Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About varma364
varma364
Path Finder
Member since:
02-27-2015
a month ago
Community Statistics
| Posts | 142 |
| Solutions | 0 |
| Karma Given | 8 |
| Karma Received | 0 |
| Member Since | 02-27-2015 |
Activity Feed
- Posted Re: How to create a stacked horizontal or vertical bar chart in Splunk? on Dashboards & Visualizations. 12-17-2024 12:41 PM
- Posted Re: How to create a stacked horizontal or vertical bar chart in Splunk? on Dashboards & Visualizations. 12-10-2024 12:59 PM
- Posted How to create a stacked horizontal or vertical bar chart in Splunk? on Dashboards & Visualizations. 12-10-2024 12:24 PM
- Tagged How to create a stacked horizontal or vertical bar chart in Splunk? on Dashboards & Visualizations. 12-10-2024 12:24 PM
- Tagged How to create a stacked horizontal or vertical bar chart in Splunk? on Dashboards & Visualizations. 12-10-2024 12:24 PM
- Tagged How to create a stacked horizontal or vertical bar chart in Splunk? on Dashboards & Visualizations. 12-10-2024 12:24 PM
- Tagged How to create a stacked horizontal or vertical bar chart in Splunk? on Dashboards & Visualizations. 12-10-2024 12:24 PM
- Posted Re: How to Apply Dynamic Regex Matching in a Multisearch Using Values from a Lookup Table? on Splunk Search. 12-05-2024 02:55 PM
- Posted How to Apply Dynamic Regex Matching in a Multisearch Using Values from a Lookup Table? on Splunk Search. 12-05-2024 01:02 PM
- Tagged How to Apply Dynamic Regex Matching in a Multisearch Using Values from a Lookup Table? on Splunk Search. 12-05-2024 01:02 PM
- Tagged How to Apply Dynamic Regex Matching in a Multisearch Using Values from a Lookup Table? on Splunk Search. 12-05-2024 01:02 PM
- Tagged How to Apply Dynamic Regex Matching in a Multisearch Using Values from a Lookup Table? on Splunk Search. 12-05-2024 01:02 PM
- Tagged How to Apply Dynamic Regex Matching in a Multisearch Using Values from a Lookup Table? on Splunk Search. 12-05-2024 01:02 PM
- Tagged How to Apply Dynamic Regex Matching in a Multisearch Using Values from a Lookup Table? on Splunk Search. 12-05-2024 01:02 PM
- Karma Re: Effective way of merging 2 splunk searches? for richgalloway. 11-17-2024 07:06 AM
- Karma Re: Is there an effective way of merging 2 splunk searches? for richgalloway. 02-05-2024 08:42 AM
- Posted Re: Effective way of merging 2 splunk searches? on Splunk Search. 07-14-2023 12:29 PM
- Posted Is there an effective way of merging 2 splunk searches? on Splunk Search. 07-14-2023 10:09 AM
- Tagged Is there an effective way of merging 2 splunk searches? on Splunk Search. 07-14-2023 10:09 AM
- Tagged Is there an effective way of merging 2 splunk searches? on Splunk Search. 07-14-2023 10:09 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
12-17-2024
12:41 PM
Yes, thank you @bowesmana
... View more
12-10-2024
12:59 PM
Thanks for the response @PickleRick , I have copied the charting options to my html and still see single line as below. Although when I copied the fill code as a new panel it is working as expected. Do I need to change anything to make the charting options work for my search ?
... View more
12-10-2024
12:24 PM
Hi All, I’m trying to create a stacked Vertical bar chart in Splunk, where each bar represents a unique field (e.g., SWC), and the bar is segmented into multiple colors based on a specific status field (e.g., RAG_Status with values Green, Amber, and Red). Here’s what I’m trying to achieve: • Each horizontal bar corresponds to a unique SWC. • The bar is segmented based on the RAG_Status (e.g., Green, Amber, Red). • The length of each segment represents the count of records for that combination. • I want the segments to be stacked within the bar, with distinct colors for Green, Amber, and Red. Sample Query: | inputlookup example_data.csv
| eval RAG_Status = case(
KPI_Score >= KPI_Threshold, "Green",
KPI_Score >= (KPI_Threshold - 5), "Amber",
KPI_Score < (KPI_Threshold - 5), "Red"
)
| chart count BY SWC RAG_Status
| sort SWC Visualization Requirements: 1. Chart Type: Vertical Bar Chart. 2. Stacked Mode: Each bar should show Green, Amber, and Red segments stacked horizontally. 3. Color Scheme: • Green: #28a745 • Amber: #ffc107 • Red: #dc3545. Screenshot for Reference: The above is an example of horizontal but I am looking for vertical. Current Issue: I’m unable to configure the Splunk visualization settings or XML code to properly display this data as a Vertical stacked bar chart. Either the entire bar shows as one solid color, or the segments are not stacking as expected. Any guidance or sample XML code to achieve this would be greatly appreciated! Current XML code:- <dashboard version="1.1" theme="light">
<label>SWC KPI Performance and RAG Distribution_new</label>
<row>
<panel>
<title>RAG Status Distribution by SWC</title>
<chart>
<search>
<query>| inputlookup example_data.csv
| eval RAG_Status = case(
KPI_Score >= KPI_Threshold, "Green",
KPI_Score >= (KPI_Threshold - 5), "Amber",
KPI_Score < (KPI_Threshold - 5), "Red"
)
| chart count BY SWC RAG_Status
| sort SWC</query>
<earliest>@d</earliest>
<latest>now</latest>
<sampleRatio>1</sampleRatio>
</search>
<option name="charting.chart">column</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.seriesColors">#28a745,#ffc107,#dc3545</option>
<option name="charting.legend.placement">right</option>
<option name="charting.axisTitleX.text">SWC</option>
<option name="charting.axisTitleY.text">count</option>
</chart>
</panel>
</row>
</dashboard> Current situation:- Thanks in advance!
