Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About xploresplunk
xploresplunk
New Member
Member since:
06-15-2019
06-05-2020
Community Statistics
| Posts | 29 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 06-15-2019 |
Activity Feed
- Posted Re: How to display data as a timeline in a table with correct timezone? on Getting Data In. 07-02-2019 05:54 AM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 01:22 PM
- Posted How to display data as a timeline in a table with correct timezone? on Getting Data In. 07-01-2019 01:18 PM
- Tagged How to display data as a timeline in a table with correct timezone? on Getting Data In. 07-01-2019 01:18 PM
- Tagged How to display data as a timeline in a table with correct timezone? on Getting Data In. 07-01-2019 01:18 PM
- Tagged How to display data as a timeline in a table with correct timezone? on Getting Data In. 07-01-2019 01:18 PM
- Tagged How to display data as a timeline in a table with correct timezone? on Getting Data In. 07-01-2019 01:18 PM
- Tagged How to display data as a timeline in a table with correct timezone? on Getting Data In. 07-01-2019 01:18 PM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 01:12 PM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 12:45 PM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 11:18 AM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 10:59 AM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 10:58 AM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 10:12 AM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 08:35 AM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 06:05 AM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 07-01-2019 06:02 AM
- Posted Re: Using join, earliest, table and latest. on Splunk Search. 06-28-2019 06:47 AM
- Posted Re: Help using earliest, latest and finding the first occurrence of string on Splunk Search. 06-27-2019 12:14 PM
- Posted Re: Help using earliest, latest and finding the first occurrence of string on Splunk Search. 06-27-2019 12:04 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
07-02-2019
05:54 AM
Times still don't match. Is there another way to change the time through the search?
... View more
07-01-2019
01:18 PM
I want to display my data as a timeline in a table. However, I noticed that the information that I'm analyzing has a timestamp that corresponds to a different timezone. I want to be able to display the time in my current timezone, which is US/Central. Is there a shortcut to modify the time? I thought about just subtracting the hours, but I don't know how to take into account when it is daylight saving time.
... View more
07-01-2019
01:12 PM
Are there any other ways to approach this? I had tried using match before and it never really worked. It only worked whenever I used: search=xxx ... conversation="*hello*"
| stats earliest(_time) as first_hello by name
| eval first_hello=srtftime(...) ]
I just can't figure out how to both searches at the same time because I run in the error I stated on the question. Thank you so much for your help!
... View more
07-01-2019
12:45 PM
index=xxx source=xxx sourcetype=xxx
| eval type = case(
match(conversation, "hello"), "first_hello",
match(messages, "how"), "first_how",
true(), null())
| multireport
[ stats first(call_time) AS call_time BY name]
[ stats earliest(_time) AS call_time BY name type | eval {type}=call_time | fields - type call_time ]
| stats list(*) AS * BY name
... View more
07-01-2019
10:59 AM
The words 'hello' and 'how' are under the events of different fields. Are there any other ways to achieve what Im trying to?
... View more
07-01-2019
10:58 AM
Yeah, this works for me. However, when I use my own information and fields it doesnt work. This is a shot in the dark, but maybe because match is expecting a sourcetype? I dont know if I misunderstood
... View more
07-01-2019
08:35 AM
Yeah, I believe I did exactly the same. The table is only displaying the name and call_time.
... View more
07-01-2019
06:05 AM
Could you explain a little bit more what you're doing here? I don't think this is doing what I'm trying to obtain. I am trying to create a table that displays name, call_time, first_hello and first_how. I can successfully obtain call_time by using the latest() function. My error happens when trying to obtain the timestamp of first_hello and first_how. I need to use the earliest() function for both, and I don't know why, but they're both storing the same time. Let me know if I need to clarify anything else
... View more
07-01-2019
06:02 AM
When I use | stats earliest(_raw)" or "| stats earliest(conversation), the table doesn't even show up anymore. Any other ideas on how to approach this?
