Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About philallen1
philallen1
Path Finder
Member since:
09-10-2013
06-05-2020
Community Statistics
| Posts | 39 |
| Solutions | 1 |
| Karma Given | 22 |
| Karma Received | 14 |
| Member Since | 09-10-2013 |
Activity Feed
- Got Karma for Re: Automatically Refresh Dashboard. 11-23-2021 03:41 PM
- Karma Re: How do I sum 2 field extractions if only one field extraction exists per log? for wpreston. 06-05-2020 12:47 AM
- Karma Re: why isn't JSChart / radialGauge drilldown working for sideview. 06-05-2020 12:46 AM
- Karma Re: How can you restrict a timechart to display only weekdays? for somesoni2. 06-05-2020 12:46 AM
- Karma Re: How can you restrict a timechart to display only weekdays? for gfuente. 06-05-2020 12:46 AM
- Karma Re: Remove chart axis labels for Simon_Fishel. 06-05-2020 12:46 AM
- Karma Re: Ignore some duplicate events for sdaniels. 06-05-2020 12:46 AM
- Karma Re: Creating a simple chart from extracting specific string for _d_. 06-05-2020 12:46 AM
- Karma Sideview Utils passing Pulldown value to SavedSearch for Parameshwara. 06-05-2020 12:46 AM
- Karma Re: Plotting instances of logs onto chart for alacercogitatus. 06-05-2020 12:46 AM
- Karma Re: How can you restrict a timechart to display only weekdays? for martin_mueller. 06-05-2020 12:46 AM
- Karma why isn't JSChart / radialGauge drilldown working for kingsizebk. 06-05-2020 12:46 AM
- Karma Re: ignoring extracted value for araitz. 06-05-2020 12:46 AM
- Karma ignoring extracted value for sumitnagal. 06-05-2020 12:46 AM
- Karma Re: Chart only plots 500 results for lguinn2. 06-05-2020 12:46 AM
- Karma Re: Chart only plots 500 results for nekb1958. 06-05-2020 12:46 AM
- Karma Re: Automatically Refresh Dashboard for jonuwz. 06-05-2020 12:46 AM
- Karma Re: Rename results doesn't work for lukejadamec. 06-05-2020 12:46 AM
- Karma Re: streamstats multiple moving averages for jonuwz. 06-05-2020 12:46 AM
- Karma Re: Sum max(count) from multiple hosts for somesoni2. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
12-05-2014
05:36 AM
Hey wpreston
Acutally, it has randomly decided to work! (No idea what made it work - Splunk seems to be quite temperamental). So this is my final query:
...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault) | chart count(currency) as CurrencyCount by currency
Thanks a lot for your help!
... View more
12-05-2014
05:26 AM
Hi wpreston. Thanks for the comment, however it doesn't seem to be working. It returns each currency in one column but the CurrencyCount is 0 for each currency. Any other ideas are welcome!
... View more
12-05-2014
02:36 AM
Hi
So I've used Field Extractions to name 2 different fields in my logs: "dealtCurrency" and "dealtCurrencyDefault".
The dealtCurrencyDefault field will ALWAYS appear in my logs. However, the dealtCurrency field appears only in some logs. When the dealtCurrency appears, my regex ignores the dealtCurrencyDefault field altogether. So, my regex only ever gives me one field back - dealtCurrencyDefault (if there is no dealtCurrency), and dealtCurrency (if there is dealtCurrency).
I'm now trying to create a chart that displays the "currency" along the x axis and the "number of occurrences" along the y axis.
How can I write a search query that creates this chart?
I've tried things along the lines of:
...| eval currency=coalesce(dealtCurrency,dealtCurrencyDefault)
| chart sum(currency ) as suma by currency
This gives me all the currencies, but it doesn't sum them to create the "number of occurrences" field (I just get empty field for the suma column).
Any ideas? Should I be using 'buckets'? Not really sure how to use them...
Thanks!
(Also not sure if the title is accurately describing this - so please feel free to suggest a more suitable one)
... View more
09-01-2014
03:43 AM
I'm not sure if I need to put these @ signs in to get people's attention, so I'm giving it a go!
@ppablo_splunk
@sk314
@lguinn
@strive
... View more
09-01-2014
02:04 AM
Hi guys
Thanks for the responses. Here are some sample logs.
