Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Kenshiro70
Kenshiro70
Path Finder
Member since:
07-17-2016
11-25-2020
Community Statistics
| Posts | 29 |
| Solutions | 1 |
| Karma Given | 15 |
| Karma Received | 31 |
| Member Since | 07-17-2016 |
Activity Feed
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 11-11-2021 05:42 AM
- Got Karma for Re: Treemap - Custom Visualization: How to get Tooltips and Drilldowns to work?. 07-30-2021 01:44 PM
- Got Karma for Re: What's the Token name for the Time Picker's display value, if any?. 07-08-2021 02:05 PM
- Got Karma for Re: How to hide error message icons from dashboard?. 11-24-2020 03:33 PM
- Karma Re: How to change the width of panels in xml? for niketn. 06-05-2020 12:49 AM
- Karma Re: How do I dynamically set earliest from subsearch? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: How do I Hide Table Headers? for niketn. 06-05-2020 12:49 AM
- Karma Re: Want to condition match when a value is a single asterisk for simpkins1958. 06-05-2020 12:49 AM
- Karma Re: How to change font size of texts inside table using dashboard xml source for niketn. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
- Got Karma for Re: What *exactly* are the rules/requirements for using "|tstats append=t"?. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-16-2018
05:46 PM
I'm assuming you have already looked at the Custom Viz tutorial.
See this answer on setting the windows environment variables correctly.
... View more
08-28-2018
07:59 AM
1 Karma
It looks like Firefox (and now Chrome) are now registering events to objects which have no fill. Add this to your dashboard and it should work:
<row depends="$HideCSS$">
<panel>
<html>
<style>
.splunk-treemap foreignObject.foreignobj {
pointer-events: none;
}
</style>
</html>
</panel>
</row>
... View more
08-24-2018
06:56 AM
Bad news all around:
There's no Simple XML setting.
I looked at the element on the page (in Chrome, right-click and choose Inspect), and the text is not there so you can't add CSS to change the display from hidden to visible.
I looked at the javascript code and realized it's not an easy change either. SVGs don't do text wrapping by default, so those labels are overlaid onto the grid separately. The problem is that their position is calculated based on the "zoomed in" layout, so both the positions and the sizing would be wrong.
It's technically possible to do it, but you'd need to make non-trivial modifications to the visualization logic. Sorry for the bad news; I was hoping to do the same thing.
... View more
06-23-2018
06:40 PM
Thanks! If I've saved you some of the pain I experienced in learning the stuff in here, then it's worth it.
... View more
06-23-2018
01:37 PM
I've got a medium-sized (50MB) CSV lookup file with two columns (email address and server name) that I want to use. I tried a straight upload and managed to put down our Splunk instance because replication failed and blocked all searches. Can I dribble the file in 100K lines at a time using outputlookup append=t ? Or does the replication just take the whole lookup bundle and try and replicate everything?
Please note: I do not have access to the file system; whatever the solution is, I have to be able to do it from Splunk Web.
Thanks!
... View more
06-23-2018
12:15 PM
Niket's answer will work perfectly well, but over time I've migrated to using coalesce , like so:
| eval field1=coalesce(field1,"randomValue1"), field2=coalesce(field2,"randomValue2")
It's a little more readable and can also handle multiple fields in the argument section as well. It's really just a matter of preference.
... View more
06-23-2018
09:52 AM
I've had this too. From what I can tell, it's a permissions issue with Lookup definitions. Do not set Lookup definition permissions to Global. What happens is that in other apps the query looks for the definition within the app, even thought it's global. You can have the Lookup file at Global, but you have the create a Lookup definition within the app you want to use it and set the permission to App.
... View more
06-23-2018
09:46 AM
What does :: really do (e.g., country::Japan )? Does it have any extra value, or does the internal optimizer convert = to :: automatically?
... View more
06-21-2018
08:57 AM
Use the fields command, like so:
| table StageName Percentage
| chart max(Percentage) as Percentage by StageName
| transpose column_name="Title" header_field=StageName
| fields Title Application SOD Report System Online
Note that I had to use transpose to move the Percentage values to columns. For timecharts, you wouldn't need to do that.
... View more
06-21-2018
08:33 AM
2 Karma
Use the fields command, like so:
| chart count over serverType by status
| fields serverType a c e d b
(I changed the name from "fields" in the original example to "serverType" to avoid confusion.)
