About eelisio2

eelisio2 · ‎04-25-2017

It sounds like you create more than 1 search and add each to a dashboard as an inline search (not save separately as a Report). Then, you schedule the dashboard to deliver a PDF. Your goal is to have the PDF delivered (or not) based on the result of 1 of the searches in the dashboard. You edited the ScheduledView_Mydashboard artifact in "Searches, reports, and alerts". Am I correct in understanding that you edit the Search at the top of the form? You replace " | noop" with the first inline search from your dashboard or another search entirely? And then you edit the Alert Condition to be based on a field from your search. I have tested this scenario and it works with the Alert Action being "List in Triggered Alerts". I don't have an email server set up. Please try it with List in Triggered Alerts enabled and Send Email not enabled. You can check for the alert under Activity=>Triggered Alerts

eelisio2 · ‎04-24-2017

As written, your search will set icount equal to the number of events returned. The search "index=main source=winEventlog |stats dc(source) as icount" will result in icount being set to 1. Try skipping the dashboard. In the search bar add the search, "index=main source=winEventlog |stats dc(source) as icount". Execute the search. Click "Save As". Choose Alert. You can choose to schedule the alert to execute on a regular interval. Then, Edit Trigger Alert When to Custom. Add your condition, "search icount>999999". Under Trigger Actions, choose Add Action. Select Send Email. You can choose to include a pdf, csv, link, etc.

eelisio2 · ‎04-13-2017

Can you test on a small set of events? (Maybe 5-10 events) Can you submit the sample data, the search and the results of your search?

eelisio2 · ‎04-13-2017

Saurabhsood: I assume that ENV is a field. And the values of the field ENV include "PROD". As written, your search will return the full event that corresponds to the first new value of ENV that it sees. Given the following events: 4/13/2017 PROD The first event 4/13/2017 DEV The second event 4/13/2017 PROD The third event 4/13/2017 ZZZ The fourth event 4/13/2017 DEV The fifth event Your search would return the first, second and fourth events. The ENV field would have 3 unique values. i suggest adding a table command to the end of your search to validate that you are getting the results you expect. index="abc" |dedup ENV | eval envt=ENV | table ENV

eelisio2 · ‎03-08-2012

You should be able to use a Macro for this. <searchTemplate>`YourMacro($forminput$)`</searchTemplate> http://docs.splunk.com/Documentation/Splunk/4.3.1/User/CreateAndUseSearchMacros

eelisio2 · ‎02-10-2012

This will return only the servers with more than 10 events: tag=failure | dedup _raw | stats count by CmcHost | search count > 10 This will only return rows where the count is greater than 10. Then, you can alert if number of events(rows returned by the search) is greater than zero.

eelisio2 · ‎02-05-2012

This looks like it will give you what you want. earliest=-7d@d latest=-6d@d eventtype=SALE AND venue="A" OR venue="B" | eval label="Total Same Day Last Week" | eval _time =_time+60*60*24*7 | append [search earliest=-0d@d eventtype=SALE AND venue="A" OR venue="B" | eval label="Total Today"] | append [search earliest=-0d@d eventtype=SALE AND venue="A" OR venue="B" | eval label=venue] | timechart span=15m count by label

eelisio2 · ‎01-02-2012

This should give you the results you want: cluster=cluster_1 | bucket _time span=5m | stats count(eval(relay=relayhost1 AND eventtype=relay)) as "Relay Count", count(eval(reject="554 5.7.1 Service unavailable")) as "Reject Count", count(eval(categorization="spam-confirmed" OR reject=551)) as "Spam" by _time

eelisio2 · ‎12-23-2011

This should get you part of the way there. Not sure if it is more efficient than what you are currently doing. sourcetype=yoursourcetype | eval steptime= _time | transaction UserLogin | mvexpand steptime | sort UserLogin, -steptime | streamstats count as seq by UserLogin | delta steptime as StepDuration | eval StepDuration=abs(StepDuration) | eval StepDuration=if(seq=1,0,StepDuration) | convert ctime(steptime) as StepTime | table _time UserLogin Page steptime StepTime StepDuration Note that the transaction command automatically creates the duration and eventcount fields for an entire transaction. Sort on -steptime is so that the results of the delta command end up with the appropriate page/event. This does not account for the third page in your posted question. The last page in any set would have a StepDuration of zero. If you want to eliminate certain StepDurations from the results you can add a search command. sourcetype=yoursourcetype | eval steptime= _time | transaction UserLogin | mvexpand steptime | sort UserLogin, -steptime | streamstats count as seq by UserLogin | delta steptime as StepDuration | eval StepDuration=abs(StepDuration) | eval StepDuration=if(seq=1,0,StepDuration) | search StepDuration > 120 AND StepDuration < 1800 | convert ctime(steptime) as StepTime | table _time UserLogin Page steptime StepTime StepDuration