2014-08-29 16:09:00,830 INFO Order filled for 8=FIX.4.4|9=667|15=GBP|55=USD
2014-08-27 16:11:19,373 INFO Order filled for 8=FIX.4.4|9=667|55=USD
So the fields I am referring to are "15=..." and "55=...". I'm interested in the currency that each of these fields give.
The "15=..." field is the equivalent to my "a" field - i.e. it doesn't always exist. When it does exist I want the currency that it gives, otherwise I want the currency that "55=..." gives.
I hope that makes sense?
Phil
... View more
08-29-2014
09:05 AM
Hi
I have a problem in Splunk's regex and I can't figure it out for the life of me.
I'm going to simplify my problem a bit. Imagine this is my data:
|a|b|
If 'a' exists, I want my regex to pick out 'a' only, otherwise I want it to pick out 'b' only.
So in this case: |a|b| my regex should pick out 'a'. But, if for some reason 'a' didn't exist in my data, I want the same bit of regex to pick out 'b'.
|a|b| ---> should pick out 'a' only
|c|b| ---> should pick out 'b' only
'b' always exists, but 'a' sometimes doesn't.
Any ideas?
Thanks a lot!
Phil
... View more
12-03-2013
09:13 AM
This works. Thanks a lot. The timepicker on my dashboard still works too - although, obviously, won't display the chart very well on any time range less than a day.
... View more
12-03-2013
06:10 AM
Hi
Thanks for your help here, but I can't seem to get it working. When I use the query you suggested it doesn't give me any results. I understand what you're trying to do, but it just doesn't work for some reason. Any further ideas?
... View more
12-03-2013
04:12 AM
If I remove the 'by host' then the results from the search will be just the greatest value from the 4 hosts.
i.e. lonrs10000 = 5, lonrs20000 = 4, lonrs30000 = 2, lonrs30000 = 0
The answer would be 5, with your solution.
I need the answer to sum all of them, so the answer should be 5+4+2+0 = 11
I hope that makes sense?
... View more
12-03-2013
03:59 AM
Hi, thanks for your response. The search that you added doesn't add the numbers together though. It displays them as 4 separate values?
i.e. lonrs10000 = 5, lonrs20000 = 4... etc. Rather than total = 11.
Do you see what I mean?
... View more
12-03-2013
03:49 AM
Hi
I have 4 hosts. Each host collects error logs. Each log consists of a Counter, like so:
2013-12-02 11:23:26,512 INFO type=COUNTER error count=1
So every time there is an error, the count=n part of the log increases.
I want to plot the amount of errors over time. I've set up a field extraction, called ErrorCount, for the number within "count=n". Using max(count), I have used the following search:
"type=COUNTER" ErrorCount=* host=lonrs10000 | timechart max(ErrorCount)
However, I have 3 further hosts, with their own counters running. How can I edit my search to include the other 3 hosts data?
E.g. for a specific day:
the count of errors on host lonrs10000 = 5
the count of errors on host lonrs20000 = 4
the count of errors on host lonrs30000 = 2
the count of errors on host lonrs40000 = 0
The total for this specific day should be 11. I am looking to get the total number of errors as a result from my search.
.
Thanks a lot,
Phil
... View more
11-27-2013
06:38 AM
That works Martin. Thanks a lot guys.
... View more
11-27-2013
05:27 AM
Hi somesoni2
I couldn't get this to work...
My current search is:
sourcetype="UserLogs" UserName=%star% App=%star% "started in" OR "initialised in" | timechart count(App)
I've tried adding in your 'eval', 'where' and 'fields' commands in after and before the 'timechart' command, but with no luck...
... View more
11-27-2013
05:25 AM
Hi Dave
What exactly do you mean? I've tried googling what you suggest but can't fine anything. Could you give me a pointer to some documentation? I couldn't see anything in the 'bin' docs...
... View more
11-27-2013
04:02 AM
Your answer does what I want - so thanks a lot for responding so promptly.
I do have a slight issue: because I use a timepicker on my dashboard, the x axis gets very crowded when I select a wide time range. The other issue is when I select a small time range (i.e. last 24 hours) because the data is bucketed into 'days' I only get 1 point on my chart - whereas before the timechart would cleverly adjust the x axis into hours.
If there's a solution to exclude weekends from a timechart, rather than a chart, then I'm all ears still and will award karma points.
... View more
