Activity Feed
- Karma Re: Pass arguments between two searches, different sources for martin_mueller. 06-05-2020 12:47 AM
- Karma Re: Distinct count higher than a value ? for lguinn2. 06-05-2020 12:47 AM
- Karma Re: How to edit and optimize my search to calculate the average and format top ten results? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: How to extract a field with rex for a stats search? for esix_splunk. 06-05-2020 12:47 AM
- Karma Re: How to extract a field between two patterns in a search for further stats processing? for MuS. 06-05-2020 12:47 AM
- Got Karma for Email PDF report of a dashboard. 06-05-2020 12:47 AM
- Got Karma for Email PDF report of a dashboard. 06-05-2020 12:47 AM
- Got Karma for Re: Email PDF report of a dashboard. 06-05-2020 12:47 AM
- Got Karma for Re: Email PDF report of a dashboard. 06-05-2020 12:47 AM
- Got Karma for Re: Email PDF report of a dashboard. 06-05-2020 12:47 AM
- Got Karma for Re: Email PDF report of a dashboard. 06-05-2020 12:47 AM
- Got Karma for Pie chart legend - show as a separate element. 06-05-2020 12:47 AM
- Got Karma for Distinct count higher than a value ?. 06-05-2020 12:47 AM
- Got Karma for "Compress" a multiline search. 06-05-2020 12:47 AM
- Got Karma for Re: "Compress" a multiline search. 06-05-2020 12:47 AM
- Got Karma for How to edit and optimize my search to calculate the average and format top ten results?. 06-05-2020 12:47 AM
- Got Karma for How to extract a field between two patterns in a search for further stats processing?. 06-05-2020 12:47 AM
- Got Karma for Re: How to extract a field between two patterns in a search for further stats processing?. 06-05-2020 12:47 AM
- Posted Re: Pass arguments between two searches, different sources on Splunk Search. 12-18-2014 04:32 PM
- Posted Pie chart legend - show as a separate element on Dashboards & Visualizations. 12-07-2014 10:06 AM
12-18-2014
04:32 PM
The working solution looks like this (note: results may vary, depending on what fields you have extracted):
index=common_index source=source2 param5 param4="*"
[
search index=common_index source=source1 param1=value1 param2=value2
|stats values(token) as omg
|rename omg as query
]
| stats values(param4) by token
This thing returns results like so:
param4_value1 token1
param4_value2 token2
param4_value2 token3
etc.
martin_mueller, thanks one more time for helping 🙂
12-07-2014
10:06 AM
1 Karma
I have a simple pie chart. Whenever I move the mouse over it, it shows count/percentage values.
How do I output them in a separate table, legend or label, so that they are visible on the panel?
Splunk is 6.2, using simple XML. These options are added at the moment; how do I achieve the one above?
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">false</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend">legend</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">top</option>
12-07-2014
04:49 AM
The " [ inner search ] " returns the token alright; however, it seems that the outer one doesn't understand the token provided... I accepted your answer, as it seems the problem is related to my Splunk instance 🙂
12-07-2014
03:12 AM
Sorry for the delay.
Yes, both searches have "token" extracted.
I can manually perform search1, copy/paste "token" into search2, but I'd like to automate it.
12-06-2014
07:12 AM
True, but your way doesn't seem to be working.
The way I tried to do it, search 1 would return a list or a single token like so:
tok_en1
tok_en2
What search 2 does is, for each tok_en*, get the logged error message. It seems I need more time.
12-06-2014
03:31 AM
I am trying to perform a "for loop", Splunk style, with two sources: source1, source2. The searches right now look like this:
1. source="source1" param1=value1 param2=value2 | stats values(token). I need the token for the next one:
2. source="source2" param4="*" token
I tried this (but it returns the error: "Error in 'map': Did not find value for required attribute 'token'"):
source="source1" param1=value1 param2=value2 | stats values(token) |
map maxsearches=10 search="search source=\"source2\" param4=\"*\" token=$token$ |
stats values(param4) by token "
Where am I wrong, and is there a way to optimize this?
I tried source1 OR source2, but then I need multiple OR (AND (OR)) clauses to match multiple needed parameters.
Thanks in advance,
10-22-2014
07:25 AM
1 Karma
Works, thanks 🙂 Finally. All I needed was to add another search option before the regexp, like so:
my base search "Stuff" | rex field=thefield_to_rex "Stuff\\\"\:\\\"(?<myField>\w+)" | ...
It seems like the entire field to regexp followed the same "ID" : "Info" notation, so instead of extracting, all it did was print 🙂
The rex works like a charm, yet my search was wrong 😄
10-21-2014
09:52 PM
1 Karma
I have a _raw field with the following data in it:
.............. "Stuff\":\"CAPITALS_AND_UNDERSCORES\", ...........
The way I see it, I need to extract everything between the "Stuff\":\" and ", patterns.
Can you help me extract the CAPITALS_AND... info from this line into a field, so that I can further perform "stats" searches?
Splunk build is 6.0.1 if it matters.
10-17-2014
01:50 PM
It would work with some fiddling; max and min are very close, so max-min=0. However, it gives leads on where to check.
I have already re-done the search using the old ideas, but will use the version above as know-how for future cases:
source="mysource" "url" evttype=INFO | bucket _time span=24h | stats dc(clientip) as uniq, count as total by _time | timechart span=24h per_day(total) as TotalHits, per_day(uniq) as UniqueHits, per_hour(total) as PerHour, per_minute(total) as PerMinute | appendcols [search source="mysource" "url" evttype=INFO | bucket _time span=24h | top clientip limit="N" by _time | sort -count | eval pair=clientip." (".count.")" | stats values(pair) as TOP"N"_IP by _time]
It still needs some small fixes, but it looks a bit neater than the previous one, and the per_hour/minute is calculated automatically.
Same trouble with span<24h, but I will check that 🙂
10-17-2014
10:49 AM
1 Karma
I have a working search that calculates total hits, avg(per_hour), avg(per_minute), and the top10 IPs with count and value. Now I have a couple of problems that need optimization or fixing:
source="mysource" "POST url" evttype=INFO | bucket _time span=24h | stats dc(clientIP) as Unique_IP_Hits, count as Total_Hits by _time | eval avg_perhour=(Total_Hits/24) | eval avg_perminute=(avg_perhour/60) | table _time, Total_Hits, Unique_IP_Hits, avg_perhour, avg_perminute | appendcols [search source="mysource" "POST url" evttype=INFO | bucket _time span=24h | top clientIP limit=5 by _time | sort -count | eval pair=clientIP." (".count.")" | stats values(pair) as TOP10_IP]
This returns:
Time Total_Hits Unique_IP_Hits perhour perminute Top10
Now here are my concerns where I need help:
1) The avg(per_time) is calculated statically, i.e. (total/24), so if the span is less than 24 it won't work. There is a | timechart span=Xh per_hour(total) command that I can't get to work with this search.
2) The top10 spans the upper-right cell; I need to either merge all rightmost cells, or find a solution to get (top10 per day).
3) Optional - if we get 1) and 2) to work, is there a shorter/nicer way of rewriting the search?
I know it's a lot of work and I don't expect a prompt response, but I will be glad if you could.
Thanks in advance,
10-17-2014
09:06 AM
It does the job everywhere else but in my Splunk 🙂 so I will further debug my Splunk instance and accept the answer.
10-16-2014
06:24 PM
I suppose we are almost there; it could be an error with escaping slashes,
as it states now: "Error in 'SearchParser': Missing a search command before '^'."
What's weird is, according to http://regex101.com/, the above rex is OK and matches exactly as needed.
10-16-2014
06:14 PM
This one above returns a mismatched "]".
10-16-2014
05:01 PM
Hello,
I am having trouble getting rex to work. I have the following:
field1 -> { "param1" : { "param1Status" : "Status INFO", ... "stuff not needed"}}
How do I extract the "Status INFO" message? I tried:
rex field=field1 ".*param1Status: (?<param1_Status>).*" | stats values(param1_Status)
which shows no errors, but doesn't extract statistics either. Help?
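As an added worked example (Python rather than SPL, and not code from this thread or from Splunk), here are the two extraction problems from this user's posts solved side by side: the escaped-JSON "Stuff" value from the 10-21-2014 question and its 10-22-2014 answer, and the nested "param1Status" object from the post just above. Each is extracted twice, once with a regex equivalent to the rex pattern and once by decoding the JSON, which shows why the rex needed the extra backslashes and why the pattern in the nested-JSON post matches nothing. The sample events, the "payload" key and the "INFO "/"field1=" markers are constructed assumptions; Python writes a named group as (?P<name>...) where SPL's rex uses (?<name>...).

```python
import json
import re

# Constructed sample events (not taken from the thread). RAW_ESCAPED mimics
# the _raw line in the question: a JSON event whose "payload" value is itself
# a JSON string, so the inner quotes show up as \" in the raw text.
# RAW_NESTED mimics the field1 structure from the nested-JSON rex question.
RAW_ESCAPED = (
    '2014-10-21 09:52:01 INFO {"id": 42, "payload": '
    '"{\\"Stuff\\":\\"CAPITALS_AND_UNDERSCORES\\", \\"other\\":\\"x\\"}"}'
)
RAW_NESTED = (
    '2014-10-16 17:01:00 field1={ "param1" : { "param1Status" : "Status INFO", '
    '"ignored" : "stuff not needed"}}'
)

# Regex equivalent of the rex from the 10-22-2014 answer. The raw text holds a
# literal backslash before each inner quote, so the regex needs an escaped
# backslash (\\) followed by a quote. SPL wraps the pattern in a double-quoted
# string, which is why the post needed \\\" to reach this same regex.
STUFF_RE = re.compile(r'Stuff\\":\\"(?P<myField>\w+)')

# Corrected form of the rex from the nested-JSON question: that pattern looked
# for the literal text 'param1Status: ' (the raw actually has
# '"param1Status" : "') and captured with an empty group.
STATUS_RE = re.compile(r'"param1Status"\s*:\s*"(?P<param1_Status>[^"]*)"')


def original_rex_result(raw):
    """The question's pattern ported to Python syntax. Returns None because
    the literal text never occurs; even if it did, the empty group yields ''."""
    m = re.search(r'.*param1Status: (?P<param1_Status>).*', raw)
    return m.group("param1_Status") if m else None


def extract_stuff_regex(raw):
    m = STUFF_RE.search(raw)
    return m.group("myField") if m else None


def extract_status_regex(raw):
    m = STATUS_RE.search(raw)
    return m.group("param1_Status") if m else None


def _json_after(raw, marker):
    """Decode the first JSON object that follows `marker` in the raw line.
    raw_decode stops at the end of the object, so trailing text is ignored."""
    idx = raw.find(marker)
    if idx == -1:
        return None
    obj, _ = json.JSONDecoder().raw_decode(raw[idx + len(marker):].lstrip())
    return obj


def extract_stuff_json(raw):
    """Decode instead of pattern-matching: parse the outer event, then parse
    the JSON string stored under "payload". Independent of key order and
    whitespace, and it raises on malformed input rather than silently
    extracting nothing."""
    outer = _json_after(raw, "INFO ")
    if outer is None:
        return None
    inner = json.loads(outer["payload"])  # payload is a JSON string holding JSON
    return inner.get("Stuff")


def extract_status_json(raw):
    obj = _json_after(raw, "field1=")
    return None if obj is None else obj["param1"]["param1Status"]


if __name__ == "__main__":
    print(extract_stuff_regex(RAW_ESCAPED), extract_stuff_json(RAW_ESCAPED))
    print(extract_status_regex(RAW_NESTED), extract_status_json(RAW_NESTED))
    print(original_rex_result(RAW_NESTED))
```

The regex versions are what rex does inside a search; the JSON versions are what you would reach for when the event is well-formed JSON, because a decode fails loudly on a malformed event while a regex just extracts nothing, which is exactly the silent "no errors, no statistics" symptom described above.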
10-13-2014
03:22 AM
Thanks for the response. I'll look it up and, if needed, try a workaround.
10-12-2014
08:54 AM
I have a set of URLs in a log like so:
url1:"POST /stuff/test/"
url2: "GET /stuff/test-type?"
url3: "POST /stuff/test-settings/"
I need to evaluate the hit count per url type.
The search at the moment can check only one url, like so:
source=mysource type=INFO "POST url1" Type=INFO | bucket _time span=24h | stats dc(Remote_IP) as uniqIP, count(Remote_IP) as All_IP, count as total by _time | eval avg_perhour=(total/24) | eval avg_perminute=(avg_perhour/60) | table _time, total, avg_perhour, avg_perminute, uniqIP, All_IP
How do I regexp all three url types in a single search to get the per_url hit count?
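An added example (Python, not part of the thread and not Splunk's code) of what the question above asks for: one regex pulls the client address, method and path out of each line, a short ordered list of patterns assigns each request to one of the three url types, and the results are aggregated per type the way stats count, dc(Remote_IP) by url_type would. The log lines, the Remote_IP= layout and the type names are constructed for the example; the INFO filter mirrors the type=INFO term in the search.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (not from the thread); the request
# strings follow the three URL shapes listed in the question.
LOG_LINES = [
    '2014-10-12 08:00:01 INFO Remote_IP=10.0.0.1 "POST /stuff/test/ HTTP/1.1" 200',
    '2014-10-12 08:00:05 INFO Remote_IP=10.0.0.2 "GET /stuff/test-type?id=7 HTTP/1.1" 200',
    '2014-10-12 08:01:10 INFO Remote_IP=10.0.0.1 "POST /stuff/test-settings/ HTTP/1.1" 204',
    '2014-10-12 08:02:00 INFO Remote_IP=10.0.0.3 "POST /stuff/test/ HTTP/1.1" 200',
    '2014-10-12 08:03:30 INFO Remote_IP=10.0.0.1 "POST /stuff/test/ HTTP/1.1" 500',
    '2014-10-12 08:04:00 DEBUG Remote_IP=10.0.0.4 "GET /other/ HTTP/1.1" 404',
    '2014-10-12 08:05:00 INFO Remote_IP=10.0.0.2 "GET /stuff/test-type?id=9 HTTP/1.1" 200',
]

# One regex extracts client address, method and path in a single pass, which
# is the job rex does in the search. The path group stops at '?' so that
# query strings do not turn every request into its own "type".
REQUEST_RE = re.compile(
    r'Remote_IP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)'
)

# The three URL types from the question, most specific first so that
# /stuff/test-settings/ cannot be swallowed by a looser /stuff/test match.
URL_TYPES = [
    ("test-settings", re.compile(r"^POST /stuff/test-settings/$")),
    ("test-type", re.compile(r"^GET /stuff/test-type$")),
    ("test", re.compile(r"^POST /stuff/test/$")),
]


def classify(method, path):
    """Return the url type name for a request, or None if it matches none."""
    key = f"{method} {path}"
    for name, pattern in URL_TYPES:
        if pattern.match(key):
            return name
    return None


def hits_per_url_type(lines, level="INFO"):
    """Equivalent of: search type=INFO | rex ... | stats count as total,
    dc(Remote_IP) as uniqIP by url_type. Lines that are not at `level`,
    do not parse, or match no known type are dropped, as a search would."""
    total = Counter()
    ips = defaultdict(set)
    for line in lines:
        if f" {level} " not in line:
            continue
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url_type = classify(m.group("method"), m.group("path"))
        if url_type is None:
            continue
        total[url_type] += 1
        ips[url_type].add(m.group("ip"))
    return {t: {"total": total[t], "uniqIP": len(ips[t])} for t in total}


if __name__ == "__main__":
    for url_type, row in sorted(hits_per_url_type(LOG_LINES).items()):
        print(f"{url_type:<14} total={row['total']} uniqIP={row['uniqIP']}")
```

Keeping the per-type patterns in one ordered list is the part worth copying into the SPL version: a single rex with an alternation of the three request shapes into a url_type field, followed by stats by url_type, gives per-type counts in one search instead of one search per url.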
07-30-2014
07:24 AM
Hello,
I have a column list received from "values(mymail)"
abra@sth.com
cada@sth.com
bra@sth.com
this@sth.com
is@sth.com
anew@sth.com
I need to get the top/head N results of that list, with the idea that values(mymail) can reach thousands of rows.
The whole search string related to the question is:
$SEARCH | stats count dc(mymail) as unique count(mymail) as hits values(mymail) as list by VAR
How do I do that? 🙂
I tried with eval just before |stats, like eval email_list=(values(mymail)|head 10), but it seems not right.
07-27-2014
02:55 PM
1 Karma
An unbiased colleague compared my version to a newbie 200-row "Hello world" search.
I tried the last one - WOW !!! Amazing ! It worked like a charm. Thanks a LOT!
Now I need to figure out how you did that, perhaps I should RTFM !!!
Thanks a lot !!!
07-27-2014
02:05 PM
1 Karma
Hi,
I am trying to compress/optimize a search spanning multiple lines, see below (obfuscated, but logically the same). You can see it's hard to process, even in this form:
index=myindex source="somesource" var1=* | stats count by var2 | search count > 50
| map maxsearches=100 search="search index=myindex source=\"somesource\" var2=$var2$ | stats dc(var1) as thisname by var2 | where thisname > 10"
| appendcols
[ index=myindex source="somesource" var1=* | stats count by var2 | search count > 50
| map maxsearches=100 search="search index=myindex source=\"somesource\" var2=$var2$ | stats count(var1) as thatname by var2" ]
Logically it looks like this:
PART1 | stats dc(var1) as thisname by var2 | where thisname > 10 | appendcols [PART1 | stats count(var1) as thatname by var2 ]
And it should further be passed to "|table var2, thisname, thatname".
Is there a way to optimize/compress the search to a form similar to the one in bold above, perhaps saving PART1 and passing parameters to it?
- Tags:
- optimization
- search
07-27-2014
01:21 PM
Thanks, it worked like a charm; it seems I have to RTFM more often 🙂
07-27-2014
01:07 PM
1 Karma
Hello all,
I am trying to search for distinct count higher than a value.
Below is what I tried, obfuscated:
stats dc(var1) as some_name by var2, which returns a column of values, say {1, 55, 2200, 45, 100, ... etc.}
How do I extract from that column the values higher than a "limit"?
I tried
stats dc(var1) as some_name by var2 | search some_name > limit, but it doesn't work.
Ideas?
06-27-2014
03:05 PM
4 Karma
So, the problem was that I first used an inline search (doesn't work), then scheduled single-panel reports (doesn't work).
If you set up a dashboard made of predefined reports and perform a "schedule PDF delivery" for the whole dashboard, then it works like a charm, sending a PDF with charts of every panel on the needed dashboard.
Kind regards,
06-27-2014
02:04 PM
I am not sure it matters; I tested, no luck yet.
I'll do some more testing and ask further.
Thanks 🙂
06-27-2014
01:50 PM
2 Karma
Hello guys,
I am trying to create a "Scheduled PDF Report of a dashboard". Currently I am running a two-panel dashboard, and when I schedule a report no PDF is received:
"Scheduled view delivery.
A PDF snapshot has been generated for the view: ....
"
However, if I remove one panel, the PDF report is attached to the email.
Both panels run 24h searches, timechart span=10m, so together they generate roughly 300 rows of results. If I generate the report manually, it works fine. What could be the problem?
Thanks in advance,
- Tags:
- scheduled-reports
05-19-2014
05:32 PM
Hello all,
After a couple of hours of searching, Google provided the best idea.
Now here's the result:
index=myindex source="where_we_search.log" "URL Query" field2=* | stats count by IP_Address | search count > 20 | map maxsearches=5 search="index=myindex source=\"where_we_search.log\" IP_Address=$IP_Address$ | stats count by field2"
Thanks for your time. Now I need to figure out how to output the results of the two searches into a table/csv.
Kind regards,