Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About christopheryu
christopheryu
Communicator
Member since:
08-24-2016
10-03-2022
Community Statistics
| Posts | 72 |
| Solutions | 1 |
| Karma Given | 34 |
| Karma Received | 6 |
| Member Since | 08-24-2016 |
Activity Feed
- Got Karma for Why is coalesce working only for one of the two fields I am combining, depending on the sequence the fields are being combined?. 10-05-2022 04:24 AM
- Got Karma for How do you re-arrange the trellis layout in reverse alphabetical order?. 06-05-2020 12:50 AM
- Got Karma for xyseries in full mesh: How to have it fill values A to Z with Z to A or vice versa?. 06-05-2020 12:50 AM
- Karma Re: Can I use join by using multiple fields from the main search to match a single field on the subsearch? for somesoni2. 06-05-2020 12:49 AM
- Karma stats vs eventstats for zacksoft. 06-05-2020 12:49 AM
- Karma How to search what values are missing in my lookup table? for raomu. 06-05-2020 12:49 AM
- Karma Re: How to search what values are missing in my lookup table? for somesoni2. 06-05-2020 12:49 AM
- Karma Re: How can I have multiple search results in one alert as joining with | gives only result of last search only? for DalJeanis. 06-05-2020 12:49 AM
- Karma Re: How to compare all time average of a field value vs average for specified time range for kamlesh_vaghela. 06-05-2020 12:49 AM
- Karma Re: How can I create a column that counts how many Field Bs there are per Field A? for gcusello. 06-05-2020 12:49 AM
- Karma Re: Count number of field value per source and show as table for niketn. 06-05-2020 12:49 AM
- Karma How can I change my Splunk.com username? for dryanyhoo. 06-05-2020 12:48 AM
- Karma Re: How can I change my Splunk.com username? for Richfez. 06-05-2020 12:48 AM
- Karma Re: Display the "others" or the rest after showing top results for somesoni2. 06-05-2020 12:48 AM
- Karma How can I get drill down working for a trellis chart. for ksextonmacb. 06-05-2020 12:48 AM
- Karma Re: How to ignore case sensitive input in lookup files? for bschaap. 06-05-2020 12:48 AM
- Karma Re: How to ignore case sensitive input in lookup files? for lguinn2. 06-05-2020 12:48 AM
- Karma How to ignore case sensitive input in lookup files? for greeshmak. 06-05-2020 12:48 AM
- Karma Re: How to use values in lookup table not as fields but as search strings? for woodcock. 06-05-2020 12:48 AM
- Karma Re: How can I get drill down working for a trellis chart. for niketn. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 1 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
04-25-2019
01:15 PM
Thank you for posting answer. As additional question, can I set an initial value for this toke, like all values or "*"?
... View more
04-16-2019
01:21 PM
Okay, there was a typo on my code. Your suggestion produced the same results as my original search and added a new row at the bottom labeled values(RouterA)
... View more
04-16-2019
12:17 PM
yes I did.
... View more
04-16-2019
09:28 AM
thanks but your suggestion produced no results.
... View more
04-15-2019
01:36 PM
1 Karma
I have a search that calculates latency in a full-mesh network, where each router has a direct connection to all of the other routers in the network. Latency is bidirectional, in other words latency between AAA-CCC is the same as CCC-AAA. I am able to generate a table but only AAA-CCC latency is showing and CCC-AAA is blank (this can be reversed depending on how source and destination was setup). How can I have CCC-AAA to show the same value as AAA-CCC instead of blank?
search ...
| eval Route=RouterA."_".RouterZ
| eventstats perc03(RTT) as RTT_03p, perc98(RTT) as RTT_98p BY Route
| where RTT >= RTT_03p and RTT <= RTT_98p
| stats min(RTT) as Latency values(RouterA) values(RouterZ) by Route
| xyseries values(RouterA) values(RouterZ) Latency
This is what I am getting:
values(RouterA) |AAA|BBB|CCC
AAA                    |       |027|012
BBB                    |       |      |    
CCC                   |       |010|    
This is what I want to see:
values(RouterA) |AAA|BBB|CCC
AAA                    |       |027|012
BBB                    |027|       |010
CCC                    |012|010|    
Thank you in advance!
... View more
03-21-2019
12:25 PM
Thanks but the search result shows a table of all the routers, with each row having a date and router. I'm thinking of just doing a dc(router) by day and drill down that will pull up results using the previously posted question I referenced.
... View more
03-21-2019
08:19 AM
Thanks for the response. Was actually thinking of using a time picker but based on what you said, looks like search needs an overhaul. I guess 7 days would do.
