Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About gokadroid
gokadroid
Motivator
Member since:
10-06-2016
04-12-2025
Community Statistics
| Posts | 480 |
| Solutions | 113 |
| Karma Given | 121 |
| Karma Received | 235 |
| Member Since | 10-06-2016 |
Activity Feed
- Got Karma for Re: How to use regex to extract field?. 01-12-2026 05:34 PM
- Got Karma for Re: How to search for a range of IP addresses (example: 10.10.10.32 through 10.10.10.96)?. 01-12-2026 05:33 PM
- Got Karma for Re: How to search for a range of IP addresses (example: 10.10.10.32 through 10.10.10.96)?. 07-17-2025 07:49 PM
- Got Karma for Re: How to pull a audit trail logs who made changes from so and so dates, and i want to create a alert for that.. 07-31-2024 08:08 AM
- Got Karma for Re: How to pull a audit trail logs who made changes from so and so dates, and i want to create a alert for that.. 07-31-2024 08:07 AM
- Got Karma for Re: How to pull a audit trail logs who made changes from so and so dates, and i want to create a alert for that.. 07-31-2024 08:07 AM
- Got Karma for Re: How to search a lookup table and return the matching term?. 02-15-2024 10:08 AM
- Got Karma for Re: How to pull a audit trail logs who made changes from so and so dates, and i want to create a alert for that.. 07-10-2023 09:13 AM
- Got Karma for Re: How to pull a audit trail logs who made changes from so and so dates, and i want to create a alert for that.. 07-10-2023 09:13 AM
- Got Karma for Re: How to combine multiple searches and output results into one CSV file?. 02-09-2022 06:05 AM
- Got Karma for Re: inputlookup compare the field values in my logs with lookup table. 03-30-2021 05:37 PM
- Got Karma for Re: How to use rex to extract JSON text in "msg" keyValue pair?. 03-10-2021 07:36 PM
- Got Karma for Re: How to use rex to extract JSON text in "msg" keyValue pair?. 03-10-2021 07:36 PM
- Posted Re: How to use rex to extract JSON text in "msg" keyValue pair? on Splunk Search. 03-10-2021 07:20 PM
- Got Karma for Re: How to use rex to extract JSON text in "msg" keyValue pair?. 12-20-2020 02:06 PM
- Karma Re: How to use regex to extract field? for kiran331. 10-04-2020 07:01 PM
- Got Karma for Re: How to build a trend chart that compares today's result with previous day, week, and month for the same time frame?. 09-19-2020 07:23 PM
- Got Karma for Re: How to search for a range of IP addresses (example: 10.10.10.32 through 10.10.10.96)?. 07-07-2020 11:07 AM
- Karma Re: Head scratcher regex for elliotproebstel. 06-05-2020 12:49 AM
- Karma Re: Trying to get the domain from multiple email recipients using rex for micahkemp. 06-05-2020 12:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
11-08-2016
05:16 PM
1 Karma
What you would require to do is extract the base url from the url field and count on them like this:
yourQuery to return field url
| rex field=url "^(?<baseUrl>[^\/\s]+)"
| stats count by baseUrl
See the extraction of baseUrl from url here
... View more
11-08-2016
05:02 PM
It depends on what function do you want to use to round of : floor , ceil etc. and then rounding off before you convert via tostring . Something like this:
my search
|eval field_in_hhmmss=tostring(ceil(avgDurationPerpid), "duration")
| table id field_in_hhmmss
OR
my search
|eval field_in_hhmmss=tostring(floor(avgDurationPerpid), "duration")
| table id field_in_hhmmss
... View more
11-07-2016
11:48 PM
Can you please try this:
your base query earliest=-14d@d latest=-d@d
| timechart count span=7d
| eval _time=strftime(_time+7*24*60*60, "%Y-%m-%d")
1) For last 14 days (excluding the current day) earliest=-14d@d latest=-d@d is used to filter events strictly..
