Activity Feed
- Got Karma for Re: How does summary indexing handle time?. 11-23-2021 12:25 AM
- Got Karma for What causes "Search auto-canceled"?. 09-23-2021 06:19 AM
- Got Karma for What causes "Search auto-canceled"?. 11-23-2020 12:42 AM
- Got Karma for Using a lookup table to fill multiple subsearches to show hierarchy of user data. 06-25-2020 06:40 PM
- Karma Re: How to control size of text in Trellis layout for kozanic_FF. 06-05-2020 12:50 AM
- Karma Re: How to stop drilldown value being passed before search is finished? for woodcock. 06-05-2020 12:50 AM
- Karma JSON Data Query for kenmcgarrahan. 06-05-2020 12:49 AM
- Karma Re: Lookup command to both filter and append new fields for starcher. 06-05-2020 12:49 AM
- Karma Re: Lookup command to both filter and append new fields for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: Condition value NOT equal to....whatever for niketn. 06-05-2020 12:49 AM
- Karma Re: How can I change the sort order of data in a Trellis chart? for kmorris_splunk. 06-05-2020 12:49 AM
- Karma Re: Dashboard panel solid border for jpolcari. 06-05-2020 12:48 AM
- Karma Re: Initialize Token As Default Values Then Insert Latest Values When New Values Received for fk319. 06-05-2020 12:48 AM
- Karma Re: How to edit my code to change the font and background color in my dashboard? for jaxjohnny2000. 06-05-2020 12:48 AM
- Karma Re: Why does the Monitoring Console not update with new indexer information? for lguinn2. 06-05-2020 12:48 AM
- Karma How to input data from perl script to splunk? for lemmerich. 06-05-2020 12:48 AM
- Karma Re: Does Splunk Answers use Splunk? for ppablo. 06-05-2020 12:48 AM
- Karma Re: Can Splunk be used to search and index web pages for ppablo. 06-05-2020 12:48 AM
- Karma How to customize bar chart colors based on the values? for guimilare. 06-05-2020 12:47 AM
- Karma Re: How to create an eval column in a table that says "yes" or "no" if the value in another column has changed from the previous row? for martin_mueller. 06-05-2020 12:47 AM
05-28-2020
01:53 AM
We are trying to zip and expand several levels of nested json data. Here is an example of our json data. Below is an example of the desired output.
{
  "level0": {
    "globalname": "TOP_A",
    "globalver": "1",
    "level1": {
      "level2": [
        {
          "lvl2name": "LVL2A",
          "warnings": {
            "totalcount": "26",
            "rulebreakdown": [
              { "rulecount": "2", "rulename": "ruleA" },
              { "rulecount": "24", "rulename": "ruleB" }
            ]
          }
        },
        {
          "lvl2name": "LVL2B",
          "warnings": {
            "totalcount": 81,
            "rulebreakdown": [
              { "rulecount": "11", "rulename": "ruleG" },
              { "rulecount": "67", "rulename": "ruleR" },
              { "rulecount": "3", "rulename": "ruleZ" }
            ]
          }
        }
      ]
    }
  }
}
{
  "level0": {
    "globalname": "TOP_D",
    "globalver": "1.5",
    "level1": {
      "level2": [
        {
          "lvl2name": "LVL6A",
          "warnings": {
            "totalcount": "2",
            "rulebreakdown": [
              { "rulecount": "2", "rulename": "ruleAB" }
            ]
          }
        },
        {
          "lvl2name": "LVL6D",
          "warnings": {
            "totalcount": "23",
            "rulebreakdown": [
              { "rulecount": "5", "rulename": "ruleGG" },
              { "rulecount": "14", "rulename": "ruleRG" },
              { "rulecount": "4", "rulename": "ruleGZ" }
            ]
          }
        }
      ]
    }
  }
}
This would be the desired output of these two events:
Labels: JSON
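An added example, not code from the post or from Splunk: a Python flattener that expands the nested events above into one row per rulebreakdown entry, carrying the outer scalars (globalname, globalver, lvl2name, totalcount) onto every row, which is what spath followed by mvexpand does in SPL; the row shape is an assumption, since the desired output is not on the page. Because spath extracts nothing from an event that is not well-formed JSON, the flattener raises on a malformed event instead of quietly yielding zero rows, and a second function checks that the rulecounts add up to the declared totalcount.

```python
import json

# Constructed sample input: the first event from the post, plus a second,
# deliberately malformed event (missing comma between array elements) to
# exercise the failure mode.
EVENT_OK = json.dumps({
    "level0": {"globalname": "TOP_A", "globalver": "1", "level1": {"level2": [
        {"lvl2name": "LVL2A", "warnings": {"totalcount": "26", "rulebreakdown": [
            {"rulecount": "2", "rulename": "ruleA"},
            {"rulecount": "24", "rulename": "ruleB"}]}},
        {"lvl2name": "LVL2B", "warnings": {"totalcount": 81, "rulebreakdown": [
            {"rulecount": "11", "rulename": "ruleG"},
            {"rulecount": "67", "rulename": "ruleR"},
            {"rulecount": "3", "rulename": "ruleZ"}]}}]}}})
EVENT_BAD = '{"level0": {"level1": {"level2": [{"a": 1} {"b": 2}]}}}'


def flatten_event(raw: str) -> list[dict]:
    """Expand one event into rows, one per (level2 element, rulebreakdown entry).

    Scalars from the outer levels are copied down onto each row, which is what
    "zip and expand" amounts to. Raises ValueError on malformed JSON so that a
    broken event is noticed rather than contributing zero rows.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"event is not valid JSON: {exc}") from None
    lvl0 = doc["level0"]
    rows = []
    for lvl2 in lvl0["level1"]["level2"]:
        warn = lvl2["warnings"]
        for rule in warn["rulebreakdown"]:
            rows.append({
                "globalname": lvl0["globalname"],
                "globalver": lvl0["globalver"],
                "lvl2name": lvl2["lvl2name"],
                # totalcount is "26" in one event and 81 in the other: normalize
                "totalcount": int(warn["totalcount"]),
                "rulename": rule["rulename"],
                "rulecount": int(rule["rulecount"]),
            })
    return rows


def rule_totals_consistent(rows: list[dict]) -> bool:
    """Check that the rulecounts under each lvl2name sum to its totalcount."""
    sums: dict[str, int] = {}
    for r in rows:
        sums[r["lvl2name"]] = sums.get(r["lvl2name"], 0) + r["rulecount"]
    return all(sums[r["lvl2name"]] == r["totalcount"] for r in rows)
```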
04-03-2020
12:22 PM
@kenmcgarrahan did you ever come up with a better solution than the configurations below? I have the same issue.
I see this post from 2016 describes the same: https://www.splunk.com/en_us/blog/tips-and-tricks/eureka-extracting-key-value-pairs-from-json-fields.html @LCM any chance you know if the native capability mentioned ever materialized?
02-23-2020
06:09 PM
It was the last one that worked.
index="disk_index"
[| inputlookup sdmanager.csv
| search UserManager="$UserManager$"
| foreach UserManagerx* [ eval UserManager=mvappend(UserManager,<<FIELD>>)]
| stats count by UserManager
| table UserManager]
| stats sum(UserUsage) as TotalUserUsage by UserManager ipArchitecture process configuration drop DiskUser
| table UserManager ipArchitecture process configuration drop DiskUser TotalUserUsage
02-23-2020
05:38 PM
That does it! Thank you so much!
02-23-2020
05:14 PM
DiskUser is irrelevant.
I just want to look up all the corresponding UserManagerxn for the token selected UserManager and append the search with UserManager=UserManagerxn.
02-23-2020
04:53 PM
So if I try this, with my pretend csv. If the token passes NOBEL,ALFRED as the UserManager I expect to get all search results with NOBEL,ALFRED as UserManager plus PAGE,LARRY and MEAD,MARGARET, but instead I get only NOBEL,ALFRED and ROGERS,FRED. So it's finding the match in the UserManagerxn field and returning the UserManager, instead of matching the UserManager and returning all the UserManagerxn.
02-23-2020
04:20 PM
DiskUser does not specify UserManager. DiskUser is a field in the indexed data and no more relevant to the search than any other field that I'm tabling, like configuration, process, DiskUser ... UserManager is a field in the indexed data and in the lookup table that has matching names.
I only need this simple search to run for the selected manager and then append the same search with each UserManagerxn from the lookup. And none of the fields I'm tabling are null.
index="disk_index"
[| inputlookup sdmanager.csv
| table UserManager]
| search UserManager="$UserManager$"
| stats sum(UserUsage) as TotalUserUsage by UserManager ipArchitecture process configuration drop DiskUser
| table UserManager ipArchitecture process configuration drop DiskUser TotalUserUsage
02-22-2020
09:16 PM
UserManager is a field in the lookup and in the index.
DiskUser is the employee name, a direct report to the manager, and a field in the indexed data.
Each LAST,FIRST is a different name.
So if UserManager Andrews,Julie is chosen in the drop down, I want to return all events where she is the manager and also all the managers that report to her, listed in the lookup as UserManagerx1 and so on.
02-20-2020
01:18 AM
UserManager | UserManagerx1 | UserManagerx2 | UserManagerx3 | ... | UserManagerx20
---|---|---|---|---|---
LAST,FIRST | LAST,FIRST | LAST,FIRST | LAST,FIRST | ... | LAST,FIRST
LAST,FIRST | LAST,FIRST | LAST,FIRST | | |
LAST,FIRST | LAST,FIRST | | | |
LAST,FIRST | LAST,FIRST | LAST,FIRST | LAST,FIRST | |
The dashboard input selects from all names listed as UserManager. I need corresponding user data for UserManager/DiskUser pairs for all existing UserManagerx#.
Thanks
02-20-2020
12:21 AM
1 Karma
I have a lookup table that shows all the next-level managers of a particular manager as UserManager UserManagerx1 UserManagerx2 UserManagerx3... UserManagerx20. The top-level manager has about 20 nested managers, but all others have far fewer.
My indexed data has only data on the direct user and manager.
I have a dashboard select input to select the top-level manager that the user is interested in. I'm trying to create a search that will then display data of all direct report users as well as all levels below that manager via the lookup table.
This isn't working as expected. Thanks for any suggestions.
index="disk_index"
[| inputlookup sdmanager.csv
| table UserManager]
| search blah blah blah
| append
[ search index="disk_index" UserManager="$top_manager$"
]
| append
[search index="disk_index" UserManager="$top_manager$"
| lookup sdmanager.csv UserManager OUTPUT UserManagerx1 as UserManager
]
| append
[ search index="disk_index" UserManager="$top_manager$"
| lookup sdmanager.csv UserManager OUTPUT UserManagerx2 as UserManager
]
and so on until
| append
[ search index="disk_index" UserManager="$top_manager$"
| lookup sdmanager.csv UserManager OUTPUT UserManagerx20 as UserManager
]
| stats sum(UserUsage) as TotalUserUsage by UserManager DiskUser
And then I've also tried like this...
index="disk_index"
[| inputlookup sdmanager.csv
| table UserManager]
| search blah blah blah
| join type=inner
[| search UserManager="LAST,FIRST"
| stats sum(UserUsage) as TotalUserUsage by UserManager configuration process DiskUser ]
| join type=outer
[ | inputlookup sdmanager.csv | search UserManager="LAST,FIRST" | fields UserManagerx1
| stats sum(UserUsage) as TotalUserUsage by UserManager configuration process DiskUser ]
| table UserManager configuration process DiskUser TotalUserUsage
My next idea is to try map, but I've never used it and it seems widely discouraged. Perhaps my lookup should be formatted differently? Or a foreach command? Thanks again
01-22-2020
11:46 PM
One of the fields being indexed is formatted xx-xx-xxxxx_xx_xx-xx-20ww04c and various other strings always ending with year, week of the year and version, i.e. a=1, b=2, c=3.
I'm testing this through the Add Data UI which has the Advanced options to provide Timestamp format, Timestamp prefix, and Lookahead.
I'm trying these for the first two values, but it's obviously not correct:
Timestamp format: %yww%Vc
Timestamp prefix: (?<_time>\w{7})$
Thanks for any help
01-21-2020
04:13 PM
Thanks very much, Pavel. I'd just found the same solution with a colleague. Thanks for the confirmation that it will work!
01-21-2020
02:16 PM
I have the output of a Perl script as a Perl hash. I'm not able to run the script directly from Splunk, but would like to index the hashes by monitoring the location where they are saved. I tested one of the files by trying to index it manually, but couldn't make sense of the data via the UX.
Can Splunk index a Perl hash?
As may be obvious, I don't have much experience with Perl, I just need to get the data indexed...
Tags: splunk-enterprise
09-30-2019
11:17 AM
Thanks, @niketnilay, I went ahead and posted this as a new question. https://answers.splunk.com/answers/773306/timechart-of-two-stats-with-split-by-same-field-on.html
09-27-2019
03:54 PM
I've been doing ugly hacks around this need for months and now I need to dig in and figure out an eloquent solution even if it means learning some new skills. I need to | timechart two stats, Total Turnin Time and Files changed per Turnin, split by the same FileID. I'd like the Files changed per Turnin value to be an overlay as below. I can achieve this below by manually selecting the overlay fields for each concatenation of Files Changed per Turnin: FileID, but this won't transfer to a dashboard where FileID is filled by token. Is there a way to use a wildcard in the overlay field?
It's important to know that from here the FileID is being passed through drilldown. I was working on a concatenation of the FileID and value of Files Changed per Turnin so that it would be displayed in the tooltip, but then I couldn't pass the FileID.
Finally, I'd like to color-code the columns based on yet another field value, TurninStatus. You can see below that this search is only for TurninStatus=P. I currently have an entirely separate view for TurninStatus=F.
Thanks very much for any thoughts or suggestions on any part of the issue.
09-25-2019
09:53 PM
Hi @james_n, did you ever figure this out? I'm having the same issue. I'm not using the time field directly in the timechart, but am passing it to a where statement in the query. I'm thinking that is why, because the method described above works whenever I use a timechart with a standard time implementation.
09-24-2019
09:21 AM
Hi @niketnilay, I've been trying to implement your solution here for the same issue. I would like to use the overlay without trellis, but the fields become a concatenation with the by value so the overlayField doesn't work. I'm able to make it work in the GUI by manually choosing each concatenated value for a particular search, but it doesn't generalize for the dashboard.
Thanks for any suggestions. Is it possible to have a wildcard in the field name or something similar, for example?
09-23-2019
02:24 PM
Would this work for a timechart? I need to display the value for a field that isn't in the timechart.
09-04-2019
02:44 PM
1 Karma
I'm having the same issue. My events have a _time value, but it is not maintained in the summary index. It also stores the current system time which seems to contradict the precedence outlined above. Did you ever find a solution @AnilPujar?
09-03-2019
01:30 PM
+1, my settings were correct, but Apply Changes was apparently missing. Fixed it immediately.
08-21-2019
01:52 PM
I think the fact that your field values indicate a numerical range is causing unnecessary confusion. Does this work?
<option name="charting.fieldColors">{"<2000":"#A6CE39",">7000":"#ED1C24","Up to 3000":"#FFDA00","Up to 4000":"#FFDA00","Up to 5000":"#FFDA00","Up to 6000":"#FFDA00","Up to 7000":"#FFDA00"}</option>
08-19-2019
10:57 AM
Thanks! This was very helpful to not continue trying to do the impossible. The table is a form with inputs so I've struggled to find a way to speed it up with these options.
08-16-2019
12:20 PM
Hi,
I have a table that is calculating a value for "totaljobs". The drilldown passes that value as a token to the next panel, but if the first panel is clicked on before the search finishes it passes the count at that moment and not the correct value that would be passed once the search has finished. Clicking on the same line after the search is finished updates the token value to the correct value, but users don't know that they are getting an incorrect value when clicking "early."
In drilldown of first panel:
<set token="CounterJ">$row.totaljobs$</set>
In title of second panel:
<title>Failed Jobs: $CounterF$ Total Jobs: $CounterJ$</title>
The other token, $CounterF$, isn't an issue because it's a count of the results that loads with the panel.
How do I prevent the drilldown from passing the value until after the search is complete and the value is correct?
08-09-2019
09:53 AM
Thank you @helenashton! This is great. I hesitated to try it at first thinking it wouldn't make sense after the | table line in my search, but it works exactly as expected!
In your search, you | table all the fields you need to keep and then copy only the field names you want to be visible into the | fields line.