cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
danspav
SplunkTrust
Member since: ‎04-07-2019
‎02-13-2021
Community Statistics
Posts 15
Solutions 4
Karma Given 5
Karma Received 9
Member Since ‎04-07-2019
Activity Feed
Topics I've Started
No posts to display.
View All

Re: Multiple 'Where' conditions

by SplunkTrust in Splunk Search
‎10-26-2020 10:33 PM
‎10-26-2020 10:33 PM
Hi @sweety1309  I think the issue is with the where clause.  Say the duration is 108. The where clause will not match on:  (duration > 45 and duration <= 75) But will match on:  (duration > 105 and duration <= 120) However, the where clause uses AND between these terms, so the duration must be both less than 75 AND greater than 105. Try replacing your ANDs with ORs: | where (duration > 45 AND duration <= 75) OR (duration > 105 AND duration <= 120) OR (duration > 120 AND duration <= 180) OR (duration > 180) Seeing as you don't use the duration field, you could simplify it further: | where (duration > 45 AND duration <= 75) OR (duration > 105)   ... View more

Re: Splunkbase app update alert

by SplunkTrust in All Apps and Add-ons
‎10-26-2020 09:31 PM
1 Karma
‎10-26-2020 09:31 PM
1 Karma
Hi @ershishirkumar,   There's a great app available on Splunkbase that tracks all available apps on Splunkbase: Analysis of Splunkbase Apps for Splunk https://splunkbase.splunk.com/app/2919/   It pulls down details about every app on Splunkbase and presents you with a couple of dashboards to explore. There's a section on the main dashboard that compares your installed apps with the latest version on Splunkbase ("local audit"). If you install this app, you could convert the search that performs the local audit to an email alert.         ... View more

Re: Move an input class to bottom of panel

by SplunkTrust in Dashboards & Visualizations
‎10-24-2020 06:01 PM
1 Karma
‎10-24-2020 06:01 PM
1 Karma
Hi @timgren  The easiest option to do this is to add a blank panel under the results table and add the inputs to that:     If you want to move the inputs to underneath the results table, you can try some CSS like this: First, add IDs to the inputs you want to move - e.g. :  <input type="radio" token="radio" id="move_radio"> Then add some CSS to your dashboard: <row depends="$CSS$"><panel><html> <style> #move_txt, #move_radio, #move_check { position:relative; top:555px;z-index:1;} #row2 { margin-top: 200px} </style> </html></panel></row> That gives you this - with room underneath for the next panel: That's prone to issues though as when you resize the window the results panel will also resize, so you may need to adjust the CSS to move the inputs to fit. To be sure, you'd need to add some JavaScript to the dashboard to make sure the inputs moved when the window was resized. Something like this: require(['jquery', 'underscore', 'splunkjs/mvc'], function($, _, mvc) { $( window ).ready(move_inputs); $( window ).resize(move_inputs); function move_inputs( jQuery){ var position = $("#results_panel").position() var height = $("#results_panel").height(); var newtop = position.top + height - 40; console.log("Moving to : " + newtop + "px"); $( "#move_txt" ).css({top:newtop + "px"}); $( "#move_radio" ).css({top:newtop + "px"}); $( "#move_check" ).css({top:newtop + "px"}); } });   That assumes that you have the panel called "results_panel" and ids for the inputs as above.           ... View more

Re: How to read data from email in outlook and ind...

by SplunkTrust in Splunk Enterprise
‎10-23-2020 12:42 AM
1 Karma
‎10-23-2020 12:42 AM
1 Karma
Hi @Ashwini008, I have set this up before using this app from Splunkbase: IMAP Mailbox https://splunkbase.splunk.com/app/1739/ It hasn't been updated in a while, but will still do the job.  You will need your exchange admin to configure your account to be IMAP enabled in order to use this. It also works on gmail with IMAP enabled. If you want to use it in Splunk 8.0+ I'd recommend converting it to python3 using 2to3.     ... View more

