×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
tread_splunk
Splunk Employee
Member since: ‎12-16-2015
‎02-06-2025
Community Statistics
Posts 76
Solutions 8
Karma Given 4
Karma Received 16
Member Since ‎12-16-2015
Activity Feed
View All

Do I need to run this search twice?

by Splunk Employee in Splunk Search
‎10-17-2024 11:34 AM
‎10-17-2024 11:34 AM
I have the following fabricated search which is a pretty close representation of what I actually want to do and gives me the results I want... (index=_audit (action=search OR action=GET_PASSWORD)) OR (index=_internal [ search index=_audit (action=search OR action=GET_PASSWORD) | dedup user | table user] ) | stats count(eval(index="_audit")) as count, values(clientip) as clientip,count(eval(index="_internal")) as internalCount by user i.e for everyone who has performed a search or GET_PASSWORD in one index, I want to know something about them gathered from both indexes.  I can't get past the feeling that I shouldn't need to repeat the "index=_audit (action=search OR action=GET_PASSWORD)" search, which in the actual search is whole lot of SPL, so duplicating it makes things untidy.  Macros aside, can anyone come up with a more elegant solution? ... View more
Labels

Re: Adding a Total column (without using addtotals...

by Splunk Employee in Splunk Search
‎10-01-2024 07:18 AM
‎10-01-2024 07:18 AM
Aha!  That's how you avoid the double-count.  I've encountered this before.  Will definitely put this on file.  Thank you. ... View more

Re: Adding a Total column (without using addtotals...

by Splunk Employee in Splunk Search
‎10-01-2024 07:15 AM
‎10-01-2024 07:15 AM
Oh @ITWhisperer That is sweet. It helps me if I specify the over / by designation ... but hats off to you. | eventstats count as Total | chart count over Total by UpgradeStatus Not looking forward to explaining to anyone how it works ... but work it does.  (I'll add it to my collection of misusing a command to get a result.   Got any others? 🙂) ... View more

Re: Adding a Total column (without using addtotals...

by Splunk Employee in Splunk Search
‎10-01-2024 07:04 AM
‎10-01-2024 07:04 AM
Nice work @PickleRick !   Am I missing something?  I had previously tried with the delightful foreach command earlier but I can't get it to avoid double-counting the Total field.  So I end up with the Total equalling 22 - not the correct result of 11.  I get the same thing with your solution as well. ... View more

Adding a Total column (without using addtotals)

by Splunk Employee in Splunk Search
‎10-01-2024 06:04 AM
‎10-01-2024 06:04 AM
Sometimes I set myself SPL conundrum challenges just to see how to solve them.  I realised I couldn't do something I thought would be quite straightforward.  For the dummy data below I want a single row resultset which tells me how many events of each UpgradeStatus and how  many events in total i.e. Total Completed Pending Processing 11 6 3 2   I don't know in advance what the different values of UpgradeStatus might be and I don't want to use addtotals (this is the challenge part). I came up with the solution below which kinda "misuses" xyseries (which I'm strangely proud of) .  I feel like I'm missing a more straightforward solution, other than addtotals 🙂  Anyone up for the challenge? Dummy data and solution (misusing xyseries) follows...   | makeresults format=csv data="ServerName,UpgradeStatus Server1,Completed Server2,Completed Server3,Completed Server4,Completed Server5,Completed Server6,Completed Server7,Pending Server8,Pending Server9,Pending Server10,Processing Server11,Processing" | stats count by UpgradeStatus | eventstats sum(count) as Total | xyseries Total UpgradeStatus count         ... View more
Labels

Re: How to join search results from two indexes ba...

by Splunk Employee in Splunk Search
‎09-27-2024 04:05 AM
‎09-27-2024 04:05 AM
Nice work @PickleRick !  Imaginative approach!!  I tried out your solution and it appears to work if you replace streamstats with eventstats.  Feels like that should work to me and eventstats feels more efficient than streamstats.  Any thoughts? ... View more

Re: How to join search results from two indexes ba...

