cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
jwahlgren
Engager
Member since: ‎04-09-2014
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎04-09-2014
Activity Feed
View All

Re: Splunk 6.5.0: How to edit my dashboard to set ...

by in Splunk Search
‎11-16-2016 08:02 AM
‎11-16-2016 08:02 AM
Thank you for the detailed answer, I was able to fix the issue with the help of your instructions. ... View more

Re: How to extract text from the Message field up ...

by in Splunk Search
‎11-14-2016 05:50 AM
‎11-14-2016 05:50 AM
Try: | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) |table Short_Message Edit: Depending on the message you can filter out what lines to show with (Message,0) were 0 is first line. So if you only wan't to show line 3 you can specify eval Short_Message=mvindex(Message,2). In your case the above query should be correct as you only want to show the first line in the message. ... View more

Splunk 6.5.0: How to edit my dashboard to set an i...

by in Splunk Search
‎11-10-2016 08:04 AM
‎11-10-2016 08:04 AM
Hi fellow Splunkers 🙂 I have a table containing various fields such as sourcetype and username etc. I want to enable the user to always drilldown on sourcetype and user + what ever field is clicked on. Here is how my code looks like now <panel> <table id="master"> <title>Test</title> <search> <query>main search... | bucket _time span=5m | stats count by sourcetype,_time,user,app,action,host,src,dest</query> <earliest>$s_time.earliest$</earliest> <latest>$s_time.latest$</latest> </search> <option name="dataOverlayMode">heatmap</option> <option name="drilldown">cell</option> <option name="percentagesRow">false</option> <option name="rowNumbers">true</option> <option name="totalsRow">true</option> <drilldown> <set token="s_sourcetype">$row.sourcetype$</set> <set token="s_user">$click.value2$</set> </drilldown> </table> </panel> </row> <row> <panel> <event id="detail" depends="$s_sourcetype$"> <title>Detailed events by sourcetype $s_event_source$ and username $s_user$</title> <search> <query>main search... | search (sourcetype="$s_sourcetype$" user="$s_user$" host="$s_host$" src="$s_src$" dest="$s_dest$")</query> <earliest>$s_time.earliest$</earliest> <latest>$s_time.latest$</latest> </search> <option name="count">20</option> <option name="maxLines">5</option> <option name="rowNumbers">1</option> <option name="type">list</option> </event> </panel> For now this works just fine if I only click on the user field in the master table. It will pass the token to the second panel and show results in an event list with the title e.g. "Detailed events by sourcetype WinEventLog:Security and username admin" But, if a user clicks any of the other fields, like "host", it will show: "Detailed events by sourcetype WinEventLog:Security and username 127.0.0.1" and pass the host token to the user token. I tried to follow the "Contextual example with multiple conditions" at Splunk docs (can't post link) and that is simple with just sourcetype and log_level fields, however I want to select value in table and not by column name as this will search for user=user. With my example I'm not able to figure out how to do this. Any suggestions? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All