table where id=\"123\" limit 1 select id from table where id=\"123\" limit 1 select id,name from table where id = 123 limit 1 select id,name from table where name = \"test\" select id,name from table where mo_number=\"1234567890\" select id,name from table where name = 'test' select id from table where id In [123,12] limit 1 select id from table where name In [\"name1\",\"name2\"] limit 1" | multikv forceheader=1 | rex mode=sed field=field "s/(?i)where (.*(|\s)[^=])(=|in)\s*(\"[^\"]*\"|'[^']*'|[^\s]*|[\[^\]*])/where \1\3 XXXX/g" |table _raw field Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela · ‎04-12-2022

kamlesh_vaghela · ‎04-12-2022

@yk010123 Add custom field in @VatsalJagani search to get values in desired format. YOUR_SEARCH | stats count by Service Message | eval custom_field=Service.":".Message.":".count My Sample Search : | makeresults | eval _raw="Service Message Service1 Hello world Service2 Another message Service1 Hello world Service1 Some other message" | multikv forceheader=1 | table Service Message | rename comment as "Upto now is for sample data only" | stats count by Service Message | eval custom_field=Service.":".Message.":".count Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela · ‎04-12-2022

@ND Can you please share some sample data from `rrc_main` search manager and the expected CSV output from those samples. It would be really helpful to understand your requirements and the issue. KV

kamlesh_vaghela · ‎04-12-2022

@bijodev1 I've a little know on pandas library. But you can do it. In our python script `response_text` will return json string. you can use that json to convert into DataFrame. You can also get selected value from `response_text` and create dictionary of userid & those selected values to create DataFrame. Please check below links for the same. https://pandas.pydata.org/docs/reference/api/pandas.DataFrame.html https://www.w3schools.com/python/pandas/pandas_dataframes.asp https://towardsdatascience.com/how-to-convert-json-into-a-pandas-dataframe-100b2ae1e0d8 Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

kamlesh_vaghela · ‎04-12-2022

@bijodev1 May be this will help you. import requests import json # from requests.auth import HTTPBasicAuth # import urllib3 # urllib3.disable_warnings() # # # # search_query={'search':'search earliest = -24h index=_internal | stats count by sourcetype'} # response = requests.post('https://localhost:8000/services/search/jobs/export', data=search_query,verify=False, auth=HTTPBasicAuth('admin', 'admin')) # print("Status = "+str(response.status_code) ) # print("response text = "+str(response.text)) # # json_data = json.loads(str(response.text)) import requests import urllib3 from base64 import b64encode import urllib.parse from csv import reader urllib3.disable_warnings() def fetch_data_using_userid(userid): url = "https://localhost:8089/servicesNS/admin/search/search/jobs/export" payload = { 'search': f'search index=_internal earliest=-1h sourcetype="{userid}" | stats count by sourcetype', 'output_mode': 'json' } safe_payload = urllib.parse.urlencode(payload) userAndPass = b64encode(b"admin:admin123").decode("ascii") headers = { 'Authorization': 'Basic %s' % userAndPass, 'Content-Type': 'application/x-www-form-urlencoded' } response = requests.request("POST", url, headers=headers, data=safe_payload, verify=False) return response.text # open file in read mode with open('user_data.csv', 'r') as read_obj: # pass the file object to reader() to get the reader object csv_reader = reader(read_obj) header = next(csv_reader) if header is not None: # Iterate over each row in the csv using reader object for row in csv_reader: # row variable is a list that represents a row in csv print(row) response_text = fetch_data_using_userid(row[0]) print(response_text) Thanks KV If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Posts	2414
Solutions	452
Karma Given	47
Karma Received	670
Member Since	‎09-23-2015

Online Status	Offline
Date Last Visited	yesterday

How can we delete particular data from KVStore usi...

How to restrict time range picker to specific peri...

Is there any way to send Splunk indexed Data to an...

Are there any limitations of search string length ...

Why am I getting an error to start a fresh Splunk ...

Why AppInspect tool Fails check_lookup_files check...

Got Error: "The splunk daemon (splunkd) is already...

How to add custom validation on Configuration Page...

How to change app banner css when open search in s...

Dashboard Export to Pdf Not working with Table vie...

Re: Splunk Query

Re: how to calculate age of event?

Re: how to calculate age of event?

Re: How to display a popup message "yes/no" to dis...

Re: remove null value from multiselect input

Re: Wrong JSON value extracted by query

Re: Java Script isn't working on HTML page uploade...

Re: how do you transform table values like this

Re: Is it possible to get sum of Top 5 values per ...

Re: How to display a popup message "yes/no" to dis...

Re: How to convert splunk api response to datafram...

Re: How to use thousand comma separator for chart ...

Re: Parse Json array with inner condition

Re: How to limit the 'All' option to what query ac...

Re: Remove values in quotes with a placeholder

Re: How can I create a report where values are gro...

Re: How can I count values by a subgroup?

Re: How to export Splunk data to CSV file using Ja...

Re: Splunk API - JSON Expecting value: line 1 colu...

Re: Splunk API - JSON Expecting value: line 1 colu...