... View more
Labels
- Labels:
-
chart
-
Classic dashboard
-
panel
-
table
-
timechart
12-05-2024
02:55 PM
thank you for the response and I’ve updated the query now.
... View more
12-05-2024
01:02 PM
Hello Splunk experts, I’m currently trying to create a search using a multisearch command where I need to dynamically apply regex patterns from a lookup file to the Web.url field in a tstats search. When I use my current approach, it directly adds the regex value as a literal search condition instead of applying it as a regex filter. For example, instead of dynamically matching URLs with the regex, it ends up as if it’s searching for the literal pattern. I have a lookup that contains fields like url_regex and other filter parameters, and I need to: 1. Dynamically use these regex patterns in the search, so that only URLs matching the regex from the lookup get processed further. 2. Ensure that the logic integrates correctly within a multisearch, where the base search is filtered dynamically based on these values from the lookup. I’ve shared some screenshots showing the query and the resulting issue, where the regex appears to be used incorrectly. How can I properly use these regex values to match URLs instead of treating them as literal strings? Search :- | inputlookup my_lookup_file | search Justification="Lookup Instructions" | fields url_regex, description | fillnull value="*" | eval url_regex="Web.url=\"" . url_regex . "\"" | eval filter="source=\"my_sourcetype\" " . "filter_field=" . " \"" | eval search="| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype=\"" . filter . " by Web.url Web.user" | stats values(search) as search | eval search=multisearch [ mvjoin(search, " | ") ] . " | stats count by search" As highlighted in the yellow from above I wanted to have the regex matching string instead of the direct regex search from events? Also, lastly, once the multisearch query generates another search as output, how can I automatically execute that resulting search within my main query? Any guidance would be greatly appreciated!
... View more
Labels
- Labels:
-
field extraction
-
fields
-
join
-
stats
-
subsearch
07-14-2023
12:29 PM
Thanks @richgalloway for the response. Also, is there any other way other than using append, union or map since using those impacting the search execution time?
... View more
07-14-2023
10:09 AM
How do I merge the below 2 complex queries? Let me know if it's possible in Splunk? Search 1: -
index=ABC (eventtype=X OR eventtype=Y) log_subtype=DEF field_A="*SQL*"
| stats values(A) as A values(B) as B values(C) as C BY X, Y
| where B > 2
| search NOT [|inputlookup test_1.csv | fields X ]
| search NOT [|inputlookup test_2.csv | fields X ]
| eval name="search_1"
Search 2: -
index=ABC (log_subtype="GHI" OR log_subtype="JKL") (severity="medium" OR severity="high" OR severity="critical") action=* NOT (field_B="Unknown(5000007)" AND action="blocked") NOT dest_ip="11.22.33.44"
| stats values(D) as D values(E) as E values(A) as A BY X, Y
| eval name="search_2"
I succeeded on merging the 2 searches up to some extent (up to stats command)
index=ABC (log_subtype="DEF" OR log_subtype="GHI" OR log_subtype="JKL")(((eventtype=X OR eventtype=Y) field_A="*SQL*") OR ((severity="medium" OR severity="high" OR severity="critical") action=* NOT (field_B="Unknown(5000007)" AND action="blocked") NOT dest_ip="11.22.33.44" ))
| stats values(A) as A values(B) as B values(C) as C values(D) as D BY X, Y
I am not sure on how I can apply where condition and exclusion lookups from search 1 while combining as they are specific to search 1 and do not want to apply those to search 2?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|