by Splunk Employee in Splunk Search
‎09-26-2024 07:32 AM
‎09-26-2024 07:32 AM
Could you provide some sample (dummy) events from both index? ... View more

Re: Spl

by Splunk Employee in Splunk Search
‎05-31-2022 12:24 AM
‎05-31-2022 12:24 AM
Hi @uagraw01 What human readable format do you want? ... View more

Re: Spl

by Splunk Employee in Splunk Search
‎05-30-2022 04:29 AM
1 Karma
‎05-30-2022 04:29 AM
1 Karma
Not sure you can tokens for that.  Will wait and see what response you get.  The following looks like it works for me... index=blah AND [| makeresults | addinfo | eval last_week_min=info_min_time-(60*60*24*7), last_week_max=info_max_time-(60*60*24*7) | eval search="(earliest>".last_week_min." latest<".last_week_max.") OR (earliest>".info_min_time." latest<".info_max_time.")"] Choose the time range you want from the time picker (last 5 mins, last 3hrs, or a time range) and then the subquery returns the earliest / latest combination for that period AND the same period a week ago (i.e. 60*60*24*7 secs ago). ... View more

Re: Date conversion needed

by Splunk Employee in Splunk Search
‎01-25-2022 01:54 AM
‎01-25-2022 01:54 AM
Replace Age_Days with...   eval Age_Days=ceiling((now()-strptime(Last_Checkin,"%Y-%m-%dT%H:%M:%SZ"))/86400)    You are specifying %3N in your format string, which deals with a millisecond component.  Your time value in Last_Checkin doesn't have a millisecond component. ... View more

Re: Display fields with different values only betw...

