Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About AlanMoen
AlanMoen
Explorer
Member since:
02-26-2019
06-13-2024
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 11 |
| Karma Received | 0 |
| Member Since | 02-26-2019 |
Activity Feed
- Posted Re: Is there a yum/rpm repo for Splunk? on Security. 06-13-2024 10:16 AM
- Karma Re: Is there a yum/rpm repo for Splunk? for grangerx. 06-13-2024 10:14 AM
- Karma Re: High disk space utilization on indexer for richgalloway. 10-24-2023 04:36 AM
- Karma Re: High disk space utilization on indexer for richgalloway. 10-24-2023 04:35 AM
- Posted Re: JSON array contents to lookup table on Splunk Search. 07-18-2022 05:32 PM
- Karma Re: JSON array contents to lookup table for yuanliu. 07-18-2022 05:31 PM
- Posted Re: JSON array contents to lookup table on Splunk Search. 07-18-2022 05:04 AM
- Posted Re: JSON array contents to lookup table on Splunk Search. 07-17-2022 05:50 PM
- Posted How to extract JSON array contents to lookup table? on Splunk Search. 07-17-2022 03:06 PM
- Karma Re: Is it possible to Monitor Splunk User activity? for bandit. 06-02-2022 03:11 PM
- Karma Re: What provides data to inputlookup:system_version_tracker for ddance_splunk. 06-02-2022 05:34 AM
- Karma Re: Is it possible to add a default value for a lookup without match? for sundareshr. 02-28-2022 08:25 AM
- Posted Re: Cisco eStreamer for Splunk : Narly all the events are getting timestamped to midnight? on All Apps and Add-ons. 09-29-2020 10:59 AM
- Karma Re: Splunk SAML authentication - Data Confidentiality issue for sduff_splunk. 06-05-2020 12:50 AM
- Karma Re: Splunk SAML authentication - Data Confidentiality issue for nickhills. 06-05-2020 12:50 AM
- Karma FEATURE REQUEST: Splunk Alert: All Clear Notification for bandit. 06-05-2020 12:48 AM
- Karma Re: renaming saved alerts for tsvetan. 06-05-2020 12:46 AM
- Posted Re: Problem changing cell color in dashboard on Dashboards & Visualizations. 10-14-2019 11:56 AM
- Posted Problem changing cell color in dashboard on Dashboards & Visualizations. 10-14-2019 11:38 AM
- Tagged Problem changing cell color in dashboard on Dashboards & Visualizations. 10-14-2019 11:38 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
06-13-2024
10:16 AM
This shouldn't be rocket surgery. But I expect that, since Splunk was acquired by Cisco, this will never be resolved directly. Thanks to grangerx for doing God's Splunk's work.
... View more
07-18-2022
05:04 AM
No - it looks like this when I add _time: _time | membershipId | joinDate
---------------------------------------------------------------
2022/07/18 07:25:00 | 012345678912345678 | 02-21-2020T09:25:36Z
| 987654321098765432 | 09-15-2019T17:53:25Z
| etc I need all three fields populated in the lookup field. The _time field is important to some later processes. If a member leaves, I need to know the last time they were found to be there.
... View more
07-17-2022
05:50 PM
OK - That does get the ID and joinDate in a table as discrete value pairs, so I'm closer, but trying to add the _time value only associates it with the first value pair. But it's a start, thanks
... View more
07-17-2022
03:06 PM
I've got a JSON array I ingest that I want to extract certain fields from to save into a lookup table.
