Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About david_keough
david_keough
Explorer
Member since:
07-16-2019
Friday
Community Statistics
| Posts | 5 |
| Solutions | 1 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 07-16-2019 |
Activity Feed
- Posted Re: HEC / Webhook / Signed Event Webhook, OAuth on Getting Data In. Thursday
- Posted Re: Dynamic updating of multiple KV Store rows on Knowledge Management. 11-10-2020 04:09 AM
- Posted Dynamic updating of multiple KV Store rows on Knowledge Management. 10-27-2020 04:13 PM
- Karma Re: How to graph multiple series graphs with null values using both gaps and connect for to4kawa. 06-05-2020 12:50 AM
- Posted Re: How to graph multiple series graphs with null values using both gaps and connect on Splunk Search. 11-25-2019 10:32 AM
- Posted How to graph multiple series graphs with null values using both gaps and connect on Splunk Search. 11-21-2019 07:23 AM
- Tagged How to graph multiple series graphs with null values using both gaps and connect on Splunk Search. 11-21-2019 07:23 AM
- Tagged How to graph multiple series graphs with null values using both gaps and connect on Splunk Search. 11-21-2019 07:23 AM
- Tagged How to graph multiple series graphs with null values using both gaps and connect on Splunk Search. 11-21-2019 07:23 AM
- Tagged How to graph multiple series graphs with null values using both gaps and connect on Splunk Search. 11-21-2019 07:23 AM
- Tagged How to graph multiple series graphs with null values using both gaps and connect on Splunk Search. 11-21-2019 07:23 AM
Topics I've Started
Thursday
Same org as OP, different role. SendGrid - at this time only has webhook integration that uses OAUTH2 or Cryptographic Signaling with no ability to access header configuration to use the Splunk HTTP Event Collector tokens. The Token CAN be embedded in the URL target itself but might be able to be intercepted enroute before encrypted handshakes. If this happens another actor could potentially impersonate and flood the HEC with garbage data. Admittedly the attack surface is small and the damage is mostly ingestion and headache. It has less to do with PII protection and more so the non-repudiation factor in this case. If other Cloud based SaaS applications go this route then ingestion data from these will require cribl or some other other solution to serve as a receiver/validator before forwarding.
... View more
11-10-2020
04:09 AM
The last_time field is a numeric field that cannot accept a formatted time string value. This was preventing the new data from applying to the fields. There is no notification of failure when it fails. Either store the datetime as epoch numeric or as a formatted string str value. The function works and is essentially repaired. | inputlookup kvstoreA
| eval
joinField=test_name+rule_name+test_target
| join type=inner [
search index=a sourcetype=b NOT variable="ignore"
| dedup testName testTargetDesc ruleName
| eval
Event_last_time=_time,
Event_last_status=case(eventType=="A","healthy",eventType=="B","unhealthy",TRUE(),"undefined"),
Event_test_name='alert.testName',
Event_rule_name='alert.ruleName',
Event_test_target='alert.testTargetsDescription{}',
joinField=Event_test_name+Event_rule_name+Event_test_target]
| where Event_last_time!=last_time
| eval
last_status=Event_last_status,
last_time=Event_last_time
| fields last_time last_status test_name rule_name test_target
| outputlookup kvstoreA append=True
... View more
10-27-2020
04:13 PM
tl:dr - questions I am looking to get answers for: 1. Is there a better way to do this? 2. Is it possible to dynamically declare and store the _key values that I want to update? --------------------------------------------------- I have a KV Store that holds statefulness data from a program that runs over 300 different tests. The KV Store presently string fields with data that I filled from a previous query with the last_status field set as the string "stub" while I'm working on getting it functional. The field names in the kvstore are: last_time last_status test_name rule_name test_target and of course the hidden _key field. I'm trying to update the last_time and last_status when the conditions are suitable. The suitable condition is when the test, rule, and target fields match a subsearch with the same values