by Splunk Employee in Splunk Search
‎11-05-2021 11:07 AM
‎11-05-2021 11:07 AM
Adapting the solution provided by @ITWhisperer to provide Desired Outcome 1. | makeresults | eval _raw="product color product_id description1 description2 description3 description4 phone blue tag_1 pass pass fail phone blue tag_2 fail pass pass fail" | multikv forceheader=1 | fields - _* linecount | eval pKey=product.":".color.":".product_id | fields - product color product_id | transpose 0 | eval same=if('row 1'=='row 2',"same","different") | where same="different" | fields - same | transpose 0 header_field=column | rex field=pKey "^(?<product>.*):(?<color>.*):(?<product_id>.*)" | fields - column pKey ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-04-2021 06:19 AM
1 Karma
‎11-04-2021 06:19 AM
1 Karma
@indeed_2000  Its not very pretty.  And requires extensive testing.   | makeresults | eval temp="2021-07-15 00:00:01,800 INFO CUST.InAB-ServerApp-1234567 [MyService] Normal Packet Received: A[50] B[0000211] 2021-07-15 00:00:01,800 INFO CUST.InAB-ServerApp-1234567 [MyService] Packet Processed: A[50] B[0000211] 2021-07-15 00:00:11,719 INFO CUST.VqPO-Oracle7-9876543_CUST.InAB-ServerApp-1234567 [MyService] Normal Packet Received: A[55] B[0000211] 2021-07-15 00:00:11,719 INFO CUST.VqPO-Oracle7-9876543_CUST.InAB-ServerApp-1234567 [MyService] Packet Processed: A[55] B[0000211] 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523 [MyService] Normal Packet Received: A[70] B[0000369] 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523 [MyService] Packet Processed: A[70] B[0000369] 2021-07-15 00:00:01,893 INFO ABCD.DaQW-ParityGQQ-1231234 [MyService] Normal Packet Received: A[60] B[0000465] 2021-07-15 00:00:01,893 INFO ABCD.DaQW-ParityGQQ-1231234 [MyService] Packet Processed: A[60] B[0000456] 2021-07-15 00:00:11,720 INFO EFGH.GaXZ-Carry2-3456789_ABCD.DaQW-ParityGQQ-1231234 [MyService] Normal Packet Received: A[65] B[0000456] 2021-07-15 00:00:11,720 INFO EFGH.GaXZ-Carry2-3456789_ABCD.DaQW-ParityGQQ-1231234 [MyService] Packet Processed: A[65] B[0000456] " | makemv tokenizer="(.*)\n" temp | mvexpand temp | rex field=temp "^(?<timestamp>.{23}) INFO (?<customer>.*) \[MyService\] (?<status>.*): A\[(?<Acode>.*)\] B\[(?<Bcode>.*)\]" | fields - temp | rex field=customer "_(?<customer2>.*)" | eval customer2=coalesce(customer2,customer), customer=if(customer=customer2,null(),customer) | eval sendTime=if(status="Packet Processed",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()), receiveTime=if(status="Normal Packet Received",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()) | eval AcodeSend=if(status="Packet Processed",Acode,null()),BcodeSend=if(status="Packet Processed",Bcode,null()),AcodeReceive=if(status="Normal Packet Received",Acode,null()),BcodeReceive=if(status="Normal Packet Received",Bcode,null()) | eval AcodeReceiveLookFor=AcodeSend+5,acr=coalesce(AcodeReceive,AcodeReceiveLookFor) | fields - Acode _time timestamp status AcodeReceiveLookFor | stats values(*) as *,count by customer2,acr,Bcode | eval duration=receiveTime-sendTime , customer=coalesce(customer,customer2) | eval status=case(isnull(AcodeSend),"No Send",isnull(AcodeReceive),"No receive") | eventstats max(duration) as duration by customer2 | where count=2 OR (status="No receive" AND isnull(duration)) | eval status=coalesce(status,duration) | table customer status ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-04-2021 04:20 AM
1 Karma
‎11-04-2021 04:20 AM
1 Karma
@indeed_2000  Still not sure why... ABCD.DaQW-ParityGQQ-1231234 no receive   ...is in the result.  Shouldn't it be the red one? i.e... 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523 [MyService] Packet Processed: A[70] B[0000369] ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-04-2021 02:34 AM
‎11-04-2021 02:34 AM
@indeed_2000  Why is ... ABCD.DaQW-ParityGQQ-1231234 no receive   ...in the output? ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-03-2021 06:47 AM
1 Karma
‎11-03-2021 06:47 AM
1 Karma
@indeed_2000  Your second green pair have different B codes. 465 vs 456.  This is a typo, correct? ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-02-2021 01:50 PM
‎11-02-2021 01:50 PM
@indeed_2000 | makeresults | eval temp="2021-07-15 00:00:01,800 INFO CUST.InAB-ServerApp-1234567 [MyService] Packet Processed: A[50] B[0000211] 2021-07-15 00:00:01,893 INFO ABCD.DaQW-ParityGQQ-1231234 [MyService] Packet Processed: A[60] B[0000465] 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523 [MyService] Packet Processed: A[70] B[0000369] 2021-07-15 00:00:11,719 INFO CUST.VqPO-Oracle7-9876543_CUST.InAB-ServerApp-1234567 [MyService] Normal Packet Received: A[55] B[0000211] 2021-07-15 00:00:11,720 INFO EFGH.GaXZ-Carry2-3456789_ABCD.DaQW-ParityGQQ-1231234 [MyService] Normal Packet Received: A[65] B[0000465] " | makemv tokenizer="(.*)\n" temp | mvexpand temp | rex field=temp "^(?<timestamp>.{23}) INFO (?<customer>.*) \[MyService\] (?<status>.*): A\[(?<Acode>.*)\] B\[(?<Bcode>.*)\]" | fields - temp | rex field=customer "_(?<customer2>.*)" | eval customer2=coalesce(customer2,customer), customer=if(customer=customer2,null(),customer) | eval startTime=if(status="Packet Processed",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()), endTime=if(status="Normal Packet Received",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()) | eval AcodeStart=if(status="Packet Processed",Acode,null()),BcodeStart=if(status="Packet Processed",Bcode,null()),AcodeFinish=if(status="Normal Packet Received",Acode,null()),BcodeFinish=if(status="Normal Packet Received",Bcode,null()) | fields - Acode Bcode _time timestamp status | stats values(*) as * by customer2 | eval status=endTime-startTime , customer=coalesce(customer,customer2) | fields - startTime, endTime | fillnull value="no receive" status | where isnull(AcodeFinish) OR (AcodeFinish=AcodeStart+5 AND BcodeStart=BcodeFinish) | table customer status ... View more

