Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About snoobzilla
snoobzilla
Builder
Member since:
04-07-2014
06-05-2020
Community Statistics
| Posts | 162 |
| Solutions | 16 |
| Karma Given | 41 |
| Karma Received | 31 |
| Member Since | 04-07-2014 |
Activity Feed
- Got Karma for Re: Is it better to use loadjob or scheduled saved search to improve dashboard performance?. 05-20-2021 11:00 AM
- Got Karma for Re: Is it better to use loadjob or scheduled saved search to improve dashboard performance?. 05-20-2021 11:00 AM
- Karma Re: Why is setting a token from result not working? for woodcock. 06-05-2020 12:48 AM
- Karma timeline custom visualization - Increase the width of labels in left (resource_field) for sarthakb. 06-05-2020 12:48 AM
- Karma Re: Is the Transaction command suitable for large volumes of data and what is the benefit of using this command? for niketn. 06-05-2020 12:48 AM
- Karma Re: Is the Transaction command suitable for large volumes of data and what is the benefit of using this command? for nabeel652. 06-05-2020 12:48 AM
- Karma Re: Using Lookup Table for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Timeline - Custom Visualization: How to hide the legend? for dmaislin_splunk. 06-05-2020 12:48 AM
- Karma Re: Timeline - Custom Visualization: Additional fields can be added to the query, but where are these values shown in the visualization? for frobinson_splun. 06-05-2020 12:48 AM
- Karma Re: Delete Command Permissions - Specific Index for dturnbull_splun. 06-05-2020 12:48 AM
- Karma Re: Email Alert Subject Stuck - Splunk 6.3 - Splunk Alert: $searchname$ for woodcock. 06-05-2020 12:48 AM
- Karma Re: Why am I unable to extract all fields from a JSON event? for javiergn. 06-05-2020 12:48 AM
- Karma Re: Why does having multiple values for mvlist produce unexpected results for my transaction search? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Why is setting a token from result not working? for niketn. 06-05-2020 12:48 AM
- Karma Re: Why is setting a token from result not working? for niketn. 06-05-2020 12:48 AM
- Karma Re: Timeline - Custom Visualization: Is it possible to have a floating legend when there are a lot of entries I have to scroll through? for frobinson_splun. 06-05-2020 12:48 AM
- Karma Re: Why is setting a token from result not working? for niketn. 06-05-2020 12:48 AM
- Karma Re: Why is setting a token from result not working? for somesoni2. 06-05-2020 12:48 AM
- Got Karma for Re: How to name NULL column. 06-05-2020 12:48 AM
- Got Karma for Email Alert Subject Stuck - Splunk 6.3 - Splunk Alert: $searchname$. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 2 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 3 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
04-19-2017
12:16 PM
I guess what I am not saying clearly is that I need a bunch of objects from default added back to local. How best to do that cleanly?
... View more
04-19-2017
12:07 PM
Thanks... So based on this we should overwrite the default directory for the app on the SHC deployer with what I want to be there so the next deployment does not push the old objects back out...
http://docs.splunk.com/Documentation/Splunk/6.5.3/DistSearch/PropagateSHCconfigurationchanges
So something like...
Make NEW with what I want in default and local.
Put NEW default on deployer.
Put NEW local and default on SH Captain?
Do we need to restart after?
... View more
04-19-2017
09:07 AM
During an upgrade last summer, Splunk PS (Professional Services) had our admin move all the local assets into default... which left us with a bunch of objects that we can't edit/delete. I will be leaving current company soon and looking to do a clean up before I go for my successor.
Looking for best practices for moving default back to local without overwriting local.
I am a power user and work exclusively from Splunk Web. We have a separate team of Splunk admins who manage the environment. We use search head clustering. Because we don't have access to back end we would rather just have full access to all objects in app.
Plan is to...
Get copy of app
Merge .conf file entries we wish to retain from default into local.
Similar for views = move to local
Overwrite the app on the search head captain with cleaned up copy
Restart splunk or destructive sync??? <---------------------------------------------MAIN QUESTION!!!
Thanks in advance for help/feedback.
... View more
02-24-2017
09:54 AM
1 Karma
Thanks for all the help troubleshooting. Not sure who to credit answer too... but when I eliminated extra event handler and put everything in finalized it works.
Finalized vs above...
<finalized>
<condition match="'job.resultCount' == 1">
<set token="KER">$result.KER$</set>
<set token="singleresult">true</set>
<set token="runDuration">$job.runDuration$</set>
<eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
</condition>
<condition match="'job.resultCount' != 1">
<set token="runDuration">$job.runDuration$</set>
<unset token="singleresult"></unset>
<unset token="KER"></unset>
<eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
</condition>
</finalized>
I thought I had tried this.
Also eliminated some unnecessary table drilldown options in an event handler elsewhere... good news is working now.
... View more
02-24-2017
07:22 AM
Enterprise 6.4.1
... View more
02-24-2017
06:17 AM
@jkat54 a bit of a pain to sanitize from internal references... may resort to that eventually.
... View more
02-24-2017
05:12 AM
Thanks, no change. Updated with more of surrounding code.
... View more
02-24-2017
05:11 AM
@niketnilay Updated with more of surrounding code. Tried your suggestions, no improvement.
... View more
02-24-2017
05:06 AM
I added more of surrounding code... it is a base search and there is a finalized event handler at the end but pulling that did not fix.
... View more
02-23-2017
01:16 PM
2 Karma
Any ideas on why KER_RESULT would not be working? Tail end of base query...
Updated code...
<search id="events">
<query>$environment$ $bloomfilter$ `Errors`
| eval KER_EDIT=KER
| search Client_Impact!="Normal_Dialog" $searchType$$searchField$
| table _time ErrorLogID KER
</query>
<earliest>$timerange.earliest$</earliest>
<latest>$timerange.latest$</latest>
<done>
<condition match="'job.resultCount' == 1">
<set token="KER">$result.KER$</set>
<set token="singleresult">true</set>
<set token="runDuration">$job.runDuration$</set>
</condition>
<condition match="'job.resultCount' != 1">
<set token="runDuration">$job.runDuration$</set>
<unset token="singleresult"></unset>
<unset token="KER"></unset>
</condition>
</done>
<finalized>
<eval token="KER_COLUMN">coalesce($view$,"KER")</eval>
</finalized>
</search>
There is a single result and a KER value but the KER_RESULT token keeps coming back as $result.KER$ even though singleresult token is returning true.
Thanks
... View more
01-27-2017
10:41 AM
Need more details.
Taking a guess... something like the following should work assuming you have a cost field unique to the cost data events.
search usageevent OR costevent
| eventstats last(costfield) AS CostThisPeriod
| stats sum(usage) AS usage values(CostThisPeriod) AS CostThisPeriod by customer
| eval billing=usage*CostThisPeriod
... View more
01-27-2017
10:27 AM
Eventstats should work, though not terribly efficient...
sourcetype=access $host1$ OR $host2$ error=2*
| eventstats dc(host) AS hosts by uid
| search hosts>1
| chart max(O) over host by uid
... View more
01-23-2017
07:59 AM
Thanks... I think what you are saying is in line with what I said in original post.
... View more
01-23-2017
06:57 AM
See above. I would like to restrict more based on what they can see from an interface standpoint than a data standpoint.
... View more
01-23-2017
06:56 AM
PS... I am planning on giving them only a simple dashboard to access data, not open search access to I am more interested in controlling access that way. I am not planning on giving them access to search and reporting, etc.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
