Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forΒ
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forΒ
- About mikclrk
mikclrk
Explorer
Member since:
β09-07-2016
β06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | β09-07-2016 |
Activity Feed
- Karma Re: Can you help me format a table that would generate the highest CPU users per hour over a day? for sideview. β06-05-2020 12:49 AM
- Got Karma for Can you help me format a table that would generate the highest CPU users per hour over a day?. β06-05-2020 12:49 AM
- Posted Make data in a stacked area chart 'float' on Splunk Search. β10-25-2018 07:30 AM
- Tagged Make data in a stacked area chart 'float' on Splunk Search. β10-25-2018 07:30 AM
- Tagged Make data in a stacked area chart 'float' on Splunk Search. β10-25-2018 07:30 AM
- Tagged Make data in a stacked area chart 'float' on Splunk Search. β10-25-2018 07:30 AM
- Tagged Make data in a stacked area chart 'float' on Splunk Search. β10-25-2018 07:30 AM
- Tagged Make data in a stacked area chart 'float' on Splunk Search. β10-25-2018 07:30 AM
- Posted Re: Where to find dashboard source files in a Splunk 5.x distributed search environment on Unix? on Dashboards & Visualizations. β09-09-2018 09:58 PM
- Posted Re: Charting three things and something else... on Dashboards & Visualizations. β09-04-2018 08:07 PM
- Posted Charting three things and something else... on Dashboards & Visualizations. β09-03-2018 04:49 AM
- Tagged Charting three things and something else... on Dashboards & Visualizations. β09-03-2018 04:49 AM
- Tagged Charting three things and something else... on Dashboards & Visualizations. β09-03-2018 04:49 AM
- Tagged Charting three things and something else... on Dashboards & Visualizations. β09-03-2018 04:49 AM
- Tagged Charting three things and something else... on Dashboards & Visualizations. β09-03-2018 04:49 AM
- Tagged Charting three things and something else... on Dashboards & Visualizations. β09-03-2018 04:49 AM
- Posted Re: Can you help me format a table that would generate the highest CPU users per hour over a day? on Splunk Search. β08-30-2018 08:26 PM
- Posted Can you help me format a table that would generate the highest CPU users per hour over a day? on Splunk Search. β08-30-2018 05:32 AM
- Tagged Can you help me format a table that would generate the highest CPU users per hour over a day? on Splunk Search. β08-30-2018 05:32 AM
- Tagged Can you help me format a table that would generate the highest CPU users per hour over a day? on Splunk Search. β08-30-2018 05:32 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 |
β10-25-2018
07:30 AM
Any way to make one series in a stacked area chart invisible?
I've got a bunch of data I want to make a floating ribbon across the center of the page (it's a mean and it's confidence interval), so series 1 is the width of the confidence interval and series 2 is the height of the bottom of the confidence interval. Series 3 is an overlay for the mean. (series 1 is 2 * students t * sd, series 2 is mean - sd * students_t, series 3 is just the mean).
Setting the color of the second series to the background color sort of makes it look invisible, but it still appears in the legend and still reacts when the mouse is moved over it. I'd really like it just to 'not be there' - but still support the first series in the right place.
Any ideas?
... View more
β09-09-2018
09:58 PM
Check the dashboards permissions (apps -> your_app -> View Objects). Just found out that if sharing is set to private, it's not placed in the app local directory, but hidden somewhere else. Changing the sharing to App places the dashboard into the apps local/data/ui/views folder.
This was with Splunk 7.1.2 so it might not be entirely accurate for Splunk 5.
... View more
β09-04-2018
08:07 PM
Tried this. The key bit works, changing the series names, but the rex to split it back and the fields -key doesn't seem to do anything...
... View more
β09-03-2018
04:49 AM
G'Day.
I'm trying to get a search and chart working, but it doesn't want to play.
The events I'm using are generated hourly and are like this:
TROLLY=1 TROLLY_SIZE =150 BAG=1 CONTENTS=15
TROLLY=1 TROLLY_SIZE =150 BAG=2 CONTENTS=25
TROLLY=1 TROLLY_SIZE =150 BAG=3 CONTENTS=10
TROLLY=1 TROLLY_SIZE =150 BAG=4 CONTENTS=10
TROLLY=1 TROLLY_SIZE =150 BAG=5 CONTENTS=15
TROLLY=1 TROLLY_SIZE =150 BAG=6 CONTENTS=20
TROLLY=1 TROLLY_SIZE =150 BAG=7 CONTENTS=25
TROLLY=2 TROLLY_SIZE =100 BAG=1 CONTENTS=15
TROLLY=2 TROLLY_SIZE =100 BAG=2 CONTENTS=15
TROLLY=2 TROLLY_SIZE =100 BAG=3 CONTENTS=10
TROLLY=2 TROLLY_SIZE =100 BAG=4 CONTENTS=10
TROLLY=2 TROLLY_SIZE =100 BAG=5 CONTENTS=15
TROLLY=2 TROLLY_SIZE =100 BAG=6 CONTENTS=20
TROLLY=2 TROLLY_SIZE =100 BAG=7 CONTENTS=10
What I've got at the moment is something that draws an area fill graph of the total contents of all the bags for the selected Trolly. (At the point of time above, Trolly 1 holds 120 items and Trolly 2 holds 95 items.
| search TROLLY=$tk_trolly$ | chart sum(CONTENTS) over day_hour by BAG
What I want to add is a line that shows the TROLLY_SIZE (basically a straight line at items=150 if Trolly 1 is selected and at 100 if Trolly 2 is selected). There may be more or less than 7 bags in a trolly.
