Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About snoobzilla
snoobzilla
Builder
Member since:
04-07-2014
06-05-2020
Community Statistics
| Posts | 162 |
| Solutions | 16 |
| Karma Given | 41 |
| Karma Received | 29 |
| Member Since | 04-07-2014 |
Activity Feed
- Karma Re: Why is setting a token from result not working? for woodcock. 06-05-2020 12:48 AM
- Karma Re: Is the Transaction command suitable for large volumes of data and what is the benefit of using this command? for niketnilay. 06-05-2020 12:48 AM
- Karma Re: Is the Transaction command suitable for large volumes of data and what is the benefit of using this command? for nabeel652. 06-05-2020 12:48 AM
- Karma Re: Timeline - Custom Visualization: How to hide the legend? for dmaislin_splunk. 06-05-2020 12:48 AM
- Karma Re: Timeline - Custom Visualization: Additional fields can be added to the query, but where are these values shown in the visualization? for frobinson_splun. 06-05-2020 12:48 AM
- Karma timeline custom visualization - Increase the width of labels in left (resource_field) for sarthakb. 06-05-2020 12:48 AM
- Karma Re: Using Lookup Table for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Delete Command Permissions - Specific Index for dturnbull_splun. 06-05-2020 12:48 AM
- Karma Re: Email Alert Subject Stuck - Splunk 6.3 - Splunk Alert: $searchname$ for woodcock. 06-05-2020 12:48 AM
- Karma Re: Why am I unable to extract all fields from a JSON event? for javiergn. 06-05-2020 12:48 AM
- Karma Re: Why is setting a token from result not working? for niketnilay. 06-05-2020 12:48 AM
- Karma Re: Why does having multiple values for mvlist produce unexpected results for my transaction search? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Why is setting a token from result not working? for niketnilay. 06-05-2020 12:48 AM
- Karma Re: Timeline - Custom Visualization: Is it possible to have a floating legend when there are a lot of entries I have to scroll through? for frobinson_splun. 06-05-2020 12:48 AM
- Karma Re: Why is setting a token from result not working? for niketnilay. 06-05-2020 12:48 AM
- Karma Re: Why is setting a token from result not working? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for Re: Why is setting a token from result not working?. 06-05-2020 12:48 AM
- Got Karma for Custom Eval Command or Custom Search Command as Calculated Field?. 06-05-2020 12:48 AM
- Got Karma for Re: How can I separate the event by condition?. 06-05-2020 12:48 AM
- Got Karma for Timeline - Custom Visualization: How to set up tokens and control the drilldown behavior for cells, rows, and the legend?. 06-05-2020 12:48 AM
04-19-2017
12:16 PM
I guess what I am not saying clearly is that I need a bunch of objects from default added back to local. How best to do that cleanly?
... View more
04-19-2017
12:07 PM
Thanks... So based on this we should overwrite the default directory for the app on the SHC deployer with what I want to be there so the next deployment does not push the old objects back out...
http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/PropagateSHCconfigurationchanges
So something like...
Make NEW with what I want in default and local.
Put NEW default on deployer.
Put NEW local and default on SH Captain?
Do we need to restart after?
... View more
04-19-2017
09:07 AM
During an upgrade last summer, Splunk PS (Professional Services) had our admin move all the local assets into default... which left us with a bunch of objects that we can't edit/delete. I will be leaving current company soon and looking to do a clean up before I go for my successor.
Looking for best practices for moving default back to local without overwriting local.
I am a power user and work exclusively from Splunk Web. We have a separate team of Splunk admins who manage the environment. We use search head clustering. Because we don't have access to back end we would rather just have full access to all objects in app.
Plan is to...
Get copy of app
Merge .conf file entries we wish to retain from default into local.
Similar for views = move to local
Overwrite the app on the search head captain with cleaned up copy
Restart splunk or destructive sync??? <---------------------------------------------MAIN QUESTION!!!
Thanks in advance for help/feedback.
... View more
02-24-2017
09:54 AM
1 Karma
Thanks for all the help troubleshooting. Not sure who to credit answer too... but when I eliminated extra event handler and put everything in finalized it works.
Finalized vs above...
<finalized>
<condition match="'job.resultCount' == 1">
<set token="KER">$result.KER$</set>
<set token="singleresult">true</set>
<set token="runDuration">$job.runDuration$</set>
<eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
</condition>
<condition match="'job.resultCount' != 1">
<set token="runDuration">$job.runDuration$</set>
<unset token="singleresult"></unset>
<unset token="KER"></unset>
<eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
</condition>
</finalized>
I thought I had tried this.
Also eliminated some unnecessary table drilldown options in an event handler elsewhere... good news is working now.
