Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About agro1986001
agro1986001
Engager
Member since:
01-09-2019
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 01-09-2019 |
Activity Feed
- Karma Re: How do you make a real time alert for the first occurrence of an event? for richgalloway. 06-05-2020 12:50 AM
- Posted Re: ingest-time eval (creating new field dynamically on index time) not working on Splunk Search. 01-26-2019 10:27 PM
- Posted ingest-time eval (creating new field dynamically on index time) not working on Splunk Search. 01-26-2019 09:09 AM
- Tagged ingest-time eval (creating new field dynamically on index time) not working on Splunk Search. 01-26-2019 09:09 AM
- Tagged ingest-time eval (creating new field dynamically on index time) not working on Splunk Search. 01-26-2019 09:09 AM
- Posted Re: How do you run a Python script on (or before) an index? on Splunk Dev. 01-23-2019 05:46 AM
- Posted Re: How do you run a Python script on (or before) an index? on Splunk Dev. 01-23-2019 05:34 AM
- Posted Re: How do you make a real time alert for the first occurrence of an event? on Alerting. 01-23-2019 05:26 AM
- Posted How do you run a Python script on (or before) an index? on Splunk Dev. 01-23-2019 05:22 AM
- Tagged How do you run a Python script on (or before) an index? on Splunk Dev. 01-23-2019 05:22 AM
- Tagged How do you run a Python script on (or before) an index? on Splunk Dev. 01-23-2019 05:22 AM
- Tagged How do you run a Python script on (or before) an index? on Splunk Dev. 01-23-2019 05:22 AM
- Posted How do you make a real time alert for the first occurrence of an event? on Alerting. 01-09-2019 11:34 PM
- Tagged How do you make a real time alert for the first occurrence of an event? on Alerting. 01-09-2019 11:34 PM
- Tagged How do you make a real time alert for the first occurrence of an event? on Alerting. 01-09-2019 11:34 PM
- Tagged How do you make a real time alert for the first occurrence of an event? on Alerting. 01-09-2019 11:34 PM
- Tagged How do you make a real time alert for the first occurrence of an event? on Alerting. 01-09-2019 11:34 PM
- Tagged How do you make a real time alert for the first occurrence of an event? on Alerting. 01-09-2019 11:34 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
01-26-2019
10:27 PM
@richgalloway
Thanks for your reply
$ pwd
/Applications/Splunk/etc/system/local
$ cat transforms.conf
[myeval]
INGEST_EVAL = eval_city=lower(city)
$ cat props.conf
[testLog]
TRANSFORMS = myeval
$ cat fields.conf
[eval_city]
INDEXED = True
Here's my search
sourcetype=testLog
time=2019-01-27T15:23:02.664129+09:00 eventName=purchase userId=8304 city="London" item=food price=4200
And here's trying to get the ingest-time eval field
sourcetype=testLog | table userId, city, eval_city
but eval_city is blank
Any idea? Thanks a lot!
... View more
01-26-2019
09:09 AM
Hi. I tried the ingest-time eval documentation at (single enterprise instance):
https://docs.splunk.com/Documentation/Splunk/7.2.3/Data/IngestEval
However I could find the new field from the "| table eval_user" pipe. Does anyone have any experience in making it work? Thanks a lot
... View more
- Tags:
- eval
- index-time
01-23-2019
05:46 AM
Thanks, but that's different than what I want to accomplish.
I'm not trying to make a script that inputs data to splunk.
I already have data flowing into splunk. I just want a script to be called for every event before that event gets indexed.
... View more
01-23-2019
05:34 AM
Hi @vishaltaneja07011993
I gave a simple example of reading data, but unfortunately what I'm doing is not just that. Let's say for example that my python script wants to write to a database (mysql, redis, etc.), which cannot be done using just splunk (only an example. the point is I really want a python script to be called). I want to know whether it's technically possible or not.
Thanks a lot!
... View more
01-23-2019
05:26 AM
Thanks @richgalloway
But now the question becomes, how do I maintain such lookup using only Splunk?
My idea is to run a script on/before index and then somehow writes into Splunk's key value store. However I couldn't find info on how to make a custom script called on/before index. Any idea? Thanks
Related question is here: https://answers.splunk.com/answers/718386/run-a-python-script-on-or-before-index.html
... View more
01-23-2019
05:22 AM
Hi,
Is it possible to create a custom app on Splunk so that will run a Python script on a custom source (or sourcetype) before a new item is indexed? Specifically, I would also like to access the data that is incoming.
Suppose I have this event coming into splunk:
eventName=newUser firstName=henry lastName=adams
I would like to intercept it and then perhaps add fullName="henry adams"
PS: on my use case, I have to do the processing on/before index, so I cannot use real time alerts.
Best regards
... View more
Labels
- Labels:
-
python
01-09-2019
11:34 PM
Suppose I have events of user purchases
<pre>
eventName=purchase userId=1 time=1000 item=food price=100
eventName=purchase userId=1 time=1002 item=cloth price=200
eventName=purchase userId=1 time=1010 item=cloth price=150
eventName=purchase userId=99 time=1050 item=book price=200
</pre>
I would like to set a real time alert that informs me whether a user's FIRST EVER purchase has price >= 200
If I use normal search, I can just use "All time" with this query
<pre>
eventName=purchase | sort time | dedup userId | where price >= 200
</pre>
However, how do I efficiently implement the same thing using real time search? Something like
<pre>
eventName=purchase | ONLY PROCEED WHEN THIS IS THE FIRST ONE FOR THE USER | where price >= 200
</pre>
Thanks
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
