I may need to move my dashboard results to a server to create the outside link rather than creating a link from my laptop with localhost. I thought that was a simpler way to do it since in the video she uses a link that can be access from the outside to the report results. Thanks! Juan ... View more

Using the link from my browser address bar would limit others as it uses http://localhost:8000 Any other way to give access to my dashboard results? Thanks! ... View more

Hello Chris, Sharing a link so that others can see the dashboard. Here is a link on how it used to work (Splunk Education: Saving and Sharing Searches) https://www.youtube.com/watch?v=jiwt1ADzHd8 Thanks! Juan I looked at Embedded reports but there are no Embedded "Dashboards". Thanks! ... View more

Tom, Thanks for your input. It worked well! Juan ... View more

Hello ppablo, Splunk 6.2.1. Chris below answered my question. The Edit Tag under actions was a bit confusing since there is where you can now create a new tag. Thanks! Juan ... View more

Thanks ChrisG! The Edit Tag under actions was a bit confusing since there is where you can now create a new tag. Juan ... View more

Hello Somesh, In regards to performance using the different approaches, what do you think: Example 1 In these two examples using replace versus convert for eliminating ",": | gentimes start=-1 | eval currency_field="$9,843.00 ($2,479.99)" | table currency_field | makemv currency_field | mvexpand currency_field | replace "$" with "","($)" with "-" in currency_field | eval currency_field1=tonumber(replace(currency_field,",","")) | eventstats sum(currency_field1) as Total | eval Total=if(Total>0,"$".tostring(Total,"commas"),"($".tostring(Total*-1,"commas").")") Example 2 | gentimes start=-1 | eval currency_field="$9,843.00 ($2,479.99)" | table currency_field | makemv currency_field | mvexpand currency_field | replace "$" with "","($)" with "-" in currency_field | eval currency_field1 = convert rmcomma(currency_field) | eval currency_field1=tonumber(replace(currency_field,"","")) | eventstats sum(currency_field1) as Total | eval Total=if(Total>0,"$".tostring(Total,"commas"),"($".tostring(Total*-1,"commas").")") I appreciate your suggestion, I would need to research on how to implement SEDCMD in props.conf for my use case... but before I do that, in terms of performance, how does the above examples compare using SEDCMD option to eliminate ",", etc. for my use case? Thanks! Juan Thanks! Juan ... View more

Hello Somesh, Can an already uploaded CSV file be changed or edited? I would like to know other ways to treat currency ($ and negative in parenthesis) that gets moved as a string into Splunk, besides the two options below: 1. Convert currency to numeric before loaded into Splunk 2. Use replace in the search as you showed in your example Thanks! Juan ... View more

Hello Lisa, Can a CSV file already uploaded be changed or edited? I would like to know the best approach to treat currency ($ and negative in parenthesis) that gets moved as a string into Splunk, besides these two options: 1. Convert currency to numeric before loaded into Splunk 2. Do the conversion in the search Here is some sample data: Contract_Date Amount Vendor_Id Contract_Services "Sep 25, 2012","$9,843.00","CN99999","FS SERVICES" "Sep 25, 2012","$4,631.16","CN99999","FS SERVICES" "Sep 25, 2012","($52,479.99)","CN99999","FS SERVICES" Thanks! Juan ... View more

Somesoni, credit goes to you for being the first one to answer my question! Thanks! Juan ... View more

Hello Somesoni2, I appreciate your solution! thank you! I ran the query as follows: Replaced: | gentimes start=-1 | eval currency_field="$9,843.00 ($2,479.99)" For: | rename Amount as currency_field | rename Amount as currency_field| table currency_field | makemv currency_field | mvexpand currency_field | replace "$" with "","($)" with "-" in currency_field | eval currency_field1=tonumber(replace(currency_field,",","")) | eventstats sum(currency_field1) as Total | eval Total=if(Total>0,"$".tostring(Total,"commas"),"($".tostring(Total*-1,"commas").")") Thanks again! Juan ... View more

Thank you Somesoni! I will try this out. Juan ... View more

Here are three events with 4 fields from the .CSV file: Contract_Date Amount Vendor_Id Contract_Services "Sep 25, 2012","$9,843.00","CN99999","CS SERVICES" "Sep 25, 2012","$4,631.16","CN99999","CS SERVICES" "Sep 25, 2012","($2,479.99)","CN99999","CS SERVICES" The Grand Total would be the sum of "Amount" field = 11,994.17 ... View more

I found the following: Prior to 1972, this time was called Greenwich Mean Time (GMT) but is now referred to as Coordinated Universal Time or Universal Time Coordinated (UTC) I found this link to do the conversion: http://www.freeformatter.com/epoch-timestamp-to-date-converter.html For GMT: Thu, 31 Dec 2009 23:59:59 1262239200 For Local: 12/31/2009 23:59:59 gives 1262325599 How do you know which one to use? The other question is, since I am getting a variable named: "BEGIN DATE", how do I create an alias or rename it to: "begin_date"? Thanks! JK ... View more

Thanks! JK ... View more

eventtype=FAS |eval begin_month = strftime(strptime('BEGIN DATE',"%m/%d/%Y") ,"%m")|eval begin_Year = strftime(strptime('BEGIN DATE',"%m/%d/%Y") ,"%Y")|where begin_Year > 2009 OR (begin_Year = 2009 AND begin_month>8) ... View more

I tried: eventtype=FAS | rex "BEGIN DATE = (? \d+)/(? \d+)/(? \d+)" | where year>2009 OR (year=2009 AND month>8) but could not get any results. I am still curious as to why it didn't work. Then I took another route: eventtype=FAS |eval begin_month = strftime(strptime('BEGIN DATE',"%m/%d/%Y") ,"%m")|eval begin_Year = strftime(strptime('BEGIN DATE',"%m/%d/%Y") ,"%Y")|where begin_Year > 2009 OR (begin_Year = 2009 AND begin_month>8) Thank you for your comments! JK ... View more

The raw data looks like this: BEGIN DATE = 12/31/2009 (please note the space between BEGIN DATE) I tried the following and showed no syntax errors but did not get any results from the query. What am I missing? eventtype=FAS | eval 'BEGIN DATE'="(? \d+)/(? \d+)/(? \d+)" | where year>2009 OR (year=2009 AND month>8) ... View more

Iguinn, What alternatives are there to using "eventtype" if I cannot create one with the results of this query? Eventtype search string cannot be a search pipeline or contain a subsearch. Thanks! JK ... View more

martin_mueller, How do you extract the day, month and year as individual fields? Would you please provide an example? Thanks, JK ... View more