cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
cyvi01
Path Finder
Member since: ‎08-08-2019
‎05-28-2024
Community Statistics
Posts 14
Solutions 2
Karma Given 0
Karma Received 0
Member Since ‎08-08-2019
Activity Feed
View All

Re: What is the splunk search query to find oldest...

by in Splunk Search
‎11-15-2022 03:14 AM
‎11-15-2022 03:14 AM
| tstats earliest(_time) AS _time WHERE index=bla is enough ... View more

Re: How do you find the earliest event in an index...

by in Splunk Search
‎11-15-2022 02:50 AM
‎11-15-2022 02:50 AM
| stats earliest(_time) AS Earliest_Time | eval Earliest_Time=strftime(Earliest_Time,"%Y-%m-%d %H:%M:%S") can be replaced by a simple  | stats earliest(_time) AS _time Splunk formats _time by default which allows you to avoid having to reformat the display of another field dedicated to time display. ... View more

Re: EVAL tag in simple XML with replace regular ex...

by in Dashboards & Visualizations
‎11-10-2022 04:00 PM
‎11-10-2022 04:00 PM
Thank you as your point is not the solution but helped me a lot to know what to do : <eval token="exclude_uri">"cs_uri_sterm!=\"".replace($exclude$,"\\s+","\" cs_uri_sterm!=\"")."\""</eval>   It looks like that empty (which is perfect). or like that if filled :  ... View more

EVAL tag in simple XML with replace regular expres...

by in Dashboards & Visualizations
‎11-10-2022 06:41 AM
‎11-10-2022 06:41 AM
Hi, I´m facing a problem. I´m trying to solve my current issue via 2 different approaches but i´m unfortunately unable to complete any of these solutions. I´m trying to provide a dashboard with a form whose some of the fields to fill should allow users to sort data using multiple inclusions or exclusions to fit what each and every team works with. Solution 1 : By using an EVAL tag in the XML code  and use the variable in the main basesearch like "index=test $exclude_uri$ | stats count BY cs_uri_sterm" I tried something like and use a panel to display the result :     <form> <fieldset submitButton="true"> <input type="text" token="exclude" searchWhenChanged="true"> <default></default> <change> <eval token="exclude_uri">replace(replace(trim(exclude), "\\s+", " "), "(\\S+)", "cs_uri_sterm!=\"\1\"")</eval> </change> </input> </fieldset> <row> <panel> <html> <p>Token:<b>$exclude_uri$</b></p> </html> </panel> </row> </form>     However i´m facing several issues : - for some reasons multiple whitespaces are removed by default even though i decide to remove the replace and trim functions dedicated to that. Why ? - \1 does not seem to be recognized. For some reasons a lot of people do not need \\ but it seems like i need them but this does not work for \\1 anyway, only for \s+ and \S+. Any reason ? How can i make this work ?   On the other side, it does work if i implement the same in a makeresults test search as follows :     | makeresults | eval exclude="/assets/* /api/* " | eval exclude_uri=replace(replace(trim(exclude), "(\S+)", "cs_uri_sterm!=\"\1\""), "\s+", " ")     providing :     _time exclude exclude_uri 2022-11-10 15:21:17 /assets/* /api/* cs_uri_sterm!="/assets/*" cs_uri_sterm!="/api/*"     Why is it different ? Solution 2 : Use a Makeresults like above and use the output of it as a direct filter in my basesearch I tried that but im not able to find a proper solution :     index=test [ | makeresults | eval | eval exclude_uri=replace(replace(trim($exclude$), "(\S+)", "cs_uri_sterm!=\"\1\""), "\s+", " ") | table exclude_uri ]     I should get something like index=test cs_uri_sterm!="/assets/*" cs_uri_sterm!="/api/*" if the user filled "/assets/* /api/*" in the form text input. I have also tried the same with a MV field.      index=text [ | makeresults | eval exclude_uri=replace(replace(trim($exclude$), "(\S+)", "cs_uri_sterm!=\"\1\""), "\s+", " ") | makemv delim=" " exclude_uri | mvexpand exclude_uri | table exclude_uri ]     Nothing works. Spent few hours trying to look at solutions. Even tried to see if i could use something like search ... IN or where something. Any advice ? I really need this. Javascript may be my solution, i don´t know. Kind of stuck here. ... View more
Labels

How to automatically create services in ITSI with ...

by in Splunk ITSI
‎08-08-2019 08:12 AM
‎08-08-2019 08:12 AM
Hello, Let me describe what i´m trying to do. I have a base search with multiple KPIs to monitor K8S pods and clusters. I have also 2 CSV import searches : - One to create the pods entities with additional info field with format cluster_name#metadata.namespace. index=payment_k8s sourcetype="kube:objects:pods" | rename metadata.name AS pod, metadata.namespace AS namespace | eval entity = cluster_name."#".namespace | fields pod entity One for the list of services to be created. index=payment_k8s sourcetype="kube:objects:namespaces" status.phase="Active" | rename metadata.name as namespace | eval entity=cluster_name."#".namespace, ServiceTemplate="PAY:K8S", env=if(cluster_name="payment_bma","bg","ge"), ServiceTitle="PAY.".upper(env).".K8S.".namespace | stats latest(metadata.requestResourceVersion) by ServiceTemplate,ServiceTitle,entity,env I have manually created a service and based on this service i created a service template named PAY:K8S. Each service should represent a K8S namespace. The entities in these services will be the pods belonging to the respective namespace. In each service, i should have an Entity Rule like |Info| entity matches cluster_name#namespace (which is the "entity" field in the base search and in the first CSV Import search above). I do not want to edit the match manually because i want to create the services automatically without having to go into every single service to update this Entity Rule. How can i do that ? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎05-28-2024 08:31 AM