Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About mstark31
mstark31
Path Finder
Member since:
07-20-2016
01-18-2021
Community Statistics
| Posts | 33 |
| Solutions | 1 |
| Karma Given | 16 |
| Karma Received | 9 |
| Member Since | 07-20-2016 |
Activity Feed
- Karma Re: Changing data label font size for vnravikumar. 01-18-2021 10:42 AM
- Got Karma for Re: stats on transaction. 08-21-2020 04:20 AM
- Karma How can I change the sort order of data in a Trellis chart? for ejharts2015. 06-05-2020 12:49 AM
- Karma Re: Modify subsearch time starting with timerange picker token for somesoni2. 06-05-2020 12:49 AM
- Karma Re: Modify subsearch time starting with timerange picker token for Cuyose. 06-05-2020 12:49 AM
- Karma Re: Drilldown Search Removing Math Operators for cardinalga. 06-05-2020 12:49 AM
- Karma Re: Adding more rows in the trellis single-value colored format for woodcock. 06-05-2020 12:49 AM
- Karma Re: Extract last 3 characters from field for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to build a regular expression that will split a field on the first underscore? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: How to build a regular expression that will split a field on the first underscore? for gdziuba. 06-05-2020 12:48 AM
- Karma Re: How to change the group by clause in timechart command depending on selected value in drop-down? for rjthibod. 06-05-2020 12:48 AM
- Karma Re: If statement for earliest time for woodcock. 06-05-2020 12:48 AM
- Karma Re: If statement for earliest time for woodcock. 06-05-2020 12:48 AM
- Karma Re: How to generate a conditional search based on time? for woodcock. 06-05-2020 12:48 AM
- Got Karma for Can eval be used to calculate the standard deviation in multiple fields for a single event?. 06-05-2020 12:48 AM
- Got Karma for How to build a regular expression that will split a field on the first underscore?. 06-05-2020 12:48 AM
- Got Karma for Re: How to build a regular expression that will split a field on the first underscore?. 06-05-2020 12:48 AM
- Got Karma for How to get a Line Chart with 3 Split by Clauses?. 06-05-2020 12:48 AM
- Got Karma for Re: How to get a Line Chart with 3 Split by Clauses?. 06-05-2020 12:48 AM
- Karma Re: Set subsearch at a different time range than main search for woodcock. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 1 |
12-13-2019
05:46 AM
Hello Past mstark31. Current mstark31 thanks you for asking this question 3 years ago.
... View more
12-05-2019
09:50 AM
I think I was having issues with the suggestion here as well, but I ended up going another route for my original problem. Thank you for coming up with a better solution!
... View more
12-03-2019
07:30 AM
Why have you decided to use 3 joins?
From what I can tell, it looks like the major difference between the 3 different subsearches is the time window. Would it be possible to use an if or case statement to rename fields based on when the events occur?
An example:
| eval TimeDiv1_Start = relative_time(now(), "@d+7h+30m")
| eval TimeDiv1_End = relative_time(now(), "@d+14h+30m")
| eval TimeDiv2_Start = relative_time(now(), "@d+14h+30m")
| eval TimeDiv2_End = relative_time(now(), "@d+16h+30m")
| eval TimeDiv3_Start = relative_time(now(), "-1d@d+16h+30m")
| eval TimeDiv3_End = relative_time(now(), "@d+16h+30m")
| eval TimeDiff = now() - _time
| eval TimeGroup = case((TimeDiff >= TimeDiv1_Start AND TimeDiff < TimeDiv1_End), "Bucket1", (TimeDiff >= TimeDiv2_Start AND TimeDiff < TimeDiv2_End), "Bucket2", (TimeDiff >= TimeDiv3_Start AND TimeDiff < TimeDiv2_End), "Bucket1", 1=1, null())
... View more
11-27-2018
01:30 PM
I have a main time picker on my dashboard with the token value of $field1$ .
I also have a secondary time picker on my dashboard that controls a single search panel. Its token value is $field2$ .
I want the dashboard to behave such that when I change the value of the main time picker, the secondary time picker will update. However, I want to be able to then change the value of the secondary time picker. For example, if I was looking at a time frame of 8am to 8pm on the main picker, I'd want that to be reflected on the secondary picker. Then, I could adjust the secondary picker to show 10am to 11am. However, if then I wanted to switch the whole dashboard to show 10am to 10pm, I could adjust the main time picker and both would updated.
I tried to use the Advanced section of the secondary time picker to say $field1.earliest$ and $field1.latest$ as the default, but that did not work.
