About arusoft

Vas1 · ‎08-16-2023

Hi Bro did you got this If yes can you please explain me how to do it

iacine · ‎08-01-2023

Hello, I have the same error do you have resolved your issue ? Regards

arusoft · ‎09-01-2022

This is resolved . I got answer from Github Error setting up Splunk OpenTelemetry Collector for Kubernetes

somesoni2 · ‎03-31-2022

The subsearch with "makeresults" is generating custom time range, earliest and latest. Using it in the way mentioned here, will add (behind the scene) "earliest=<value> AND latest=<value>" in the subsearch using it. Since it happens behind the scene, syntax is not highlighted. | multisearch [search index="abc" ] [search index="xyz" [| makeresults | addinfo | eval earliest=relative_time(info_max_time,"-30d@d") | eval latest=info_max_time | table earliest latest]] Below search doesn't work because, earliest and latest is being added as field and not as filter. index="xxx" | addinfo | eval earliest=relative_time(info_min_time,"-30d@d") | eval latest=info_max_time | timechart span=1d count

PickleRick · ‎01-28-2022

Yep, we're drifting way away from the main topic 🙂 Let me point out that there's no such thing as "most optimal". Either something is optimal or not. The ACID-ity in most part has nothing to do with the OP's problem. MD5 is not an injective function. Even in general case of any hashing algorithm it's a proper practice to check the actual value, although indeed the probablity of collision is very low, you need to cover much less than half of the number of different unhashed messages to "likely" hit a colision (in fact it's a square root of 2^n). So let's leave this topic alone for now 🙂

arusoft · ‎01-27-2022

@PickleRick I am already doing what you suggested. My second search has lot of duplicate data. So I was thinking that deduping in advance would speed up overall search. If that is not the case then I will continue doing what you suggested. My end goal is to find max date from second search based on common columns and then display the same with main search. I already got help from this community is its working fine. Thank You.

arusoft · ‎01-10-2022

Thanks @isoutamo for suggestion. But yes I already read that. Like you said, I guess contacting Splunk support is route to go.

bowesmana · ‎12-21-2021

@arusoft Note that using eventstats is not the fastest operation and if you have a clustered index environment, will cause the data to be pushed to the search head for the operation to run there. I couldn't immediately think of a way to avoid that, that would avoid some more complex logic involving creating complex fields and using mvexpand after a normal stats. Anyway, test as needed. One thing you should do before using eventstats is to use the fields command to minimise the data that will end up going to the search head. In the above, you would do | fields - EmailX EmailY DateLogin before the eventstats.

ITWhisperer · ‎12-20-2021

This is how reports work with dashboards. Essentially, the dashboard is loading a set of results from the (last execution of the) report, which it can then do further operations on, such as filtering by time.

arusoft · ‎12-15-2021

WoW.. this looks like is the solution . Thank you @ppig @johnhuang @ITWhisperer all for your solutions. All helped me learn something new today 🙂

arusoft · ‎12-05-2021

Thanks @PickleRick That's exactly what I understood might be going on. You explained very well. Its just that I don't like this feature name 🙂 Atleast for me its a bit confusing. My goal was to run a savedsearch/report on nightly basis. And then use the last run result in dashboards/reports etc. I guess like @richgalloway mentioned LoadJob is the what I should be doing.

PickleRick · ‎11-30-2021

Sure you can. You already had the answer here. https://community.splunk.com/t5/Splunk-Search/How-do-you-list-top-items-for-each-group/m-p/328349/highlight/true#M97747

gcusello · ‎04-09-2021

Hi @arusoft, sorry, no other way! If this answer solves your need, please accept it for the other people of Community. Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated 😉

arusoft · ‎02-23-2021

I have search that looks something like that <<sarch string>>| chart sum(total) over AssingmentsByDay by PROBLEM_STATUS | addtotals This will group by AssingmentsByDay and have columns by PROBLEM_STATUS . The AssingmentsByDay is combination of AssignmentName and Day Here is an example how the results looks like AssingmentByDay Restored To Be Worked Waiting Waiting - Client Waiting - IT Work In Progress Total 02/22/21-at 21 hrs->>>-Assingment1 1 1 1 2 5 02/22/21-at 21 hrs->>>-Assingment2 1 1 02/22/21-at 21 hrs->>>-Assingment3 1 1 2 02/23/21-at 21 hrs->>>-Assingment1 2 2 4 02/23/21-at 21 hrs->>>-Assingment2 2 2 4 02/23/21-at 21 hrs->>>-Assingment3 2 2 4 Now how can I change color of font or background of group of rows based on Assignments Day as shown above. I really don't want to mix day with Assignment day, but I then not sure how to do get results similar to above. I basically want to group them by day and also color them by each day Thank You

arusoft · ‎08-12-2019

Wanted to update that for no reason next day my code didn't worked. I was getting some error message that I didn't saved to mention here. After searching online I added | format "(" "(" "" ")" "OR" ")" at the end of sub search and then it worked. And today its working with or without this additional line of code. So if your code too doesn't work then add this line as shown below. [ | inputlookup DummyFileWithOneRecord.csv | head 1 | eval earliest="07/17/2019:15:01:45" | eval earliest=strptime(earliest, "%m/%d/%Y:%H:%M:%S") | eval latest=earliest+600 | eval earliest=earliest-600 | table earliest,latest | format "(" "(" "" ")" "OR" ")" ] < Your actual search go here>

arusoft · ‎07-28-2019

wow.. it works. thank you 🙂

Posts	47
Solutions	2
Karma Given	31
Karma Received	3
Member Since	‎07-22-2019

Online Status	Offline
Date Last Visited	‎10-02-2022 11:10 PM

Why am I not getting metrics using splunk-otel-col...

How to resolve error when setting up Splunk OpenTe...

How to create servicenow ticket from Splunk alert?

How to subsearch/multisearch date based on minimum...

multisearch not allowing dedup individual search

Update CSV source without duplicates

DBScan Error in fit command: Memory limit exceeded

Join with conditions

use dashboard date filter for an embedded report

get bottom 3 duration within each group

Re: How to create servicenow ticket from Splunk al...

Re: Why am I not getting metrics using splunk-otel...

Re: Error setting up Splunk OpenTelemetry Collecto...

Re: subsearch/multisearch date based on minimum of...

Re: Update CSV source without duplicates

Re: multisearch not allowing dedup individual se...

Re: DBScan Error in fit command: Memory limit exce...

Re: Join with conditions

Re: use dashboard date filter for an embedded repo...

Re: get bottom 3 duration within each group

Re: using saved search in report without running i...

Re: How do you list top items for each group?

Re: How can I use lookup csv from another Index?

color by group

Re: how to search events within few minutes of giv...

Re: How to create static baseline on chart without...