Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About joshualarkins
joshualarkins
Explorer
Member since:
07-04-2013
04-23-2021
Community Statistics
| Posts | 20 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 3 |
| Member Since | 2013-07-04 |
Activity Feed
- Got Karma for How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event?. 06-05-2020 12:48 AM
- Got Karma for Re: How to resolve hidden files in package error when uploading to Splunkbase?. 06-05-2020 12:48 AM
- Got Karma for Re: Add a comment to a search?. 06-05-2020 12:46 AM
- Posted Re: Persist tokens across executions? on All Apps and Add-ons. 08-26-2019 03:13 PM
- Posted Re: Persist tokens across executions? on All Apps and Add-ons. 08-26-2019 03:02 PM
- Posted Persist tokens across executions? on All Apps and Add-ons. 08-26-2019 02:40 PM
- Tagged Persist tokens across executions? on All Apps and Add-ons. 08-26-2019 02:40 PM
- Tagged Persist tokens across executions? on All Apps and Add-ons. 08-26-2019 02:40 PM
- Posted Re: How do you make a date and time comparison in field values based on a condition? on Splunk Search. 11-26-2018 06:19 AM
- Posted Re: How do you create a dashboard that indicates data availability? on Dashboards & Visualizations. 11-26-2018 06:07 AM
- Posted Re: Appendcols Error on All Apps and Add-ons. 10-02-2018 03:13 PM
- Posted Re: Sankey sorting on All Apps and Add-ons. 08-03-2018 04:30 AM
- Posted Re: Timeline - Custom Visualization: Additional fields can be added to the query, but where are these values shown in the visualization? on All Apps and Add-ons. 05-25-2018 10:42 AM
- Posted Re: How to resolve hidden files in package error when uploading to Splunkbase? on All Apps and Add-ons. 05-23-2017 01:40 PM
- Posted Re: Slack Notification Alert: How can I get the message to use the resulting value from a saved search? on All Apps and Add-ons. 04-17-2017 06:08 PM
- Posted Re: Slack Notification Alert: How can I get the message to use the resulting value from a saved search? on All Apps and Add-ons. 04-17-2017 06:07 PM
- Posted Re: Add a comment to a search? on Splunk Search. 12-22-2016 11:35 AM
- Posted Re: How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event? on Getting Data In. 12-14-2016 01:15 PM
- Posted Re: How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event? on Getting Data In. 12-14-2016 12:54 PM
- Posted How to edit my TIME_PREFIX in props.conf to properly extract the timestamp from my sample event? on Getting Data In. 12-14-2016 12:52 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 1 | |||
| 0 |
08-26-2019
03:13 PM
It seems like values stored to req_args["params"]["arbitrary_string"] within a custom responsehandler will turn into an entry in the inputs.conf, under the [rest://blah] stanza, with a key of arbitrary_string. I guess that works, but I was under the impression that Splunk Best Practices were to store that data in the $SPLUNK_HOME/var/lib/splunk/modinputs/ directory, usually via Splunk's API or the Splunk SDK. Are there any issues I should be aware of by using this method of storing checkpoints in the inputs.conf?
... View more
08-26-2019
03:02 PM
I'm familiar with the process of storing persistent checkpoints, but I'm trying to discover if this is supported within the framework of the tagged REST API app.
... View more
08-26-2019
02:40 PM
I'm trying to use the REST API Mod Input to persist a timestamp parameter. Each time I make a request of the API I'm working with, it responds with the authoritative end timestamp that it is returning data for. Between subsequent executions, I need to store this value, so it can be provided with the next execution.
I've read most of the threads here on Answers, trying to find someone doing what I'm looking for. I can't seem to find anywhere there or in the Python code of the app that shows handling persistent tokens across REST input executions. Is this just unsupported? I have another API where I'd use this, but the checkpoint that API provides is a UUID that operates in the same way - each subsequent API call needs to provide the UUID sent in the previous response.
... View more
11-26-2018
06:19 AM
Are you just trying to find all tickets where it's not their first time being "In Dev"? If so, I think you could use a combination of
| stats EARLIEST(update_final) AS earliest_update_final, LATEST(update_final) AS latest_update_final BY key
| search earliest_update_final != latest_update_final
... View more
11-26-2018
06:07 AM
Sounds like a combination of tstats BY host, sourcetype piped into a timechart might be useful here? I'm going off memory here, so I'm not sure if that'll lead to what you want.
