Activity Feed
- Posted Re: Editing the Parent ID's of a Splunk Table Panel on Splunk Search. 09-18-2020 02:03 AM
- Posted Re: Editing the Parent ID's of a Splunk Table Panel on Splunk Search. 09-14-2020 10:19 PM
- Posted Re: Editing the Parent ID's of a Splunk Table Panel on Splunk Search. 09-14-2020 09:08 AM
- Posted Editing the Parent ID's of a Splunk Table Panel on Splunk Search. 09-14-2020 07:16 AM
- Tagged Editing the Parent ID's of a Splunk Table Panel on Splunk Search. 09-14-2020 07:16 AM
- Tagged Blocking New Events from getting triggered based on the status of the Earliest Event on Splunk Search. 08-17-2020 03:59 AM
- Posted Blocking New Events from getting triggered based on the status of the Earliest Event on Splunk Search. 08-17-2020 03:58 AM
- Got Karma for Re: No Splunk download for MacOS 10.15.1 (Catalina). 06-05-2020 12:51 AM
- Karma Re: How can I give the to the users to save their selected input filter on a dashboard page? for niketn. 06-05-2020 12:49 AM
- Got Karma for Re: Certification: do i need to attend official Splunk courses ?. 06-05-2020 12:49 AM
- Got Karma for How to pass multiselect input values to a drilldown target?. 06-05-2020 12:48 AM
- Got Karma for Re: How to pass multiselect input values to a drilldown target?. 06-05-2020 12:48 AM
- Karma Re: splunk detects _time right, but displays it wrong for jmallorquin. 06-05-2020 12:47 AM
- Posted Re: Certification: do i need to attend official Splunk courses ? on Security. 03-18-2020 05:49 AM
- Posted Re: No Splunk download for MacOS 10.15.1 (Catalina) on Installation. 02-21-2020 03:43 AM
- Posted Re: How can I give the to the users to save their selected input filter on a dashboard page? on Dashboards & Visualizations. 07-10-2018 12:07 AM
09-18-2020
02:03 AM
@ITWhisperer, @niketn Thanks for providing a solution to this issue. The Accessibility checker software has a set of standards against which it compares the content in a webpage and marks issues based on those standards. So, firstly, I cannot update the standards for accessibility because they are universally accepted, and secondly, I also don't have access to update the rules, so either way this wouldn't be a feasible solution. But thanks again for the suggestions. Appreciate it.
09-14-2020
10:19 PM
@niketn Thanks for the response. When an accessibility checker scans the page it is marking these ids as errors for not being unique. So like I mentioned earlier it needs to be updated somehow. Option 1: How to use nested id's? Option 2: If possible can you help me out with the JS code for this? A sample code could be helpful and I could use that as a reference to update any other id's. To replicate this, just make a sample table in Splunk --> Inspect using Chrome Dev Tools --> You should be able to notice the duplicate id's. Since there could be more than one table on the page, a sample JS code covering this aspect would be an added benefit.
09-14-2020
09:08 AM
@niketn The use case for the above change is to meet the WCAG accessibility standard of having Unique Element IDs in the Splunk Dashboard Page. It's only when I edit the IDs mentioned in the screenshot (using Chrome Dev Tools) that the issue goes away, but this is just temporary. I was able to add IDs to panels, like panel id="panel_1" etc., but that doesn't seem to solve this problem, as all Statistics-related tables in the page have the same id of statistics assigned to them. (Some base file is assigning this value to all of them, but which one?) I would want to know where this edit needs to be made permanently. I don't have backend access (we are on Splunk Cloud), but I would like to know suggestions of how this can be resolved.
09-14-2020
07:16 AM
Everyone, I am trying to edit the ID values for the "div" tags mentioned in the above screenshot so that they are unique, i.e. the first one would be id="statistics" and the second id would be id="statistics_1" etc. I am getting the code above when I inspect a table panel in Splunk, but I am not aware of how this can be edited. Can you suggest how this change is possible?
08-17-2020
03:58 AM
Everyone, Needed help on an issue of event blocking for a Splunk setup which would receive events from a Web page that would be passed forward to a Splunk Webhook alert to get triggered. There would be many events coming to Splunk from this Webpage with events like the following (Latest event received is placed on top):
ID | Process Name | Receive Time | Trigger Status |
---|---|---|---|
2 | xyz | 17th Aug 4PM | Queued |
1 | abc | 17th Aug 3PM | Queued |
My requirement is as follows:
1. If any new event comes to Splunk with the same process name I need to block the event from getting triggered by the WebHook alert.
2. This new event should be permanently blocked.
3. If the older event changes its state to Completed then any OTHER new event (not blocked in step 2) should be eligible to get triggered by the WebHook alert.
To summarize: If during the time duration of the older event's Status change from "Queued to Completed" any new event gets sent to Splunk it needs to be blocked permanently. But if the older event's Status changes to Completed AND THEN any other new event comes to Splunk then they need to flow ahead to the Web Hook trigger.
Let me know your inputs
Teknet9,
The recent updates to Splunk certification have made the trainings recommended as can be verified from the certification handbook provided by Splunk https://www.splunk.com/pdfs/training/Splunk-Certification-Candidate-Handbook.pdf
02-21-2020
03:43 AM
2 Karma
Rob,
To resolve this issue you would need to do the following :
After receiving this error message go to System Preferences > Security and Privacy > General > Under Allow Apps downloaded from AppStore and identified developers you should see the error message which was displayed earlier. Click Open Anyway and that should let you install Splunk.
07-10-2018
12:07 AM
Thanks for the quick response. This is how I have coded the multiselect currently
prefix (
suffix )
valuePrefix ticket_states="
valueSuffix "
delimiter OR
Also, I noticed that the inputs were getting saved to the lookup file upon changing them, i.e. they weren't dependent on the "Save Inputs" button. I am not sure if that is how it is supposed to work.
Let me know.
07-09-2018
11:36 PM
@niketnilay
If possible could you let me know how this approach can be implemented for multiselect inputs ? It is working for dropdown inputs.
05-10-2018
03:15 AM
Thank you woodcock.
There seems to be a slight improvement in speed when I use rex instead of split. I think I will use rex since you would need to write less code.
As mentioned in my comment to somesoni2, for the scenario mentioned above, is retrieving data from the lookup table the fastest way? Let me know.
05-10-2018
03:12 AM
Thank you somesoni2. Yes the hours charged are in a lookup table.
Just to clarify, I wanted to know if there was any other way to accomplish what I am doing above, but without using lookups. If there isn't then I will stick to this approach.
05-09-2018
02:31 AM
Everyone,
The events on Splunk for me have data in the following format:
ticket_num,actual_start_time,finish_time,assigned_to.
For Example :
A particular ticket number IN1234 has a start time of "January 1 2018" and finish time of "January 5 2018" along with whom the ticket was assigned to, for example, "A". This particular ticket may have been worked by "A" and also by "B" and "C". "A" might have charged 5 hours to the ticket, "B" - 3 hours and "C" - 2 hours.
The file consisting of the hours charged by "A","B" and "C" is in the format of :
"Resource Name","Date Charged in mm/dd/yyyy" ,"Hours Charged","Ticket Number"
"A",01/02/2018,5,IN1234
"B",01/04/2018,3,IN1234
"C",01/05/2018,2,IN1234
The current approach I am following to utilize the hours charged values is to :
1) Since IN1234 is only going to be present once in the indexed data (one event); I use the ticket_num to lookup with the file mentioned above.
2) I get a multivalued field like below :
| table ticket_num name date_charged effort
IN1234 "A" 01/02/2018 5
"B" 01/04/2018 3
"C" 01/05/2018 2
3) I do an mvzip --> | eval Test = mvzip(name,date_charged) -->
"A",01/02/2018
"B",01/04/2018
"C",01/05/2018
4) I do another mvzip -- | eval Test = mvzip(Test,effort) -->
"A",01/02/2018,5
"B",01/04/2018,3
"C",01/05/2018,2
5) I do a mvexpand on Test, so now I have 3 events like the following
|table ticket_num Test
IN1234 "A",01/02/2018,5
IN1234 "B",01/04/2018,3
IN1234 "C",01/05/2018,2
6) I use Split on Test and use mvindex to assign values
| eval Split = split(Test,",")
| eval name = mvindex(Split,0)
| eval date_charged = mvindex(Split,1)
| eval effort = mvindex(Split,2)
Using the above I can now use the data I retrieved from the lookup.
I wanted to know if there was a better alternative for the "Lookup" approach used above as there are many restrictions to this method, slower searches with an increase in tickets being one of them.
Let me know.
10-04-2017
10:45 AM
DalJeanis,
Could you suggest a way in which I could split-by a field in the data for the backlog? For example, for a given month a ticket qualified for Backlog having a Ticket type of "Incident" and another ticket with a ticket type of "Service Request".
It could also be the case that for the next month there was neither Incident nor Service Request for backlog. So streamstats the way it has been applied now isn't giving me the correct results; for example, if Jan had 2 backlog (1 for each Ticket Type) and then Feb had none and March had 2, the 2 from Jan are getting added to March but Feb should also have had 2.
Maybe I would need to have null value fields for the Ticket Type of Service Request and Incident for each month even if the backlog count was 0 so that streamstats could work?
Let me know if this needs to be posted as a new question and I would then post it as such.
08-28-2017
06:42 AM
Thank you for correcting mistakes and for the help DalJeanis.
08-25-2017
05:20 AM
Yes DalJeanis, you are right about the previous code working in real life.
And yes during the course of these responses I also realized that a ticket, if opened in February and not closed in February itself, should also qualify as a Backlog for that month; something I missed in the original question.
So there are two scenarios for a ticket to be backlog:
1) Backlogs from previous months. Eg: a ticket opened in January and with no resolve date is a backlog for all the months following January,
2) Backlog when a ticket is opened in Feb for example and doesn't resolve in the same month.
I feel that both these scenarios have been looked into now.
I think the GraphStartDate's month is a matter of personal preference.
Thank you for following up on this DalJeanis.
08-23-2017
09:07 AM
Thank you for the response, DalJeanis.
I did some modifications to line 11 as follows :
| eval MightBeLateDate = relative_time(StartDate,"+1mon@mon")
+1mon@mon was to define the threshold for late resolution of a ticket to be the start of the next month.
Also to line 15 as follows :
| eval GraphStartDate=relative_time(StartDate,"@mon")
@mon was to define the graphing month to be the month the ticket was started to be worked on.
I had one question though; for the dates you have given as examples the backlogs should have been:
For February , 4 backlogs
1st ; Start = 5th Feb and End = 15th March
2nd; Start = 15th Feb and End = 15th April
3rd; Start = 12th Feb and End = 1st April
4th; Start = 5th Feb and End = NULL
For March; 3 backlogs
1st from the above would not be a backlog since it got resolved in March.
2nd; Start = 15th Feb and End = 15th April
3rd; Start = 12th Feb and End = 1st April
4th; Start = 5th Feb and End = NULL
For April; 1 backlog
2nd and 3rd from the above would get dropped off since they resolved in April,
4th; Start = 5th Feb and End = NULL
For May and June; 1 Backlog for each month. (This isn't getting charted in the graph though. Can you suggest what I could do to chart the one backlog which must be here ?)
4th; Start = 5th Feb and End = NULL [ This ticket started in Feb and until May and June this ticket didn't close; this must be a Backlog ]
For July ;
4th; Start = 5th Feb and End = NULL
5th; Start = 5th July and End = NULL
Are the changes I have done correct? Because in the code which you have written the backlogs are being charted from March (3) and April (1), which is correct, but Feb and July weren't.
Additionally could you let me know how I could chart the Backlog from Feb (not closed ticket) in the months of May and June ?
08-21-2017
07:28 AM
Everyone,
I would like to know of suggestions for charting backlogs by month.
So backlogs in my scenario are tickets which have, for example, a "start_time" < August 1st, 2017 AND resolve_time > August 31st, 2017, i.e. tickets which were started being worked on before August 1st but didn't resolve even after August 31st.
This would need to be charted for each month; starting from Nov 1st, 2012 until now.
For now, I am trying the following code :
index="my_index"
| eval time_sub = strptime(start_time,"%d/%m/%y %H:%M:%S")
| eval time_res = strptime(resolve_time,"%d/%m/%y %H:%M:%S")
| eval Backlog_check = if((time_sub < 1501545600 AND time_res > 1504223999),"Backlog","Resolved")
| stats count by Backlog_check
The problem with this approach is that I am only getting the counts for the month of August 2017. I could replace 1501545600 to be substituted by a token value from the time range picker eg. $time.earliest$ and for 1504223999 by $time.latest$ and make this more dynamic but then the search would run only for the values passed down by the time range picker tokens which is not what I completely need.
A clean approach to resolve this would be helpful.
06-06-2017
04:39 AM
Thank you for the alternative mwarman. I will look into implementing this as well when I get the chance to.
04-28-2017
01:59 AM
1 Karma
This finally resolved Jeffland. Thank you.
I was using the following for drilling down to another page using Simple XML :
<drilldown>
<link>
<![CDATA[ ticket_review?form.severity=$row.severity$&form.ticket_id=$ticket_id$&form.time.earliest=$time.earliest$&form.time.latest=$time.latest$ ]]>
</link>
</drilldown>
So the above needed to be removed from the Simple XML and then the .js code started working. I think preventDefault means : Stop the drilldown to the search page; because clicking on the table without having the .js code would go to the search page. Adding the .js code would stop this.
Another answer from you helped in resolving this.
https://answers.splunk.com/answers/492942/table-drilldown-disable-link-conditionally.html
01-17-2017
03:29 AM
That was it.. The input id wasn't set at all.. Thanks a lot jeffland, appreciate your effort as well as the followup.
There still seems to be one issue though.. The default drilldown is not getting prevented.. i.e there are two pages now.. one with the multiselect search string(default) and another one which is showing up due to the js code you provided.
01-16-2017
09:37 PM
jeffland,
Apologies for the delay in response. I got some time to implement this today. I was able to have a look at the "e" object. The error I am facing in the console is as follows:
Uncaught TypeError: Cannot read property 'val' of undefined
at constructor.eval (eval at globalEval (common.js:1), <anonymous>:21:59)
at triggerEvents (common.js:205)
at constructor.trigger (common.js:205)
at triggerEvents (common.js:205)
at child.trigger (common.js:205)
at triggerEvents (common.js:205)
at child.trigger (common.js:205)
at eventsApi (common.js:205)
at child.trigger (common.js:205)
at child._emitDrilldownEvent (common.js:317)
The console is also highlighting this line of code :
tokenString += returnUrldValues(sourceMultiselect.val(), "form.targetMultiselectTokenName");
It would be helpful if I received a response. Thank you.
12-19-2016
09:07 PM
1) Yes the id in Simple XML is severity_table.
2) I opened the Console window on the first page in Chrome and the following error is what I receive.
http://localhost:8001/en-US/splunkd/__raw/servicesNS/admin/MyAppName/static/appLogo.png
Failed to load resource: the server responded with a status of 404 (Not Found)
3) You mentioned that I would now be able to get the left most cell value. But the left most cell doesn't have the value which I need. I might need to change the order of the table to get this working.
Mainly if modifying the URL works I could then focus on 3) and try to get that working as well. Thanks for following up jeffland.
12-19-2016
01:56 AM
var clickEventGenerator = mvc.Components.get("severity_table");
The above is the modification I did to the code. severity_table is a table on the first page through which the value for severity is found.
Eg. If I click on the first row of severity_table I should get the corresponding value of severity from the first row , click on second row I should get the corresponding value of severity from the second row.. and so on.
Any click on the severity_table should start the drilldown to the next page along with the corresponding values for severity and other values like the multiselect inputs. The multiselect inputs are coming from a different panel than the severity table. And in the next page the values of the first page are passed and populated to new panels.
12-16-2016
05:02 AM
Jeffland,
I was busy in some work so I wasn't able to implement the code until today.
So I modified the code as you mentioned and the URL is still not updating with what I would like it to be. It is showing the default URL. I am trying to modify this for an app which has already been built. So is the URL hard coded ? I am just guessing.
Like I mentioned earlier I don't have much knowledge about coding in js. So I felt for(var .. was incorrect since a few examples of .js I saw had only for( ..
Do you have any suggestions regarding this ? Thank you.
12-09-2016
02:23 AM
Ok so I did as you mentioned and the default drilldown is still working it isn't getting prevented. The old URL is still populating.
I have done the following changes. Are these correct ? I have marked the changes I did in bold.
require([
"splunkjs/mvc",
"splunkjs/mvc/utils",
"splunkjs/mvc/simplexml/ready!"
],
function(mvc, utils) {
var tokens = mvc.Components.get("default");
var sourceMultiselect = splunkjs.mvc.Components.getInstance("multiselect");
var clickEventGenerator = **table** // where your click comes from, e.g. a button or your table
clickEventGenerator.on("click", function(e) {
e.preventDefault(); // Stop default drilldown behavior
// Create token string from time tokens and multivalue inputs
var tokenString = "";
tokenString = "&form**.time.earliest**=" + tokens.get("**time.earliest**") + "&form.**time.latest**=" + tokens.get("**time.latest**"); // Use your other own static tokens here, e.g. severity
**tokenString = "?form.severity=" + tokens.get("row.severity");**
tokenString += returnUrldValues(sourceMultiselect.val(), "form.**ticket_id**"); // Add dynamic (mutlivalue) tokens here
// Handle click event regularly
var url = "**http://localhost:8001**/en-US/app/**ticket_analysis/ticket_review**" + tokenString;
utils.redirect(url, false, "_blank");
});
// Returns concatenation of all entries in multiVals with prefixed targetTokenName
function returnUrldValues (multiVals, targetTokenName) {
var string = "";
for (var i = 0; i < multiVals.length; i++) {
string += "&" + **ticket_id**+ "=" + multiVals[i];
}
return string;
}
});
-- Also is for(var .. correct ?
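As an added example that is not part of the original post or of Splunk's own code: one way to assemble the drilldown query string discussed above so that a missing input yields no parameters instead of an exception, multivalue inputs repeat the parameter name, and every name and value is URL-encoded so a value cannot inject extra parameters. The function names, the `form.` prefixing and the sample values are assumptions made for illustration.

```javascript
// Added example (not from the original post); all names here are hypothetical.

// Normalise a token value to an array of non-empty strings.
// Accepts undefined/null (input not found), a single value, or an array.
function toValues(value) {
  if (value === undefined || value === null) return [];
  const list = Array.isArray(value) ? value : [value];
  return list.map(String).filter((v) => v.length > 0);
}

// Build "path?form.a=1&form.b=x&form.b=y" from an object of form tokens.
// Each multivalue token repeats its parameter name once per value, and
// both names and values go through encodeURIComponent.
function buildDrilldownUrl(path, formTokens) {
  const pairs = [];
  for (const [name, value] of Object.entries(formTokens)) {
    for (const v of toValues(value)) {
      pairs.push(
        encodeURIComponent("form." + name) + "=" + encodeURIComponent(v)
      );
    }
  }
  // "?" is added exactly once, so the order of tokens does not matter.
  return pairs.length ? path + "?" + pairs.join("&") : path;
}

// Constructed sample values standing in for tokens.get(...) and the
// multiselect's val(); the second ticket id contains "&" and "=" on purpose.
const sampleUrl = buildDrilldownUrl(
  "/en-US/app/ticket_analysis/ticket_review",
  {
    severity: "High",
    "time.earliest": "-7d@d",
    "time.latest": "now",
    ticket_id: ["IN1234", "IN5&form.severity=Low"],
    missing_input: undefined, // e.g. an input whose id was never set
  }
);
console.log(sampleUrl);
```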