Re: Joining data from multiple events with stats

by SplunkTrust in Splunk Search
‎10-23-2020 12:21 AM
‎10-23-2020 12:21 AM
Hi @mike_nau, Try the following search:   |makeresults |eval raw="event_type=queue,item_name=\"xxx/job/3\",queue_time=20 ### event_type=queue,item_name=\"xxx/job/3\",queue_time=30 ### event_type=queue,item_name=\"xxx/job\",queue_time=0.03 ### event_type=job,job_name=\"xxx/job/3\",item_name=\"\",,queue_time=0.03 ### event_type=queue,item_name=\"xxx/job/2\",queue_time=22 ### event_type=queue,item_name=\"xxx/job\",queue_time=0.01 ### event_type=job,job_name=\"xxx/job/2\",item_name=\"\",queue_time=0.01 ### event_type=queue,item_name=\"xxx/job/1\",queue_time=25 ### event_type=queue,item_name=\"xxx/job/1\",queue_time=15 ### event_type=queue,item_name=\"xxx/job\",queue_time=0.19 ### event_type=job,job_name=\"xxx/job/1\",item_name=\"\",queue_time=0.19 " | makemv delim="###" raw | mvexpand raw | rename raw as _raw | extract | eval index="jenkins_statistics" | eventstats values(job_name) as valid_jobs | eval job_name=if(item_name=valid_jobs,item_name, NULL) | stats values(index) as index, count(queue_time), avg(queue_time) by job_name | table index, job_name, "count(queue_time)", "avg(queue_time)" | sort - "avg(queue_time)"     The top bit is just generating the data from your table. The real stuff happens with the eventstats command. This will run a |stats type command over the whole data set and add the results to each row. In our case we get a field called "valid_jobs" that has job1,job2,job3. Next we set the job_name fields only if the item_name is the same as one of our "valid_jobs". Then we run stats to get the count and average by job_name Finally, we table out and sort by the average queue time. The result is a table similar to yours: Does that do what you were after? ... View more

Re: How to use colors on Tree View

by SplunkTrust in Splunk Search
‎10-22-2020 11:14 PM
‎10-22-2020 11:14 PM
Hi @caioandrades, I'm the developer of the Treview Viz app. I've just posted an update to Splunkbase which will let you specify the color for custom icons and the label. It also works on the other skins, but it looks best on the custom skin. With the update you can include an HTML color code in the "color" field like this: | eval color=if(cpu>80,"#990000", "#009900") You can download the new version from Splunkbase here: https://splunkbase.splunk.com/app/5101/ ... View more

Re: Insight into Citrix VDI

by SplunkTrust in Splunk Enterprise
‎10-21-2020 10:46 PM
1 Karma
‎10-21-2020 10:46 PM
1 Karma
Hi @Rob_O,  The Citrix Delivery Controller will have this information, which is available via an API. It's getting the data via the monitoring database, so if you have direct access to the DB you can probably bypass the API. Check out the Citrix developer docs here: https://developer-docs.citrix.com/projects/monitor-service-odata-api/en/latest/#failures The API provides d ata relating to connection failures - which is what you want. It will show connection attempts that failed, e.g. due to no machines available, or too many concurrent sessions. It will also tell you about successful connections that subsequently dropped out due to other network issues. I'm not familiar with the DB schema, but  the data you're looking for will be there.   ... View more

Re: How to compare output of two splunk queries wh...

by SplunkTrust in Splunk Search
‎10-21-2020 10:17 PM
‎10-21-2020 10:17 PM
If you are trying to add two numbers from two different searches it's highly likely you can do that in one search using stats. Are you able to share more about each search? Otherwise, you can do an append to combine the two outputs with something like: | makeresults | eval abc=100 | table abc | append [| makeresults |eval xyz=45 | table xyz] | stats sum(abc) as abc, sum(xyz) as xyz | eval total = abc + zyz This search gets your first number, abc, then appends the second number, xyz. Then we run stats to get them on one row, and finally do a simple eval for the total. You could then use this result in a single value visualization on a dashboard. But as I mentioned, you can probably get both totals using stats. See docs for more info. ... View more