in their respective fields. I'm having issues with getting the KV Store to update. I've seen the following approaches suggested already from the questions I could find and the kb type articles. | inputlookup csvcoll_lookup | search _key=544948df3ec32d7a4c1d9755 | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True Which led me to finding a suggestion of | inputlookup csvcoll_lookup | where _key IN("544948df3ec32d7a4c1d9755","544948df3ec32d7a4c1d9756","544948df3ec32d7a4c1d9757") | eval CustName="Marge Simpson" | eval CustCity="Springfield" | outputlookup csvcoll_lookup append=True I have something similar to the following query (some vars and objects have have their names changed to some degree, but still represent the logic I'm trying to work with. | inputlookup kvstoreA
| eval
last_time=strftime(last_time,"%Y-%m-%dT%H:%M:%S"),
key=_key,
joinField=test_name+rule_name+test_target
| join type=inner [
search index=a sourcetype=b NOT variable="ignore"
| dedup testName testTargetDesc ruleName
| eval
Event_last_time=strftime(last_time,"%Y-%m-%dT%H:%M:%S"),
Event_last_status=case(eventType=="A","healthy",eventType=="B","unhealthy",TRUE(),"undefined"),
Event_test_name='alert.testName',
Event_rule_name='alert.ruleName',
Event_test_target='alert.testTargetsDescription{}',
joinField=Event_test_name+Event_rule_name+Event_test_target]
| where Event_last_time!=last_time
| eval
last_status=Event_last_status,
last_time=Event_last_time
| fields last_time last_status test_name rule_name test_target view_key
| outputlookup kvstoreA key_field=view_key append=True From what I have read and tested so far I am sure that I don't know how to extract the _key values in a dynamic way that can be applied to update specific entries in the table. 1. Is there a better way to do this? 2. Is it possible to dynamically declare and store the _key values that I want to update?
... View more
Labels
- Labels:
-
kvstore
11-25-2019
10:32 AM
I had the thought this morning to use stream stats to govern this. Your intuition was right. I had to modify the code a bit to get it to work. Line 103 had an extra comma that derailed the rest.
I adapted the code from 109 on to give me this
| streamstats avg(eval(if(CFE_RespTime!=-1,CFE_RespTime,0))) as "Response Time" avg(eval(if(CFE_RespTime==-1,0,null))) as "Threshold Violations" time_window=6m
| table _time "Response Time" "Threshold Violations"
It appears to have borne some great fruit though at higher resolutions it doesn't graph the individual points. It looks like its the better of the two worlds for this application.
Thank you.
... View more
11-21-2019
07:23 AM
Splunk 7.2.3
I have been trying to use timechart to graph synthetic transaction application response times.
The calculated data contains two series: RespTime and Violations. Graphing both of these series together appears to force an either or type situation relating to the use of either gaps or connect logic for null values within the series. This might be compounded or by span/bucket logic. I've experimented with several other graph types.
Any ideas moving forward would be appreciated.
The _raw data is in the following format:
GUID|APPid|Synthetic Transaction Host|DateTime|RespTime
My initial approach was to create two series based on the RespTime being a -1 value (indicating a violation) then graphing them both.
| eval Violations=if(CFE_RespTime=-1,CFE_RespTime,"")
| eval RespTime=if(CFE_RespTime=-1,"",CFE_RespTime)
| timechart avg(RespTime) as "Response Time" avg(Violations) as "Threshold Violations"
The second attachment has span=6m but it otherwise the same as the previous logic.
Without an explicit span the attached graph shows the issue I am trying to discuss / solve.
The desire is for either the Response Time series to be entirely connected OR for there to be gaps only at the location of the violations while not having the violations series connect over entirely separate violation values. If there are consecutive values within the violation series then the violation series should connect also.
Choosing connect also connects the violation series while choosing gap creates numerous gaps in the response time series.
Changing the span doesn't alleviate the issue as gaps may randomly show up depending on the specific timing of the hosts generating the data.
