Activity Feed
- Karma Re: How do I edit my search to append a subsearch result to a count on an hourly basis? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to search for users that accessed the same system more than 5 times in 10 minutes and alert on this? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to edit my search to get the max count per hour? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: SMS Alert on Splunk v.6.2.1 for hmclaren_splunk. 06-05-2020 12:48 AM
- Karma Re: SMS Alert on Splunk v.6.2.1 for Lucas_K. 06-05-2020 12:48 AM
- Karma Re: Using Internet Explorer 11, why am I getting error " This browser is not supported by Splunk"? for jkat54. 06-05-2020 12:48 AM
- Karma Re: How to implement a new Retention Policy, and what changes take effect after restarting Splunk? for woodcock. 06-05-2020 12:48 AM
- Karma Re: How to plot multiple coordinates from a CSV file on a Splunk map to embed in a dashboard? for MuS. 06-05-2020 12:48 AM
- Karma Re: Browser Unsupported on IE after upgrade to 6.2 for belka. 06-05-2020 12:47 AM
- Karma Re: How to chart data in chronological order by day of the week, not alphabetically? for somesoni2. 06-05-2020 12:47 AM
- Karma Re: How to disable location clustering of results on a map generated by the geostats command in Splunk 6.1? for jcrabb_splunk. 06-05-2020 12:47 AM
- Karma Re: Display Last Event Time in Stats function for hexx. 06-05-2020 12:46 AM
- Karma Re: How can i change the time format in Splunk web? for Ron_Naken. 06-05-2020 12:45 AM
- Posted Re: Strange message for SMS Alert on Splunk Search. 07-27-2016 08:18 PM
- Posted Re: Strange message for SMS Alert on Splunk Search. 07-27-2016 08:18 PM
- Posted Re: Strange message for SMS Alert on Splunk Search. 07-24-2016 07:54 PM
- Posted Re: Strange message for SMS Alert on Splunk Search. 07-24-2016 07:52 PM
- Posted Strange message for SMS Alert on Splunk Search. 07-22-2016 01:51 AM
- Tagged Strange message for SMS Alert on Splunk Search. 07-22-2016 01:51 AM
- Posted Re: SMS Alert on Splunk v.6.2.1 on Alerting. 07-21-2016 02:19 AM
07-27-2016
08:18 PM
@woodcook Hi, thanks for your answer. We're suspecting it's some encoding issue as well, but we're not very sure how to solve it. The server is an internal organisation server.
I created a very simple alert: base search | stats count by NRIC | where count>0 on Splunk Enterprise.
I did not check any of the details included in the alert, e.g. trigger time/condition. The subject and message are also kept very simple, without the email tokens.
Is there any way to strip all the encoding when Splunk sends out the message?
Thank you.
07-27-2016
08:18 PM
@acharlieh Hi, thanks for your answer. We're suspecting it's some encoding issue as well, but we're not very sure how to solve it.
I created a very simple alert: base search | stats count by NRIC | where count>0 on Splunk Enterprise.
I did not include any of the details in the alert, e.g. trigger time/condition. The subject and message are also kept very simple, without the email tokens.
Is there any way to strip all the encoding when Splunk sends out the message?
Thank you.
07-24-2016
07:54 PM
Hi, thanks for your answer. We're suspecting it's some encoding issue as well, but we're not very sure how to solve it. The server is an internal organisation server.
I created a very simple alert: base search | stats count by NRIC | where count>0 on Splunk Enterprise.
I did not check any of the details included in the alert, e.g. trigger time/condition. The subject and message are also kept very simple, without the email tokens.
Is there any way to strip all the encoding when Splunk sends out the message?
Thank you.
07-24-2016
07:52 PM
Hi, thanks for your answer. We're suspecting it's some encoding issue as well, but we're not very sure how to solve it.
I created a very simple alert: base search | stats count by NRIC | where count>0 on Splunk Enterprise.
I did not include any of the details in the alert, e.g. trigger time/condition. The subject and message are also kept very simple, without the email tokens.
Is there any way to strip all the encoding when Splunk sends out the message?
Thank you.
07-22-2016
01:51 AM
Hi, I'm currently trying to implement SMS alerts for Splunk. I have an SMS gateway server in my organisation and I'm using it to send SMS alerts.
