Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About w564432
w564432
Explorer
Member since:
08-06-2019
2 weeks ago
Community Statistics
| Posts | 10 |
| Solutions | 1 |
| Karma Given | 4 |
| Karma Received | 0 |
| Member Since | 08-06-2019 |
Activity Feed
- Posted Re: Bulk-deleting expired search jobs on Splunk Search. 2 weeks ago
- Posted Bulk-deleting expired search jobs? on Splunk Search. 11-18-2021 11:19 AM
- Posted Re: Building multisearch dynamically on Splunk Search. 10-01-2021 02:13 PM
- Karma Re: Building multisearch dynamically for PickleRick. 10-01-2021 02:13 PM
- Karma Re: Building multisearch dynamically for PickleRick. 09-28-2021 10:47 AM
- Posted Re: Building multisearch dynamically on Splunk Search. 09-28-2021 10:43 AM
- Posted Building multisearch dynamically on Splunk Search. 09-28-2021 09:51 AM
- Karma Re: How to allow user to enter a value that doesn't exist in a dropdown for mayurr98. 06-05-2020 12:50 AM
- Karma Re: How to allow user to enter a value that doesn't exist in a dropdown for niketn. 06-05-2020 12:50 AM
- Posted How to use a value without including it in search results on Splunk Search. 10-28-2019 02:31 PM
- Tagged How to use a value without including it in search results on Splunk Search. 10-28-2019 02:31 PM
- Tagged How to use a value without including it in search results on Splunk Search. 10-28-2019 02:31 PM
- Tagged How to use a value without including it in search results on Splunk Search. 10-28-2019 02:31 PM
- Tagged How to use a value without including it in search results on Splunk Search. 10-28-2019 02:31 PM
- Tagged How to use a value without including it in search results on Splunk Search. 10-28-2019 02:31 PM
- Posted Re: Display x-axis scale for a field that isn't _time on Splunk Search. 10-24-2019 03:52 PM
- Posted Re: Display x-axis scale for a field that isn't _time on Splunk Search. 10-24-2019 12:45 PM
- Posted Display x-axis scale for a field that isn't _time on Splunk Search. 10-24-2019 08:37 AM
- Tagged Display x-axis scale for a field that isn't _time on Splunk Search. 10-24-2019 08:37 AM
- Tagged Display x-axis scale for a field that isn't _time on Splunk Search. 10-24-2019 08:37 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
Not sure actually, I am actually not the admin of our cluster but I know both of those things (reassign captain, rolling restart) have happened between then and now either due to other issues or updates. Either way it seems to have cleared up some time ago now...
... View more
11-18-2021
11:19 AM
Hello,
We have an application pulling search results from a scheduled search using Splunk API periodically, but encountering an issue where there is an excess of expired jobs (5000+) which are being kept for 1 month+ for some reason. Because the application has to look through each of these jobs it's taking too long and timing out.
We tried deleting the expired jobs through the UI but they keep popping back up/not going away. Some of these now say "Invalid SID" when I try to inspect them. Is there any way we can clear these bulk, preferable without resorting to UI (which only shows 50 at a time)?
... View more
Labels
- Labels:
-
search job inspector
10-01-2021
02:13 PM
I meant to accept your post I replied to as solution, but accidentally hit my reply instead. Can I fix this?
... View more
09-28-2021
10:43 AM
That's wild. I always assumed earliest and latest were static parameters, and nothing in the documentation seems to suggest you can do something like (earliest=X AND latest=Y) OR (earliest=A AND latest=B). Is there some general concept I am missing on how Splunk parses parameters which should make this obvious? Or is it just specific to this one thing? Like you mentioned you lose the series labeling you get for free with multisearch, but you could patch this up with an eval although I'd imagine the performance suffers. But still this is a great, relatively simple solution!
... View more
09-28-2021
09:51 AM
This is mostly just a curiosity, motivated by this post on how to compare a particular time interval across multiple larger time periods. Effectively the solution seems to be to generate a list of time intervals and run map subsearches on each entry. When I have multiple time periods that I'd like to run stats on, I typically use a multisearch command followed by a chart, as follows: | multisearch [ index=potato et=<et1> lt=<lt2> | eval series=1 ]
[ index=potato et=<et2> lt=<lt2> |eval series=2 ]
.
.
.
