Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About sarit_s
sarit_s
Path Finder
Member since:
12-25-2015
06-11-2020
Community Statistics
| Posts | 307 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 4 |
| Member Since | 12-25-2015 |
Activity Feed
- Posted macro with arguments on Splunk Enterprise. 06-10-2020 11:54 PM
- Posted Re: search with parameters on Splunk Search. 06-09-2020 02:35 PM
- Got Karma for Re: index summary vs Cached search results. 06-05-2020 12:51 AM
- Karma Re: How can gaps be detected in data? for DavidHourani. 06-05-2020 12:50 AM
- Got Karma for Re: How do I extract fields with Rex?. 06-05-2020 12:50 AM
- Got Karma for How can gaps be detected in data?. 06-05-2020 12:50 AM
- Got Karma for Re: show top 5 values in column chart. 06-05-2020 12:50 AM
- Posted Re: search with parameters on Splunk Search. 06-04-2020 12:46 AM
- Posted Re: search with parameters on Splunk Search. 06-03-2020 09:50 AM
- Posted Re: search with parameters on Splunk Search. 06-03-2020 09:49 AM
- Posted search with parameters on Splunk Search. 06-03-2020 07:12 AM
- Posted Re: use inputlookup to get data on Splunk Search. 06-01-2020 02:59 AM
- Posted use inputlookup to get data on Splunk Search. 06-01-2020 01:36 AM
- Posted Re: calculate min and max time of event on Archive. 05-27-2020 02:52 AM
- Posted Re: calculate min and max time of event on Archive. 05-27-2020 02:31 AM
- Posted Re: calculate min and max time of event on Archive. 05-27-2020 02:24 AM
- Posted calculate min and max time of event on Archive. 05-27-2020 01:21 AM
- Posted Re: compare cell value in a raw on Archive. 05-13-2020 05:23 AM
- Posted Re: compare cell value in a raw on Archive. 05-13-2020 03:31 AM
- Posted Re: compare cell value in a raw on Archive. 05-13-2020 03:15 AM
06-10-2020
11:54 PM
Hello, I have a csv file which contains 12 columns and i want to use the values of the columns as arguments in my search. i thought the best way to achieve it will be with macro that will read the file but im not sure how to do it. maybe there is another way ? i also tried this query : [| inputlookup concurrency_rules.csv | fields Used* | transpose | rename "row 1" as eventtype | fields eventtype]
| transaction maxpause=2s maxspan=1s maxevents=5
| eval max_time=(duration + _time)
| eval min_time=(_time)
| rename kafka_uuid as uuids
| where eventcount!=5
| table eventtype ,min_time, max_time,tail_id,uuids it is working but not dynamic as i wanted. the file supposed to have more than 1 row so the rename of row 1 is not good enough and also not all the values in row 1 are eventtypes. also i have more fields there that i want to use as arguments thanks for the help
... View more
Labels
06-09-2020
02:35 PM
@efika thanks, it is working but it is not allowed me to be dynamic. what if my file will contain more than one row ? also, not all the values in "row 1" are eventtypes.. how can i use the values from the file as arguments ?
... View more
06-04-2020
12:46 AM
im not sure i understood what you are saying...
this is how my table looks like :
AlertNameNonUnique AlertNameUnique AlertSevirityNonUnique AlertSevirityUnique UsedRule1 UsedRule10 UsedRule2 UsedRule3 UsedRule4 UsedRule5 UsedRule6 UsedRule7 UsedRule8 UsedRule9
how can i use this values as parameters in my query ?