2) Timechart will tend to group the event as -14th day till -8th day and -7th day till -1st day keeping the date as -14th day and -7th day respectively. | eval _time=strftime(_time+7*24*60*60, "%Y-%m-%d") command is just to shift those -14th day and -7th day date to -8th day and yesterday respectively and give in the format you required for table.
3) If you wanna use current day as well, adjust the earliest and latest accordingly as remember if you take earliest as -14d and current as todays day technically they are 15days . Timechart will then end up making three rows. In this case summing up the last two rows will actually be incorrect as the last row will represent data only for the single day which is todays day and consequently the sum will be of 8days and not 7.
If you want to try it, use |head 2 in the end to get rid of that one extra day.
Example:
your base query earliest=-14d@d
| timechart count span=7d
| eval _time=strftime(_time+7*24*60*60, "%Y-%m-%d")
| head 2
... View more
11-07-2016
01:30 PM
Why don't you rex the space into a comma first and then split on comma only:
your base query to give you word
| rex mode=sed field=word "s/\ /,/g"
| split now on comma here
... View more
11-07-2016
01:21 PM
1 Karma
Since Standard deviation is calculated using average so I am assuming your field called fieldsAvg is the average of all the five fields. Which also makes me feel we can tweak your situation as follows:
- Make a new field called myField which has values from all the five fields. So if you have 3 events with 5 field values each, this new field will have 15 values to take care of all 5 fields for all 3 events.
- Calculate the stdev on this new field
your base query to return field1,field2,field3,field4,field5
| eval myField=mvzip(field1, mvzip(field2, mvzip(field3, mvzip(field4, field5))))
| mvexpand myField
| rex max_match=0 field=myField "(?<numbers>\d+)"
| stats stdev(numbers) as stdDeviation
... View more
11-07-2016
12:22 AM
I am not sure how befitting it is in your scenario but if Idea is just to avoid writing OR(s) between 50 patterns to search then can you try this:
1) Make a csv file of all your pattern and upload it as a lookup say patterns.csv which has fieldname (say) PatternField
PatternField
Login status is
Account details flow for Apple Phone for user Id
Payment status and
Account details flow for Android Phone for user Id
finger print status of User id
Transfer account status
After that use the below query to complete your search by replacing your sourcetype names for "A", "B", "C" and so on:
sourcetype=A OR sourcetype=B OR sourcetype=C ([|inputlookup patterns.csv | fields PatternField | return 50 $PatternField ] )
Hope this helps.
... View more
11-06-2016
06:30 PM
Is it the colour token that is not getting set, or is it being set incorrectly. The correct format of colour token is:
"BLUE": 0x0000FF, "GREEN": 0x00FF00, "RED": 0xFF00FF, "YELLOW": 0xFFFF00
Take special note of how the field name is within double quotes followed by a colon and the the hex code followed by a comma before the next one starts "BLUE": 0x0000FF, .
Once all the above Names and codes came into my string in valuesP all I needed to do is take care of following tags of dropdown:
<fieldForLabel>valuesP</fieldForLabel>
<fieldForValue>valuesP</fieldForValue>
<selectFirstChoice>true</selectFirstChoice>
Thereafter this piece of code in chart should work (take a note of { } around my token name:
<option name="charting.fieldColors">{$colourToken$}</option>
... View more
11-06-2016
01:53 PM
1 Karma
Let me have a stab at it, with something similar I achieved where I didn't need a lookup as I generated the codes based on the fields which appeared in events.
My data had events where one "Name" field value only had one "Code" field value. i.e. Name1 always had Code1 ( Name RED always had Code #FF00FF) in all the events. :
Oct 31 2016 00:00:00; Name= RED; Code= #FF00FF; IP=10.120.10.22
Oct 31 2016 00:00:01; Name= GREEN; Code= #00FF00; IP=110.120.10.22
Oct 31 2016 00:00:02; Name= BLUE; Code= #0000FF; IP=210.120.10.22
Oct 31 2016 00:00:03; Name= YELLOW; Code= #FFFF00; IP=180.120.10.22
Based on above events this is what I followed:
1) Create a hidden drop down input element.
