Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About jfolkers
jfolkers
New Member
Member since:
11-17-2010
06-05-2020
Community Statistics
| Posts | 4 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 11-17-2010 |
Activity Feed
- Posted Re: Search Head - Splunkd.log on Deployment Architecture. 06-05-2011 12:22 AM
- Posted Re: What should we name Splunk User Groups? How about splunk>local ? on #Random. 06-03-2011 05:29 PM
- Posted Re: Series Theory - or - Pie chart creation from search reporting keywords on Splunk Search. 11-17-2010 11:59 PM
- Posted Series Theory - or - Pie chart creation from search reporting keywords on Splunk Search. 11-17-2010 02:05 PM
- Tagged Series Theory - or - Pie chart creation from search reporting keywords on Splunk Search. 11-17-2010 02:05 PM
- Tagged Series Theory - or - Pie chart creation from search reporting keywords on Splunk Search. 11-17-2010 02:05 PM
- Tagged Series Theory - or - Pie chart creation from search reporting keywords on Splunk Search. 11-17-2010 02:05 PM
- Tagged Series Theory - or - Pie chart creation from search reporting keywords on Splunk Search. 11-17-2010 02:05 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
06-05-2011
12:22 AM
Marlon,
I had this same issue. In my case, I had multiple splunk instances on the same linux server all working just fine, but bundle replication didn't seem to work. Like your post above, I too had these events in splunkd.log, "WARN DistributedBundleReplicationManager - Server indexer1 does not support distributed bundle exchange, probably because it is an older version. Giving up due to error code 401." etc.
All splunk instances are running the same 4.2.1 code, so I'm sure it's not due to an older version.
My workaround was to use mounted bundles and turn off bundle replication.
So, on each indexer in $SPLUNK_HOME/etc/system/local, I put this in distsearch.conf
[searchhead:searchhead1]
mounted_bundles = true
bundles_location = /opt/shared_bundles/searchhead1
Docs are here.
... View more
06-03-2011
05:29 PM
splunk>etc
splunk>group
splunk>meet
splunk>local 514 (the syslog port)
I don't know about splunk>local, reminds me of a union. haha!
... View more
11-17-2010
11:59 PM
Nick, you'd be so proud of me. I used your stats & sum technique in a new column chart I made.
sourcetype="wan_traffic" earliest=@d SITE=RDGDC-WAN1 | fields SITE,WS_OUT_OCTETS,WS_VOICE_OUT_OCTETS,VZ_OUT_OCTETS,VZ_VOICE_OUT_OCTETS | eval V=WS_VOICE_OUT_OCTETS+VZ_VOICE_OUT_OCTETS | eval G=WS_OUT_OCTETS+VZ_OUT_OCTETS | eval D=G-V | bucket _time span=1h | stats sum(V) as Voice, sum(D) as Data by _time
So, even though your answer helped only with field formation optimization, I'm going to give you credit for the answer.
... View more
11-17-2010
02:05 PM
So a manager comes into my office and asks for a pie chart.
I tell him, yes it's possible, in fact I can do it today. Big F.
I quickly whip up this vastly inefficient search string and all I want is one pie chart with two slices: gross data and gross voice:
sourcetype="wan_traffic" earliest=@d SITE=RDGDC-WAN1 OR SITE=RDGDC-WAN2 | fields SITE,WS_OUT_OCTETS,WS_VOICE_OUT_OCTETS,VZ_OUT_OCTETS,VZ_VOICE_OUT_OCTETS | accum WS_OUT_OCTETS as WS_GROSS | accum VZ_OUT_OCTETS as VZ_GROSS | eval GROSS=WS_GROSS + VZ_GROSS | accum WS_VOICE_OUT_OCTETS as WS_VOICE | accum VZ_VOICE_OUT_OCTETS as VZ_VOICE | eval VOICE=WS_VOICE + VZ_VOICE | eval DATA=GROSS - VOICE | chart last(GROSS),last(DATA), last(VOICE)
However, after reading all the docs and answers on this board - my wish remains unfilled.
Curiosity killed the cat. I couldn't resist clicking Show Report. What it generates is indeed a pie chart - however it is generating a 100% full blue pie chart of one value. Mousing over it reveals what it is doing with the 2nd value. I'll stop here.
My guess is I need series theory. I'm missing something basic.
I think I need either quantum physics with quarks theory taught to me, or search string series theory taught to me. I'm thinking splunk's the easier of the two.
I need some enlightenment! Anyone care to step up to this probably easy plate?
===============================
UPDATE:
I solved it. Turns out Splunk's Pie Chart engine requires a 2x2 table at a minimum. I didn't realize that and had just output a single summary results table with 1 line.
I had to use eval to generate the labels in column one, and append to generate the values for column two.
This works to generate the 2x2 table using eval to generate the labels in column 1 and append to generate the values in column two.
sourcetype="wan_traffic" earliest=@d SITE=RDGDC-WAN1 | fields SITE,WS_OUT_OCTETS,WS_VOICE_OUT_OCTETS,VZ_OUT_OCTETS,VZ_VOICE_OUT_OCTETS | accum WS_OUT_OCTETS as WS_GROSS | accum VZ_OUT_OCTETS as VZ_GROSS | eval GROSS=WS_GROSS + VZ_GROSS | accum WS_VOICE_OUT_OCTETS as WS_VOICE | accum VZ_VOICE_OUT_OCTETS as VZ_VOICE | eval V=WS_VOICE + VZ_VOICE | eval D=GROSS - V | eval TYPE="Data" | chart last(D) as BYTES by TYPE | append [search sourcetype="wan_traffic" earliest=@d SITE=RDGDC-WAN1 | fields SITE,WS_OUT_OCTETS,WS_VOICE_OUT_OCTETS,VZ_OUT_OCTETS,VZ_VOICE_OUT_OCTETS | accum WS_OUT_OCTETS as WS_GROSS | accum VZ_OUT_OCTETS as VZ_GROSS | eval GROSS=WS_GROSS + VZ_GROSS | accum WS_VOICE_OUT_OCTETS as WS_VOICE | accum VZ_VOICE_OUT_OCTETS as VZ_VOICE | eval V=WS_VOICE + VZ_VOICE | eval D=GROSS - V | eval TYPE="Voice" | chart last(V) as BYTES by TYPE]
This generates the 2x2 table properly:
TYPE BYTES
Data 206051242413
Voice 1440297883
Which Splunk will happily generate into a pie chart. However, the search string is very huge. Any idea how to optimize?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:02 AM
|