... View more
06-03-2020
09:50 AM
hi, thanks for your answer...
i know the algorithm, i just don't know how to apply it
... View more
06-03-2020
09:49 AM
Hey, thanks for your answer..
my lookup table has 10 different columns that calls UsedRule1...UsedRule10
eventtype should be each one of the UsedRole in the lookup
... View more
06-03-2020
07:12 AM
Hello,
I have this query:
index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| transaction maxpause=2s maxspan=2s maxevents=5
| eval Max_time=(duration + _time)
| eval Min_time=(_time)
| table _time,eventcount, eventtype ,Min_time, Max_time,tail_id,kafka_uuid
| foreach eventtype
[eval flag_eventtype=if(eventcount!=5,"no", "yes")]
now i have a lookup table and i want to set parameters in my query that will be taken from the lookup table. for example , instead of searching
eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
i want to take the values of the eventtype from the lookup table
how can i do that ?
thanks
... View more
06-01-2020
02:59 AM
thanks
is it possible to group all the fields to one ?
for example, in this query i have 5 different eventtypes. if im running "|table eventtype" im getting all the 5.. if im running it from the lookup file i have each eventtype in different parameter.
is it possible to group them all ?
... View more
06-01-2020
01:36 AM
Hello I'm running this query:
index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| transaction maxpause=2s maxspan=1s maxevents=5
| eval max_time=(duration + _time)
| eval min_time=(_time)
| rename kafka_uuid as uuids
| where eventcount!=5
| table eventtype ,min_time, max_time,tail_id,uuids
| eval eventtype="csm_dhcp_anomaly"
now i have csv file and i want to read the "eventtype" parameters from there. how can i call inputlookup ? all of my tries didn't work..
thanks
... View more
Labels
05-27-2020
02:52 AM
it looks like using transaction is the right way.. so how can i use rex to extract _time ?
... View more
05-27-2020
01:21 AM
hello
im trying to calculate min and max time of event (the time when the event started and when its ended)
when im adding my calculation to the query im loosing the results of the rest of the query and getting only the result of the time calculation...
what am i missing ?
index=prod eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| transaction maxpause=2s maxspan=1s maxevents=5
| stats first(_time) as min_time, last(_time) as max_time
| table _time,eventcount, eventtype, tail_id, kafka_uuid,min_time,max_time
| foreach eventtype
[eval flag_eventtype=if(eventcount!=5,"no", "yes")]
... View more
05-13-2020
05:23 AM
index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| timechart span=1s count BY eventtype
| foreach eventtype
[ eval flag_eventtype=if(match('eventtype',"0"),"yes", "no")]
still same results..
... View more
05-13-2020
03:31 AM
this is my query:
index="prod" eventtype="csm-messages-dhcpd-lpf-eth0-sending" OR eventtype="csm-messages-dhcpd-lpf-eth0-listening" OR eventtype="csm-messages-dhcpd-send-socket-fallback-net" OR eventtype="csm-messages-dhcpd-write-zero-leases" OR eventtype="csm-messages-dhcpd-eth1-nosubnet-declared"
| bin span=1s _time
| chart count OVER _time BY eventtype
| foreach eventtype [ eval flag=if(match('<<eventtype>>',"0"),"yes", "no")]
im getting flag "no" for every raw even if there are mismatches ..
what am i missing ?
... View more
05-13-2020
02:07 AM
Hello
i have a raw with 5 columns from the same type and i want to compare the value of the cells of this 5 columns. how can i do it ?
thanks
... View more
05-11-2020
02:17 AM
i think i did not explain myself well...
let say i have 5 different eventtypes..
each one of them gets count value..
for the example, each one of them gets the value 1..
if the count value of all the eventtypes is equal than all is OK. but if the value is not equal i have to act as written in the question.. so.. if 4 of the eventtypes has the value 1 and one of them has the value 0 than it is not OK. i have to find those rows where there is different between the count value for each time stamp.
after i will find this i have to do the rest of the description in my question..
... View more
05-11-2020
01:20 AM
thanks for your answer.. can you please explain how it is answering my question ?
... View more
05-10-2020
11:39 PM
Hey,
maybe it display more than 50000 but not the right results 🙂
any way, the main thing is Q2..
i will try to explain it better..
i have 5 eventtypes.. each one of them has count value..
the good scenario is when the count value of all the eventtypes is equal.. so i want to check if this value is equal (for each raw) and if not to do what is written in my question..
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-11-2020
12:24 AM
|