2) In this dropdown's dynamic query create a string value, I called it valuesP , that will save all colourNames and colourCodes. These Name and Codes will be picked up from data field values of "Name" and "Code".
3) Format this valuesP string to suit the charting.fieldColors option, eg. for me the codes in valuesP were coming in #pppppp format but charting.fieldColors required colour in 0xpppppp format. (Might not be applicable for you)
4) Field valuesP was table(d) in dropdown, and set for fieldForLabel and fieldForVlaue . This sets the dropdown token which will be used to display colours. I called my dropdown token as colourToken .
5) Use the colourToken token in the charting.fieldColors option of chart.
Here is the dropdown code which was used.
<input type="dropdown" token="colourToken" searchWhenChanged="true" depends="$hideToken$">
<label>Hidden DropDown</label>
<search>
<query>... | eval colourCode="\"".Name."\": ".Code
| stats values(colourCode) as valuesP
| mvcombine valuesP
| rex field=valuesP mode=sed "s/ \"/, \"/g
s/\#/0x/g"
| table valuesP
</query>
</search>
<fieldForLabel>valuesP</fieldForLabel>
<fieldForValue>valuesP</fieldForValue>
<selectFirstChoice>true</selectFirstChoice>
</input>
Things to note in dropdown code:
- A dummy token called $hideToken$ was used to keep dropdown hidden all the time as this token will never be set.
- Set the selectFirstChoice = true (just for safety, even though only one string is tabled in query, might not be required though)
- Dropdown token colourToken was used in the charting option of pie chart as:
<option name="charting.fieldColors">{$colourToken$}</option>
NOTE
- My base query that was used to create the pie chart created fields called "RED", "YELLOW" and so on (a static part which requires me to be aware of what colours will be coming in my data) as charting.fieldColors works on fields. Here was my query to plot pie chart:
...| stats count(eval(Name=="RED")) as RED, count(eval(Name=="BLUE")) as BLUE, count(eval(Name=="YELLOW")) as YELLOW, count(eval(Name=="GREEN")) as GREEN
Hope it helps 🙂
... View more
11-05-2016
05:04 PM
what script are you writing? does that scripting means doesn't give something locally for you to capture with comma first and then replace in consecutive lines of script?
Can you paste the sample code that you have written and what are trying you achieving out of it so to see if we can help.
... View more
11-05-2016
12:56 PM
If you have already regexed out your number in a field say "myNumberField" or the data with "," is in "myNumberField" then can you try this which will remove the "," from the field value:
your query to return myNumberField
| rex mode=sed field=myNumberField "s/,//g"
| table myNumberField
... View more
11-05-2016
10:27 AM
A license exceed on a day should not disable you "app options" but should generate a warning/violation. Read more about what might happen when you exceed your license usage here:
http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Aboutlicenseviolations#What_are_license_violations_and_warnings.3F
... View more
11-05-2016
10:00 AM
your Base query to generate place , mag, depth
| eval mag=if(place="7km W of Cobb, California" OR place="1km SE of Loma Linda, California", mag+depth, mag)
| eval depth=if(place="7km W of Cobb, California" OR place="1km SE of Loma Linda, California", 0, depth)
| table place, mag, depth
... View more
11-04-2016
09:36 PM
Ok, interesting, maybe we are missing something...can you tweak this part of inner query as follows:
| dedup Server,CPU
| where CPU>70
| table Server
Change above lines to below lines to see if it actually returns something...and then complete your outer query.. this should work
| dedup Server,CPU
| where CPU>70
| return 10000 $Server
... View more
11-04-2016
09:04 PM
Check these:
1) Are really servers running at 70% now? Can you try to lower that value to | where CPU > 5 and see if it returns something.
2) Run inner query separately and see if you get values for Server fields.
3) Is value of host field in outer query and value of Server from inner query similar?? Like if inner Server field has values like "abc.domain.com", outer index field host should have values like "abc.domain.com" as well. Or at least the string "abc.domain.com" should be present in outer index events for outer query to search it and return events.