eelisio2 · ‎12-23-2011

I believe this is what you are looking for. | stats values(myvalue) as MyValues, values(colour) as Colours by name

eelisio2 · ‎12-21-2011

I would modify the search slightly. index=_internal source="metrics.log" group=per_index_thruput series!=_ | eval totalGB = (kb/1024)/1024 | timechart span=1d sum(totalGB) as SUMTOTALGB | rangemap field=SUMTOTALGB low=0-13 elevated=13-16 severe=16-9999 default=None And use the following in the Alert custom criterion: search SUMTOTALGB > 8

eelisio2 · ‎12-20-2011

Have you tried streamstats to create a sequence number? "your search" | streamstats count as seq by sessionID | search seq > 3 AND seq < 8

eelisio2 · ‎12-09-2011

Glad to help. Good luck.

eelisio2 · ‎12-08-2011

The replace() function should help: sourcetype="etrexacclog" | eval myfield="$instance$" | eval myfield=replace(myfield,":",".ad.com:") | where like(instance,"$instance$") OR like(instance,myfield)

eelisio2 · ‎11-30-2011

I'm glad that you found a different solution. The search from my answer will work as well. There needs to be a common field name for the join command to work. Note that if you run my search without " | search sourcetype=alldatabases | table db_name", the result set has a mix of the 2 sourcetypes. The rows with the sourcetype="alldatabases" did not find a match in the other sourcetype. So, the extra search command at the end should filter the results accordingly.

eelisio2 · ‎11-30-2011

Do you have (or can generate) a list of all Database Names? You could index that list. Extract the database name from the backup logs. Use the same fieldname (e.g., db_name) in both sourcetypes (the list of all databases and the backup log) The following should give you a list of database names from the alldatabases sourcetype that aren't matched in the backuplog sourcetype. sourcetype="alldatabases" | join type=outer db_name [search sourcetype=backuplog] | search sourcetype=alldatabases | table db_name

eelisio2 · ‎11-25-2011

Assuming clientpc is an IPAddress, I would try the append command to gather the events from your 3 searches and then pipe to the transaction command to correlate. In order for the transaction command to correlate based on field names, you need to change "clientpc" to "IPadr" and also change "switch_mac" to "Mac_adr". (Make sure the spelling of the Ip address and Mac address fields match.) Include your 3 searches (without the stats commands) in the framework below: "Your first search" | append [search "Your second search"] | append [search "Your third search"] | transaction Mac_adr IPadr

eelisio2 · ‎11-24-2011

Your searches results depend on having certain fields (MacAddress, IPAddress, Role). Fields can be automatically extracted by Splunk at search time based on key-value pairs in the logs events. Or they can be extracted explicitly by editing props.conf (and transforms.conf if necessary).

eelisio2 · ‎11-24-2011

Note the field in the sum() should be "cvp" underscore "reserved" underscore "count".

eelisio2 · ‎11-24-2011

I think Summary Indexing would work for this. Create a new index for your summary (e.g., summarytopstatus). Create search to use the sitop command instead of top. (sourcetype="yoursourcetype" | sitop Event_ID) with a relative timeframe of -1d@d Edit the search to have it run on a scheduled basis. (every day at midnight) Check 'Enable Summary Indexing'. Select your new index. The following should give your the results you are looking for: index="summarytopstatus" search_name="yoursearchname" | stats count as Num_Days_On_List , sum(cvp*reserved*count) as TotalCount by Event_ID

Posts	35
Solutions	11
Karma Given	1
Karma Received	27
Member Since	‎11-08-2010

Online Status	Offline
Date Last Visited	‎06-05-2020 02:02 AM

Duplicate files being indexed

Re: Custom Condition Question for Alert

Re: Custom Condition Question for Alert

Re: Custom Condition Question for Alert

Re: Custom Condition Question for Alert

Re: Creating a form using saved search

Re: finding greater than value from search resutls

Re: append comparison to 1 week earlier with timec...

Re: Combining Multiple series

Re: Calculating page read time

Re: Deduping max-match on a rex.

Re: Custom Condition Question for Alert

Re: Search and grep for numbered events

Re: drilldown click value issue

Re: drilldown click value issue

Re: Return something when search doesn't return an...

Re: Return something when search doesn't return an...

Re: Merging Results from 3 Searches

Re: Merging Results from 3 Searches

Re: Advanced Search

Re: Advanced Search