Activity Feed
- Posted Re: Group by id. on Splunk Search. 11-11-2019 09:48 AM
- Posted Group by id. on Splunk Search. 11-08-2019 07:18 PM
- Tagged Group by id. on Splunk Search. 11-08-2019 07:18 PM
- Posted Re: print latest and values of status in an order. on Splunk Search. 11-08-2019 07:05 PM
- Posted Re: print latest and values of status in an order. on Splunk Search. 11-08-2019 06:05 PM
- Posted print latest and values of status in an order. on Splunk Search. 11-08-2019 05:14 PM
- Tagged print latest and values of status in an order. on Splunk Search. 11-08-2019 05:14 PM
- Posted Re: How to calculate percentage of usage on VPN on Security. 11-05-2019 02:31 PM
- Posted Re: Setting Workload Categories for Workload Management on Reporting. 11-05-2019 02:19 PM
- Posted Re: Pass Variable to Panel Title. on Dashboards & Visualizations. 11-05-2019 02:11 PM
11-08-2019 07:18 PM
I have a query like this:
index=MyIndex
| stats values(status) as status by id, time
| dedup id, status
It gives me something like this:
Status     id    time
apply      123   2019-10-28 10:04:02.707 EST
verify     123   2019-10-28 10:04:07.767 EST
approved   123   2019-10-28 10:04:10.707 PDT
login      123   2019-10-28 10:04:12.707 PDT
but I want:
id    latest(time)                  Status
123   2019-10-28 10:04:12.707 PDT   apply, verify, approved, login
I did try
stats values(status), latest(time) by id
but the problem is that with values(status) the values get sorted alphabetically.
Thanks for your time.
11-08-2019 07:05 PM
What you are saying will sort all the results, but not the status values in the values(status) output.
11-08-2019 06:05 PM
values(status) prints in alphabetical order; I want the values in the order they occurred.
11-08-2019 05:14 PM
I have something like this:
| stats values(status) by time, id
I want to print the latest time and values(status) in the order they got indexed or happened, by id.
Can someone help? Thanks!
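As an added example (not code from either of the two posts above, "Group by id" and "print latest and values of status in an order"), one way to get the latest time and the statuses in the order they occurred. It assumes index=MyIndex with fields id and status and the event timestamp _time, as in the posted query. values() sorts and deduplicates lexicographically, which is why the order is lost; list() keeps the input order, so the events are sorted first and duplicates are then removed with mvdedup, which keeps the first occurrence of each value:

```spl
index=MyIndex
| sort 0 id, _time
| stats list(status) AS status, latest(_time) AS latest_time BY id
| eval status=mvdedup(status)
| eval status=mvjoin(status, ", ")
| eval latest_time=strftime(latest_time, "%Y-%m-%d %H:%M:%S.%3N %Z")
| table id, latest_time, status
```

sort 0 lifts sort's default 10,000-row limit so no events are silently dropped before stats. list() keeps at most 100 values per group; if an id can have a longer status chain, the grouping has to be done with streamstats over a numbered sequence instead.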
11-05-2019 02:19 PM
Here is the information which I think should answer the question.
https://docs.splunk.com/Documentation/Splunk/8.0.0/Capacity/Summaryofperformancerecommendations
https://docs.splunk.com/Documentation/Splunk/8.0.0/Capacity/Referencehardware
Hope this helps, Thanks!
11-05-2019 02:11 PM
Does your query return only one result? If it returns more than one result, do you take click input from the user?
11-04-2019 04:11 PM
Try using a different browser.
11-04-2019 03:29 PM
earliest_time() should work with stats. I use it all the time; I am not sure why it's giving you an error.
10-31-2019 03:16 PM
@woodcock thanks for your response. I just updated my question with the code I'm using; can you update your answer with that code, please?
Thanks!
10-31-2019 01:55 PM
I have two dropdowns.
Dropdown one:
Groups all the status codes, which will display "Client Error" OR "Server Error".
Dropdown two:
Is auto-populated depending on Dropdown one.
For example:
If Client Error is selected in Dropdown one, Dropdown two will have options like 404, 401, 405, etc. My default value is * (ALL), but when it is passed to the search it searches all the values, including those other than Client Error.
I can add the grouping eval in all the searches, but I don't want to do that.
The only other way is to pass all the values that are dynamically populated to the search with an OR delimiter.
Just to make it clear, if Dropdown 1 is Client Error and Dropdown 2 is 400, 404, 406, the search should look something like this:
host=* (statuscode=400 OR statuscode=404 OR statuscode=406) | stats count by statuscode
<input type="dropdown" token="status" searchWhenChanged="true">
  <label>Select response status code:</label>
  <choice value="*">ALL</choice>
  <change>
    <condition label="ALL">
      <set token="status">$value$</set>
    </condition>
  </change>
  <fieldForLabel>s</fieldForLabel>
  <fieldForValue>s</fieldForValue>
  <search>
    <query>index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval Tstatus=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error")
| search Tstatus="$field3$"
| dedup s</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <default>*</default>
  <initialValue>*</initialValue>
</input>
<input type="dropdown" token="field3" searchWhenChanged="true">
  <label>Select response status:</label>
  <choice value="*">ALL</choice>
  <fieldForLabel>status</fieldForLabel>
  <fieldForValue>status</fieldForValue>
  <search>
    <query>index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval status=case(like(s, "1%"),"Informational",like(s, "2%"),"Success",like(s, "3%"),"Redirection",like(s, "4%"),"Client Error",like(s, "5%"),"Server Error")
| dedup status</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
  </search>
  <default>*</default>
  <initialValue>*</initialValue>
</input>
That is the code I'm using.
Thanks for your time!
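Added example (not the posted dashboard): the OR-joined filter the post asks for, built by a hidden search with a done handler instead of repeating the class eval in every panel. The existing inputs (tokens field1, App, host, field3 and status) are kept as posted; the search id code_filter_search, the token name code_filter and the panel are assumptions. Because $result.code_filter$ is spliced into a later search string unescaped, anything that reaches resStatus could otherwise rewrite that search, so the codes are restricted to three digits with a regex before they are joined, and an empty result falls back to a filter that matches nothing rather than to no filter at all:

```xml
<form>
  <!-- Added example: the posted inputs (field1, App, host, field3, status) go here unchanged. -->

  <!-- Hidden search: one row whose code_filter field reads
       (resStatus=400 OR resStatus=404 OR ...) for the selected class and code. -->
  <search id="code_filter_search">
    <query>index=XXX "app"=D forwApp=$App$ host=$host$
| rename resStatus as s
| eval Tstatus=case(like(s,"1%"),"Informational", like(s,"2%"),"Success", like(s,"3%"),"Redirection", like(s,"4%"),"Client Error", like(s,"5%"),"Server Error")
| search Tstatus="$field3$" s="$status$"
| regex s="^\d{3}$"
| stats values(s) AS s
| eval code_filter=if(isnull(s), "resStatus=\"none\"", "(resStatus=" . mvjoin(s, " OR resStatus=") . ")")
| fields code_filter</query>
    <earliest>$field1.earliest$</earliest>
    <latest>$field1.latest$</latest>
    <done>
      <!-- No rows at all (nothing in the time range): match nothing instead of everything. -->
      <condition match="$job.resultCount$ == 0">
        <set token="code_filter">resStatus="none"</set>
      </condition>
      <condition>
        <set token="code_filter">$result.code_filter$</set>
      </condition>
    </done>
  </search>

  <row>
    <panel>
      <title>Requests by status code: $field3$ / $status$</title>
      <table>
        <!-- The panel search only ever sees the pre-built OR filter. -->
        <search>
          <query>index=XXX "app"=D forwApp=$App$ host=$host$ $code_filter$
| stats count BY resStatus</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

With status left at * the filter expands to every code of the chosen class; with one code selected it collapses to that code. The hidden search reruns whenever field3, status, host or App changes, and the panel reruns when code_filter changes, so no change handler on the dropdown is needed.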
10-25-2019 01:34 PM
| rex "vin\=(?P<vin>[^\"]+)\"\s(?P<status>\d+)"
| stats dc(status) as StatusDC, values(status) by vin
| where StatusDC>1
| table vin
I think this should help.
You can see dc(status) and the values of all the statuses by vin by removing the where and table parts to test.
Thanks!
10-25-2019 11:37 AM
Yes, you can use it either way. If your results are not getting to the file, that might be a permissions issue with what is defined in transforms.conf.
Hope this helps, Thanks!
10-25-2019 11:22 AM
1 Karma
This is wonderful @woodcock, Thanks for your help!
10-25-2019 10:38 AM
@kamlesh_vaghela Thanks for responding, but it does not work.
I am getting something like this:
Name   row 1   row 2   row 3
AE     2       0       2
AT     5       0       6
AU     2       0       3
BE     6       0       6
BR     24      0       31
I already tried something similar; I think I am missing something. Thanks!
10-24-2019 10:22 PM
1 Karma
I have data something like this:
Name     Accepted   Rejected   Posted   Total
Change   3          5          7        15
NOC      5          6          5        16
         8          11         12       21
which I am getting with this command:
index=#####
| chart dc(TID) as count by Name Status
| addtotals
| addcoltotals
What I want is:
Name     Accepted(8)   Rejected(11)   Posted(12)   Total(21)
Change   3             5              7            15
NOC      5             6              5            16
         8             11             12           21
I did try | eval status=status."(".count.")"
Thanks for your time!
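Added example (not the poster's code or either reply) that produces the requested header layout from the posted chart. The trick is to transpose twice: the first transpose turns the Status columns into rows, so the column total can be appended to each column name with eval; the second turns them back into columns. index=##### is the poster's own placeholder; transpose 0 means no row limit, and the totals row (Name=Total) survives both transposes:

```spl
index=#####
| chart dc(TID) AS count OVER Name BY Status
| addtotals fieldname=Total
| addcoltotals labelfield=Name label=Total
| transpose 0 header_field=Name column_name=Status
| eval Status=Status." (".Total.")"
| transpose 0 header_field=Status column_name=Name
```

After the second transpose the headers read Accepted (n), Rejected (n), Posted (n), Total (n) with the per-row totals and the totals row intact. transpose turns every value into a string, so do this as the last step for display; any numeric sort or threshold belongs before it.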
10-22-2019 05:05 PM
source="wineventlog:security" action=success (EventCode=4624 OR EventCode=4634 OR EventCode=4779 OR EventCode=4800 OR EventCode=4801 OR EventCode=4802 OR EventCode=4803 OR EventCode=4804) user!="anonymous logon" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!="*$" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
| convert timeformat="%a %B %d %Y" ctime(_time) AS Date
| streamstats earliest(_time) AS login, latest(_time) AS logout by Date, host
| eval session_duration=logout-login
| eval h=floor(session_duration/3600)
| eval m=floor((session_duration-(h*3600))/60)
| eval SessionDuration=h."h ".m."m "
| convert timeformat="%m/%d/%y - %I:%M %P" ctime(login) AS login
| convert timeformat="%m/%d/%y - %I:%M %P" ctime(logout) AS logout
| stats count AS auth_event_count, earliest(login) AS login, max(SessionDuration) AS session_duration, latest(logout) AS logout, values(Logon_Type) AS logon_types by Date, host, user
Try this and see.
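Added example (not the answer above) for the same login/logout question, written so that each user's first and last event of the day come only from that user's own events: a streamstats that runs by Date and host alone pairs one user's 4624 with whatever other user's 4634 follows it on a shared host. It assumes the same Windows Security log fields (EventCode, Logon_Type, user, host) and keeps the duration numeric until the final formatting, so max, sort and thresholds on it behave:

```spl
source="wineventlog:security" (EventCode=4624 OR EventCode=4634)
    (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10)
    user!="ANONYMOUS LOGON" user!="DWM-*" user!="UMFD-*" user!=SYSTEM user!="*$"
| eval Date=strftime(_time, "%Y-%m-%d")
| stats earliest(_time) AS login, latest(_time) AS logout, count AS auth_event_count, values(Logon_Type) AS logon_types BY Date, host, user
| eval session_seconds=logout-login
| eval session_duration=tostring(session_seconds, "duration")
| eval login=strftime(login, "%m/%d/%y %I:%M %p"), logout=strftime(logout, "%m/%d/%y %I:%M %p")
| sort 0 - session_seconds
| table Date, host, user, login, logout, session_duration, auth_event_count, logon_types
```

This gives one span per user, host and day, which is an approximation: several sessions on the same day collapse into one, and a 4624 with Logon_Type 7 is an unlock rather than a fresh logon. For exact sessions, pair each 4624 with its 4634 on the logon ID field the TA extracts, and treat a day with a 4624 but no matching 4634 as a still-open or unterminated session rather than a zero-length one.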
10-22-2019 03:19 PM
Is there an event that is generated when a user logs in and logs out?
10-22-2019 02:03 PM
| stats count(Error) AS ErrorCount
| where ErrorCount>10
This should do it!
Please accept the answer if it helped, thanks!
10-22-2019 01:58 PM
Check your inputs.conf file and see what index is specified in it. I think by default it will have index=main; update it to index=YourIndexName and restart the service.
10-22-2019 01:47 PM
The | transaction command takes more resources; try to avoid it. It works well with small data, but as the data gets big it slows down.
10-22-2019 01:43 PM
If this helped, please accept the answer, or comment if you have any questions.