Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About smhsplunk
smhsplunk
Communicator
Member since:
01-14-2016
06-05-2020
Community Statistics
| Posts | 74 |
| Solutions | 2 |
| Karma Given | 25 |
| Karma Received | 2 |
| Member Since | 01-14-2016 |
Activity Feed
- Got Karma for How can I split values based on two possible delimiters?. 09-17-2021 08:52 PM
- Karma Re: How to plot time as the y-axis in a timechart? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Feedback on regex on a single string for somesoni2. 06-05-2020 12:48 AM
- Karma Re: regex on inputlookup (via python script ?) for richgalloway. 06-05-2020 12:48 AM
- Karma Re: Extract a field/or a single value from a scheduled alert table for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to create a pie chart of percentages out of just numeric token values? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: My search works when I run it manually, but why does it not produce results when I use it to populate a table? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to get my transaction search to return "0" instead of "no results found" if no events are found? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to add multiple duration from multiple independent transactions for somesoni2. 06-05-2020 12:48 AM
- Karma Re: Making field extractor searches faster for hunters_splunk. 06-05-2020 12:48 AM
- Karma Re: Making field extractor searches faster for twinspop. 06-05-2020 12:48 AM
- Karma Re: How to edit my search to count the number of hosts per keyword? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to edit my search to get total time of events (last-first) and sum by source, by host? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: How to plot time as the y-axis in a timechart? for woodcock. 06-05-2020 12:48 AM
- Karma Re: How to edit my Simple XML to create a drilldown for clicking on any row of a table to open a new dashboard? for gyslainlatsa. 06-05-2020 12:48 AM
- Karma Re: How to edit my Simple XML to create a drilldown for clicking on any row of a table to open a new dashboard? for renjith_nair. 06-05-2020 12:48 AM
- Karma Re: How to use N values in a search dependent on a user selecting N values from drop-down forms? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Extracting each value from a multi-valued field for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Extracting each value from a multi-valued field for javiergn. 06-05-2020 12:48 AM
- Karma Re: Remove spaces in field values and run stats/timechart with new names for woodcock. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-11-2017
08:41 AM
This worked | eval _time = strftime(_time, "%Y %b %d")
... View more
01-11-2017
07:36 AM
I am trying to get a nice Y-m-d on my x axis label using xyseries
but am getting a long value attached with the date
i.e. 2016-07-05T00:00:00.000-04:000
How can I get only the first part in the x-label axis "2016-07-05"
index=street_info source=street_address
| eval mytime=strptime(record_date, "%Y-%m-%d")
| eval _time=mytime
| xyseries _time, street_id, myvalue
even when I use table _time, street_id, value it only shows Y-m-d.
I am not doing sum here, just showing the exact values on the Y-axis against time on X-axis.
please help
THanks
... View more
12-01-2016
07:09 AM
I am actually getting this
2016-08-10T00:00:00.000-04:00
where I should only be getting this
2016-08-10
... View more
12-01-2016
07:03 AM
I already have that, it still giving me long digits after the date. here is the code
<row>
<panel>
<chart>
<search>
<query>index=xyz sourcetype=xyz1 source=xyz3 id!="nan"
| search * id = "$new_hosts$"
| eval mytime=strptime(initial_date, "%Y-%m-%d")
| eval _time=mytime
| xyseries _time,id,error_values</query>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
<option name="charting.chart">line</option>
<option name="charting.seriesColors">[0x639BF1, 0xFF5A09]</option>
<option name="height">200</option>
</chart>
</panel>
</row>
... View more
12-01-2016
06:45 AM
I only have year-month-day in my _time, when I use table to show in search, it only gives me dates. Yet when I use xyseries , it gives me date with HH:MM:SS. How can I make only date appear in the X-label of xyseries plot?
| xyseries _time,series,yval
... View more
11-09-2016
12:12 PM
how can I skip a space (if field2 is empty) and chose the next character , would I have to use if statement ?
... View more
11-07-2016
01:23 PM
1 Karma
| eval field2=mvindex(split(word, " "),2)
How can I split based on either space " " or comma ","
Beforehand, I do not know which delimiter will be there, so I want to use both.
... View more
10-19-2016
09:03 AM
I am trying to regex to get a substring
I want substring "addressON" from this string "ThisStreet_addressON_blockb"
here is my query
host = "xyz" | search * streetName!="NULL" | table streetName | dedup streetName | rex field = streetName "ThisStreet\_(?<thisStreet>)\_blockb$" | table thisStreet
This is not working
... View more
10-17-2016
08:40 AM
awesome it works!