... View more
11-04-2016
08:37 PM
In order to form a query for this we should have a way to get all the servers which have greater than 70% CPU utilization and these servers should be searchable in index where you have process listed. If that is so you can proceed as follows:
outer search to get the host and process [ inner search which will return the hosts which have greater than 70% CPU Utilization and will be used as search strings in outer query ]
| completing the outer search to get the top processes
In your example, I am thinking the field Server is what has hostname and should be searchable in outer query as a host:
index= infra earliest=-15m source="Perfmon:Process" counter="% Processor Time" (instance!="_Total" AND instance!="Idle" AND instance!="System")
[| loadjob savedsearch="nobody:cdfs-infg:infra_saved_search"|stats latest(CPU) as CPU by Server
|eval CPU=round(CPU,2)
| dedup Server,CPU
| where CPU>70
| table Server ]
| eventstats avg(Value) as AvgValue by host,instance | top instance by AvgValue,host limit=10 showperc=f showcount=f| sort -host,-AvgValue
NOTE In the inner query I have used all the calculations which were sufficient to calculate | where CPU>70 . If you need to calculate total_memory>70 as well then some tweaks might be needed.
... View more
11-04-2016
08:32 AM
Since you wanted to work it like awk and looking at your new data:
Your word when separated by spaces comes at awk '{print $6}' , so use the field index6 after applying the rex as below to get that:
your base query
| rex "^(?<index1>[\S]+)\s(?<index2>[\S]+)\s(?<index3>[\S]+)\s(?<index4>[\S]+)\s(?<index5>[\S]+)\s(?<index6>[\S]+)\s(?<index7>[\S]+)\s(?<index8>[\S]+)\s(?<index9>[\S]+)\s(?<index10>[\S]+)\s(?<index11>[\S]+)\s(?<index12>[\S]+)\s(?<index13>[\S]+)"
|stats count by index6
See here
OR
Your word when separated by ":" comes as the first word of awk -F":" '{print $4}' which needs another pipe of awk '{print $1}' since "Start" is the first word of 4th index, hence find that piece as index4 below after applying rex:
...| rex "^(?<index1>[^\:]+)\:(?<index2>[^\:]+)\:(?<index3>[^\:]+)\:\s(?<index4>[\S]+)\s(?<index5>[^\:]+)\:(?<index6>[^\:]+)\:(?<index7>[^\:]+)\:(?<index8>[^\:]+)\:\s*(?<index9>[^\s]+)"
| stats count by index4
See here.
... View more
11-03-2016
10:27 PM
I think what @somesoni2 has as regex will capture what u need in "Action" field. Can u see here that his regex works the way you want it, unless ur data is something else than the one u posted in question.
... View more
11-03-2016
08:26 PM
That should be easier if you already know what static values you have and what static values you want to output when user selects. Try this then:
<form>
<label>Answers</label>
<fieldset submitButton="false">
<input type="dropdown" token="thisIsDropdownToken" searchWhenChanged="true">
<label>This is DropDown Label</label>
<choice value="It is a year">2016</choice>
<choice value="It is a year">2017</choice>
<choice value="Month">July</choice>
<choice value="Month">June</choice>
</input>
<input type="text" token="thisIsTextBoxToken">
<label>This textBox's text will change</label>
<default>$thisIsDropdownToken$</default>
</input>
</fieldset>
</form>
... View more
11-03-2016
07:26 PM
1 Karma
Let me give it a shot taking these assumptions below:
1) You have a query that will return you two fields;
first field whose values you want to update as part of dropDown list. I will call this field thisWillBeDisplayedInDropDown
second field whose values you want to update in the text box depending on what user chose in dropdown list. I will call this field as thisWillBeUpdatedInTextBox
Example of one such query can be:
base query | stats count by thisWillBeDisplayedInDropDown, thisWillBeUpdatedInTextBox
You can then use "thisWillBeDisplayedInDropDown" field values to display in drop down list and depending on what value user selected, the value of "thisWillBeUpdatedInTextBox" field will be used to update in the textbox.