I'm able to receive the SMS, but the message was a long string of nonsensical letters.
May I know if there's any formatting of the Splunk alert that led to this? Or how can I configure the message such that the message sent via SMS is in a human-readable format?
Any help or idea will be greatly appreciated. Thank you 🙂
- Tags:
- splunk-enterprise
07-21-2016
02:19 AM
May I know how to configure the email alert to fire to the SMS gateway? I have a server with the SMS gateway in my company, but I'm not sure how to configure it in Splunk. Thanks 🙂
07-21-2016
02:19 AM
@hmclaren_splunk May I know how to configure the email alert to fire to the SMS gateway? I have a server with the SMS gateway in my company, but I'm not sure how to configure it in Splunk. Thanks 🙂
07-19-2016
06:24 PM
I'm using Splunk from Singapore. Do you happen to know what the SMS gateway is for Singtel/Starhub/M1? Can't seem to find it anywhere. Thanks 🙂
07-18-2016
08:25 PM
Hi, I'm currently using Splunk Enterprise v.6.2.1.
May I know if it's possible to send SMS alerts through any add-ons or configurations?
I'm aware that in v.6.3 I can make use of the Twilio SMS Alert add-on to send SMS alerts, but what about v.6.2.1?
Any help/ideas will be greatly appreciated. Thank you 🙂
- Tags:
- splunk-enterprise
06-15-2016
05:58 PM
@sundareshr Hi, thank you so much for your answer. I'm currently trying to get the base count from 2-3am, so I'm following your first code.
I'm trying to accumulate all the counts from 3am, so the count at 4am consists of the 2-3am + 3-4am ones. I'm doing this because the code above is only for cars going IN the carpark; I'll have another search for cars going OUT of the carpark. Hence, in order to find the occupancy of a particular carpark at every hour, I'm planning to take the difference between IN and OUT. This is just my logic; I welcome any other ideas of how to find the carpark occupancy. 🙂
I tried out the first code and have a few questions:
- May I know what max(baseIN) gives me?
- The code only outputs results until 8am; I'm not really sure why...
- Just to clarify my own understanding, using timechart span=1h will give me the count from, e.g., 3-4am, right?
Thank you very much! 🙂
06-15-2016
01:17 AM
Hi,
I'm trying to create a scheduled report that runs daily at 3am. The use case is to track the occupancy number of a carpark on an hourly basis and output a CSV spreadsheet.
At 3am, when the report runs, I will need a base count. For each subsequent hourly count, the result will be added to the base count (e.g. at 3am the base count is 100; during 3am-4am 3 cars entered the carpark, hence the base count should be updated to 100+3=103). The daily output will only show the base count as updated every hour.
I came up with a search string, but it isn't giving me any results and I have no idea how to fix it.
sourcetype="bn22_epsin" [search sourcetype="bn22_epsin" earliest=-25h latest=-24h |stats count as baseIN ] | bin span=1h _time | stats count as IN by _time | eval baseIN=if(IN!=0, IN+baseIN, baseIN) | table baseIN IN
I'm trying to find the base count at 3am in the subsearch by counting events from 2-3am.
Please help me out. Any suggestions will be greatly appreciated. Thank you very much!
06-12-2016
06:08 PM
@lcrielaa Hi, thanks for your answer. I tried this and no results were returned. I'm suspecting it's because there is no log data when count=0, and hence count=0 won't return anything? Any idea?
06-12-2016
06:06 PM
@sundareshr Oh, I see. Can you explain further the difference between using the metadata command instead of just searching for sourcetype="" directly?
I tried the above search, but no results were returned. Any idea why that's the case?
Thank you so much for your answer 🙂
06-09-2016
10:07 PM
@sundareshr Could you explain what the metadata part is for? Thank you 🙂
06-09-2016
01:24 AM
Hi,
I'm trying to create an alert that fires if there is no event logged within an hour.
This is my search string:
sourcetype="bn22_epsin" | dedup Cpk_Num | where _time<now()-3600 | table Cpk_Num _time
I think my search string is wrong. I would like to know which carpark did not make any logs in the last hour. My alert will be configured to search every 15 minutes.
Any help will be greatly appreciated. Thank you.