Note that depending on the result set, you might need to use transpose or xyseries to move the data fields into columns.
... View more
06-19-2018
02:29 PM
You might want to consider changing $filterDeviceToken$ to $value$ . If prefix or suffix is defined, the full token will include them, whereas the value token will return only what's in the input.
... View more
06-16-2018
10:51 AM
4 Karma
I've used $label$ along with <change> and been mostly successful with it. The only weak point is that it doesn't always pick up the default value on the first time the screen loads and will display the system default (still on 6.5.2, so it's "All time"). Code as follows:
<input type="time" searchWhenChanged="true">
<label>Enter time range</label>
<default>
<earliest>-1d@d</earliest>
<latest>@d</latest>
</default>
<change>
<set token="displayTime">($label$)</set>
</change>
</input>
Note that this only works for the simple values (Yesterday, etc.) But in this case I was looking to keep the dashboard as simple as possible.
... View more
06-12-2018
12:02 PM
7 Karma
Add this to the Simple XML:
<row depends="$alwaysHideHTMLStyle$">
<panel>
<html>
<style>
.dashboard-row .dashboard-panel .error-details .error-indicator {
display: none; !important;
}
</style>
</html>
</panel>
</row>
As woodcock says, this should be used with caution. I only use it for end-user dashboards where display would be more confusing than not (in my case we're getting a bunch of warnings that the query initialization time is longer than a second because the storage is slow). Power User dashboards still show the errors.
... View more
06-10-2018
10:10 AM
1 Karma
LOL I found your answer after I'd written mine and was going to edit it to link to your answer. I wish I'd seen your wiki page a year ago - I'm now busy reskinning my dashboards so that they don't look like they are an IT system. 🙂
... View more
06-09-2018
02:11 PM
2 Karma
I think this should do the trick:
<row depends="$alwaysHideHTMLStyle$">
<panel>
<html>
<style>
.dashboard-panel h2.panel-title {
font-weight: bold !important;
font-size: 200% !important;
}
</style>
</html>
</panel>
</row>
Interestingly enough, if you remove .dashboard-panel then you can see the font displayed in the Edit page too.
I figured this out by using Chrome's Developer Tools menu option, then using the Elements panel, I navigated to the correct portion of the web page and looked at the class structure in the Styles display. I'm not terribly well versed in CSS, so it took a bit of guesswork.
... View more
03-29-2018
08:22 PM
Have you tried replacing the space character with \s?
<eval token="order_number_q">if($value$=="","","('"+replace(ltrim(rtrim($value$)),"\s+","','")+"') ")</eval>
It's possible the space is getting borked somehow via XML.
... View more
03-21-2018
08:35 AM
I posted a somewhat gnarly way to do what you want to do in another answer (link).
Hope this helps.
... View more
03-21-2018
08:31 AM
Here's how I did it without changing the data model.
My goal was to see what percentage of API calls returned in under 1 second and under 3 seconds.
| tstats summariesonly=t prestats=t count from datamodel=rest_api
BY object.apiName
| eval perfThreshold="Total"
| tstats summariesonly=t prestats=t append=t count from datamodel=rest_api
WHERE object.responseTime<=1000
BY object.apiName
| eval perfThreshold=case(isnotnull(perfThreshold), perfThreshold, true(), "Below1sec")
| tstats summariesonly=t prestats=t append=t count from datamodel=rest_api
WHERE object.responseTime<=3000
BY object.apiName
| eval perfThreshold=case(isnotnull(perfThreshold), perfThreshold, true(), "Below3sec")
| rename object.* as *
| chart count by apiName perfThreshold
| eval pctBelow1Sec=100 * Below1sec / Total
| eval pctBelow3Sec=100 * Below3sec / Total
| table apiName pctBelow1Sec pctBelow3Sec Total
Hope this helps.
... View more
12-17-2017
05:16 AM
On your inability to accelerate and test - see my answer below. Prestats and the sistats command seem to produce very similar results, so a back door way to test might be to use sistats to write to a summary index, then search the summary index and summarize with a stats command. Prestats and stats should be very close in their behavior (as far as I've seen at least).
... View more
12-17-2017
05:12 AM
14 Karma
Over time I've learned some of the behavior. Here's what I've found so far, with a Do's and Don'ts section after that:
What does prestats=t do?