In the data below, the -1 values are threshold violations, when they are consecutive they should connect but when they are not there should be gaps in the data.
example table
_time RespTime
2019-11-21 08:45:33 1086
2019-11-21 08:39:56 1260
2019-11-21 08:39:56 1324
2019-11-21 08:40:11 1287
2019-11-21 08:40:16 1139
2019-11-21 08:40:16 1144
2019-11-21 08:33:28 1089
2019-11-21 08:19:56 1266
2019-11-21 08:19:57 1254
2019-11-21 08:20:11 1330
2019-11-21 08:20:15 1123
2019-11-21 08:20:16 1140
2019-11-21 08:13:28 1118
2019-11-21 08:03:27 1047
2019-11-21 07:59:56 1279
2019-11-21 07:59:56 1257
2019-11-21 08:00:08 1183
2019-11-21 08:00:15 1150
2019-11-21 08:00:16 1138
2019-11-21 07:43:28 1058
2019-11-21 07:29:56 1324
2019-11-21 07:29:56 1358
2019-11-21 07:30:11 1290
2019-11-21 07:30:15 1176
2019-11-21 07:30:16 1186
2019-11-21 07:09:56 -1
2019-11-21 07:09:57 2032
2019-11-21 07:10:09 1196
2019-11-21 07:10:15 1165
2019-11-21 07:10:16 1165
2019-11-21 07:03:28 1037
2019-11-21 06:59:56 1277
2019-11-21 06:59:56 1309
2019-11-21 07:00:09 1203
2019-11-21 07:00:15 1128
2019-11-21 07:00:16 1138
2019-11-21 06:53:28 1087
2019-11-21 06:49:56 1291
2019-11-21 06:49:56 -1
2019-11-21 06:50:11 1244
2019-11-21 06:50:15 1117
2019-11-21 06:50:16 1148
2019-11-21 06:43:28 1042
2019-11-21 06:39:56 1297
2019-11-21 06:39:57 1374
2019-11-21 06:40:14 6222
2019-11-21 06:40:15 1121
2019-11-21 06:40:16 1117
2019-11-21 06:29:56 1243
2019-11-21 06:29:56 1245
2019-11-21 06:30:11 1289
2019-11-21 06:30:15 1143
2019-11-21 06:30:16 1101
2019-11-21 06:19:56 1390
2019-11-21 06:19:56 1363
2019-11-21 06:20:09 1223
2019-11-21 06:20:15 1118
2019-11-21 06:20:16 1523
2019-11-21 08:49:56 -1
2019-11-21 08:49:56 1348
2019-11-21 08:50:11 1298
2019-11-21 08:50:15 1180
2019-11-21 08:50:16 1109
2019-11-21 08:29:56 1296
2019-11-21 08:29:57 1278
2019-11-21 08:30:08 1192
2019-11-21 08:30:15 1169
2019-11-21 08:30:16 1151
2019-11-21 08:23:28 1097
2019-11-21 08:09:56 1314
2019-11-21 08:09:56 1247
2019-11-21 08:10:08 1216
2019-11-21 08:10:15 1133
2019-11-21 08:10:16 1144
2019-11-21 07:53:28 1025
2019-11-21 07:49:56 1265
2019-11-21 07:49:56 1273
2019-11-21 07:50:08 1262
2019-11-21 07:50:15 1164
2019-11-21 07:50:16 1095
2019-11-21 07:39:56 1275
2019-11-21 07:39:56 -1
2019-11-21 07:40:08 1169
2019-11-21 07:40:15 1151
2019-11-21 07:40:16 1099
2019-11-21 07:33:28 1073
2019-11-21 07:23:28 1104
2019-11-21 07:19:56 1286
2019-11-21 07:19:57 1268
2019-11-21 07:20:08 1199
2019-11-21 07:20:15 1281
2019-11-21 07:20:16 1123
2019-11-21 07:13:28 1123
2019-11-21 06:33:28 1060
2019-11-21 06:23:27 1054
2019-11-21 06:13:27 1019
2019-11-21 06:09:56 -1
2019-11-21 06:09:56 1255
2019-11-21 06:10:08 1211
2019-11-21 06:10:15 1138
... View more