I also added the following code in my XML, but that did not work either.
<init>
<set token="field2.earliest">$field1.earliest$</set>
<set token="field2.latest">$field1.latest$</set>
</init>
Thanks!
... View more
11-27-2018
01:23 PM
I ended up coming up with a solution that takes care of the majority of cases where I want to join on time but the times aren't identical. It's a bit of a kludge, but it works most of the time.
Turns out, most of the events that don't match perfectly are within a few milliseconds of each other. I decided to create a field called joinTime where I take the value of _time and reformat it without the milliseconds ( "%F %T" ). Thus, I can perform my join using the joinTime field, which is now the same for the vast majority of events that need to be combined.
I'm still on the hunt for something better, but this will work in the meantime.
... View more
11-27-2018
01:19 PM
Thank you for your suggestion. Unfortunately, transaction isn't appropriate for this data.
I did use a variation of finding a common value in my solution.
... View more
11-27-2018
01:02 PM
Could there be a syntax error with the fact that there are 3 $ in the token setting expression?
$result.$earliest7$
... View more
11-20-2018
05:31 AM
I have an index containing failure events for both a system as a whole ("System") and individual sections of that system. When an individual section experiences a failure, two events are logged: one for the individual section and one for the system. My goal is to join the two events together (system & section) to have access to information in fields from both events. (Essentially, tag the "system" events with data from the "section" events).
About 75% of the time, the value for _time is the same for both events, which makes it easy to join them. However, sometimes the events are a few seconds apart, which means the join on time doesn't work.
How can I associate these very close (but not exactly the same time) events together?
... View more
11-29-2017
01:15 PM
Thank you! I inadvertently discovered the need to specify an earliest time with the latest time in another search yesterday, so good reminder.
... View more
11-29-2017
12:51 PM
Thank you! This appears to be working.
If I wanted to alter the latest time to be based on an offset from the earliest time, would this work? Examples is to make lastest time 5min after earliest time.
[| gentimes start=-1 | addinfo | eval latest=info_min_time+300 | table latest]
Also, why do you use table vs. return in the last pipe of the gentimes subsearch?
... View more
11-29-2017
07:33 AM
I have a situation where I want to run a main search of one index over a time period driven by the time picker on a dashboard, but annotate the results with information from a second search. The subsearch doing the annotation needs to run over a time period that searches a week earlier than the main search.
My subsearch:
| join foo type=outer [search earliest=$field1.earliest$-604800 index="someindex"
This works fine as long as the format of the time coming from the token is relative (@w, -d@d, etc.). If that token value is epoch time format (using date or date/time on the picker), the subsearch doesn’t run.
earliest=1511969191-608400 will not evaluate. earliest=@w-604800 will evaluate.
... View more
10-10-2017
01:39 PM
Thank you for helping with my debugging process. Despite the fact that I was copying and pasting the value for Reason from my data table, there was another space in there causing the problem. I went back to our original database that is sending to Splunk and found the space.
I feel silly, but at least I was able to rule out the need to escape the forward /.
... View more
10-10-2017
01:29 PM
I am in 6.6.2.
I tried your search, and it does exactly what yours does (basically, works).
I had to abstract things for the search I shared in my question, but my original search still doesn't function properly. I am in the process of making sure I'm not missing anything else.
... View more
10-10-2017
12:16 PM
I have a conditional statement (part of an eval case) in which I need to check for the value of a field. The desired value contains a forward slash ( / ).
| eval Bool = case(Reason=="Thing1 / Thing2", 0, ... 1=1, 1) . This statement will evaluate to Bool = 1 .
I've tried to escape it with a back slash ( / ), but that didn't work.
| eval Bool = case(Reason=="Thing1 \/ Thing2", 0, ... 1=1, 1) . This still evaluates to Bool = 1 .
I can technically use a like statement, which is how I know the / is causing the issue.
| eval Bool = case(Reason like "Thing1 % Thing2", 0, ... 1=1, 1) . This evaluates to Bool = 0 .
| eval Bool = case(Reason like "Thing1%Thing2", 0, ... 1=1, 1) . This evaluates to Bool = 0 . (The only difference is no spaces around the % character.)
Is there a solution that will let me use an exact match search vs. the like statement?
... View more
08-14-2017
01:47 PM
The kludge fix is to change it to | eval FakeQty = Qty1 - (-1*Qty2) , but this is clearly a temporary workaround.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-18-2021
03:14 PM
|
Karma from