Re: calculate send response duration

by Splunk Employee in Splunk Search
‎11-02-2021 08:29 AM
‎11-02-2021 08:29 AM
Most of this is fabricating data. | makeresults | eval temp="2021-07-15 00:00:01,800 INFO CUST.InAB-ServerApp-1234567 [MyService] Packet Processed: A[50] B[0000211] 2021-07-15 00:00:01,893 INFO ABCD.DaQW-ParityGQQ-1231234 [MyService] Packet Processed: A[60] B[0000465] 2021-07-15 00:00:01,894 INFO MNBV.ZaQW-ChatCXZ-1478523 [MyService] Packet Processed: A[70] B[0000369] 2021-07-15 00:00:11,719 INFO CUST.VqPO-Oracle7-9876543_CUST.InAB-ServerApp-1234567 [MyService] Normal Packet Received: A[55] B[0000211] 2021-07-15 00:00:11,720 INFO EFGH.GaXZ-Carry2-3456789_ABCD.DaQW-ParityGQQ-1231234 [MyService] Normal Packet Received: A[65] B[0000456] " | makemv tokenizer="(.*)\n" temp | mvexpand temp | rex field=temp "^(?<timestamp>.{23}) INFO (?<customer>.*) \[MyService\] (?<status>.*): (?<Acode>.*) (?<Bcode>.*)" | fields - temp | rex field=customer "_(?<customer2>.*)" | eval customer=coalesce(customer2,customer) | fields - customer2 | eval startTime=if(status="Packet Processed",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()) | eval endTime=if(status="Normal Packet Received",strptime(timestamp,"%Y-%m-%d %H:%M:%S,%3Q"),null()) | stats values(startTime) as startTime, values(endTime) as endTime by customer | eval status=endTime-startTime | fields - startTime, endTime | fillnull value="no receive" status ... View more

Re: Comparing Results from two seperate searches?

by Splunk Employee in Splunk Search
‎11-02-2021 03:36 AM
‎11-02-2021 03:36 AM
Thanks @avajax0 .  I do agree my solution, isn't as as elegant as the one posted by @somesoni2 , but I think mine might actually have performance advantages.  Suggesting this here in case anyone would like to comment.  The way I see it, in my example, the subquery returns a filter list which is applied to the DNS index. DNS might potentially have thousand of host names and hopefully the threat intelligence index will only have a hand full.  Therefore the subquery in my example could reduce the number of events fetched from the DNS index by an order of magnitude improving the overall performance of the query.  "Filter as early as possible" is a best practice rule I've heard repeated often.  Interested to hear any other opinions.  Good luck! ... View more

Re: Stats multiple sourcetypes showing unique fiel...

by Splunk Employee in Splunk Search
‎11-01-2021 08:16 AM
1 Karma
‎11-01-2021 08:16 AM
1 Karma
Stats values(sourcetype) values(Date) as date values(Username) values(Version) by number |mvexpand date ... View more

Re: Query when count is zero in Minute interval

by Splunk Employee in Splunk Search
‎11-01-2021 07:25 AM
‎11-01-2021 07:25 AM
@noman377 I've used my eventstats/streamstats/where technique previously but realised in this case it could be replaced with a stats latest command.  So here is a simplification of the solution.  The "list(count) as count" element is simply a way to see the series of values per pod from which you can verify that durInBadState is providing the correct result. index=_internal component="*" | rename component as pod | timechart span=1m count by pod partial=f limit=0 | untable _time pod count | sort pod _time | eval zeroInterval=if(count=0,1,0) ```zeroInterval is Boolean flag, true (1) when count is zero ``` | streamstats sum(zeroInterval) as durInBadState by pod,zeroInterval reset_on_change=true ```durInBadState is running tally of consecutive zero intervals``` | stats latest(durInBadState) as durInBadState, list(count) as count by pod | where durInBadState!=0 | eval count=mvjoin(count,":")   ... View more