Prestats formats the returned data in a way that can be parsed and calculated very quickly by another stats/chart/timechart command.
Prestats seems to work the same way summary indices do; as far as I can tell, sistats and prestats produce the same results.
The good news: you can read up on summary indices to get a better idea of what's happening.
The bad news: the docs are very fuzzy on the exact syntax for retrieving data from summary indices.
Summariesonly can be either true or false.
How should I set up the fields so that they flow from tstats prestats=t to stats?
The functions must match exactly. So if you have max(displayTime) in tstats, it has to be that way in the stats statement.
However, you can rename the stats function, so it could say max(displayTime) as maxDisplay.
| tstats prestats=t max(object.field1) from datamodel=foo by object.field2
| stats max(object.field1) as maxField1 by object.field2
The stats By clause must have at least the fields listed in the tstats By clause. I think you can add fields to the stats By clause (see below), but get the basics working first.
What does summariesonly=t do?
It forces Splunk to use only accelerated data in the data model. If you have 30 days of data but only have acceleration for 7 days, using summariesonly=t will return only 7 days of data even if your earliest date is before that. The summariesonly flag is independent of the prestats and can be used with or without prestats.
If the data model is not accelerated and you use summariesonly=t: "No results found"
What does summariesonly=f do?
This is the default behavior, so it's pretty rare to see it spelled out in searches. As far as I can tell, If the datamodel is accelerated, Splunk will use the accelerated data where it can and then search against the underlying data.
If the data model is not accelerated and you use summariesonly=f: Results return normally.
When using tstats, do all of the fields you want to use need to be declared in the data model?
Yes. That all applies to all tstats usage, not just prestats. tstats is reading off of an alternate index that is created when you design the datamodel. It's actually quote powerful because it allows you to create your own objects, which in turn will manage all of the data relationships so that you don't have to declare them in every search. It's a shame the documentation is so sparse.
Are there any special rules for using append=t?
I'm glad you asked, because I lost at least four hours last week figuring this one out.
You must use prestats=t for all tstats commands.
Get the first tstats prestats=t and stats command combo working first before adding additional tstats prestats=t append=t commands. Otherwise debugging them is a nightmare.
It appears that you have to declare all of the functions you are going to use in the first tstats statement, even if they don't exist there. If you don't it, the functions in the second tstats command will be ignored. Think of it like the outputlookup append=t command - if a field wasn't already in the lookup, it won't get added.
In other words, it has to look like this:
| tstats prestats=t max(object.field1) max(object.field2) from datamodel=foo
| tstats prestats=t append=t max(object.field2) from datamodel=foo
| stats max(field1) as maxField1 max(field2) as maxField2
What if the "BY" fields don't match?
This is one major difference between stats and | tstats prestats=t append=t. In stats, NULL fields in the BY statement will exclude that event. But in tstats with appent=t, the missing fields are treated as empty, not null.
How does the count function behave with append=t?
Unpredictably. It gets recalculated in the stats function . Avoid using the function alone; always use it with a field.
Bad
| tstats prestats=t count from datamodel=foo where by object.field1 object.field2
| tstats prestats=t append=t count from datamodel=bar by object.field2 object.field3
| stats count by by object.field1 object.field2 object.field3
In the example above, matches on field2 will count both sets of results. If you don't want that, use this instead:
| tstats prestats=t count(object.uniqueField4) from datamodel=foo where by object.field1 object.field2
| tstats prestats=t append=t count(object.uniqueField5) from datamodel=bar by object.field2 object.field3
| stats count(object.uniqueField4) count(object.uniqueField5) by by object.field1 object.field2 object.field3
Can you use tstats append=t to do conditional counts?
Yes! Here's how I did it without changing the data model.
My goal was to see what percentage of API calls returned in under 1 second. See after the code sample for an explanation of why it works.
| tstats summariesonly=t prestats=t count from datamodel=rest_api
BY object.apiName
| eval perfThreshold="Total"
| tstats summariesonly=t prestats=t append=t count from datamodel=rest_api
WHERE object.responseTime<=1000
BY object.apiName
| eval perfThreshold=case(isnotnull(perfThreshold), perfThreshold, true(), "Below1sec")
| tstats summariesonly=t prestats=t append=t count from datamodel=rest_api
WHERE object.responseTime<=3000
BY object.apiName
| eval perfThreshold=case(isnotnull(perfThreshold), perfThreshold, true(), "Below3sec")
| rename object.* as *
| chart count by apiName perfThreshold
| eval pctBelow1Sec=100 * Below1sec / Total
| eval pctBelow3Sec=100 * Below3sec / Total
| table apiName pctBelow1Sec pctBelow3Sec Total
DO's and DON'Ts
What you CAN do between the tstats statement and the stats statement
The bad news: the behavior here can seem pretty wonky, though it does seem to have some internally consistent logic.