Here's an example of the JSON:
{
"Response": {
"results": [
{
"memberType": 2,
"isOnline": false,
"lastOnlineStatusChange": "1657176499",
"groupId": "1234567",
"destinyUserInfo": {
"LastSeenDisplayName": "UserName1",
"LastSeenDisplayNameType": 1,
"iconPath": "/img/theme/bungienet/icons/xboxLiveLogo.png",
"crossSaveOverride": 1,
"applicableMembershipTypes": [
2,
1
],
"isPublic": false,
"membershipType": 1,
"membershipId": "1234567890123456789",
"displayName": "UserName1",
"bungieGlobalDisplayName": "UserName1",
"bungieGlobalDisplayNameCode": 9999
},
"bungieNetUserInfo": {
"supplementalDisplayName": "UserName1#9999",
"iconPath": "/img/profile/avatars/default_avatar.gif",
"crossSaveOverride": 0,
"isPublic": false,
"membershipType": 254,
"membershipId": "12345678",
"displayName": "UserName1",
"bungieGlobalDisplayName": "UserName1",
"bungieGlobalDisplayNameCode": 9999
},
"joinDate": "2021-10-27T20:56:48Z"
},
{
"memberType": 2,
"isOnline": false,
"lastOnlineStatusChange": "1657390180",
"groupId": "1234567",
"destinyUserInfo": {
"LastSeenDisplayName": "UserName2",
"LastSeenDisplayNameType": 1,
"iconPath": "/img/theme/bungienet/icons/xboxLiveLogo.png",
"crossSaveOverride": 1,
"applicableMembershipTypes": [
2,
3,
1
],
"isPublic": false,
"membershipType": 1,
"membershipId": "4611686018431599324",
"displayName": "UserName2",
"bungieGlobalDisplayName": "UserName2",
"bungieGlobalDisplayNameCode": 8888
},
"bungieNetUserInfo": {
"supplementalDisplayName": "UserName2#8888",
"iconPath": "/img/profile/avatars/HaloRingcopy.gif",
"crossSaveOverride": 0,
"isPublic": false,
"membershipType": 254,
"membershipId": "1990219",
"displayName": "UserName2",
"bungieGlobalDisplayName": "UserName2",
"bungieGlobalDisplayNameCode": 8888
},
"joinDate": "2020-04-07T15:07:21Z"
}
],
"totalResults": 2,
"hasMore": true,
"query": {
"itemsPerPage": 2,
"currentPage": 1
},
"useTotalResults": true
},
"ErrorCode": 1,
"ThrottleSeconds": 0,
"ErrorStatus": "Success",
"Message": "Ok",
"MessageData": {}
}
(I truncated the results array to 2, there are normally many more) I want to write to a lookup table like this:
_time | membershipId | joinDate
2022-07-17 16:20:28 | 1234567890123456789 | 2021-10-27T20:56:48Z
2022-07-17 16:20:28 | 9876543210123456789 | 2020-04-07T15:07:21Z
I can get something close into a table with:
index=myindex
| rename Response.results{}.destinyUserInfo.membershipId as membershipId Response.results{}.joinDate as JoinDate
| table _time ID JoinDate
but saving that to a lookup table makes the membershipId and joinDate into multivalue fields and stores all of the values accordingly. I need them separate. Help?
... View more
Labels
- Labels:
-
field extraction
09-29-2020
10:59 AM
I'm running into this problem right now; did you ever find a resolution?
... View more
10-14-2019
11:56 AM
Hmmmm. I was using |stats because I had a couple 'by' clauses that I decided were redundant. I changed the final line to a table and now the formatting works.
Curious why it didn't work with the 'stat' command but does with the 'table' because I do use stats in other places where this would be nice. So, while this isn't so pressing now, it would be nice to understand why this didn't work with a stats table but it did work with a table, errr, table.
Thanks for your attention!
... View more
10-14-2019
11:38 AM
Using Splunk Enterprise v7.2.1
I'm creating a dashboard and want to change the colors of some of my cells based on the field value. I'm having a very hard time getting this to work as expected. What happens is that if ANY of the fields in the column match the if(like)) condition, ALL of the cells are set to that color. If none of the cell match, then they're set to the NOT IF color. Here're the format lines from the XML (they follow the option tags):
<format type="color" field="Availability">
<colorPalette type="expression">if(like(value,"%available"), "#00F000", "#F00000")</colorPalette>
</format>
<format type="color" field="Status">
<colorPalette type="expression">if(like(value,"%Nope"), "#00F000", "#F00000")</colorPalette>
</format>
And here's what the output looks like:
I purposely chose a string that doesn't match anything in the "Status" column to illustrate what's happening here.
I'm using unicode characters because I don't want to mess with icons, java, and .css files just now - the formats behave the same way if I remove the characters anyway. I've also tried if(value=="whatever", "#00F000", "#F00000") as well as if(match(...),...) to no avail.
The query I'm using is:
| from datamodel:"bigip-tmsh-pool_member_status.all"
| eval check="✅"
| eval warn="⚠️"
| eval error="❌"
| eval critical="☠️"
| where host=$host$ AND pool_name="$pool_name$"
| dedup pool_member_name
| sort enabled_state availability_state
| eval availability_state=if(availability_state="offline", error.availability_state.error, check.availability_state)
| eval enabled_state=if(enabled_state="disabled", critical.enabled_state.critical, check.enabled_state)
| convert ctime(_time) as event_time
| sort pool_member_name
| stats list(event_time) as "Last Checkin" list(pool_member_name) as "Pool Member" list(availability_state) as "Availability" list(enabled_state) as "Status" list(status_reason) as "Status Msg"
I'm at a loss and would appreciate any assistance.
... View more
10-02-2019
11:58 AM
Any chance you could share the code for these dashboards? I'm trying similar things but am a neophyte in Splunk.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-13-2024
03:40 AM
|
Karma given to