As a background, the lookup is a list of probes that we have. So i would like to find out which probes did not report any event per day and hoping to look as far back as I would like to investigate, hence the time picker. There are 200+ probes that are in full mesh (21k links) reporting every five minutes (~37M events per day). Filtering using dc(Router) per day won't work either as probes are being added without me being informed.
... View more
03-21-2019
07:16 AM
I am using a search that was provided as an answer to a previously posted question - How to search what values are missing in my lookup table? https://answers.splunk.com/answers/612603/how-to-search-what-values-are-missing-in-my-lookup.html
I have a follow up question regarding the above and that is how do I check missing values per day over a period of time? Tried bin _time span=1d but did not work.
My query below (lookup file is probes.csv):
| fields Router
| eval from="feed"
| append
[| inputlookup append=t probes.csv
| table Router
| eval from="lookup"]
| stats values(from) as from by Router
| where mvcount(from)=1 AND from="lookup"
| fields Router
| sort -Router
So expecting an output in table format like this:
Date Router
3/21/19 RouterA
RouterB
3/1/19 RouterC
2/11/19 Router D
Thank you in advance!
... View more
- Tags:
- splunk-enterprise
11-13-2018
07:24 AM
1 Karma
I've seen similar issues being asked, but no solutions/updates on any and hoping that this has been already resolved?
| eval Month=strftime(_time,"%b")
| stats avg(rtt) by RouteRegion Month
| sort -RouteRegion
So, as an example, some of my RouteRegion values are APAC_APAC EUR_LATAM LATAM_MEA MEA_USA USA_USA (basically these regions are in full mesh). I want to re-arrange the trellis so that USA to USA and to other regions will be first but the sort function does not work on trellis.
... View more
10-31-2018
08:18 AM
Okay. How about the existing result that I have now from the background search that I did? This search is for the past three months (Aug to Oct). Can't I embed the link to the result I have now as a panel on the dashboard?
... View more
10-31-2018
06:55 AM
thank you for your response cusello. yes, the search takes around 4 hours to finish that is why I sent it to background and setup it up to email me. I then saved the result as a report but when I pull it up from the reports list, it does not show the completed result but rather runs the search again. Ultimately what I am trying to do is save the report with completed result as a dashboard panel so it does not run the search all over again when the dashboard gets pulled up.
... View more
10-31-2018
06:25 AM
Sorry if this is a duplicate question...so, I have an email with the link to the completed results from a search that was sent to the background. Obviously, when I click on the link it shows the completed result. How do I save the completed result as a dashboard panel? I tried saving it as a report but when I open the report the search runs again instead of showing the completed result. What am I doing wrong?
Thank you in advance!
... View more
08-24-2018
06:03 AM
thank you, I replaced that last stats command (5) with the table command I am using that I moved from the main search and adding also the ticket column
... View more
08-22-2018
12:44 PM
Multiple, can be up to hundreds. There are also other columns on the table from the main search and sometimes the circuit_id and/or parent_circuit columns are blanks (these values are derived from lookup table).
... View more
08-22-2018
12:22 PM
I have a search with the following table as output:
time customer circuit_id parent_circuit device_card
8:10 zzzzzzzz aaaaaaa bbbbbbbbbbb ccccccccccc
Is it possible to use the values of the fields "circuit_id", "parent_circuit" & "device_card" using join command (or whatever command will work) to match a single field "prineid" from another index (main) and sourcetype (tickets)? So basically the "prineid" field of index=main sourcetype=tickets can have the values of aaaaaaa OR bbbbbbbbbbb OR ccccccccccc. I want the output/table to include another column "ticket" which is a field from index=main sourcetype=tickets:
time customer circuit_id parent_circuit device_card ticket
8:10 zzzzzzzz aaaaaaa bbbbbbbbbbb ccccccccccc dddd
As additional info, the main search is an alert for an outage and the subsearch looks for any tickets that may have been already opened for the outage.
... View more
04-09-2018
03:14 PM
That worked (just changed LINK to Link) - thank you!
... View more
04-09-2018
02:14 PM
Sorry, for some reason I cannot post my code, so attaching photo instead (please post my code if you can).
Result shows "Active Links" which is the distinct count of Link with both PASS and FAIL KPI. I would also want to include distinct count of Link with FAILCOUNT.
Link is a subset of LINKREGION as shown below:
Link LINKREGION
Dallas-Tokyo USA-APAC
LosAngeles-Manila USA-APAC
Boston-Paris USA-EUR
Chicago-Frankfurt USA-EUR
Paris-Frankfurt EUR-EUR
Thank you in advance!
... View more
03-14-2018
01:53 PM
| appendcols [search | stats count as TOTAL by router] worked by I like yours better as it is faster 🙂 Thank you!
