05-19-2016
01:12 PM
To make a "plain english" dashboard panel, I currently use the following search to change a duration value (SecondsSinceUpdate) to "ActualTimeSinceUpdate":
```
|metadata type=hosts
|eval SecondsSinceUpdate = now()-recentTime
|eval ActualTimeSinceUpdate=tostring(SecondsSinceUpdate,"duration")
|rex mode=sed field=ActualTimeSinceUpdate "s/\+/ days, /"
|rex mode=sed field=ActualTimeSinceUpdate "s/\:/ hours, /"
|rex mode=sed field=ActualTimeSinceUpdate "s/\:/ minutes and /"
|rex mode=sed field=ActualTimeSinceUpdate "s/$/ seconds/"
|rex mode=sed field=ActualTimeSinceUpdate "s/\Q00 hours, \E//"
|rex mode=sed field=ActualTimeSinceUpdate "s/\Q00 minutes \E//"
|rex mode=sed field=ActualTimeSinceUpdate "s/\Q 0\E/ /g"
|rex mode=sed field=ActualTimeSinceUpdate "s/^\Q0\E//"
|rex mode=sed field=ActualTimeSinceUpdate "s/^\Qand \E//"
```
Which results in the attached
How can this be accomplished more simply?
05-12-2016
02:26 PM
Nice!!! This works great!
I'm going to have to read up on "delim", "nomv" and "makemv"
05-11-2016
10:11 PM
First, sundareshr, thank you for your persistence in assistance. I appreciate your help. I updated my question with some pictures. I think my attempt at creating a table within this web browser is more confusing than helpful.
05-11-2016
04:54 PM
Unfortunately, this did not do what I am hoping.
I was hoping for a table that kept the groupings of users per row (user1, user2 and user3 in one group with all of the values of the attributes associated with that group of users in the next column of the same row, with user4, user5 and user6 in the next row with all of the attributes associated with that group of users in the next column of that same row):
username attribute
user1 attribute 1
user2 attribute 2
user3
user4 attribute3
user5 attribute4
user6
This search (I apologize for the format, for some reason I cannot format this as code):
basesearch|transaction attribute|table username, attribute | mvexpand username | stats values(attribute ) as attribute by username
returned each username individually with all of the attributes associated with that individual
username attribute
user1 attribute 1
_______attribute 2
user2 attribute1
_______attribute2
user3 attribute3
_______attribute4
user4 attribute3
_______attribute4
Any other suggestions?
05-11-2016
12:44 PM
Hello, my search basesearch|transaction attribute|table username, attribute
As expected, this returns a table with groups of usernames that share a common value for the field "attribute":
username attribute
user1 attribute1
user2
user3
user1 attribute2
user2
user3
user3 attribute3
user4
user5
user3 attribute4
user4
user5
I am interested in creating a new table that condenses the table by groups of users while showing the attributes they have in common - something like this:
username attribute
user1 attribute1
user2 attribute 2
user3
user3 attribute3
user4 attribute4
user5
Any suggestions?
UPDATE WITH PICTURE TO CLARIFY DESIRED OUTCOME
basesearch|transaction attribute
I believe the "transaction" command groups the users together who share the common attribute. So the first table after the transaction command shows all of the users who share each attribute (singular). I want to see statistics based on users that share common attributes (plural). Can you see the attachments?
- Tags:
- grouping
- transaction
03-26-2016
01:14 PM
I also do not see "Avg_count" option in step 4. What is the fix?
03-23-2016
05:13 PM
You are right somesoni2! Thank you!
MY SEARCH | table location, _time, count,Species_ID
Yielded:
Location, _time, count, Species_ID
Afognak River, 2015-05-11, 2, 420
Copper River, 2015-05-12, 6, 420
Afognak River, 2015-05-12, 11, 420
Copper River, 2015-05-13, 145, 420
Afognak River, 2015-05-13, 7, 420
etc.
Which, when I clicked the "visualization" tab, turned into a really cool bubble chart. Thanks!
03-23-2016
02:32 PM
Hello,
I am trying to merge two charts together. Both charts have two dimensions each with one common dimension - making three total.
Following the advice given in link text, I use the following search to return a string, number, number:
MY SEARCH | stats sum(count) by location date_month
Which returns results in the "statistics" tab that look something like this:
Location, date_month, count
Copper River, 5, 300
Copper River, 6, 300
Copper River, 7, 325
Bear River, 5, 120
Bear River, 6, 200
Bear River, 7, 177
etc
Unfortunately, when I click the "visualization" tab and select "bubble" the table is blank. What did I do wrong?
I have also tried to understand and follow the advice given link text but it appears that in the example link text, the search results need to yield four fields to use the bubble visualization properly.
It seems there is an easy way to implement the "bubble" feature of splunk search visualization and I am just missing it. Any suggestions?
Thank you in advance!
02-11-2016
12:06 PM
2 Karma
I had this same problem and |eval NewField=trim(OldField) worked great! Thank you so much!
01-29-2016
10:03 PM
NICE!!
It worked!
01-29-2016
04:43 PM
Ok. Thank you. I will try this out and let you know how it goes.
01-29-2016
12:56 PM
Thank you so much for your patient instruction! I just updated my lookup table to look like:
```
name,benefit,type
*banana*,5,fruit
```
and then I tried:
|stats count | eval name="i want bananas" | lookup food name
and it returned four columns, two of them containing values:
count benefit type name
0 "i want bananas"
So, something is working! I couldn't even get the columns to show up before...