Any hints on how to do it?
Charting avg(TROLLY_SIZE) get the line repeated for each BAG, sum(TROLLY_SIZE) gets me a line that's too big...
Mik
... View more
β08-30-2018
08:26 PM
The chart option kept coming back with no data found, but the streamstats approach worked fine.
Any thoughts of how to get trellis to draw me a bar chart (showing process and cputime) for each hour?
... View more
β08-30-2018
05:32 AM
1 Karma
G'Day
I've got some data I'm pulling out of some events with a search:
HOUR - Two digit hour of the day
PROCESS - Name of a running process
CPU_USAGE - The CPU the process used during the hour
What I want is a table with Hour in the first column, then the 10 processes with the highest CPU usage within that hour. Not the most popular process (which is what TOP seems to give me), but the ones with the highest CPU usage. So 240 rows it the finished table, 10 per hour.
I can get the top 10 in the first hour. I can get the 10 highest users, but I can't seem to get the highest 10 users within each hour.
Something like:
00 ProcessA 75%
00 ProcessB 60%
...
00 ProcessG 10%
01 ProcessC 90%
01 ProcessA 45%
01 ProcessG 40%
...
01 ProcessF 3%
02 ProcessB 80%
...
Any hints would be appreciated.
The second part is creating a chart to show the same...
... View more
β12-18-2017
07:12 PM
I've got a bunch of data records arriving from a remote analytic system. They all have timestamps and a unique key. There are potentially tens of thousands of them arriving each day.
So receiving and storing them as CSV with a search overlay is fine. Now I can produce reports on them.
The problem comes when the remote analytic system receives some 'late' data. At this point it wants to reissue the original record that it put out a few minutes ago. The reissued record will have the same timestamp and the same key as the original record.
So.
What will happen if I reformat all the records into JSON and dump them into a KV store? From reading the documentation about them only being searchable on the search head, having millions of documents in a KV store with a high rate of churn and frequent search activity probably isn't a good idea. Can I even get normal visualizations and searches to work with data in a KV store?
If I want to keep them in CSV format, then it appears I can't simply tell Splunk to replace the earlier record (as I can with ELK). Any thoughts on how I could configure the ingestion process to find and erase the earlier record? Preferably without killing performance by doing a search and delete for every record that comes in. Or how I could phrase a search so it'll only find the most recent version of each event record?
Mik
... View more
Automated transfer is fairly simple - just use FTP. Either at the end of your report generation script or set up a batch job with cron to watch a directory and ftp and new files up to your target server. Not really anything I'd expect Splunk to do.
... View more
β04-20-2017
08:20 PM
It seems that each .conf file has it's own set of rules for how and where it supports environment variables. Some support them anywhere, some only in certain fields, some simply don't. A little consistency would certainly make things less surprising.
... View more
β09-07-2016
07:47 AM
Ha! Logstash π Should be able to get it to spit out multiple files that Splunk can then monitor. More efficient just to live with a horde of IP ports though...
... View more
β09-07-2016
06:41 AM
OK, I've got a stream of, potentially, over 100 different event formats that I want to send into Splunk. Inside each event I specify the sourcetype I'd like splunk to use to process them - it's the only reliable way to determine the format of the rest of the fields, including such things as the timestamp and searchable fields.
They come in over a TCP port where they get a sourcetype of GENERIC. The stanzas in props.conf and transforms.conf then fire and correctly change the sourcetype to the one embedded in the event. But none of the rules I've tried coding to fire off of the now correctly set sourcetype will fire.
My conclusion after 2-3 days of poking around with Splunk and reading various questions and answers is that it's actually impossible. Can someone confirm that this is due to Splunks design - basically the transforms that process the sourcetype changes are done to late in the process for it to go back and honor the timestamp and field extraction rules for the new sourcetype?
CLONESOURCETYPE=$1 in the sourcetype setting transform doesn't seem to work (and, even if it did, I suspect wouldn't inject the cloned event back into the processing flow early enough to make a difference). There's no way to trigger a specific transform based upon a REGEX match (and the best that could do is run CLONESOURCETYPE=FORMAT1).
So, really, is one TCP port per sourcetype the only way to get this to work?
Even the SDKs don't seem to be able to intercept events before they are indexed.
Guess I'm going to get the award for most unwieldy app ever - 100+ tcp port definitions π π π
... View more