Re: Network Diagram Viz is supported by Splunk Clo...

by SplunkTrust in All Apps and Add-ons
‎10-21-2020 08:50 PM
1 Karma
‎10-21-2020 08:50 PM
1 Karma
Hi @dkgs, All previous versions of the app up to 1.7.0 are cloud approved, but I've only just submitted version 1.8.0 so it's not approved yet. It's in the approval queue, so I'm hoping it will be available soon.     ... View more

Re: Can icons in network diagram viz like firewall...

by SplunkTrust in Dashboards & Visualizations
‎10-21-2020 08:48 PM
‎10-21-2020 08:48 PM
Hi @datracy, I'm a bit late in replying - but in case anyone else has this question - yes, you can set the color of icons. You can add the field "color" to set the color of the from icon. You can set the color of the link by setting a "linkcolor" field. Use hex colors or english words:  "red" or "#FF0000" | eval color=case(value==0,"blue", value==1,"yellow",value==2,"green", 1==1, "red") Hope that helps   ... View more

Re: In Event Timeline viz app: does it possible to...

by SplunkTrust in All Apps and Add-ons
‎12-17-2019 12:29 PM
‎12-17-2019 12:29 PM
Hi @edvinas, The events in the Event Timeline Viz are listed in time-order. Take this example - two events have the same date, so they appear in the same order as the results: If you have the time axis at the bottom, the events will be flipped, so the order is preserved. The first event in the results is the closest to the axis. If they have different dates, they will appear on the time line in time order. If you want a specific order, can you manipulate the _time field? Perhaps you can give an example of how you want it ordered. ... View more

Re: custom viz formatter.html div.hlp-block

by SplunkTrust in Dashboards & Visualizations
‎11-17-2019 10:17 PM
1 Karma
‎11-17-2019 10:17 PM
1 Karma
Hi @RngFox, I had the same problem with my own apps. It looks like from around Splunk 7.3-ish the word "undefined" appeared under all the fields in the visualization options menu. The work-around is to provide help, or a single space character, so that there is a value to display within the splunk-control-group tag: To show nothing (removing 'undefined'): <splunk-control-group label="Mode" help=" "> To show a helpful message: <splunk-control-group label="Mode" help="Select the mode"> See the Formatter API reference. Updating your formatter.html to include this attribute on all tags will remove the annoying 'undefined' message. Cheers Daniel ... View more

Re: How to update Icons

by SplunkTrust in All Apps and Add-ons
‎09-18-2019 03:43 PM
‎09-18-2019 03:43 PM
Hi PJ, Pictorial Chart Viz uses Font Awesome icons right now and there's no way to use your own custom set. I can look at adding that feature in a future release. Cheers, Daniel ... View more

Re: Network Diagram Viz: Is it possible to add ico...

by SplunkTrust in All Apps and Add-ons
‎06-28-2019 11:03 PM
1 Karma
‎06-28-2019 11:03 PM
1 Karma
Hi @pjrwlazlo, In the next update I'll add a bunch more icons. The Viz uses the Font Awesome library, but I need to manually add each icon to the viz due to the way it currently works. Unfortunately, that means I can't just let people specify the Font Awesome class directly in the search results. I don' think there's a "router" specific icon yet, but you could possibly use "code-branch" instead? ... View more

Re: In Event Timeline viz app the group column nee...

by SplunkTrust in All Apps and Add-ons
‎06-15-2019 11:04 PM
2 Karma
‎06-15-2019 11:04 PM
2 Karma
Hi @yadavshilpa, I have added the ability to sort groups by time - check out the update on splunkbase: https://splunkbase.splunk.com/app/4370/ You can choose how to sort groups in the options under General > Group Sorting: @niketnilay's solution is also a good option. I'd just add the following line to remove the null values: | search label!=NULL ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-13-2021 11:57 PM
Karma from
Karma given to