Taking above as a reference, please have a look at this code which should give you what you want:
<form>
<label>Dashboard Title</label>
<fieldset submitButton="false">
<input type="dropdown" token="thisIsDropdownToken">
<label>This is DropDown Label</label>
<search>
<query>This query will populate the dropdown| stats count by thisWillBeDisplayedInDropDown, thisWillBeUpdatedInTextBox</query>
<earliest>-4h@m</earliest>
<latest>now</latest>
</search>
<fieldForLabel>thisWillBeDisplayedInDropDown</fieldForLabel>
<fieldForValue>thisWillBeUpdatedInTextBox</fieldForValue>
</input>
<input type="text" token="thisIsTextBoxToken">
<label>This textBox's text will change</label>
<default>$thisIsDropdownToken$</default>
</input>
</fieldset>
</form>
NOTE: Please ensure to click "Search On Change" in both the TextBox and DropDown Input settings when you are configuring the Inputs (just being cautious )
... View more
11-03-2016
05:51 PM
Given that:
1) There are multiple events associated with a single orderID where orderID acts as primary key to track these events.
2) orderID is considered success if even one event is successful
3) Looking for orderID with all of its associate events with status=failure
then can you try this:
your base query NOT [ your base query status=success | dedup orderID | table orderID ]
| dedup orderID
| table orderID
this should remove all the orderID related events from the search where you had atleast one success. The remaining ones are the ones with neither success nor partial success.
... View more
11-03-2016
03:00 PM
ok, lets tweak that bit then
|fillnull value="NULL" | search device!="NULL" AND dailyAvg!="NULL" AND threshold!="NULL" AND date!="NULL"
Only one can also work but lets use all of them to ensure all are non null.
... View more
11-03-2016
02:47 PM
did you not use search NOT NULL piece right at the end of the query?? That's should have got rid of all the NULL values.. If it solves and helps then please accept the answer and upvote..
... View more
11-03-2016
02:29 PM
Empty rows are from the events which do not have these values as part of event log line...the event lines which do not have this data (device, avg and threshold) will show up as blank. So in your initial search query to return events use unique values that will only filter out these lines in which you are interested from where you want to extract these four fields.
OR append these at the end of query
|fillnull value="NULL" | search NOT NULL
That's should solve the blanks.
As for duplicate events since it might be events have different time (but on same day) hence chances are that the data "date, device, average and threshold" appear duplicate but are actually difference events.
... View more
11-03-2016
02:10 PM
Looks like fields are not extracted...use the third option in my answer above which extracts the information first and then tables.
your query to return events
|rex "(?<date>\d{4}\/\d{2}\/\d{2})\s.*Device\=(?<device>[\S]+)\s.*Daily_AVG\=(?<dailyAvg>[\S]+)\s*Threshold\=(?<threshold>[\S]+)\s*"
| table device, dailyAvg, threshold , date
... View more
11-03-2016
01:58 PM
If all four fields are already extracted as date, device, daily_avg, threshold then all you need to do is
your query to return date, device, daily_avg, threshold
| table device, daily_avg, threshold, date
If date is not extracted then you can use _time
your query to return device, daily_avg, threshold
| eval date=strftime(_time, "%Y-%m-%d")
| table device, daily_avg, threshold , date
If the fields are not already extracted then extract them first as below and then table:
your query to return events
|rex "(?<date>\d{4}\/\d{2}\/\d{2})\s.*Device\=(?<device>[\S]+)\s.*Daily_AVG\=(?<dailyAvg>[\S]+)\s*Threshold\=(?<threshold>[\S]+)\s*"
| table device, dailyAvg, threshold , date
| fillnull value="NULL"
| search device!="NULL" AND dailyAvg!="NULL" AND threshold!="NULL" AND date!="NULL"
Updated the fillnull piece as per comments
See extraction here
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-12-2025
06:34 PM
|
Karma given to