The good news: the behavior is the same for summary indices too, which means:
- Once you learn one, the other is much easier to master.
- You can use sistats to write to a summary index the look at the results there, which will give you a much better understanding of how the data flows when using prestats.
Actions you can take:
Rename fields (rename all.* as *)
Add fields. For example, eval webServer=host
Modify group by fields. For example, eval webServer=replace(webServer, ".com", "")
What you CAN'T do between the tstats statement and the stats statement
Change stats calculated values
Set a name for the function in the tstats statement. Not sure why, but it's probably because it returns the values in that special sistats format.
TL;DR: if you just want one search to return quickly, you're probably much better off making a report, accelerating it or scheduling it in the off hours, and calling it from the dashboard. but if you put in the time, you can do some pretty amazing stuff. Patience is key.
Please add any comments or corrections - I'll edit this post as needed.
... View more
11-11-2017
08:35 AM
Figured this one out just yesterday:
<input type="multiselect" token="tokMulti2">
<label></label>
<choice value="value1">Field 1</choice>
<choice value="value2">Field 2</choice>
<choice value="value3">Field 3</choice>
<default>"Field 1","Field 2","Field 3"</default>
<delimiter> </delimiter>
</input>
Yours would also work if you used initialValue instead of default.
<input type="multiselect" token="tokMulti3">
<label></label>
<choice value="value1">Field 1</choice>
<choice value="value2">Field 2</choice>
<choice value="value3">Field 3</choice>
<initialValue>value1,value2,value3</initialValue>
<delimiter> </delimiter>
</input>
Hope this helps.
... View more
10-28-2017
07:22 AM
I did a similar version of this, so I'll share what I did. The use case: I wanted a dropdown of server IDs for newbie users but a direct entry text box for advanced users. The same token did not work: the input tokens all seem to recalculate at the same time. It MIGHT work for a drilldown; you can try two and test.
If not, how I solved it was to have the two inputs feed into a hidden text input field, like so:
<fieldset submitButton="false">
<input type="dropdown" token="dropdown_picker" searchWhenChanged="true">
<label>Either select server OR </label>
<default></default>
<search>
<query>| inputlookup server_list.csv
| fields + server_name
| table server_name</query>
</search>
<fieldForValue>server_name</fieldForValue>
<fieldForLabel>server_name</fieldForLabel>
<change>
<condition match="$value$!=""">
<set token="form.input_parse">$value$</set>
</condition>
</change>
</input>
<input type="text" token="text_picker" searchWhenChanged="true">
<label>Enter Server Name</label>
<default></default>
<change>
<condition match="$value$!=""">
<set token="form.input_parse">$value$</set>
</condition>
</change>
</input>
</fieldset>
<row depends="$dummy_token$">
<panel>
<input type="text" token="input_parse" searchWhenChanged="true">
<default></default>
</input>
</panel>
</row>
<search id="serverDataFetch">
<query>| inputlookup server_list.csv where sever_name="$input_parse$"
| table server_name datacenter server_type</query>
</search>
Note how I set the form field with "form.field_name" - that seemed to avoid the token conflict.
... View more
10-29-2016
10:34 AM
Nice - it even accounts for duplicate values!
... View more
10-22-2016
09:34 AM
One of the most useful functions in Excel is percentilerank, which calculates the percentile of a value within a range of values. The closest I've been able to get is to do a p10, p20, p30, etc. and then search for everything below the value. I'm trying to show benchmarks and the function would be quite useful.
If you're not familiar with the percentilerank function, it works as follows:
You specify percentilerank(value, array of values)
Percentile rank returns the percentile for that value (e.g., 23rd percentile)
It's basically the converse of the perc commands.
... View more
09-03-2016
08:41 AM
This worked for me in diagnosing concurrent API calls from customers.
I consider myself reasonably good at Splunk, but wow.
(bows in the presence of a Splunk master)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-25-2020
08:53 AM
|
Karma from
