cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
govindsinghrawa
Path Finder
Member since: ‎10-05-2016
‎06-05-2020
Community Statistics
Posts 14
Solutions 3
Karma Given 16
Karma Received 5
Member Since ‎10-05-2016
Activity Feed
View All

Re: Field Extraction issue

by in Splunk Search
‎10-14-2016 11:00 PM
‎10-14-2016 11:00 PM
Hi @rajgowd The above regex which I gave is to extract fields. Once the fields are extracted then you can use them i your commands. Now coming to visulaizations. Visualizations can only be created depending on how you end your search, for example : if you end your search with timechart command then you will immediately have visualization options for line, bar etch. Example: yourBaseSearch | timechart count by yourField If you have statistics being generated as aggregations like min, max, sum etc you can plot them using timechart, chart etc. ... View more

Re: How to search the count of an event for the la...

by in Splunk Search
‎10-08-2016 03:28 PM
‎10-08-2016 03:28 PM
tested it as an answer post . seems to be working . ... View more

Re: Field Extraction issue

by in Splunk Search
‎10-08-2016 01:15 PM
‎10-08-2016 01:15 PM
Below Regex can be used in field extractor in write your own regular expression syntax: ^(?< protocol>[\S]+)\s*?(?< field1>[\S]+)\s*?(?< field2>[\S]+)\s*?(?< hostOrIp1>[^:]+):(?< hostOrIp1Port>[\S]+)\s*?(?< hostOrIp2>[^:]+):(?< hostOrIp2Port>[\S]+)\s.*?(?< state>[\S]+) During search time this regex can also be used with rex to extract fields if fields are not already extracted: yourBaseSearch |rex field=_raw "^(?< protocol>[\S]+)\s*?(?< field1>[\S]+)\s*?(?< field2>[\S]+)\s*?(?< hostOrIp1>[^:]+):(?< hostOrIp1Port>[\S]+)\s*?(?< hostOrIp2>[^:]+):(?< hostOrIp2Port>[\S]+)\s.*?(?< state>[\S]+)" | table hostOrIp1, hostOrIp2 NOTE: Please remove the space in each of the tags, example "< protocol>", "< field1>" etc. ... View more

Re: How to search the count of an event for the la...

by in Splunk Search
‎10-07-2016 05:17 PM
‎10-07-2016 05:17 PM
will it not just return for 1st and 2nd hour and not for 60 minutes ago from now. I will try though but seems not to be complete. Thanks a lot for helping out though ... View more

Re: How to search the count of an event for the la...

by in Splunk Search
‎10-07-2016 05:10 PM
‎10-07-2016 05:10 PM
seems to work, thanks ... View more

Re: How to search the count of an event for the la...

by in Splunk Search
‎10-07-2016 05:10 PM
‎10-07-2016 05:10 PM
getting data for all hours and not just one hour of today and yesterday same hour ... View more

How to search the count of an event for the last s...

by in Splunk Search
‎10-07-2016 04:41 PM
‎10-07-2016 04:41 PM
How to get the count of an event (say logins) in last sixty minutes and the count of same event for same hour yesterday? Result should be as: Today hh:mm:ss Count Yesterday hh:mm:ss Count ... View more

Re: lookup is not working

by in Splunk Search
‎10-06-2016 01:12 AM
‎10-06-2016 01:12 AM
Firstly if the events don't have the data u r looking for then why will the fields show up, as if it were to be then by that logic all the fields which are in "search x" should show up in "search y" as "search y" doesn't have any event from "search x" and yet is supposed to show them. In short no event data, so no fields for that data. ... View more

Re: lookup is not working

by in Splunk Search
‎10-06-2016 12:51 AM
‎10-06-2016 12:51 AM
interesting fields by default will come if they span 20% event coverage. Click at All fields (just top right to Selected fields). which opens the field selector and checkbox the fields specifically as all fields should be present there. Up vote if u think it works. 🙂 ... View more

Re: How do you format code in a question comment?

by in #Random
‎10-06-2016 12:41 AM
‎10-06-2016 12:41 AM
Eureka!!!! ... View more

Re: How do you format code in a question comment?

by in #Random
‎10-06-2016 12:41 AM
‎10-06-2016 12:41 AM
let me try hello world ... View more

Re: lookup is not working

by in Splunk Search
‎10-06-2016 12:32 AM
1 Karma
‎10-06-2016 12:32 AM
1 Karma
If your Lookup definition is "serverrole_lookup" then you should use as follows: *** base search | lookup serverrole_lookup host as host1 OUTPUT environment as env, role as myRole*** where host field is in lookup table whereas host1 is an extracted field environment is in lookup table whereas env is random name you choose for field to show up as interesting field role is in lookup table whereas myRole is random name you choose for field to show up as interesting field In case of automatic lookup defined (if done correctly) you can use the output fields (environment and role) directly like: *** base search | stats count by environment, role**** ... View more

Re: How to modify my search to show users who have...

by in Splunk Search
‎10-06-2016 12:02 AM
1 Karma
‎10-06-2016 12:02 AM
1 Karma
try this if your user name field is say "userName": index=bluecoat category="Translation" OR category="Pornography" | stats dc(category) as distinctCategory by userName| where distinctCategory>=2 ... View more

Re: How to edit my regular expression to extract a...

by in Splunk Search
‎10-05-2016 09:52 PM
3 Karma
‎10-05-2016 09:52 PM
3 Karma
Your answer should work but alternatively you can try as below: O_name%\d{3}[A-Za-z](?P< my_field >[^\%]+) where the string starts with O_name% then waits for 3 digits with \d{3} then an alphabet A to Z or small case a to z with [A-Za-z] then the field extraction (?P< my_field >[^\%]+) to stop reading at a % then a + to match non % as many times till you hit a % NOTE: Added space between < and my_field and > as the formatting on the website wasn't allowing without space <.my_field> ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
Karma given to