Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About wcooper003
wcooper003
Communicator
Member since:
06-29-2016
06-05-2020
Community Statistics
| Posts | 74 |
| Solutions | 5 |
| Karma Given | 0 |
| Karma Received | 11 |
| Member Since | 06-29-2016 |
Activity Feed
- Got Karma for Re: What is wrong with my tstats command?. 05-24-2022 09:13 AM
- Got Karma for Re: Why do I see several search peer errors such as "peer has status="Down"" when my peers are running?. 06-05-2020 12:48 AM
- Got Karma for Re: How can I convert a timerange token to an epoch value for filtering events on a different time field?. 06-05-2020 12:48 AM
- Got Karma for Can I use multiple kvstore lookups in a single collection?. 06-05-2020 12:48 AM
- Got Karma for How do I read stored ITSI metrics into a custom dashboard outside of ITSI?. 06-05-2020 12:48 AM
- Got Karma for How do I read stored ITSI metrics into a custom dashboard outside of ITSI?. 06-05-2020 12:48 AM
- Got Karma for Re: How to create panels with different background colors on same dashboard?. 06-05-2020 12:48 AM
- Got Karma for Re: Why is the position of the water gauge custom viz overlay in a panel changing based on search length time?. 06-05-2020 12:48 AM
- Got Karma for Re: How do I delete a data model or a data table built with the new Splunk Datasets Add-on?. 06-05-2020 12:48 AM
- Got Karma for How to filter multiple values with pivot command - is the 'in' operator broken?. 06-05-2020 12:48 AM
- Got Karma for Why don't charts display from a base search on a dashboard when 'Open in search' does work?. 06-05-2020 12:48 AM
- Posted Re: How to filter multiple values with pivot command - is the 'in' operator broken? on Splunk Search. 06-16-2017 05:59 AM
- Posted How to filter multiple values with pivot command - is the 'in' operator broken? on Splunk Search. 06-15-2017 01:18 PM
- Tagged How to filter multiple values with pivot command - is the 'in' operator broken? on Splunk Search. 06-15-2017 01:18 PM
- Tagged How to filter multiple values with pivot command - is the 'in' operator broken? on Splunk Search. 06-15-2017 01:18 PM
- Posted Re: Can I set individual tokens for both the fieldForValue and fieldForLabel? on Splunk Enterprise. 06-01-2017 07:51 AM
- Posted Can I set individual tokens for both the fieldForValue and fieldForLabel? on Splunk Enterprise. 06-01-2017 06:22 AM
- Posted Re: Why do I see several search peer errors such as "peer has status="Down"" when my peers are running? on Dashboards & Visualizations. 05-12-2017 09:05 AM
- Posted Re: Why don't charts display from a base search on a dashboard when 'Open in search' does work? on Dashboards & Visualizations. 05-10-2017 07:30 AM
- Posted Re: Why don't charts display from a base search on a dashboard when 'Open in search' does work? on Dashboards & Visualizations. 05-10-2017 07:29 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
06-16-2017
05:59 AM
Thanks for the response. Using 6.5.2 soon to be on 6.6.1.
I tried that as:
| pivot .....
splitrow fieldname
filter (fieldname ="some text1" OR fieldname="some text2")
But that didn't execute.
... View more
06-15-2017
01:18 PM
1 Karma
Based on the Splunk pivot command documentation, one should be able to use:
| pivot .....
splitrow fieldname
filter fieldname in ("some text1", "some text2")
However, this doesn't work for me - it only returns the first value in the list, not both of them. Even if I remove the quotes from the strings which seems like it works ok, it still just return the first value. However, this works:
| pivot .....
splitrow fieldname
filter fieldname contains some
This isn't ideal because it returns a lot of stuff I don't want. So the question is how do I do a simple OR logical to filter on multiple values with the pivot command?
Does the pivot command have a bug where the 'in' comparison operator doesn't work?
... View more
06-01-2017
07:51 AM
Excellent thank you!
... View more
06-01-2017
06:22 AM
I want to have a token for both the form input value and label fields which differ (fieldForValue, fieldForLabel), is it possible to do this? Or is there a way to access the label from a token (e.g., $token.label$ which I realize doesn't work, but similar to $time.earliest$)?
Here's what I'm doing manually right now, but I don't want to have to have to add new conditions every time I update the lookup, which will grow quickly.
<input type="dropdown" token="service">
<label>Select a Service:</label>
<fieldForLabel>Domains</fieldForLabel>
<fieldForValue>AFFECTED_ITEM_STRING</fieldForValue>
<search>
<query>| inputlookup domain_report.csv | table *</query>
</search>
<initialValue>*aura*</initialValue>
<change>
<condition label="Service1">
<set token="service_nm">Service1</set>
</condition>
<condition label="Service2">
<set token="service_nm">Service2</set>
</condition>
</change>
</input>
Thanks
... View more
- Tags:
- splunk-enterprise
05-12-2017
09:05 AM
Our architecture team mostly resolved these. From what I could gather - there was some connectivity issues within the cloud hosting environment that led to this. Took months to get it resolved, thankfully we were still in a testing phase - big yellow warnings on all dashboards were troublesome...
