×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
AlanMoen
Explorer
Member since: ‎02-26-2019
yesterday
Community Statistics
Posts 9
Solutions 0
Karma Given 11
Karma Received 0
Member Since ‎02-26-2019
Activity Feed
View All

Re: Is there a yum/rpm repo for Splunk?

by in Security
‎06-13-2024 10:16 AM
‎06-13-2024 10:16 AM
This shouldn't be rocket surgery. But I expect that, since Splunk was acquired by Cisco, this will never be resolved directly. Thanks to grangerx for doing God's Splunk's work. ... View more

Re: JSON array contents to lookup table

by in Splunk Search
‎07-18-2022 05:32 PM
‎07-18-2022 05:32 PM
Perfect! Thank you very much for your assistance ... View more

Re: JSON array contents to lookup table

by in Splunk Search
‎07-18-2022 05:04 AM
‎07-18-2022 05:04 AM
No - it looks like this when I add _time: _time | membershipId | joinDate --------------------------------------------------------------- 2022/07/18 07:25:00 | 012345678912345678 | 02-21-2020T09:25:36Z | 987654321098765432 | 09-15-2019T17:53:25Z | etc I need all three fields populated in the lookup field. The _time field is important to some later processes. If a member leaves, I need to know the last time they were found to be there. ... View more

Re: JSON array contents to lookup table

by in Splunk Search
‎07-17-2022 05:50 PM
‎07-17-2022 05:50 PM
OK - That does get the ID and joinDate in a table as discrete value pairs, so I'm closer, but trying to add the _time value only associates it with the first value pair. But it's a start, thanks ... View more

How to extract JSON array contents to lookup table...

by in Splunk Search
‎07-17-2022 03:06 PM
‎07-17-2022 03:06 PM
I've got a JSON array I ingest that I want to extract certain fields from to save into a lookup table. Here's an example of the JSON:     { "Response": { "results": [ { "memberType": 2, "isOnline": false, "lastOnlineStatusChange": "1657176499", "groupId": "1234567", "destinyUserInfo": { "LastSeenDisplayName": "UserName1", "LastSeenDisplayNameType": 1, "iconPath": "/img/theme/bungienet/icons/xboxLiveLogo.png", "crossSaveOverride": 1, "applicableMembershipTypes": [ 2, 1 ], "isPublic": false, "membershipType": 1, "membershipId": "1234567890123456789", "displayName": "UserName1", "bungieGlobalDisplayName": "UserName1", "bungieGlobalDisplayNameCode": 9999 }, "bungieNetUserInfo": { "supplementalDisplayName": "UserName1#9999", "iconPath": "/img/profile/avatars/default_avatar.gif", "crossSaveOverride": 0, "isPublic": false, "membershipType": 254, "membershipId": "12345678", "displayName": "UserName1", "bungieGlobalDisplayName": "UserName1", "bungieGlobalDisplayNameCode": 9999 }, "joinDate": "2021-10-27T20:56:48Z" }, { "memberType": 2, "isOnline": false, "lastOnlineStatusChange": "1657390180", "groupId": "1234567", "destinyUserInfo": { "LastSeenDisplayName": "UserName2", "LastSeenDisplayNameType": 1, "iconPath": "/img/theme/bungienet/icons/xboxLiveLogo.png", "crossSaveOverride": 1, "applicableMembershipTypes": [ 2, 3, 1 ], "isPublic": false, "membershipType": 1, "membershipId": "4611686018431599324", "displayName": "UserName2", "bungieGlobalDisplayName": "UserName2", "bungieGlobalDisplayNameCode": 8888 }, "bungieNetUserInfo": { "supplementalDisplayName": "UserName2#8888", "iconPath": "/img/profile/avatars/HaloRingcopy.gif", "crossSaveOverride": 0, "isPublic": false, "membershipType": 254, "membershipId": "1990219", "displayName": "UserName2", "bungieGlobalDisplayName": "UserName2", "bungieGlobalDisplayNameCode": 8888 }, "joinDate": "2020-04-07T15:07:21Z" } ], "totalResults": 2, "hasMore": true, "query": { "itemsPerPage": 2, "currentPage": 1 }, "useTotalResults": true }, "ErrorCode": 1, "ThrottleSeconds": 0, "ErrorStatus": "Success", "Message": "Ok", "MessageData": {} }     (I truncated the results array to 2, there are normally many more) I want to write to a lookup table like this:     _time | membershipId | joinDate 2022-07-17 16:20:28 | 1234567890123456789 | 2021-10-27T20:56:48Z 2022-07-17 16:20:28 | 9876543210123456789 | 2020-04-07T15:07:21Z     I can get something close into a table with:     index=myindex | rename Response.results{}.destinyUserInfo.membershipId as membershipId Response.results{}.joinDate as JoinDate | table _time ID JoinDate     but saving that to a lookup table makes the membershipId and joinDate into multivalue fields and stores all of the values accordingly. I need them separate. Help? ... View more
Labels

