Hi all, I have below input: Now I want to do below comparision: (Row1 = started AND row2=started ) OR (row3="started" AND Row4="started") The result is good otherwise result is bad. I don't know how to do that comparison and save the value, can anyone please help? ... View more

I want to get alerts for the situations which are different from below conditions: Server a B C D condition ü ü X X X X ü ü I want to check Splunk, for the above servers, if this condition is there then it's ok- otherwise, it will alert us via email. PS: The above condition means either a and B is UP and C and D is down or A and B is Down and C and D is UP. If there are any other conditions like all are UP or all are DOWN or A and C are UP or many more condition then it will alert us. But I am not able to use Splunk to set this condition, can anyone please help me with this? I am not sure if we can use LOOKUP table to check this one. ... View more

Hi, I know how to extract the HTTP Status from Splunk. But I need it in the below format which I am not able to do: If any status with 2% and 3% then it will show as "Success" Apart from that, it will show all the status codes (example 400, 428, 430, 500, 520 or anything ) I am able to extract all the codes: |eval status=case(like(status,"2%"),"2xx",like(status,"3%"),"3xx",like(status,"4%"),"4xx",like(status,"5%"),"5xx") | stats count by status | eventstats sum(count) as perc | eval perc=round(count*100/perc,2) But in this, the table is like this: status count perc 2xx 3154 96.63 3xx 44 1.35 4xx 66 2.02 If I remove the eval and like statement then it will show the result as below: status count perc 200 2922 88.84 201 252 7.66 302 22 0.67 304 25 0.76 401 9 0.27 404 6 0.18 422 53 1.61 Whereas I want the result as below: Status count perc success(2X and 3X) 300 8.00 401 9 0.27 404 6 0.18 422 53 1.61 Can anyone help me? Thank you. ... View more

HI, I want to pass the single value into a drilldown. I tried two options, but nothing has worked. Please help me in this: I tried to click on the single value, and then on the same dashboard below table populates the details of the source. List item Code is: <dashboard> <label>TV Dashboard</label> <description>Starting...</description> <row id="allpage_row1"> <panel> <single> <search> <query>index=metroday source="tcscheck.sh" STATUS=UP raxtype=* | dedup host | stats count(STATUS) as COUNT | rangemap field=COUNT low=12-99 elevated=9-11 severe=0-8</query> <earliest>-3m@m</earliest> <latest>now</latest> </search> <option name="underLabel">TCS</option> <option name="refresh.auto.interval">120</option> <option name="refresh.time.visible">false</option> <option name="link.visible">false</option> <option name="classField">range</option> <option name="drilldown">all</option> <drilldown> <set token="source">$row.source$</set> <set token="table.source">$row.source$</set> </drilldown> </single> </panel> </row> <row> <panel depends="$source$"> <title>Source details</title> <table> <search> <query>index = metroday source=$source$ | table host, count </query> <earliest>-7d</earliest> <latest>-0d</latest> </search> </table> </panel> </row> </dashboard> I have used is clicking on this dashboard and opens a new dashboard: Source is: <search> <query>source="httppinger.sh" host=*JBO* SUCCESS | chart distinct_count(host) as COUNT | rangemap field=COUNT low=6-10 severe=0-5</query> <earliest>-7m@m</earliest> <latest>now</latest> </search> <option name="underLabel">Browser</option> <option name="refresh.auto.interval">180</option> <option name="refresh.time.visible">false</option> <option name="link.visible">false</option> <option name="classField">range</option> <drilldown taregt="blank"> <link>tv_dashboard_drilldown?dashboard.hosttok=$click.value$</link> </drilldown> </single>` Target code is: `<panel> <form> <label>Target dashboard for drilldown</label> <row> <table id="detail" depends="$source$"> <query>index = metroday source=$source$ | table host, count, source | dedup host</query> <earliest>-7d</earliest> <latest>-0d</latest> </table> </row> </form> </panel>` But nothing is working. I am interested in a second option where I clicked on the number and it opens a new dashboard and passes the value to it. My source dashboard will look like the attachment where when I click on the number 3, it will open new dashboard and create the table that contains the details of all the 3 sourcetypes. ... View more

Hi, I am trying to search for a list of users who have not logged into the Splunk environment in the past 30 days. Can you please look into the below query and let me know what is not correct in that? index=_internal sourcetype=splunkd_access | eval length=len(user) | search length>1 | eval Time=strptime(_time,"%Y-%m-%d") | eval Before30days=relative_time(now(),"-30d@d") |where Time ... View more

Hi All, Let me first explain the scenario to you: i have 4 servers in production and 2 servers in staging. My staging is not up-to date, and we want to move all the data from production to staging so that we can do first the changes in staging and review it there. Then finally, we move it to production. But there are some searches, dashboards that are specific to environment. Now the problem is: How do I move such data from production to staging irrespective of the environment? Is there a way so that, once we coordinate both the environment in the future and once we do the changes to the staging, we can move easily to the production for implementation? I am new to Splunk so I can't find these solutions. Thanks for your help in advance ... View more