Re: Query when count is zero in Minute interval

by Splunk Employee in Splunk Search
‎10-31-2021 07:38 AM
1 Karma
‎10-31-2021 07:38 AM
1 Karma
@noman377 Try this commented, use-anywhere example, assuming you have access to _internal index.  It works from the time picker and the span=? value in line 3. _internal index collects metrics continuously for numerous different components..  I'm using component to represent your pod.  The report produces a list of pods reporting "missing" (zero) values in the last interval of the time range (specified in the time picker), and the number of consecutive time intervals, at the end of the time range, that have reported zero minutes.  The length of the time interval is specified by the span value in line 3 (1 minute in my example below).  Play around with different span values and time ranges.  'Last 60minutes' is a good place a to start on my instance. index=_internal component="*" | rename component as pod | timechart span=1m count by pod partial=f limit=0 | untable _time pod count | sort pod _time | eval zeroInterval=if(count=0,1,0) ```zeroInterval is Boolean flag, true (1) when count is zero ``` | streamstats sum(zeroInterval) as durInBadState by pod,zeroInterval reset_on_change=true ```durInBadState is running tally of consecutive zero intervals``` | eventstats count as LastIntervalInRange by pod ```LastIntervalInRange is number of time intervals in time range. Determined by time picker``` | streamstats count as IntervalInRange by pod ```Give each interval a position in time range. So we can determine whether it is the last interval. See filter below``` | where IntervalInRange=LastIntervalInRange AND count=0 ```filter to last time interval per pod. And where count is zero``` | table pod count durInBadState   ... View more

Re: Query when count is zero in Minute interval

by Splunk Employee in Splunk Search
‎10-29-2021 08:06 AM
1 Karma
‎10-29-2021 08:06 AM
1 Karma
I'm not quite clear on what you're looking for but I'm playing around with the following... index=_internal component="*" | timechart span=1m count by component | untable _time component count | sort component _time | eval zeroMin=if(count=0,1,0) | streamstats sum(zeroMin) by component,zeroMin reset_on_change=true | xyseries _time component count sum(zeroMin) zeroMin format="$VAL$:$AGG$" ... View more

Re: Query when count is zero in Minute interval

by Splunk Employee in Splunk Search
‎10-29-2021 07:57 AM
‎10-29-2021 07:57 AM
Do you want to calculate, for each pod, the length (in minutes) of the gap?   ... View more

Re: Comparing Results from two seperate searches?

by Splunk Employee in Splunk Search
‎10-29-2021 06:12 AM
1 Karma
‎10-29-2021 06:12 AM
1 Karma
Reading this again, I think you're looking for a subsearch.  Something along these lines. index=DNS [| search index=Threat_Intelligence | table DomainName | rename DomainName as RequestedDomainName | format] | dedup RequestedDomainName | table RequestedDomainName So the subsearch returns a string like ((RequestedDomainName=IntelDomainName1) OR (RequestedDomainName="IntellDomainName2" etc etc)".  Run the subsearch on its own and you'll see what it builds.  This string gets applied to your DNS data as a filter.  Leaving all the events in the DNS index which have domain names referenced in the Threat_Intelligence index. ... View more

Re: How do you use timewarp in specific?

by Splunk Employee in Splunk Search
‎10-29-2021 05:33 AM
‎10-29-2021 05:33 AM
You can adapt this.  I don't have months of data on my laptop.  So I've produced a chart with 2 lines.  One line is the last minute of activity (count of events per second), the other line is the average activity based on the 4 minutes before that. index=_internal sourcetype=splunkd component=Metrics earliest=-5min@min latest=@min | timechart span=1s count | eval latestMinute=if(_time>=relative_time(now(),"-1m@m"),"LatestMinute","Average"), sec=strftime(_time,"%S") | chart avg(count) over sec by latestMinute ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-06-2025 09:11 AM
Karma from
Karma given to
View All