Perhaps it is because I do not know how to change transforms.conf
On this page: http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents
It said that:
Use the Settings > Lookups > Lookup definitions page to define the lookup table or edit existing lookup definitions. You can specify the type of lookup (file-based or external) and whether or not it is time-based. Once you've defined the lookup table, you can invoke the lookup in a search (using the lookup command) or you can configure the lookup to occur automatically. Note: This is equivalent to defining your lookup in transforms.conf.
On the Settings>Lookups>Lookup definitions page, I could not find a way to mimic "match_type=WILDCARD(name)"
Is there a way to do that without editing transforms.conf? If not, how would I edit transforms.conf?
01-27-2016
01:23 PM
Step four. Unfortunately, my food "names" are hidden in text. Do I need to do a rex command to create fields?
01-27-2016
11:49 AM
Nice! Thank you talla_ranjith!
I appreciate how thorough you are
01-26-2016
12:44 PM
3 Karma
I currently implement dropdowns:
```
<input type="dropdown" token="state_token" searchWhenChanged="true">
  <label>Pick a State</label>
  <search>
    <query>host=coolstuff | dedup State | table State</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>State</fieldForLabel>
  <fieldForValue>State</fieldForValue>
  <default>California</default>
</input>
```
This returns all the results within that state. So, instead of (52.7,-124.45) in the following:
<option name="mapping.map.center">(52.7,-124.45)</option>
I would like to use variables like (avg(latfield),avg(longfield)) but it then centers on the equator and Prime meridian. Is it possible to use variables in this field? Any suggestions?
01-26-2016
12:13 PM
Thank you Renjith,
I bet the answer is pretty simple. I just am having some difficulty here. The pages you referred me to are quite informative. I am grateful for your assistance.
"food.csv" is the csv name as well as the lookup table name I uploaded into
.../manager/search/data/lookup-table-files
and the Lookup definition I created in
.../manager/search/data/transforms/lookups
I then followed the instructions found here:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Usefieldlookupstoaddinformationtoyourevents
to make my lookup automatic.
Unfortunately, the fields I requested do not show up in the side bar. Nor does the field "name" appear there. I was hoping that the names from my csv would search all fields and return the corresponding results from the other columns. The field text is there though.
01-23-2016
04:13 PM
Works! Thank you!
01-23-2016
04:02 PM
I have an index I am trying to search.
I have a separate csv file containing a list of about 40 search terms with two metadata for each term:
name,benefit,type
banana,5,fruit
ice cream,1,desert
tomato,3,vegetable
I want to then create a table with just the events with those names and the corresponding metadata.
Is this feasible? I imagine I could use 40 individual eval functions but I would like to save time by using the csv file.
When I attempt to implement the syntax:
host=coolstuff | lookup food name OUTPUT type| table text, type
I was hoping to get a table containing text with the particular food called out along with the corresponding type from the lookup file. Instead, when I ran the search, my search returns ALL the events (not just those with the food name) and then the statistics tab returns (0) - there is no table with just text or type.
Can you help me troubleshoot where I went wrong?
I've tried mixing up the syntax to get the results I want, but am just drawing a complete blank as to how to use this command.
host=coolstuff | input food name (AS text) OUTPUT type | table text, type
01-22-2016
11:59 PM
Thanks MuS, I took time to try this out. The zoom dropdown works great!
I am trying to implement a dropdown for center:
```
<input type="dropdown" token="state_token" searchWhenChanged="true">
  <label>Pick a State</label>
  <search>
    <query>host=coolstuff | dedup State | table State</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>State</fieldForLabel>
  <fieldForValue>State</fieldForValue>
  <default>California</default>
</input>
<input type="dropdown" token="city_token" searchWhenChanged="true">
  <label>Pick a City (must be on "All" to change State)</label>
  <search>
    <query>host=coolstuff State=$state_token$ | stats count by City | sort -count</query>
    <earliest>0</earliest>
  </search>
  <fieldForLabel>City</fieldForLabel>
  <fieldForValue>City</fieldForValue>
  <choice value="*">All</choice>
  <default>*</default>
</input>
```
My problem comes trying to implement these tokens into this field:
<option name="mapping.map.center">(52.7,-124.45)</option>
So, I currently have "mapping.map.center" default to:
(52.7,-124.45)
I tried replacing numbers with variables (i.e.: (latfield, longfield) and (avg(latfield),avg(longfield)) but it wasn't working. Any suggestions?
01-22-2016
06:29 PM
I have an index of log data I am trying to search.
I have a separate csv file containing a list of about 40 search terms with two metadata for each term:
name,benefit,type
banana,5,fruit
ice cream,1,desert
tomato,3,vegetable
I want to then create a dashboard that can peruse through the events with those terms and the corresponding metadata.
Is this feasible? I imagine I could use 40 individual eval functions but I would like to save time by using the csv file.
01-21-2016
02:26 PM
Nice! Thank you MuS! I have no "uncool" tag... I will give this a shot...
01-21-2016
01:29 PM
I currently use the following to count the number of names that are tagged as cool:
... tag::cool | stats dc("Name")
This gives me a count of cool kids. I would like to compare the number of kids that are "cool" with those that are not cool. Any ideas how I can get those two numbers?
01-11-2016
09:13 PM
Thanks MuS! I will give this a go and let you know what happens.