... View more
05-10-2017
07:30 AM
I finally got the post-processing chained searches working - what I did was create a smaller kvstore lookup specifically for this search. It took the first lookup from ~500K rows to ~100K rows and 10 to 3 fields, and now the searches work OK. So my suspicion is that there was some issue with hitting default limits in the backend where the very large lookup wasn't working in the post-processing (chained) search.
... View more
05-10-2017
07:29 AM
Forgot to answer you're other question - yes there were other post-processing searches using ticket_base, that included stats and lookup commands. The raw data forked out to 6 charts total.
... View more
05-10-2017
07:21 AM
Thanks for the feedback. I intentionally put the $territory$ filter further down in a post-processing search so that if users change that filter (a multiselect), the data loads faster, since it apparently doesn't run the base search to return the raw data. Is this interpretation correct? It appears it is.
I finally got the post-processing working, what I did was create a smaller lookup specifically for this search - it took the first lookup from ~500K rows to ~100K rows and with ~30% of the fields, and now the searches work OK. So my suspicion is that there was some issue with default limits in the backend where the very large lookup wasn't working in the post-processing (chained) search.
... View more
05-09-2017
02:22 PM
Do you think there could be issues because the lookup in the post-process search is large (300K rows)? Even if I include a stats command prior to the lookup in the post-process command, very similar to the "Chained post-process searches" example in the documentation, it still doesn't run.
However, if I replace the lookup command with a join+inputlookup it runs, just painfully slow. It really doesn't like that specific lookup file.
Well i've spent 6hrs on this now, maybe it's time to switch back to a raw search for each chart individually.
... View more
05-09-2017
01:18 PM
Yes they're spelled correctly. The search runs fine when I click 'Open in search' on the same chart panel that says:
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
... View more
05-09-2017
01:17 PM
Ok thanks for the link to the documentation. I'm clearly using base searches incorrectly, but I like the option of pulling the raw data only once for a dashboard, not having to pull it separately for each chart.
I tried the "| table xyz | fields *" approach and that didn't work. Trying a bunch of permutations now, still nothing working.
I think the moral of the story is i'm using base searches inappropriately, and they do weird things when used inappropriately.
... View more
05-09-2017
11:08 AM
1 Karma
I've seen other's ask this repeatedly - why do post-processing base searches not work in a dashboard, but they work fine when you click on 'Open in search'? I've tried a few approaches listed in other Splunk Answers (e.g., quoting fields) but I still can't get my dashboard to work with the base (post-processing) searches. Sometimes they work and sometimes they don't, it's extremely frustrating and buggy. I have another base search on the dashboard that calls the same 'ticket_base' using a lookup in the same way, and those charts work fine. Here's my code for the base searches that aren't working:
<search id="ticket_base">
<query>index=sm9_us source=interaction AFFECTED_ITEM="$service$"
| fields INTERACTION_ID OPEN_TIME CLOSE_TIME KPF_ID HANDLE_TIME TERRITORY SUBCATEGORY OPERATOR_ID
| dedup INTERACTION_ID</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<search base="ticket_base" id="contacts_base">
<query>
| search $territory$
| lookup sm9_contacts_lookup OPERATOR_ID OUTPUT LOCATION TITLE
</query>
</search>
And here's one of the searches that is using the above base search:
<panel>
<chart>
<title>Ticket Volume by User Location</title>
<search base="contacts_base">
<query>
| lookup sm9_locations_lookup LOCATION OUTPUT CITY
| stats count as "Total Volume" by CITY
| sort - "Total Volume"
| head 10
</query>
</search>
</chart>
</panel>
On the dashboard, it says:
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
But 'Open in search' will run it fine.
Anyone have thoughts on how to get this specific set of base searches working?
Thanks
... View more
04-25-2017
10:27 AM
I'd like to populate a dashboard in an app with a list of all ITSI KPI titles and their descriptions, so users will know what KPIs were used in the composite service health score.
Is there a lookup or dataset I can access that has the KPI descriptions? I can get the list of KPI titles associated with a Service from the alarm_console_lookup, e.g.:
| inputlookup alarm_console_lookup
Is there a similar lookup that might also include the description text for each KPI?
Thanks
... View more
03-27-2017
07:09 AM
I never got it working, I ended up using a KV store within our app instead to keep persistent data that we need.
... View more
03-14-2017
12:39 PM
Thanks for your help, it's working good after I added to the props.conf.
... View more
03-14-2017
12:23 PM
Thanks for that, I think these should be stable but will have to check.
