Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About to4kawa
to4kawa
Ultra Champion
Member since:
07-05-2019
12-03-2022
Community Statistics
| Posts | 3430 |
| Solutions | 471 |
| Karma Given | 222 |
| Karma Received | 605 |
| Member Since | 07-05-2019 |
Activity Feed
- Got Karma for Re: Display lines before and after the results of your string search. a week ago
- Got Karma for Re: change the color of row based on cell value in splunk without css or js. 3 weeks ago
- Got Karma for Re: change the color of row based on cell value in splunk without css or js. 01-16-2023 05:59 AM
- Got Karma for Re: Single Value visualization - Display text with color. 09-29-2022 02:47 PM
- Got Karma for Re: TOP 10 values. 08-14-2022 03:34 AM
- Got Karma for Re: Using a subquery result in 'IN' clause. 06-10-2022 06:58 AM
- Got Karma for Re: How to parse ADFS Authentication logs for CIM compliance: Mixed XML and KV extraction. 05-27-2022 11:52 AM
- Got Karma for Re: change the color of row based on cell value in splunk without css or js. 05-24-2022 01:43 AM
- Got Karma for Re: use of streamstats over transaction command. 05-11-2022 02:52 PM
- Got Karma for Re: Low ingestion thruput without queues blocked.. 02-23-2022 07:29 AM
- Got Karma for Re: how to avoid breaking event order of multi value field. 02-03-2022 06:47 AM
- Got Karma for Re: how to avoid breaking event order of multi value field. 02-03-2022 06:47 AM
- Got Karma for Re: Using a subquery result in 'IN' clause. 01-25-2022 12:32 PM
- Got Karma for Re: search IOC. 01-04-2022 11:13 PM
- Got Karma for Re: Exclude results from lookup table in search. 10-28-2021 01:28 AM
- Got Karma for Re: Using a subquery result in 'IN' clause. 10-18-2021 03:31 AM
- Got Karma for Re: Drilldown with Lookup table data. 09-30-2021 10:05 AM
- Got Karma for Re: Merging with similar strings without eval. 08-11-2021 01:51 PM
- Got Karma for Re: mvexpand multiple multi-value fields?. 07-27-2021 02:59 PM
- Got Karma for Re: Why are there 3 config file slashes?. 07-25-2021 11:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 3 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 |
06-11-2021
06:41 AM
1 Karma
The data and lookup samples are not obvious, so I am not sure. alert="Anonymous IP address" | lookup .... I suppose the order is this.
... View more
05-03-2021
07:53 PM
1 Karma
| makeresults
| eval _raw="ABCD"
| appendpipe [ eval _raw="DABC"
| appendpipe [ eval _raw="CBAB"]]
``` this is sample data ```
| eval _raw=split(_raw,"")
| rex ("?<yourData>A") If the data has features, it can be extracted using regular expressions.
... View more
05-03-2021
07:46 PM
1 Karma
index="idx_cibca_Application_prod" sourcetype="tomcat:runtime:log:jpma" AND ("Job Details job name:" OR "lastUpdatedTS" OR "Time taken for" ) host=Server_1 OR host=Server_2 OR host=Server_3 OR host=Server_4 OR host=Server_5 OR host=Server_6 OR host=Server_7 OR host=Server_8
| rex "(?<Job_Thread_Name>\S+Range)"
| rex "Job Details job name:(?<Job_Config_Name>.*) status:(?<JOB_STATUS>.*) timetaken:(?<TIMETAKEN>.*) minutes"
| rex "(?<DATE_TIME>^(\d+)-(\d+)-(\d+)(\s+)(\d+):(\d+):(\d+).(\d+))"
| lookup Application_Job_Thread_Name.csv Job_Thread_Name OUTPUTNEW Job_Name Job_Config_Name Frequency_Bucket_in_mins I don't have the log, so I don't know if it's accurate, but I think it will be faster except for the join.