... View more
06-28-2019
06:47 AM
Hello, I tried using this and the table doesn't even show anymore. It says that no results were found. Any other ideas? Thank you so much for your help
... View more
06-27-2019
12:14 PM
I was able to figure out a lot of it. I'm running into a problem when using earliest(_time) several times: https://answers.splunk.com/answers/755758/using-join-earliest-table-and-latest.html?minQuestionBodyLength=80
... View more
06-27-2019
12:04 PM
Could you refer to this post? https://answers.splunk.com/answers/755758/using-join-earliest-table-and-latest.html?minQuestionBodyLength=80
It explains my issue a little bit more. I tried using min and it still doesnt work. Thank you so much
... View more
06-27-2019
09:30 AM
This doesnt work. Earliestevent1,2,3 are displaying the same time. Utilizing earliest(_time) works for me, but when I use it twice the time doesn't update. For example if the first occurrence of the word "example1" is at 1:22 and the first occurrence of the word "example2" is at 1:07 then both store 1:07 as the time stamp. Is there any way to fix this? Can I clear earliest(_time)? I want to get the first time that "event1" was written and the first time "event2" was written and save them in two different values. Im trying to create a timeline so I need the specific times for each.
... View more
06-27-2019
09:28 AM
Utilizing earliest(_time) works for me, but when I use it twice the time doesn't update. For example if the first occurrence of the word "example1" is at 1:22 and the first occurrence of the word "example2" is at 1:07 then both store 1:07 as the time stamp. Is there any way to fix this? Can I clear earliest(_time)?
... View more
06-27-2019
09:19 AM
Is there any way to clear the earliest(_time)? Both of my fields are under the same index, source and sourcetype so that might be a difference between mine and yours. I tried the join individually and it does get the data that I need. I think when I use earliest(_time) it keeps saving the earliest earliest time. Is this possible?
... View more
06-27-2019
08:29 AM
No, there aren't. This shouldn't be happening anyways since I am looking at the data of a specific field. I cannot upload data because it's confidential. Does the join work for you?
... View more
06-27-2019
07:23 AM
For example, if the word hello was written at 2:54 and how was written at 1:22 then both, first_hello and first_how, are storing and displaying 1:22
... View more
06-27-2019
07:22 AM
Is there any way to clear the earliest(_time)? When I delete one join it works perfectly. I believe that it is storing the earliest time that the word 'hello' or 'how' was written, instead of the first time that each was written. In other words, the table is showing the same timestamp for first_hello and first_how. Thank you for your help
I dont really understand what you mean by relative_time?
... View more
06-27-2019
05:46 AM
I dont think this is doing what I'm looking for. Inside the 'join' youre not looking for the first instance of the word "hello" or "how". My join looks like this:
| join name
[ search index=xxx source=xxx sourcetype=xxx conversation="*hello*"
| stats earliest(_time) as first_hello by name
| eval first_hello=srtftime(...) ]
I wrote 'conversation="*hello*" ' because I want to look for the first value that contains the world 'hello' in a field named 'conversation'. Same thing for the second join.
As I wrote in the question, my problem is that both joins are storing the same timestamp and I dont understand what Im doing wrong.
Also, why are you renaming name as host and then again as name?
... View more
06-26-2019
02:53 PM
I am a new splunk user and I want to create a stats table showing different findings of an event using fields. However, I am running into error when I use the earliest command twice. Here's what I have so far:
index= xxx source=xxx sourcetype=xxx
| stats latest(name) as name, latest(call_time) as call_time
| eval call_time=strftime(...)
| table name, call_time
| join name
[ search index=xxx source=xxx sourcetype=xxx conversation="\*hello\*"
| stats earliest(_time) as first_hello by name
| eval first_hello=srtftime(...) ]
| join name
[ search index=xxx source=xxx sourcetype=xxx messages="\*how\*"
| stats earliest(_time) as first_how by name
| eval first_how=srtftime(...) ]
| table name, call_time, first_hello, first_how
My errors are the following:
1. Both first_hello and first_how, are displaying the same time.
2. As I added the 'join' I could tell that the number of statistics decreased. I want to find a way that it displays all the events and that if a certain time (or word) cannot be found then it will just stay blank. I don't know if this is possible. I can see how that contradicts the purpose of 'join' but I couldn't find another way to do it.
Clarifications:
1. When it comes to messages and conversations, I want to find the first time that each field had a value containing the specific word(hello and how correspondingly). These two fields contain values that look like paragraphs. In other words, I want to find the first time that xxname said hello in conversation and how in messages.
Goal:
Display a table that shows: name,TIME of the last call (corresponding to that name), TIME of the first time the word hello was said in the values of the conversation field, TIME of the first time the word how was said in the values of the messages field.
Let me know if I need to clarify anything else.
... View more
06-18-2019
07:30 AM
How would you get the time for which these two fields matched each other? Further, if it matches several times how would you get the first time they matched (earliest time)?
... View more
06-18-2019
06:11 AM
I've added a picture and I highlighted the word that I'm trying to get the time of (In that case, the earliest)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
