12-05-2016
03:23 PM
I'm using Win7 with IE11.
I tried editing the XML directly myself to resolve the issue but that didn't work - well it works once and when I either exit the dashboard or hit 'refresh' in IE, it reverts back.
Yes, search head clustering is being used.
12-05-2016
02:04 PM
2 Karma
I keep having issues where Splunk will remove the space after: field - ... which then messes up the query.
I edit the source and place one or two spaces between 'field' and '-', which will then show correct output, but then when I close the dashboard, it reverts back and removes the spaces to | field-
Am I missing something or is there a way to fix this issue? I suppose I could do a |fields and list all the fields I want to keep but that shouldn't be the answer.
Any suggestions as to why this is occurring? I have several dashboards doing this.
11-18-2016
06:54 AM
Excellent! Thank you.
11-17-2016
03:30 PM
Is there a way to change the time duration calculated to a more readable format?
Trying to go from something like this: "40+09:01:43" to something more like "40 days + 09:01:43"
11-01-2016
01:47 PM
wowzers ... I'm not even sure how to incorporate that into my simple dashboard 🙂 There must be a simpler way to get the same result such as with an |appendpipe or some other feature.
11-01-2016
01:31 PM
ok ... I don't have a need to total columns of numbers so this wouldn't apply. I know I can add a column to my output for the sake of using one of these functions but I don't want to add a column that displays a '1' for every record just so I can get a grand total count at the bottom.
11-01-2016
01:22 PM
No, that only totals up columns. I have no column to total that will give a total count.
11-01-2016
01:13 PM
I can't seem to figure out a way to add a bottom row for a total count of results (records) to the end of the results without adding another column for a count and then totaling that column. There must be an easier way.
I can't use |stats count which is the number I'm looking for because that suppresses the details of the results.
Using |stats count by ....(all my fields needed in output) works but it adds an unwanted column for the count. If I try to use |fields - count that breaks the total count.
I know there must be a way for this - please help!
10-25-2016
01:00 PM
cool - thank you sir!
10-25-2016
12:44 PM
.. one small addition if you don't mind .. is there also a way to add a label for the last totals row produced from :
| appendpipe [stats avg(*) as * | foreach * [eval "<<FIELD>>"=round('<<FIELD>>') ] ]
10-25-2016
12:28 PM
Wowzers! That's something I've never seen or heard of before ... you're awesome!
10-25-2016
12:16 PM
Would there be a way to round the final totals from using [stats avg(*) as * ] ?
10-25-2016
11:29 AM
Great!! Your final answer fixes everything - thanks!
10-25-2016
11:04 AM
Almost there. I found a way to add the correct total for each column with another appendcols but noticed that the final totals were lost - with the |appendpipe [stats avg(* ) as *]
Here's what I have now but missing the final totals:
index=
| bucket _time span=1d
|convert ctime(_time) AS date timeformat="%Y/%m/%d"
| stats count by host date
| appendpipe [| stats avg(count) as count by host | eval date="Host Avg" ]
| xyseries host date count
| appendcols [search index=
| stats count as "Total Count" by host ]
| appendpipe [stats avg(* ) as *]
10-25-2016
10:21 AM
I see - it's including the avg(count) # into the total count but how can I exclude the avg count from the total?
10-25-2016
10:15 AM
.. oops .. my fault ... getting results now and the avg. is correct and in a new column but the total column is now showing an incorrect total for the time span for each row.
10-25-2016
10:09 AM
hmmm .... returns 0 results
10-25-2016
09:01 AM
I can't seem to find a solution for this. I've created a chart over a given time span. I've been able to add a column for the totals for each row and total averages at the bottom but have not been able to figure out how to add a column for the average of whatever the selected time span would be.
What I have so far ....
index=*
| bucket _time span=1d
|convert ctime(_time) AS date timeformat="%Y/%m/%d"
| chart count over host by date
| addtotals
| appendpipe [stats avg(* ) as *]
10-14-2016
06:37 AM
Works great - thanks!
10-13-2016
02:01 PM
I'm trying to join information from a metadata search to a lookup file. It works using a subsearch such as this:
| metadata type=hosts index= | join type=left host [|inputlookup myfile.csv |rename fieldx as host]
My metadata host field may contain an IP or a name. My lookup file contains two fields - one with the IP and another with the hostname. Can I join the two files so that if the metadata host field is an IP it joins the lookup file based on the IP field and when the metadata host field contains a hostname it joins based on the hostname field?
I can do this by running two different searches - one join for IP and one join for hostname and combine the two results in a dashboard, but I was wondering if I could join the records based on either value of the host field in one search.
Any input is greatly appreciated!
09-01-2016
06:57 AM
thanks but that's still limiting to 100 hosts
08-31-2016
01:33 PM
This isn't quite what I'm looking for.
This results with the devtype being listed for every host. I'm trying to show each devtype once and then show each host and the times for each host.
08-31-2016
01:31 PM
List(x) has a limit of returning the first 100 - that's the issue at hand
08-31-2016
12:56 PM
Not quite what I'm looking for. I'm trying to get each unique devtype to display once and show all the hosts within that location and the times for each host - only there's hundreds of hosts for each devtype:
Example:
devtype | host | time1 | time2 |
---|---|---|---|
Dell | host1 | 10:00:00 | 11:00:00 |
HP | host2 | 10:00:00 | 10:30:00 |
 | host3 | 12:00:00 | 13:00:00 |
 | host4 | 12:30:00 | 14:00:00 |
IBM | host5 | 07:00:00 | 08:00:00 |
 | host6 | 07:00:00 | 08:00:00 |
08-31-2016
12:31 PM
3 Karma
I'm having problems with getting all the values to display when using this:
|stats count, values(host) as Host, list(Time1), list(Time2) by devtype
It shows me a count of all the hosts for each devtype. There can be hundreds of hosts for each devtype, so it's only displaying the first 100 results for the Time1 and Time2 fields which I know is a limitation for list but I can't use values for the time fields because there can be duplicate values and won't work.
Anyone have a suggestion for another way of getting everything to display??