... View more
04-05-2021
03:24 AM
index=_internal | head 1 | fields _raw
| eval _raw="{\"data\":[{\"dimensions\":[\"HTTP_CHECK-F009EA2B6AA8E2C0\",\"SYNTHETIC_LOCATION-833A207E28766E49\"],\"dimensionMap\":{\"dt.entity.synthetic_location\":\"SYNTHETIC_LOCATION-833A207E28766E49\",\"dt.entity.http_check\":\"HTTP_CHECK-F009EA2B6AA8E2C0\"},\"timestamps\":[1617467520000],\"values\":[186]},{\"dimensions\":[\"HTTP_CHECK-F06A1F4F9C3252AD\",\"SYNTHETIC_LOCATION-1D85D445F05E239A\"],\"dimensionMap\":{\"dt.entity.synthetic_location\":\"SYNTHETIC_LOCATION-1D85D445F05E239A\",\"dt.entity.http_check\":\"HTTP_CHECK-F06A1F4F9C3252AD\"},\"timestamps\":[1617467520000],\"values\":[187]},{\"dimensions\":[\"HTTP_CHECK-F06A1F4F9C3252AD\",\"SYNTHETIC_LOCATION-833A207E28766E49\"],\"dimensionMap\":{\"dt.entity.synthetic_location\":\"SYNTHETIC_LOCATION-833A207E28766E49\",\"dt.entity.http_check\":\"HTTP_CHECK-F06A1F4F9C3252AD\"},\"timestamps\":[1617467520000],\"values\":[188]}]}"
| spath https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Configurefieldaliaseswithprops.conf If indexed_extractions is working properly, then the field alias in props.conf is sufficient. props.conf [smoketest_json_dyn_tcp] CHARSET=UTF-8 KV_MODE=json SHOULD_LINEMERGE=false category=Structured disabled=false pulldown_type=true TIME_FORMAT=%s%2N TIME_PREFIX=timestamps\":\[ LINE_BREAKER=(.){"dimensions|}(\])(}) TRANSFORMS-nulls=null1, null2 transforms.conf [null1] REGEX={\"data\".* DEST_KEY=queue FORMAT=nullQueue [null2] REGEX=^}.* DEST_KEY=queue FORMAT=nullQueue This one may also be good.
... View more
03-20-2021
02:37 AM
If you have SECCMD do what I'm doing and search in smart mode, you're basically good to go.
... View more
03-19-2021
05:13 PM
index=_internal | head 1 | fields _raw
| eval _raw="{\"logs_id\": \"4890d36f-5ee3-11eb-b3a5-852911ef9cd4\", \"securityContext\": { \"alternateId\": \"****@gmail.com\", \"id\": \"ramxghl092\", \"displayName\": \"****System\"},"
| rex mode=sed "s/((alternateId|displayName)\":\s*)\".*?\"/\1\"*****\"/g"
... View more
03-19-2021
05:01 PM
[testing]
LINE_BREAKER=([\r\n]+){\"transaction-id
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=1
TRUNCATE=0
MAX_EVENTS=1024 LINE_BREAKER is better.
... View more
03-19-2021
04:48 PM
index=_internal | head 1 | fields _raw
| eval _raw="IP=189.41.40.129,Produto=\"Test1\",Valor=179,00,Categoria=Banho,Campanha=1,Vendeu=1,MetododeCompra=1,Bandeira=1,Transportadora=2,Frete=18,57,\"_time\"2021/01/25 19:20:37.374\"
IP=201.0.205.197,Produto=\"Test2\",Valor=123,98,Categoria=Jogos,Campanha=1,Vendeu=0,MetododeCompra=0,Bandeira=0,Transportadora=5,Frete=12,58,\"_time\"2021/01/25 19:20:38.977\"
IP=187.125.147.178,Produto=\"Teste3\",Valor=139,90,Categoria=Cozinha,Campanha=1,Vendeu=1,MetododeCompra=1,Bandeira=1,Transportadora=3,Frete=14,27,\"_time\"2021/01/25 19:20:38.977\"
IP=187.115.202.233,Produto=\"Test4\",Valor=139,90,Categoria=Cozinha,Campanha=1,Vendeu=1,MetododeCompra=1,Bandeira=1,Transportadora=2,Frete=14,51,\"_time\"2021/01/25 19:20:39.579\"
IP=187.111.15.221,Produto=\"Test5\",Valor=164,00,Categoria=Banho,Campanha=2,Vendeu=1,MetododeCompra=1,Bandeira=1,Transportadora=1,Frete=16,81,\"_time\"2021/01/25 19:20:40.580\""
| multikv noheader=t
| fields _raw
| rex mode=sed "s/\"_time\"/Time=/ s/=(\d.*?)(?=,[A-Z])/=\"\1\"/g"
| rex "(?<time>\d{4}/.*)"
| eval _time=strptime(time,"%Y/%m/%d %T.%3N")
| kv
... View more
03-15-2021
03:36 AM
.... | streamstats window=2 first(eval(rtrim(Percent,"%"))) as p_perc by Priority | eval trend=rtrim(Percent,"%") - p_perc | eventstats last(trend) as Trend by Priority | eval Priority=Priority."_".Trend | xyseries Priority month Percent | rex field=Priority "(?<Priority>.*)_(?<Trend>.*)" There is only the image data, so I haven't tried it.
