Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About mcantrell
mcantrell
Explorer
Member since:
08-24-2011
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 10 |
| Member Since | 08-24-2011 |
Activity Feed
- Karma Re: Time from subquery lost when joining to lookup table for gkanapathy. 06-05-2020 12:46 AM
- Got Karma for Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Got Karma for Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Got Karma for Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Got Karma for Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Got Karma for Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Got Karma for Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Got Karma for Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Got Karma for Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Got Karma for Re: Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Got Karma for Re: Sideview Utils not found after SoS 2.0 upgrade. 06-05-2020 12:46 AM
- Posted Re: Time from subquery lost when joining to lookup table on Reporting. 06-11-2012 08:10 AM
- Posted Re: Time from subquery lost when joining to lookup table on Reporting. 06-09-2012 05:17 AM
- Posted Re: Time from subquery lost when joining to lookup table on Reporting. 06-09-2012 05:16 AM
- Posted Re: Time from subquery lost when joining to lookup table on Reporting. 06-08-2012 01:42 PM
- Posted Time from subquery lost when joining to lookup table on Reporting. 06-08-2012 12:36 PM
- Tagged Time from subquery lost when joining to lookup table on Reporting. 06-08-2012 12:36 PM
- Tagged Time from subquery lost when joining to lookup table on Reporting. 06-08-2012 12:36 PM
- Posted Re: Finding missing events on Dashboards & Visualizations. 06-05-2012 01:10 PM
- Posted Finding missing events on Dashboards & Visualizations. 06-05-2012 12:19 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 8 |
OK.. I think I have it now. There is a max option to the join command which defaults to 1. I adjusted it to match the number of days I was searching for and the all of the records are showing up.
... View more
Instead of:
*sent client_id Name count *
6/7/12 12:00:00.000 AM 20006 Client A 123
6/8/12 12:00:00.000 AM 20006 Client A 117
6/7/12 12:00:00.000 AM 20008 Client B 36
6/8/12 12:00:00.000 AM 20008 Client B 0
6/7/12 12:00:00.000 AM 20009 Client C 101
6/8/12 12:00:00.000 AM 20009 Client C 0
6/7/12 12:00:00.000 AM 20010 Client D
6/8/12 12:00:00.000 AM 20010 Client D
It appears that it probably doesn't work exactly like it would in SQL. Maybe there's a better approach to accomplish the same end.
... View more
Hmmmm, renaming the field helps a little. The date is available now but something is weird in how it's joining the records. It's finding the first match for each client and then dumping the other dates.
Example:
*sent client_id Name count *
6/7/12 12:00:00.000 AM 20006 Client A 123
6/7/12 12:00:00.000 AM 20008 Client B 36
6/7/12 12:00:00.000 AM 20009 Client C 101
6/7/12 12:00:00.000 AM 20010 Client D
... View more
The reason for the join is so that I also display the clients which don't have any matching events. Without the left join, they drop off the report.
Ultimately, I want to draw attention to clients which have low or no activity. I realize this is sort of the reverse of what splunk is meant to do but I've never been shy of driving a square peg through a round hole 😉
... View more
I have a report which I'm trying to enhance to use a lookup report. The existing query is doing a simple agg to count by date and identifier:
type="REST" resource="Order" status="FINISHED" | bucket span=1d _time | stats count by client_id, _time
_time client_id count
6/7/12 12:00:00.000 AM 20006 123
6/8/12 12:00:00.000 AM 20006 117
6/7/12 12:00:00.000 AM 20008 36
6/7/12 12:00:00.000 AM 20009 101
I'm using a lookup table to enhance the data but I also want to see records from the lookup table which had no events. Something like this:
_time client_id Name count
6/7/12 12:00:00.000 AM 20006 Client A 123
6/8/12 12:00:00.000 AM 20006 Client A 117
6/7/12 12:00:00.000 AM 20008 Client B 36
6/8/12 12:00:00.000 AM 20008 Client B 0
6/7/12 12:00:00.000 AM 20009 Client C 101
6/8/12 12:00:00.000 AM 20009 Client C 0
6/7/12 12:00:00.000 AM 20010 Client D 0
6/8/12 12:00:00.000 AM 20010 Client D 0
I thought I'd be able to accomplish this by using inputlookup and left joining to the results from the original query
| inputlookup client_lookup.csv | JOIN type=left client_id [type="REST" resource="Order" status="FINISHED" | bucket span=1d _time | stats count by client_id, _time]
When I do this, the date from the subquery is lost from the output:
client_id Name count
20006 Client A 123
20008 Client B 36
20009 Client C 101
20010 Client D
I obviously have my head stuck in RDBMS land! I'm sure there's probably a better way of doing this or I'm missing something obvious but I'm a little stuck at the moment. Any help would be greatly appreciated.
... View more
06-05-2012
12:19 PM
For instance, let's say I have a list of IP addresses that I expect should show up in an FTP log each day. If I don't see any activity for a few days, I want to report/alert on that. I know that seems a little bit out of the normal splunk use case but I'm wondering if it can be done.
It would seem that I need to get splunk to understand which IP addresses I expect before I can join it to a search which has the extracted IP. What's the best way of defining these IP addresses?
I've tried creating an XML web service which is consumed as a scripted input. I've been able to extract the fields with spath expressions but I'm not sure how to take the fields and join them to another search. Does this seem like a reasonable approach or am I over complicating this? I have a tendency to do that 😉
... View more
01-11-2012
08:58 AM
1 Karma
I tried the bump and it didn't seem to have any effect. I also noticed that SoS 2.1.0 was available so I upgraded and it still has the problem. I'll open a support case later today and update this thread.
... View more
01-10-2012
06:54 AM
1 Karma
We're on 4.2.4 running on windows. The browser is OS X Firefox 9.0.1.
Unfortunately, I do not remember the previous version of sideview. It was installed a few months ago if that helps. It was upgraded to 1.2.5.
... View more
01-06-2012
12:59 PM
8 Karma
I upgraded Splunk on Splunk and Sideview Utils to the latest versions and now SoS is erroring:
"This instance of Splunk does not have the Sideview Utils app installed."
Clicking the install sideview utils button tells me that I have it installed. Anyone else having this problem?
... View more