You still need to consider what ultimate action you want to take - do you want a dashboard that you manually check? Is the lack of a particular host / sourcetype something you need to be alerted on? Basically, what action will you potentially take after looking at the dashboard? Use that action to drive how you solve the use case.
... View more
10-02-2018
03:13 PM
Ugh, I just ran into this too. Works fine as long as you don't use a base search in a dashboard.
... View more
05-25-2018
10:42 AM
Yeah, I'm looking to use Timeline and additional fields displayed in the tooltip would be a huge benefit.
... View more
05-23-2017
01:40 PM
1 Karma
I'm having the same issue, it would be really nice if the error would actually tell you the name or path of the offending file. Otherwise I just have to guess.
... View more
04-17-2017
06:08 PM
See @russellliss 's answer.
... View more
04-17-2017
06:07 PM
I gave up trying to pass field names with spaces and just removed my rename line that was giving me friendly names.
... View more
12-14-2016
01:15 PM
[company_product]
TRUNCATE=0
TIME_PREFIX=\"-health_checkin_date\":\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N
TZ=UTC
CHARSET=AUTO
KV_MODE=JSON
INDEXED_EXTRACTIONS=JSON
ended up solving it right after I posted this. I think it might be extra important to view the raw log and build the time prefix based on this, rather than attempt to guess based on the way Splunk shows JSON data all prettified.
... View more
12-14-2016
12:54 PM
... Is my TIME_PREFIX incorrect?
... View more
12-14-2016
12:52 PM
1 Karma
-health_checkin_date: 2016-10-30T09:45:28.824Z
That is the line from a JSON event being sent into my Splunk instance via TCP syslog. It's being put into an index in an app I made, so I added the following the props.conf of that app:
[company_product]
TRUNCATE=0
TIME_PREFIX=\"-health_checkin_date\":\s
TIME_FORMAT=%Y-%m-%dT%T.%3N%Z
CHARSET=AUTO
KV_MODE=NONE
INDEXED_EXTRACTIONS=JSON
This stanza matches what is set in the TCP receiver as the custom sourcetype for this port, but the timestamp isn't being properly extracted. I'm intentionally prefixing the field with a hyphen so Splunk will find it quickly in the event. Am I editing the wrong props.conf?
... View more
10-26-2016
07:54 PM
I need to upgrade to 6.5 and take a look at this. Thanks for pushing me to look at this. I agree, stdev probably isn't the right 'algorithm' to use long term.
... View more
10-26-2016
07:53 PM
Whoa. I need to look at this more, but this might be what I was looking for. I'm going to dig deeper on it tomorrow. THANK YOU.
... View more
10-26-2016
06:31 AM
I have a group of users to monitor. They create actions on a fairly regular basis, but they do not all follow the same pattern. Some perform this particular action 4x/hour, some 2x/hour, and some only 2x/day. What I would like to do is create a search that allows me to compare the previous hour of activity to the last 30 days and determine whether the past hour of activity is within "normal" or if their activity has dropped below a threshold.
So my thought is to calculate the avg and stdev for each hour of the day (0-23), per user. Then I could compare that data in the same search to the previous hour and see whether historical_avg_for_given_user_for_given_hour - historical_stdev_for_given_user_for_given_hour > activity_count_for_given_user_for_last_hour and if so, raise an alert for that user.
So that's the goal. I have been looking at "Time After Time – Comparing Time Ranges in Splunk" from @Anonymous, but I'm not sure how to apply that to a multi-user scenario.
Here's what I have so far:
[base search] earliest=-14d@d latest=-1d@d
| eval time_hour = strftime(_time, "%H")
| eval time_day = strftime(_time, "%D")
| stats count AS count_perhour_perday_peruser BY time_hour, time_day, userName
| chart limit=0 avg(count_perhour_perday_peruser) BY time_hour, userName
... View more
- Tags:
- splunk-enterprise
02-18-2016
11:22 AM
this worked for some JSON data I had where I needed to preserve relationships among elements of an array
... View more
05-07-2015
11:57 AM
Your transforms.conf worked amazing for me. All I had to do was format my source events like yours. Thank you!
... View more