[ index=potato et=<etn> lt=<ltn> | eval series=n ]
| timechart count by series I suppose you could make it work by substituting the et's and lt's via subsearch, but it won't work if the number of time intervals, n, is also dynamically generated by some prior search. I know you can use a number of different techniques, but they all have different drawbacks. You could use map, which offers pretty much all the flexibility/dynamic-ness you need (I've abused it plenty of times doing things like map search=`searchstring($searchstring$)` ), but there are performance issues with this as subsearches can time out as it doesn't offer the same optimization as multisearch does when you just need to string multiple streams together. You can just search the entire timerange and use some eval logic to filter out the time intervals you need, but isn't this suboptimal since you're searching more events than you need? Multisearch seems to be great at streaming multiple different time intervals together and I'd love to have that optimization without At this point, would you just have to resort to REST to schedule searches? How would we tie the data together? I'm not very familiar with what is possible with REST as all of my experience is with just plain SPL. In a word, how do we stream events across multiple, dynamically generated time intervals without running into subsearch limitations?
... View more
Labels
- Labels:
-
timechart
10-28-2019
02:31 PM
I am running a map command off of an initial search. The map ends with a sendemail command which sends a table of results.
I would like to send a message that computes totals and other stats on this table -- however, I would not like to include this data as a totals row the table/search results, only in the message.
In other words, the whole email would look something like:
Subject: Alert condition triggered
Sum(Field 1) of type X results: 524
Table of results
-----------------------------------------------
| Field 1 | Field 2 | ...
...
...
...
I know this can be done by running yet another subsearch for the "message" parameter in Splunk. However, this means I'm effectively running the same search twice... when performance-wise it would be better to just run the stats off of the table after it is generated. I know how to implement this in a dashboard with base searches, but I would like to know how to do this in 1 search. I think the problem is that there is no "scope" outside of the search results to which I can write a variable. I can think of a clunky solution using lookup/outputlookup.
Is there some way to maybe pipe the table into a separate subsearch that generates a variable/token but does not actually append to the main search?
... View more
10-24-2019
03:52 PM
Sorry I was unclear. Basically,
Yes, I am charting by 5m over day, which results in a multi-time series timechart, which is a standard 5m timechart with several lines, each representing 1 particular day. It's not that I want then to bin by hours, but rather have the x-axis show just the hourly tick marks (or anything that would fit on the screen, really... better than being absolutely blank).
What happens is that the x-axis will try to display all 288 bins. Visualization using "timechart" handles this by displaying less frequent time intervals (obviously it isn't always hours, but in my case it likely will be). Visualization using "chart" just straight up refuses to display the x-axis bins altogether since there's no room (unless you zoom).
I am wondering if I can do this without using the timechart command, since because of the hacky way I'm using, every point in the time series needs to conform to 1 day (1971-1-1) which is not so pretty.
... View more
10-24-2019
12:45 PM
I tried that as well. It seems to break the visualization though...
... View more
10-24-2019
08:37 AM
Hi guys, I am trying to chart multiple days on the same line chart, kind of like in this example (https://docs.splunk.com/Documentation/Splunk/7.3.2/Search/Comparehourlysumsmultipledays) . However I am plotting 5m intervals and not hours like in the example above:
... | bin span = 5m _time | eval clock=strftime(_time,"%H:%M:%S") | chart avg(Total_ct) by clock,day
However, the x-axis labels aren't showing up because there are too many (288 of them). What I want is to have 5m data (and thus 288 intervals over the whole day) but still be able to see some labels on the x-axis. This is what Splunk is trying to show and failing, because of the pixel limit:
[ 00:00 00:05 00:10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23:55 ]
I would be okay if the x-axis looked like the following:
[ 0 1 . . . . . 23]
Note: it doesn't have to be an hourly interval, I just want some kind of labels to show up on the x-axis. As it is now, there are no labels and its really hard to tell at a glance what the times are unless I mouse over.
I did find a hacky way to get leverage the smart time-scaling display using timechart while also keeping the "chart by time over day" effect. This actually gives me an hourly scale with all 5m time interval data, but when I mouse over each point I see "1971-01-01" on each time (I basically converted all the days into one ridiculous day so I could overlay them).
... | eval clock=strftime(_time,"%H:%M:%S")
| eval reclock="1971-01-01"." ".'clock'
| eval day=strftime(_time,"%D")
| eval _time=strptime(reclock, "%Y-%m-%d %H:%M:%S")
| timechart span=5m cont=f avg(Total_ct) by day limit=0
Is there some way I can have my cake and eat it too?
... View more
08-06-2019
09:45 AM
I have a dropdown that reads from a lookup but would like to allow the user to enter in a value that doesn't exist in the dropdown. Is this possible?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