... View more
02-24-2017
07:22 AM
Enterprise 6.4.1
... View more
02-24-2017
06:17 AM
@jkat54 a bit of a pain to sanitize from internal references... may resort to that eventually.
... View more
02-24-2017
05:12 AM
Thanks, no change. Updated with more of surrounding code.
... View more
02-24-2017
05:11 AM
@niketnilay Updated with more of surrounding code. Tried your suggestions, no improvement.
... View more
02-24-2017
05:06 AM
I added more of surrounding code... it is a base search and there is a finalized event handler at the end but pulling that did not fix.
... View more
02-23-2017
01:16 PM
2 Karma
Any ideas on why KER_RESULT would not be working? Tail end of base query...
Updated code...
<search id="events">
<query>$environment$ $bloomfilter$ `Errors`
| eval KER_EDIT=KER
| search Client_Impact!="Normal_Dialog" $searchType$$searchField$
| table _time ErrorLogID KER
</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
<done>
<condition match="'job.resultCount' == 1">
<set token="KER">$result.KER$</set>
<set token="singleresult">true</set>
<set token="runDuration">$job.runDuration$</set>
</condition>
<condition match="'job.resultCount' != 1">
<set token="runDuration">$job.runDuration$</set>
<unset token="singleresult"></unset>
<unset token="KER"></unset>
</condition>
</done>
<finalized>
<eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
</finalized>
</search>
There is a single result and a KER value but the KER_RESULT token keeps coming back as $result.KER$ even though singleresult token is returning true.
Thanks
... View more
01-27-2017
10:41 AM
Need more details.
Taking a guess... something like the following should work assuming you have a cost field unique to the cost data events.
search usageevent OR costevent
| eventstats last(costfield) AS CostThisPeriod
| stats sum(usage) AS usage values(CostThisPeriod) AS CostThisPeriod by customer
| eval billing=usage*CostThisPeriod
... View more
01-27-2017
10:27 AM
Eventstats should work, though not terribly efficient...
sourcetype=access $host1$ OR $host2$ error=2*
| eventstats dc(host) AS hosts by uid
| search hosts>1
| chart max(O) over host by uid
... View more
01-23-2017
07:59 AM
Thanks... I think what you are saying is in line with what I said in original post.
... View more
01-23-2017
06:57 AM
See above. I would like to restrict more based on what they can see from an interface standpoint than a data standpoint.
... View more
01-23-2017
06:56 AM
PS... I am planning on giving them only a simple dashboard to access data, not open search access to I am more interested in controlling access that way. I am not planning on giving them access to search and reporting, etc.
... View more
01-23-2017
06:39 AM
We have a fairly large deployment with 60 plus individual apps. These are used almost exclusively by DEVOPS and we haven't really had a need to limit users from using apps/views.
Now we have a need to expose some data to 200 people outside of IT and would like to determine the best way to prevent them from being able to just poke around... i.e. limit them to a specific APP and/or Views/Dashboards within that app and not allow them access to Search within that app.
Based on docs, to grant a role only access a single App it looks like I need to:
Remove "everyone" access from all apps and grant each existing role specific access to all 60+ existing apps
Create a new role with most capabilities of user (e.g. user_external)
Grant user_external access only to the apps/views needed
Do I have this right? If so any suggestions as to the best way to go about it?
For background, I am power user/developer without full admin access who just got admin certification. I will be bringing approaches to the Splunk admin team to execute and want to bring best practice to the table as we haven't done this before.
Thanks!
... View more
01-23-2017
04:47 AM
There are a lot of ways to do things in Splunk and I was relating my experience where I was trying to improve performance of a dashboard.
2 million records is a lot to put through the pipeline every call and expect it to be fast. Some options:
1. cache the loaded job in a database outside of Splunk and poll it from there.
2. build an accelerated datamodel containing the results and query Splunk with filters and/or any aggregation commands applied to the datamodel, so you are only pulling a smaller set of results out.
If you are trying to join with external data can you move that data into Splunk and join it there?
... View more
01-22-2017
08:12 PM
Having gone down this path with fewer events, I changed over to an accelerated datamodel with just the fields of concern.
... View more
01-18-2017
04:50 AM
I think I am following. Add what you want to filter on as a sum or max in the second stats command then use that for your filter...
| stats max(BlockedServiceCount) AS maxBlockedServiceCount sum(BlockedServiceCount) AS sumBlockedServiceCount list(BlockedService) AS BlockedService list(BlockedServiceCount) AS BlockedCount list(AllowedService) AS AllowedService list(AllowedServiceCount) AS AllowedCount list(DestIP) AS DestIP by src_ip
| where ...
| fields - maxBlockedServiceCount sumBlockedServiceCount
Does that help?
... View more
01-17-2017
04:00 AM
Not sure I am following. Can you post where you are putting the where in the query?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