Note - the actual raw data doesn't come in formmated with return characters, so I had to modify the regex. Do you see any issues with how I did it below? I'm a regex noob.
| gentimes start=-1
| eval _raw="<response status='success'><result> <thermal> <Slot1> <entry> <slot>1</slot> <description>Temperature @ Ocelot</description> <min>0.0</min> <max>60.0</max> <alarm>False</alarm> <DegreesC>36.0</DegreesC> </entry> <entry> <slot>1</slot> <description>Temperature @ Switch</description> <min>0.0</min> <max>60.0</max> <alarm>False</alarm> <DegreesC>37.5</DegreesC> </entry> <entry> <slot>1</slot> <description>Temperature @ Cavium</description> <min>0.0</min> <max>60.0</max> <alarm>False</alarm> <DegreesC>42.5</DegreesC> </entry> <entry> <slot>1</slot> <description>Temperature @ Intel PHY</description> <min>0.0</min> <max>60.0</max> <alarm>False</alarm> <DegreesC>35.0</DegreesC> </entry> <entry> <slot>1</slot> <description>Temperature @ Switch Core</description> <min>0.0</min> <max>85.0</max> <alarm>False</alarm> <DegreesC>62.0</DegreesC> </entry> <entry> <slot>1</slot> <description>Temperature @ Cavium Core</description> <min>0.0</min> <max>85.0</max> <alarm>False</alarm> <DegreesC>47.0</DegreesC> </entry> </Slot1> </thermal> </result> </response>"
| table _raw
| rex field=_raw "Temperature @ Ocelot<\/description>\s+(<\w+>[\w\d.]+<\/\w+>\s+){3}<DegreesC>(?<Temp_Ocelot>[^\<]+)"
... View more
03-14-2017
08:19 AM
Here's a small snippet of an xml firewall event i'm trying to parse:
<response status="success">
<result>
<thermal>
<Slot1>
<entry>
<slot>1</slot>
<description>Temperature @ Ocelot</description>
<min>0.0</min>
<max>60.0</max>
<alarm>False</alarm>
<DegreesC>36.0</DegreesC>
</entry>
<entry>
<slot>1</slot>
<description>Temperature @ Switch</description>
<min>0.0</min>
<max>60.0</max>
<alarm>False</alarm>
<DegreesC>37.5</DegreesC>
</entry>
</Slot1>
</thermal>
</result>
</response>
Ideally i'd like to set up a process to extract the two entries above as separate fields (Temp_Ocelot=36.0, Temp_Switch=37.5). I know I can do this with xpath at search time pretty easily as:
..... | xpath outfield=Temp_Ocelot "//response/result/thermal/Slot1/entry[description='Temperature @ Ocelot']/DegreesC"
But i'd like to define this in the configuration files to parse out the fields automatically. For instance, here's how I set up a props.conf to extract the XML generically so that it extracts all possible fields:
[pa_env]
DATETIME_CONFIG = CURRENT
KV_MODE = xml
LINE_BREAKER = (<response>)
MUST_BREAK_AFTER = \</response\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
pulldown_type = 1
But this leads to a lot of multivalue records, which I then have to deal with through mvzip, mvexpand, etc.
Is there a way to set up props.conf (or additionally transforms.conf) to extract the individual tags of interest as individual fields? At first I thought I could do something with the FIELDALIAS in props.conf to extract a specific entry description following how it's done in xpath, but that didn't work. Here's what I tried:
FIELDALIAS-rootfields = response.result.thermal.Slot1.entry[description='Temperature @ Ocelot'].DegreesC as Temp_Ocelot
Is there a way to specify a specific tag based on its properties in a FIELDALIAS?
Thanks
... View more
01-27-2017
09:10 AM
No we didn't tag anything - i'm guessing the DA-ITSI-VIRTUALIZATION add-on does that for you. We just had to enable it, it was disabled by default.
... View more
01-26-2017
10:29 AM
Excellent thank you! I figured there was a built in way to do this.
... View more
01-26-2017
09:41 AM
Hi Guiseppe,
Thanks for the reply. Unfortunately there are no fields extracted since it's coming in as this structured format. For example, one of the source is 'top' which is just the 'top' command output. A typical event has 100s of lines in it. If I try mvexpand on the _raw field:
index=mihealth source=top | mvexpand _raw | table _raw
Here is a snippet of the output (12 columns for each row, 100's of rows):
PID USER PR NI VIRT RES SHR S pctCPU pctMEM cpuTIME COMMAND 4186 tomcat2 20 0 7714m 450m 7692 S 2.0 1.4 38:34.88 java 7114 root 20 0 15160 1200 808 R 2.0 0.0 0:00.01 top 7360 tomcat 20 0 21.8g 5.9g 7744 S 2.0 18.8 359:51.46 java 1 root 20 0 19344 1076 848 S 0.0 0.0 0:07.64 init 2 root 20 0 0 0 0 S 0.0 0.0 0:00.02 kthreadd 3 root RT 0 0 0 0 S 0.0 0.0 0:04.54 migration/0 4 root 20 0 0 0 0 S 0.0 0.0 0:11.94 ksoftirqd/0 5 root RT 0 0 0 0 S 0.0 0.0 0:00.00 stopper/0 6 root RT 0 0 0 0 S 0.0 0.0 0:02.92 watchdog/0 7 root RT 0 0 0 0 S 0.0 0.0 0:06.73 migration/1 8 root RT 0 0 0 0 S 0.0 0.0 0:00.00 stopper/1 9 root 20 0 0 0 0 S 0.0 0.0 0:06.23 ks
It seems like i need some type of mvexpand, but it doesn't appear to expand based on return characters for each row in the raw data.
... View more