... View more
03-14-2018
12:55 PM
this solved it:
| stats count by router source | xyseries router source count
but I would like to add another column that would show the total count, any suggestions?
... View more
03-14-2018
12:36 PM
thank you for response but your suggestion showed all the fields and their values by source router.
... View more
03-14-2018
11:30 AM
I have a field named "router" that has multiple values and have three sources. I would like to count the router values for each source and put them in a table.
So the three "source" values are syslogs, enviro and triggers and "router" have multiple values (e.g, ABCD, EFGH, KLMN). I would like to put in a table the total count of distinct "router" value for each source as shown below:
router syslog enviro triggers
ABCD 3 4 8
EFGH 2 5 9
KLMN 3 7 8
thank you in advance!
... View more
02-06-2018
02:23 PM
Thank you for the response. Still not capturing all the results I want. I am vetting results by doing this search:
| search [| inputlookup triggers | fields alert_msg]
| rename alert_msg as query
Using the above search, 6 events are being returned. Using your suggested search,
| eval alert_msg=mvappend(narrative, alarm_type)
| search [| inputlookup triggers | fields alert_msg]
Only 5 are being returned, missing one event "Major alarm set, CB 1 ESW PFE Port Fail" that has a narrative field matching value on the lookup table. If i change my search to this:
| eval alert_msg=mvappend(narrative, alarm_type)
| search [| inputlookup triggers | fields alert_msg] OR narrative="Major alarm set, CB 1 ESW PFE Port Fail"
| table alert_msg
All 6 events are being returned, with "Major alarm set, CB 1 ESW PFE Port Fail" being one of the new alert_msg field value. Also, I need to keep the alert_msg field for use on further data processing.
... View more
02-05-2018
02:52 PM
1 Karma
I have two existing fields - "narrative" and "alarm_type" that I am trying to combine into a new single field "alert_msg", which is a header on my lookup table. However, my search is only returning one of the two existing fields depending on the order they are placed on my coalesce command. Searches shown below:
index=foo sourcetype=bar
| eval alert_msg=coalesce(narrative, alarm_type)
| search [| inputlookup triggers | fields alert_msg]
| table alert_msg
returns existing "narrative" field only:
alert_msg
Major alarm set, FPC 3 Major Errors
Switching the fields' sequence on the coalesce command:
index=foo sourcetype=bar
| eval alert_msg=coalesce(alarm_type, narrative)
| search [| inputlookup triggers | fields alert_msg]
| table alert_msg
returns existing "alarm_type" field only:
alert_msg
%DAEMON-3-JTASK_SCHED_SLIP
This is the result I am expecting:
alert_msg
%DAEMON-3-JTASK_SCHED_SLIP
Major alarm set, FPC 3 Major Errors
... View more
12-15-2017
12:05 PM
In addition, I would be counting the total number of each extracted string from a set of logs so not sure if the strings should be extracted as a single field? Illustration below:
event log 1 extracted strings:
S3R.VPLS92966
EDBK766V0001
P125018_NNI_QBKW5ZP
EDBK49MH0001
event log 2 extracted strings:
S3R.VPLS92966
BDEDBK76V00
P125018_NNI_QBKW5ZP
event log 3 extracted strings:
BDEDBK76V00
P125018_NNI_QBKW5ZP
EDBK49MH0001
Desired result:
string count
S3R.VPLS92966 2
EDBK766V0001 1
P125018_NNI_QBKW5ZP 3
EDBK49MH0001 2
BDEDBK76V00 2
... View more
12-15-2017
11:55 AM
Sorry, this is more of a regex question but can't figure it out myself. I would like to extract a string preceded by the specific characters "Leg x Seg" where x can be any number. The strings to be extracted can have alpha numeric, dots, or underscore characters. Also, find only the first extraction match so there are no duplicate values per log. So from the single event log example below, the strings I'm looking to extract are:
S3R.VPLS92966
EDBK766V0001
P125018_NNI_QBKW5ZP
EDBK49MH0001
Event:
Summary Leg 3 Seg S3R.VPLS92966 Site PBY CNGHDR JuniperJUNIPER_MX SLOT 3 CARD 2 PORT 0 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 3 Seg S3R.VPLS92966 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 1 PORT 1 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 2 Seg EDBK766V0001 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 14 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO virtualswitchVirtualSeries SLOT 1 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT virtualswitchVirtualSeries SLOT 1 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT Leg 1 Seg P125018_NNI_QBKW5ZP Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 1 TAGTYPE transparent TAG 0 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Leg 1 Seg P125018_NNI_QBKW5ZP Leg 2 Seg EDBK766V0001 Leg 3 Seg S3R.VPLS92966
Thank you in advance!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-03-2022
10:39 AM
|
Karma from
