About curtismcginity

curtismcginity · ‎10-13-2022

Have this same need. Has there been any progress along these lines, e.g. with tokens?

curtismcginity · ‎02-10-2022

If you do a (distinct)count of something and there are no matching events, the result is 0. This is expected behavior imho. Actually there's a very important distinction to make here. Suppose I ask you, "How many balls are inside the box in the next room?" Consider two scenarios: You walk into the next room, see the box, look inside, and see nothing. You walk into the next room and see nothing. No box, no balls; nothing. These are clearly not the same scenario, and so I would expect different behavior imho. Intuitively, a human would likely respond along the lines of "Zero!" "Uhm... there is no box!" The fundamental issue is that any feasible response to a question implicitly validates the premise(s) of the question. In case 2, we need Splunk to return a result indicating our premise is false. Indeed, the "null value" config exists, at least in part, to make this distinction... assuming it works 😉

curtismcginity · ‎02-10-2022

I observe results contradictory to this. Specifically, I have a group of `alerts' visible in the GUI at `~/app/search/alerts` and not visible in `~/app/search/reports`. The entire group has `alert.track=0`. If these were created as `reports` with `alert` actions (in this case, email), then how/why does Splunk know to make these visible in `Alerts` and not `Reports`? If these are created as `alerts` and are visible in `Alerts`, then why does Splunk set `alert.track=0`? (P.S. How did you accomplish that inline formatting in your response? Can't seem to make it work...)

curtismcginity · ‎07-01-2021

We have three cases of wildcard renaming preceding an eval command that result in errors (searches below): In Case 1 we observe a silent error whereby a duplicate field (of the same name!) is created with a different value, and in Case 2, we have an overt error in eval ("Expected )"). The solution is to employ quotes, but the rules appear different in each case (see below table). In light of this, how should we be thinking about wildcard/bulk renaming in an "as" clause preceding an eval? The apparent rules are summarized in the following table. The first row is modeled after the relevant elements of the final eval statement in the below searches. The red options do not work as expected (either due to created a duplicate field in Text prefix case, or due to an eval error in the Numeric prefix case). | eval <field> = if( isnotnull(_____), _____,0) Case 1: Text prefix <field> | "<field>" | '<field>' <field> | '<field>' Case 2: Numeric prefix <field> | "<field>" | '<field>' <field> | '<field>' Case 3: Suffix <field> | "<field>" | '<field>' <field> | '<field>' Reproduce Case 1 with this search (generates duplicate field with value 0): index=_internal sourcetype=splunkd earliest=-5m@m latest=@m | timechart span=1m c as ct, avg(linecount) as lc by sourcetype | rename ct:* as *_ct | stats sum(*_ct) as *_txtprefix | eval splunkd_txtprefix = if(isnotnull(splunkd_txtprefix),splunkd_txtprefix,0) Reproduce Case 2 and Case 3 with this search (generates eval error): index=_internal sourcetype=splunkd earliest=-5m@m latest=@m | timechart span=1m avg(linecount) as lc_100, max(linecount) as lc_200, sum(linecount) as 100_lc, min(linecount) as 200_lc | stats sum(lc_*) as *_numprefix, sum(*_lc) as numsuffix_* | eval 100_numprefix = if(isnotnull(100_numprefix),100_numprefix,0), numsuffix_100 = if(isnotnull(numsuffix_100),numsuffix_100,0) You can resolve the error by replacing the final line with | eval 100_numprefix = if(isnotnull('100_numprefix'),'100_numprefix',0), numsuffix_100 = if(isnotnull(numsuffix_100),numsuffix_100,0)

curtismcginity · ‎04-07-2021

In the context of an HTML Dashboard, why would a simple JS file get parsed into HTML within .../static/app/myapp/? For example, line 20 of myClass.js reads: size(width,height) { which, inside of my.splunk.domain/en-US/static/@12B...85/app/myapp/myClass.js becomes <tr> <td id="L20" class="blob-num js-line-number" data-line-number="20"></td> <td id="LC20" class="blob-code blob-code-inner js-file-line"> size ( width , height ) {</td> </tr> and so on for the entire file. Please note that myClass.js has the simple form // this is the entire file class myClass { // vanilla js stuff... } Here's the relevant context: I have an HTML dashboard, properly converted from a simple XML via the UI. This dashboard uses two JS files: d3.js and myClass.js. The first file, d3, works just fine; the second is included identically: require.config({ baseUrl: "{{SPLUNKWEB_URL_PREFIX}}/static/js", waitSeconds: 0, // Disable require.js load timeout paths: { 'd3': '{{SPLUNKWEB_URL_PREFIX}}/static/app/myapp/d3v5', 'myClass': '{{SPLUNKWEB_URL_PREFIX}}/static/app/myapp/myClass' } }); require([ "splunkjs/mvc", // ... "myClass", "d3" // Add comma-separated libraries and modules manually here, for example: // ..."splunkjs/mvc/simplexml/urltokenmodel" ], function( mvc, // ... myClass, d3 // Add comma-separated parameter names here, for example: // ...UrlTokenModel ) { // Everything else... } Both scripts are properly located in /splunk/etc/apps/myapp/appserver/static myClass.js does depend on d3.js. The browser console logs two errors: Uncaught SyntaxError: Unexpected token '<' in myClass.js: // Translations for en_US i18n_register({"plural": function(n) { return n == 1 ? 0 : 1; }, "catalog": {}}); <!DOCTYPE html> // ERROR THROWN HERE // ... bubbling to Uncaught TypeError: Cannot read property 'myProperty' of undefined Again, d3.js is also included in the same way and works fine; the script includes a similar preamble but is otherwise unchanged. Any ideas and/or solutions would be very much appreciated. Also, apologies for the formatting; extra spaces are being inserted.

curtismcginity · ‎04-09-2019

I have simple KPI giving a distinct count of a USER_ID field. Assume USER_ID exists for 100% of logged events. Within ITSI, the KPI is configured to "fill gaps in data" with NULL values and an Unknown threshold level. During a time when no events were logged, the KPI maintained a 0 value (not the NULL value). Is this a bug, or some kind of expected behavior? Any suggestions on a workaround?

curtismcginity · ‎03-08-2019

So I solved this problem by applying a time zone offset using kvstore_to_json.py operations. The documentation very clearly details how to make this work. Just remember to enter your time offset in SECONDS, as I missed this the first time around 🙂 Edit: Link doesn't seem to appear, so adding here: http://docs.splunk.com/Documentation/ITSI/4.1.2/Configure/kvstore_to_json.pyoperations#Apply_time_zone_offset

Posts	7
Solutions	0
Karma Given	20
Karma Received	2
Member Since	‎03-08-2019

Online Status	Offline
Date Last Visited	‎10-13-2022 08:42 PM

How to think about wildcard/bulk renaming in AS cl...

In an HTML dashboard, why is a simple JS file pars...

ITSI distinct count KPI: 0 vs. NULL values?

Re: Splunk Dashboards EventHandlers options,Splunk...

Re: ITSI distinct count KPI: 0 vs. NULL values?

Re: How can i query to get all alerts which are c...

How to think about wildcard/bulk renaming in AS cl...

In an HTML dashboard, why is a simple JS file pars...

ITSI distinct count KPI: 0 vs. NULL values?

Re: Different time displayed(ITSI threshold for ti...