Activity Feed
- Got Karma for Re: How to Run a search using searchmanager (from javascript) when browser/tab closes?. 11-11-2021 11:56 PM
- Got Karma for Re: How to I monitor a dropdown input for changes using Javascript?. 07-13-2021 08:20 AM
- Got Karma for Re: Set token on submit button click?. 05-12-2021 02:54 AM
- Got Karma for Re: How to I monitor a dropdown input for changes using Javascript?. 03-25-2021 02:35 AM
- Got Karma for Re: How to create time dependent thresholds from lookup?. 11-17-2020 07:19 AM
- Karma Using multiple time range on the same index to return different row values for egonstep. 06-05-2020 12:51 AM
- Karma Re: Data Model acceleration not working for 1 out of 5 event datasets for MaverickT. 06-05-2020 12:51 AM
- Got Karma for Data Model acceleration not working for 1 out of 5 event datasets. 06-05-2020 12:51 AM
- Got Karma for Re: Alert condition considering previous itirations. 06-05-2020 12:51 AM
- Got Karma for Re: Using multiple time range on the same index to return different row values. 06-05-2020 12:51 AM
- Karma Re: Delete button for KV store wont work for niketn. 06-05-2020 12:50 AM
- Karma Re: Delete button for KV store wont work for niketn. 06-05-2020 12:50 AM
- Karma Re: Machine Learning K-Means Clustering Label Question for johannthum. 06-05-2020 12:50 AM
- Karma Re: Conditional Dropdown based on date for paramagurukarth. 06-05-2020 12:50 AM
- Karma Re: How to preserve leading whitespace in a statistcs table? for vnravikumar. 06-05-2020 12:50 AM
- Karma Re: How can I test if I am overfitting? for Sukisen1981. 06-05-2020 12:50 AM
- Karma Re: How to add icons in splunk table without js for chrisyounger. 06-05-2020 12:50 AM
- Karma Re: Set token on submit button click? for nick405060. 06-05-2020 12:50 AM
- Karma Re: What is the proper way for listening SearchManager results in JavaScript for jeffland. 06-05-2020 12:50 AM
- Karma Re: How do you edit a custom message in a 404 page of Splunk for a particular app only? for paramagurukarth. 06-05-2020 12:50 AM
06-03-2020
08:01 AM
Did you find out why it's called multiple times? I am having a similar issue where my logs are logged multiple times but events are only coming in on one of the invocations.
05-12-2020
09:40 AM
@egonstep, Yes, it requires creating a dashboard. Also, I've added an edit saying you can create multiple saved searches as well, like this. You can specify the savedsearch name to the loadjob command in your report search as well. Documentation: https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Loadjob.
05-08-2020
07:06 AM
Hi @vn_g,
I would suggest trying and playing around with the regex at regex101.com. For the sake of example: https://regex101.com/r/7Rp8b8/1/.
You will see a step count, which you can try to minimize as much as possible. I believe Splunk uses a similar metric and sets a hard limit on it for better search performance.
Thanks,
Harsh
05-08-2020
06:43 AM
1 Karma
Hi @egonstep,
I created this hack earlier which might be helpful here. It gives you a setup where you have multiple searches as your base search and then combine all those search results into one search, as follows:
Step 1: Define your searches as follows:
    <search>
      <query>index="X" | stats count | eval "search name"="search1"</query>
      <earliest>-24h</earliest>
      <latest>now</latest>
      <done>
        <set token="search1_sid">$job.sid$</set>
      </done>
    </search>
    <search>
      <query>index="Y" | stats count | eval "search name"="search2"</query>
      <earliest>-7d</earliest>
      <latest>now</latest>
      <done>
        <set token="search2_sid">$job.sid$</set>
      </done>
    </search>
Step 2: Now the SIDs will be set when the searches have finished executing. Use them in the main search with the loadjob command as follows:
    | loadjob $search1_sid$
    | append
        [| loadjob $search2_sid$ ]
As the searches run in parallel (there is a separate job for each search) and the results in the main search are fetched directly from the job SID, you can combine the results of long-running searches this way without append affecting them as before.
Edit: You can also split the search across multiple report searches.
Hope this was helpful.
Thanks,
Harsh
05-08-2020
05:27 AM
visualization.js gets bundled by webpack. The source is available right there in the src directory at the same level. They have used d3.js.
05-08-2020
05:13 AM
Ok, I don't want to bundle the whole app and distribute it, but can we use the code that resides under the appserver/statistics/visualizations directory? Also, in package.json I found the license mentioned as MIT.
05-08-2020
12:32 AM
Hi Splunkers,
I found this visualization, https://splunkbase.splunk.com/app/3120/, useful. It is built by Splunk, but the problem is it comes as a separate app. I want to include it in the app bundle itself. I checked the license and it's MIT. I am not sure if we can just copy it into the app bundle itself or not. If we can, then what would the steps be to do so?
Thanks,
Harsh
04-24-2020
09:23 AM
I believe the answer here helped me identify the issue, so if anyone is having this issue I would suggest first checking in the monitoring console whether any acceleration jobs are being skipped.
04-24-2020
09:23 AM
Thanks for the answer (voted). Appreciate it. But sorry, I cannot accept this as the answer.
04-15-2020
11:04 AM
Hi @nawazns5038
The Add-On always uses the same range you specify during input creation. I found this piece of code in the app, which is executed on each input invocation to create the filter for the API call.
    body = {
        "query": {
            "bool": {
                "filter": [
                    {"range": {opt_date_field_name: {"gte": opt_greater_or_equal, "lte": opt_lower_or_equal}}}
                ]
            }
        }
    }
There is no checkpoint mechanism. It will pull the same time range of data on each invocation. If you want to advance the time range on each invocation you may have to modify the script to store an epoch time in the KV Store as a checkpoint and use it on the next invocation to get only new data.
Hope this was helpful,
Harsh
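The checkpoint idea from the reply above, worked through as an added example (this is not the add-on's code and not part of the original post). It keeps a per-input checkpoint so each invocation queries only from the last successful end time to "now", builds a range filter in the same shape as the add-on's body, and advances the checkpoint only after the API call succeeds, so a failed poll is retried rather than silently skipped. The store class, the fetch callback, the input name, the "@timestamp" field and all function names are assumptions constructed for this example; the store is an in-memory stand-in for a KV Store collection.

```javascript
// Added example, not from the add-on or the original post.
// In-memory stand-in for a KV Store checkpoint collection (constructed for this example).
class MemoryCheckpointStore {
  constructor() { this.map = new Map(); }
  // Return the saved epoch (seconds) for this input, or null on first run.
  load(inputName) { return this.map.has(inputName) ? this.map.get(inputName) : null; }
  save(inputName, epoch) { this.map.set(inputName, epoch); }
}

// Build the range filter body in the same shape as the add-on's query.
// dateField, gte and lte are parameters; times are epoch seconds.
function buildRangeQuery(dateField, gte, lte) {
  return { query: { bool: { filter: [{ range: { [dateField]: { gte, lte } } }] } } };
}

// Compute the window for one invocation. On the first run the window starts at
// initialStart; afterwards it starts at the checkpoint. overlapSeconds re-reads a
// small slice before the checkpoint to tolerate late-indexed documents; a caller
// using overlap must de-duplicate on a document id.
function nextWindow(store, inputName, initialStart, now, overlapSeconds = 0) {
  const checkpoint = store.load(inputName);
  const start = checkpoint === null
    ? initialStart
    : Math.max(initialStart, checkpoint - overlapSeconds);
  if (start > now) {
    // A checkpoint in the future means a clock problem; do not query backwards.
    throw new Error(`checkpoint ${start} is ahead of now ${now}; clock skew?`);
  }
  return { gte: start, lte: now };
}

// Run one invocation. fetch(body) stands in for the add-on's API call and may
// throw; the checkpoint is saved only after it returns, so a failed poll is
// repeated on the next invocation instead of losing that window.
function runInvocation(store, inputName, dateField, initialStart, now, fetch, overlapSeconds = 0) {
  const window = nextWindow(store, inputName, initialStart, now, overlapSeconds);
  const body = buildRangeQuery(dateField, window.gte, window.lte);
  const result = fetch(body);
  store.save(inputName, window.lte);
  return { window, result };
}

// Stand-alone usage with a constructed fetch that records the bodies it received.
const demoStore = new MemoryCheckpointStore();
const demoBodies = [];
const demoFetch = body => { demoBodies.push(body); return demoBodies.length; };
runInvocation(demoStore, "es_input_demo", "@timestamp", 1000, 1600, demoFetch);
runInvocation(demoStore, "es_input_demo", "@timestamp", 1000, 2200, demoFetch, 60);
console.log(JSON.stringify(demoBodies, null, 2));
console.log("checkpoint now:", demoStore.load("es_input_demo"));
```

In the real add-on the store would read and write a KV Store collection through the REST API instead of a Map, and `fetch` would be the existing Elasticsearch call; the window logic and the save-after-success ordering are the parts that matter.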
04-15-2020
10:39 AM
Maybe asking the owner of the app might help. Try creating a GitHub issue here: https://github.com/ChrisYounger/git_for_splunk.
04-14-2020
10:38 AM
I don't think that's a solution. What was the root cause of that issue? I am still troubleshooting and will post an answer with the reason.
Thanks,
Harsh
04-11-2020
01:10 AM
1 Karma
I have one accelerated data model which contains 5 event datasets with simple field conditions. Now when I try to just find the count using tstats count from datamodel=X.Y1 where source=A, it doesn't seem to be accelerated compared to running it on the other 4 datasets. Then I tried passing summariesonly=t in tstats and I got a count of 0 for that 1 dataset, whereas the others gave the correct count. Why is this the case for this one dataset (i.e. it is not summarized?). What might be the cause of this?
Edit (11/04/2020): I deleted all the other 4 datasets and rebuilt the acceleration, and it turns out it worked. Maybe I am hitting some limit on the data model which I am not aware of? This is not random behavior; I did this 2 times on 2 different instances.
Edit (13/04/2020): Found these errors in search.log which suggest that it is not finding tsidx files for this particular dataset, meaning it is not summarized for some reason even though the data model shows acceleration status as 100% (Note: I've removed some parts from the log string):
st_select_handle_new found no TSIDX files warm_rc=[0,0] errno=18
and
Mixed mode is disabled, skipping search for bucket with no TSIDX data: E:\Splunk\indexes\db_1586485508_1586389645_42
Edit (14/04/2020): I was able to fix this issue by simply changing the name of the dataset that was not getting accelerated (it was named executed_background_jobs and I renamed it to batch_jobs_exec). It's still a mystery why it didn't work with the previous name.
Turns out the above fix was random behavior. It is again having issues creating tsidx files.
Edit (17/04/2020): If anyone knows what factors can cause this issue I would appreciate the help. There are no troubleshooting docs or guides for data model acceleration whatsoever.
Edit (22/04/2020): Found on the monitoring console that acceleration searches are being skipped 92% of the time for this dataset (in the last 4 hours) and the others are also getting skipped (all of them above a 60% skip ratio). After looking at the answer by @sowings (link) I came to know that each root dataset has its own job (which can be seen in the monitoring console as well) and, as I have 5 root datasets, there are 5 acceleration report searches in total running every 5 mins (set in the acceleration settings). As the VM has 4 cores and the concurrent job limit is set to 5, it's certain that most of them are going to get skipped. In the monitoring console it also seems that the highest miss ratio was for this specific dataset (approx 92% for the last 4 hours, maybe because it has a large amount of data? not sure). This also explains my previous edit where I tried to accelerate the data model with only a single root dataset: as it would only need one job, it isn't bothered by the skipping issue. I am currently trying the allow_skew parameter available in datamodels.conf, along with reducing the cron frequency for the jobs, and will post the result here. Reference: https://answers.splunk.com/answers/543887/accelerated-data-model-100-complete-even-though-mo.html
Thanks,
Harsh
04-06-2020
09:00 AM
@genesiusj Glad to hear it.
Cheers,
Harsh
03-07-2020
04:22 AM
Did you check whether the query generated after replacing both tokens has a valid condition (one which the event should satisfy)?
03-07-2020
04:17 AM
You can check the settings under Settings > Searches and Reports; click Edit on the search you are having trouble with to see its details.
03-04-2020
10:29 PM
Please elaborate more on what you are trying to achieve.
03-04-2020
04:32 AM
Well, you can use eval in the xml as well. Not sure if this helps:
    <fieldset submitButton="false">
      <input type="dropdown" token="tknProtocol">
        <label>Protocol</label>
        <choice value="SFTP">SFTP</choice>
        <choice value="HTTP">HTTP</choice>
        <change>
          <condition value="SFTP">
            <eval token="tknFinal">case(0=0, "do this", 1=1, "do that")</eval>
          </condition>
          <condition>
          </condition>
        </change>
      </input>
    </fieldset>
Also, could you explain why the above solution doesn't work for you? Sorry, I didn't get it.
03-04-2020
04:18 AM
Could you provide the exact stanza and config from your savedsearches.conf?
03-02-2020
10:57 PM
Hi @adcon82,
You can do something like this. Please note that, based on your use case, you can define whole searches based on the dropdown selection in the token and use the token as the query in the table:
    <form>
      <label>Dropdown based search</label>
      <fieldset submitButton="false">
        <input type="dropdown" token="tknProtocol">
          <label>Protocol</label>
          <choice value="table SFTP">SFTP</choice>
          <choice value="table HTTP">HTTP</choice>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <search>
              <query>| makeresults count=1 | eval SFTP="column value", HTTP="column value" | $tknProtocol$</query>
              <earliest>-24h@h</earliest>
              <latest>now</latest>
            </search>
            <option name="drilldown">none</option>
          </table>
        </panel>
      </row>
    </form>
If the column names have specific starting characters based on the protocol, then you can do something like | table SFTP* (it will table all the columns with names starting with SFTP).
Hope this helps.
03-02-2020
10:41 PM
1 Karma
Hi @praddasg,
Typically how this works is that you have the alert search running at the same interval as the time range you define, so it runs on exclusive events only (i.e. it doesn't overlap onto the same events). So for example, if you set your search time range to 1 hour, then you set up your alert search to run at 1-hour intervals.
Please elaborate if I am misunderstanding your question. I'd be happy to help.
Hope this helps.
10-25-2019
03:16 AM
Hi @kranthimutyala ,
I think what you can do here is have one more layer of tokens through JavaScript, where changing the filter causes this next layer of tokens to update, set by your logic.
For example:
Let's say you have a filter token named $filter_token$. So what you can do is have an onChange event listener on this token, and inside that you can check the value of the token and, according to that, set another token named $search_token$ which will be used in the query. That way you can keep the text input empty, and on page load you can initialize $search_token$ to *, which won't show up in the text input that you are displaying.
Hope this helps,
Harsh
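The two-layer token idea from the reply above, worked through as an added example (this is not code from the original post). The binding function only needs an object with get, set and on, so it can be handed the Splunk default token model (mvc.Components.getInstance("default") from splunkjs/mvc) inside a dashboard; to run offline it is shown here with a minimal stand-in model constructed for the example. The token names $filter_token$ and $search_token$ come from the post; the class and function names, and the rule that a non-empty filter is turned into a quoted SPL string literal, are assumptions of this example. Quoting matters because $search_token$ is substituted straight into the query, so a user typing search operators into the text box would otherwise change the query's meaning.

```javascript
// Added example, not from the original post.
// Minimal stand-in for the splunkjs default token model (constructed for offline use).
// It mimics the Backbone-style "change:<token>" events the real model emits.
class TokenModel {
  constructor() { this.values = {}; this.listeners = {}; }
  get(name) { return this.values[name]; }
  set(name, value) {
    const old = this.values[name];
    this.values[name] = value;
    if (old !== value) (this.listeners[name] || []).forEach(fn => fn(this, value));
  }
  on(event, fn) {
    const name = event.replace(/^change:/, "");
    (this.listeners[name] = this.listeners[name] || []).push(fn);
  }
}

// Wrap a user-supplied value as an SPL double-quoted string: backslashes and
// double quotes are escaped with a backslash so the text stays a literal.
function quoteSpl(value) {
  return '"' + String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

// Derive the second-layer token from the filter token. An empty or blank filter
// means "match everything", which in SPL is a bare *; anything else becomes a
// quoted literal rather than being pasted into the query as raw SPL.
function deriveSearchToken(filterValue) {
  const text = (filterValue == null ? "" : String(filterValue)).trim();
  return text === "" ? "*" : quoteSpl(text);
}

// Wire the layers: initialize search_token on load (so the text input can stay
// empty while the query already has *), then re-derive it on every filter change.
function bindFilterToSearch(tokens) {
  tokens.set("search_token", deriveSearchToken(tokens.get("filter_token")));
  tokens.on("change:filter_token", (model, value) => {
    tokens.set("search_token", deriveSearchToken(value));
  });
  return tokens;
}

// Stand-alone usage with the stand-in model.
const demoTokens = bindFilterToSearch(new TokenModel());
console.log(demoTokens.get("search_token"));          // * on page load
demoTokens.set("filter_token", "web");
console.log(demoTokens.get("search_token"));          // "web"
demoTokens.set("filter_token", 'x" OR host="*');
console.log(demoTokens.get("search_token"));          // the operators stay inside one quoted literal
```

In a real dashboard the same call would be made from the usual require(["splunkjs/mvc", "splunkjs/mvc/simplexml/ready!"], ...) block with the default token model passed in, and the query would reference $search_token$ instead of the text input's own token.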
08-22-2019
11:43 PM
Hello everyone,
So I was trying to understand how prebuilt panels work so I can use them in an HTML dashboard. First I created a dashboard with prebuilt panels using Simple XML; I had these different panel scenarios. I added one with a custom drill-down (redirects to a search in a new tab with a custom search). After saving it I just clicked the Convert to HTML option provided at the top right. The converted dashboard lost the custom drill-down and set it to the default drill-down search. Not sure if it is supposed to do this.
Thanks,
Harsh
08-13-2019
06:21 AM
Hi,
So at the current state, my search results are in the following format:
    key  fieldname  fieldvalue
    k1   name1      0 day
    k1   name2      N/A
    k2   name1      0 day
I want it to be something like the following but I am not sure how to achieve this:
    key  name1  name2
    k1   0 day  N/A
    k2   0 day
Thanks,
Harsh
07-15-2019
10:55 PM
Hi @nick405060,
I encountered something similar to this. If you inspect the HTML generated by your XML you will realise where the problem lies.
To solve it I assigned an id to the panel and then added the button through JavaScript as follows:
XML:
    <panel id="mypanel">
      <html depends="$alwaysHideCSSPanel$">
        <style>
          #submit_button .btn-pill{
            background-repeat: repeat-x;
            background-color: #61a637;
            color: #ffa;
            text-shadow: none;
            text-decoration: none;
            border-radius: 4px;
          }
          #submit_button .btn-pill.active{
            background-color: rgba(100,255,100,.05) !important;
            text-decoration: none !important;
            color: #500 !important;
            border-radius: 4px !important;
          }
        </style>
      </html>
      <input type="text" token="networkIdOnChange" searchWhenChanged="false">
        <label>NetworkID:</label>
        <default></default>
      </input>
      <input type="text" token="networkid" depends="$justHideMe$" searchWhenChanged="false">
        <default>$networkIdOnChange$</default>
      </input>
    </panel>
JavaScript:
    require([
        "jquery",
        "splunkjs/mvc/simplexml/ready!"
    ], function ($, mvc) {
        // Append a submit button inside the panel whose id was set in the XML above.
        $("#mypanel > div > div").append(
            '<div class="input"><label> </label><div class="splunk-view"><button class="btn" id="submit_button">Submit</button></div></div>'
        );
    });
Hope this helps,
Harsh