Re: Cisco eStreamer for Splunk : Narly all the e...

by in All Apps and Add-ons
‎09-29-2020 10:59 AM
‎09-29-2020 10:59 AM
I'm running into this problem right now; did you ever find a resolution? ... View more

Re: Problem changing cell color in dashboard

by in Dashboards & Visualizations
‎10-14-2019 11:56 AM
‎10-14-2019 11:56 AM
Hmmmm. I was using |stats because I had a couple 'by' clauses that I decided were redundant. I changed the final line to a table and now the formatting works. Curious why it didn't work with the 'stat' command but does with the 'table' because I do use stats in other places where this would be nice. So, while this isn't so pressing now, it would be nice to understand why this didn't work with a stats table but it did work with a table, errr, table. Thanks for your attention! ... View more

Problem changing cell color in dashboard

by in Dashboards & Visualizations
‎10-14-2019 11:38 AM
‎10-14-2019 11:38 AM
Using Splunk Enterprise v7.2.1 I'm creating a dashboard and want to change the colors of some of my cells based on the field value. I'm having a very hard time getting this to work as expected. What happens is that if ANY of the fields in the column match the if(like)) condition, ALL of the cells are set to that color. If none of the cell match, then they're set to the NOT IF color. Here're the format lines from the XML (they follow the option tags): <format type="color" field="Availability"> <colorPalette type="expression">if(like(value,"%available"), "#00F000", "#F00000")</colorPalette> </format> <format type="color" field="Status"> <colorPalette type="expression">if(like(value,"%Nope"), "#00F000", "#F00000")</colorPalette> </format> And here's what the output looks like: I purposely chose a string that doesn't match anything in the "Status" column to illustrate what's happening here. I'm using unicode characters because I don't want to mess with icons, java, and .css files just now - the formats behave the same way if I remove the characters anyway. I've also tried if(value=="whatever", "#00F000", "#F00000") as well as if(match(...),...) to no avail. The query I'm using is: | from datamodel:"bigip-tmsh-pool_member_status.all" | eval check="✅" | eval warn="⚠️" | eval error="❌" | eval critical="☠️" | where host=$host$ AND pool_name="$pool_name$" | dedup pool_member_name | sort enabled_state availability_state | eval availability_state=if(availability_state="offline", error.availability_state.error, check.availability_state) | eval enabled_state=if(enabled_state="disabled", critical.enabled_state.critical, check.enabled_state) | convert ctime(_time) as event_time | sort pool_member_name | stats list(event_time) as "Last Checkin" list(pool_member_name) as "Pool Member" list(availability_state) as "Availability" list(enabled_state) as "Status" list(status_reason) as "Status Msg" I'm at a loss and would appreciate any assistance. ... View more

Re: Use of F5 Network Analytics app for customers

by in All Apps and Add-ons
‎10-02-2019 11:58 AM
‎10-02-2019 11:58 AM
Any chance you could share the code for these dashboards? I'm trying similar things but am a neophyte in Splunk. ... View more
Contact Me
Online Status
Offline
Date Last Visited
yesterday
Karma given to
li.common.scroll-to.top