×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Alex_Megremis
Explorer
Member since: ‎01-10-2011
‎06-05-2020
Community Statistics
Posts 7
Solutions 0
Karma Given 1
Karma Received 2
Member Since ‎01-10-2011
Activity Feed
View All

Re: subsearch breaks on different index? subsearch...

by in Splunk Search
‎01-28-2011 12:39 AM
‎01-28-2011 12:39 AM
That worked like a charm. Thank you. ... View more

subsearch breaks on different index? subsearch for...

by in Splunk Search
‎01-27-2011 10:02 AM
‎01-27-2011 10:02 AM
Hi all, I have index01 which has all the web server log data that I'm interested in. I have index02 which has parsed a CSV containing configuration values (in this case peak period start and end hours), as well as timestamp and version columns If I run index="index01" // I have also tried including here OR index="index02" eventtype="myIndex01EventType" time_hour > [search index="index02" "KEY_NAME" | sort VERSION DATE | head 1 | fields VALUE | rename VALUE as time_hour // I have tried renames to "query" and "search" | convert num(time_hour)] // I have tried without the convert I get Error in 'UnifiedSearch': Unable to parse the 'Invalid RHS for comparison' search. The subsearch, if run on its own, returns a single event, with a single field called time_hour and a value of 5. I've tried a many variants of this, but my brain is turning to mush. My closest suspicion is that the subsearch return is somehow incompatible with the comparison (as the message indicates), be it for syntax or semantics. In case it's not clear, I'm trying to build a search to retrieve events based on, among other things, a peak/off-peak time bracket that's defined in a monitored CSV, and indexed in index02 Any help would be greatly appreciated. Thank you. ... View more

Re: addcoltotals ignored in HiddenPostProcess ?

by in Dashboards & Visualizations
‎01-24-2011 10:12 AM
‎01-24-2011 10:12 AM
I've edited the question to reflect this. ... View more

Re: addcoltotals ignored in HiddenPostProcess ?

by in Dashboards & Visualizations
‎01-24-2011 10:09 AM
‎01-24-2011 10:09 AM
Thanks. No - sadly the paginator doesn't seem to have any relation. I have cleaned up the XML so that the hierarchy contains only: HiddenSearch - HiddenPostProcess with addtotals or addcoltotals calls - SimpleResultsTable I still lose the column totals. Any other ideas? ... View more

Re: addcoltotals ignored in HiddenPostProcess ?

by in Dashboards & Visualizations
‎01-23-2011 05:04 AM
‎01-23-2011 05:04 AM
Thanks for answering! I have edited the question to reveal the structure of the search. All the resulting fields are numeric, apart from the date. As I mentioned, I still get totals per row, but I lose the totals per column. ... View more

addcoltotals ignored in HiddenPostProcess ?

by in Dashboards & Visualizations
‎01-21-2011 06:50 AM
‎01-21-2011 06:50 AM
If I have <module name="HiddenSearch" autoRun="False" layoutPanel="mainSearchControls"> <param name="search">index=myIndex eventtype="EVENTS_TYPE_01" OR eventtype="EVENTS_TYPE_02" OR eventtype="EVENTS_TYPE_03" | timechart span="1d" count(eventtype) by eventtype | addtotals rows=t cols=t</param> it works as expected. I get a Total row and column on a table However, if I do <module name="HiddenSearch" autoRun="False" layoutPanel="mainSearchControls"> <param name="search">index=myindex01 eventtype="EVENTS_TYPE_01" OR eventtype="EVENTS_TYPE_02" OR eventtype="EVENTS_TYPE_03" | timechart span="1d" count(eventtype) by eventtype <module name="HiddenPostProcess"> <param name="search"> | addtotals rows=t cols=t</param> which I would be doing to avoid having the totals column mess up my chart's Y axis, for example, the Totals row isn't there. It's the same if I do <param name="search"> | addtotals | addcoltotals</param> EDIT: The behaviour is exhibited even in a clean XML with a hierarchy of nothing but: <module name="HiddenSearch"> <module name="HiddenPostProcess"> <module name="SimpleResultsTable"> Does anyone have any idea why this is, and how to fix it? I vaaaaguely have a recollection of this being a known issue of some sort, but I'm probably wrong. All help appreciated. Thanks! ... View more

HiddenPostProcess 10000 limit? Configurable? How t...

by in Dashboards & Visualizations
‎01-10-2011 01:47 AM
2 Karma
‎01-10-2011 01:47 AM
2 Karma
Hi all, I am having difficulty working around what I understand to be a hard limit of 10000 events for the HiddenPostProcess module. I am looking for a way to reduce the granularity of the events going across, but without success. Example problem code: <module name="HiddenSearch" autoRun="False" layoutPanel="mainSearchControls"> <param name="search">index=analysisindex01 eventtype="EVENTS01" OR eventtype="EVENTS02" OR eventtype="EVENTS03" OR eventtype="EVENTS04" OR eventtype="EVENTS05" OR eventtype="EVENTS06" OR eventtype="EVENTS07" OR eventtype="EVENTS08" timeformat="%d/%m/%Y" starttime=10/11/2010 searchtimespandays=5 | fields eventtype, _time </param> ... stuff ... <module name="HiddenPostProcess" layoutPanel="panel_row2_col1"> <param name="search">timechart span="1d" count(eventtype) by eventtype</parm> This will fail. It will produce results, but they will be capped to 10000. If I do timeformat="%d/%m/%Y" starttime=10/11/2010 searchtimespandays=5 | bucket _time span=1h | fields eventtype, _time in an attempt to summarize the events a bit, I only get 1 row, for 1 day, in the reports generated, and the numbers in it make no sense. Is there something I am missing? Any and all help is greatly appreciated. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:02 AM
Karma from
View All
Karma given to
View All