... View more
10-17-2016
08:26 AM
This should work but it is giving me the entire table again, seems like its ignoring this entire part
search * host="$host_token$" | table total_time
I have
<row>
<panel>
<search ref="alert_objects" id="base_alert_objects" ></search>
<table>
<search base="base_alert_objects"> search * host="$host_token$" | table total_time</search>
</table>
</panel>
</row>
... View more
10-17-2016
07:52 AM
The actual search query is saved as an alert (alert name "alert_objects")
I am trying to get a field value from it, this is the actual query (saved as alert)
index=main host="*"
| transaction startswith="StartSession" endswith="EndSession" by source
| appendpipe [ | stats count | where count = 0 | eval duration=0]
| eval session_per_source = duration
| stats sum(session_per_source) as total_time by host
| table host, total_time
| fillnull value=NULL
I need the entire table as an alert, and was wondering if I could query this alert and only show the value part
| search * host="$host_token$"
table total_time
... View more
10-16-2016
04:49 PM
So I am generating an alert everyday at 2am, the alert is basically a table with several fields, now I would like the user to utilize this saved alert by only using a single value from it (I need the entire table because beforehand I do not know which value the user will select)
currently it is only
<table>
<search ref="alert_objects"></search>
</table>
is it possible to search in this like
<table>
<search ref="alert_objects"> | search * host="$host_token$"
table total_time</search>
</table>
... View more
10-14-2016
10:18 AM
yup thanks!
... View more
10-14-2016
08:54 AM
This is great, this works, last question is it possible to change the token names after the last line, I tried to do but it retains the old token labels as token1, token2...
... View more
10-14-2016
08:15 AM
This again gives me a table with all values, but when I try to convert it into a piechart using visualization it shows a single color for the entire piechart (currently it shows)
token0: 0
token1: 55%
token1%: 100%
I don't have pie slices per tokens
... View more
10-14-2016
07:09 AM
Please see this simplified example (this doesnt work)
index=main host="*"
| eval token1=10
| eval token2=20
| eval token3=30 | stats values(token*) by token*
so I would like the piechart to have labels 10 (20% slice), 20 (40% slice) and 30 (60% slice)
The correct slices are more important than labels i guess..
... View more
10-13-2016
04:44 PM
Its giving me a piechart with a single color and single label "token1,token2,token2..."
... View more
10-13-2016
03:39 PM
Trying to do a pie chart out of just numeric values, getting values from different tokens and using them for this piechart, I just want to show them as % of the entire sum of numeric token values. How do you create a list of values for piechart?
index=main host="*"
| eval token1="$token1$"
| eval token2="$token2$"
| eval token3="$token3$"
| eval token4 = "$token4$"
| eval token_times = list(token1, token2, token3, token4)
| stats values by token_times
... View more
10-13-2016
11:33 AM
thanks, didnt know about the appendpipe command
... View more
10-13-2016
10:59 AM
I am trying to use the transaction command to get duration between two events
In case there are no such events, I would like the search to return 0 instead of "no results found".
This following command isn't working:
index=main host="xyz"
| transaction startswith="keyword1" endswith="keyword2"
| eval spent_time = duration
| stats sum(spent_time) as total_spent_time
| table total_spent_time
| fillnull value=NULL
... View more
10-13-2016
10:19 AM
Great this works! How do I put default value of tokens to zero ?
... View more
10-12-2016
04:53 PM
So I am running multiple single valued transactions and putting the values in eval keywords, but I want to add all these new values to get the total value (duration1+duration2+....) and show it in another panel. Here is my following transactions I am running. They are all run separate inside a single row
index=main host=host1 | transaction startswith="keyword1" endswith="keyword1_ending" | eval keyword1_duration = duration | stats sum(keyword1_duration)
index=main host=host1 | transaction startswith="keyword2" endswith="keyword2_ending" | eval keyword2_duration = duration | stats sum(keyword2_duration)
how do I add these values ? Do I have to define a token on each block to use that value across panels ?
... View more
10-12-2016
12:02 PM
I am trying to extract a keyword from an event
2011-03-11 09:12:00 123 INF-1 ConStopped ::CLIenteleCompletd1_Per
When I am using Field Extraction GUI, I am selecting the complete part ConStopped ::CLIenteleCompletd1_Per for Regular Expression.
It shows all the right events (also in the Matches option) during creation, but when I click on (View in Search) it comes up with over 100+ different types of matches which has nothing to do with this pattern.
In the extraction/transform, it has
^(?:[^ \n]* ){9}(?P<co_complete>.+)
Things I have already done is
(a) Made sure the permission is global across all app
(b) Even tried to use http://splunk:8000/en-US/debug/refresh
(c) During creation, Non-Matches window is empty, also Matches only show this exact event in different time-stamps (no non-matched events to delete)
But nothing improves.
I have a feeling the Splunk regex is not great, but when I try to edit it manually myself, it doesn't work. When I did this previously it also didn't show in the left side panel of search.
... View more
10-12-2016
08:10 AM
Perhaps this is working
index=main host="*"
| stats earliest(_time) as First latest(_time) as Last by source, host | eval Date = strftime(First, "%Y-%m-%d")
| eval difference= Last-First | eval difference=difference/3600 | chart eval(sum(difference)) as total_difference over Date by host
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