06-08-2016
07:05 PM
@jchampagne_splunk Hi, I posted my problem as a different question here:
https://answers.splunk.com/answers/409788/how-to-do-conditional-formatting-with-geostats-to.html
And yes, I'm trying to change the colours of the pie slices based on specific ranges of values.
Hope you can help me out. Thank you very much.
06-08-2016
07:03 PM
@shaskell_splunk Hi, I have already referred to that post, as mentioned above. The solution in that post is unable to display the CPK_NUM for me; it only displays the category of count, as it doesn't have a by-clause after count.
I need to use the count by CPK_NUM and at the same time do conditional formatting.
Unfortunately, I'm using v 6.2.1.
06-08-2016
01:13 AM
Hi,
I'm trying to display coordinates on a Splunk Map and color code the points with different ranges of count values.
I managed to create the map with the default pie chart with the search string below, but it's using the default colors.
[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count by NUM_CPK
I also referred to a similar question:
https://answers.splunk.com/answers/221348/geostats-display-bubbles-on-map-instead-of-pie-cha.html
and came up with a second search which is colour coded, but each bubble is identified by the colour category (e.g. greenCount) instead of the NUM_CPK (ID).
[base search] | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count(NUM_CPK) as TOTAL | eval redCount = if(TOTAL >= 50000,TOTAL,0) | eval yellowCount = if((TOTAL >= 10000 AND TOTAL < 50000),TOTAL,0) | eval greenCount = if(TOTAL < 10000,TOTAL,0) | fields - TOTAL
I understand that the 2nd search string is not displaying the NUM_CPK column because I didn't use the BY clause. However, if I use the BY clause (first search string), I won't be able to do conditional formatting on the points anymore.
Any idea how I can use the first search string and yet do conditional formatting? Any help will be greatly appreciated.
Thank you very much.
06-07-2016
07:22 PM
@jchampagne_splunk I understand that. My original search string was ...| geostats count by CPK_ID, and hence it displays all the carpark coordinates in pie chart form with the CPK_ID displayed. However, I wish to colour code it by count instead of using the default colours, and I also want the CPK_ID to be displayed instead of just the count number. It's not possible for me to rename the "redCount" for every ID because there are 1000+.
Hope you can understand my problem here.
Thank you very much 🙂
06-07-2016
12:53 AM
Hi, just wondering, how do I do conditional formatting like the one above while also keeping the values of each bubble (e.g. I don't want it to just display redCount; I want to see the original ID)?
Thanks 🙂
06-06-2016
08:07 PM
Okay, I will try again. Thank you 🙂
06-06-2016
07:21 PM
Sorry, what do you mean by re-using it?
My entire search is
sourcetype="UDBCUNIT.TF_PRKNG_MVMNT" | lookup cpk_coord_lookup NUM_CPK as NUM_CPK OUTPUT NUM_LNGTD, NUM_LATD | geostats latfield=NUM_LATD longfield=NUM_LNGTD maxzoomlevel=18 globallimit=0 count by NUM_CPK
06-06-2016
06:59 PM
Hi, thanks for your answer. Sorry, I just realised the naming of the CSV that I posted previously was wrong. It's supposed to be NUM_CPK, NUM_LATD, NUM_LNGTD.
I managed to plot the points onto the Splunk Map. However, I realised something strange: the map shown in the search query (using Verbose Mode) has a lot more points (100+ points) plotted than the one I saved to the dashboard (30 points). It seems like some points were not displayed after saving to the dashboard.
Any idea why this is so?
06-06-2016
05:50 PM
But how do I put Google Maps inside the normal Splunk dashboard without Advanced XML?
06-06-2016
02:09 AM
Hi,
I'm trying to plot all carpark locations on the Splunk Map. I have a lookup CSV file with the following columns:
CPK_ID, Latitude, Longitude
I do not have the lat and lon data inside the Splunk environment, so I'm trying to match the CPK_ID in the CSV file with that in the event.
... | lookup cpk_coord_lookup NUM_CPK as NUM_CPK | geostats latfield=NUM_LATD longfield=NUM_LNGTD count
However, I'm unable to plot all the carpark locations on the Splunk Map.
Any idea what I can do? Eg using openstreetmap or Google maps? Eventually I would want to embed it into the normal Splunk dashboard.
Thank you very much! 🙂