... View more
03-12-2021
04:02 PM
1 Karma
sample: index=_internal earliest=0 sourcetype=splunkd_*| bin span=1d _time | stats sum(eval(len(_raw))) as bytes by _time sourcetype
| eval KB=round(bytes/1024,2)
| streamstats window=3 avg(KB) as trend by sourcetype
| fields - bytes
| xyseries _time sourcetype KB trend try bin and stats , not timechart
... View more
03-12-2021
03:47 PM
Splunk column chart cannot be displayed with two values on x-axis. This is not possible because the chart is trying to separate the time and host values.
... View more
03-12-2021
03:16 PM
Incorrect query. Aggregate by stats, not by timechart If you use autoregress and eval, you should be fine.
... View more
03-11-2021
12:29 PM
index=_internal | head 1 | fields _raw
| eval _raw="{\"squadName\":\"Super hero squad\",\"homeTown\":\"Metro City\",\"formed\":2016,\"secretBase\":\"Super tower\",\"active\":true,\"members\":[{\"name\":\"Molecule Man\",\"age\":29,\"secretIdentity\":\"Dan Jukes\",\"powers\":[\"Radiation resistance\",\"Turning tiny\",\"Radiation blast\"]},{\"name\":\"Madame Uppercut\",\"age\":39,\"secretIdentity\":\"Jane Wilson\",\"powers\":[\"Million tonne punch\",\"Damage resistance\",\"Superhuman reflexes\"]},{\"name\":\"Eternal Flame\",\"age\":1000000,\"secretIdentity\":\"Unknown\",\"powers\":[\"Immortality\",\"Heat Immunity\",\"Inferno\",\"Teleportation\",\"Interdimensional travel\"]}]}"
| spath
| fields - _*
| rename *{}.* as *_*
| rename *{} as *
| table *
``` this is sample data```
``` from here, the logic ```
| eval tmp="val"
| transpose 0 header_field=tmp
| streamstats window=1 count(val) as count
| eventstats max(count) as count
| appendpipe [ eval column="count", val=count]
| fields - count
| dedup column
| transpose 0 header_field=column
| fields - column
| eval count=mvrange(0,count)
| mvexpand count
| rename count as _count
| foreach * [ eval <<FIELD>> = mvindex(<<FIELD>>,_count)]
| fields - _count It counts fields dynamically, so it could be used anywhere.
... View more
03-11-2021
01:59 AM
your search
| streamstats count as session
| mvexpand col1
| streamstats count as session2 by session
| rename col1 as _col1
| foreach col* [ eval <<FIELD>> = if(session2=1,mvindex(split(<<FIELD>>,","),0),mvindex(split(<<FIELD>>,","),1)) ]
| fields - session*
| rename _col1 as col1
... View more
03-01-2021
03:14 AM
TIME_PREFIX = DE_IDENTIFICATION_DATE\"\s*:\s*\" not TIMESTAMP_FIELDS=DE_IDENTIFICATION_DATE
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-03-2022
01:33 AM
|
Karma from
Karma given to
