Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About _jgpm_
_jgpm_
Communicator
Member since:
11-02-2016
06-05-2020
Community Statistics
| Posts | 46 |
| Solutions | 0 |
| Karma Given | 90 |
| Karma Received | 4 |
| Member Since | 11-02-2016 |
Activity Feed
- Karma Too many distinct values for categorical feature in the Machine Learning Toolkit for jthairu_splunk. 06-05-2020 12:49 AM
- Karma Re: MLTK v2.4 returning max 1000 results and max_memory_usage_mb/max_model_size_mb options cause errors for yangzd. 06-05-2020 12:49 AM
- Karma Re: Why is trim not working when the field has "#"? for Flynt. 06-05-2020 12:48 AM
- Karma Where can I find a list of parameters for the PDFgen endpoint? for JohannLiebert92. 06-05-2020 12:48 AM
- Karma Re: Where can I find a list of parameters for the PDFgen endpoint? for JohannLiebert92. 06-05-2020 12:48 AM
- Karma Re: Why does coalesce command work in one calculated field search but not another? for martin_mueller. 06-05-2020 12:48 AM
- Karma Re: How can I remove a "tag=error" that mysteriously showed up? for mattymo. 06-05-2020 12:48 AM
- Karma Re: Why does error "Failed to load source for JointJS Diagram visualization" always show when choosing the JointJS visualization? for slapie_splunk. 06-05-2020 12:48 AM
- Karma Re: How to compare two columns from two searches and display the values that only exist in the 2nd column? for btd0000. 06-05-2020 12:48 AM
- Karma Re: Why is my universal forwarder not respecting my limits.conf config? for MuS. 06-05-2020 12:48 AM
- Karma Re: how to filter out columns in a chart after using a lookup and addtotals for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Should I use root events, root transactions, or root searches to set up my data model? for lguinn2. 06-05-2020 12:48 AM
- Karma Re: How to create a text input box in a dashboard that populates to all panels? for jkat54. 06-05-2020 12:48 AM
- Karma Re: how to append only two adjacent columns in a table? for sundareshr. 06-05-2020 12:48 AM
- Karma streamstats: reset_after function didn't work,[streamstats]: reset_after doesn't works for audherma. 06-05-2020 12:48 AM
- Karma Re: Different users see different version of same dashboard in Splunk for rjthibod. 06-05-2020 12:48 AM
- Karma Re: rex not finding the end of a string and the same rex works in other applications for woodcock. 06-05-2020 12:48 AM
- Karma Re: rex not finding the end of a string and the same rex works in other applications for koshyk. 06-05-2020 12:48 AM
- Karma Re: How to use mvfilter to get list of data that contain less and only less than the specific data? for somesoni2. 06-05-2020 12:48 AM
- Karma Re: can i pass a subsearch argument as a greater than relationship? for DalJeanis. 06-05-2020 12:48 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-23-2017
02:03 PM
Thanks! I'm still on v2.4 which is why I was linking to that. I don't know how I missed that part about mlspl.conf, I guess it was late in the day and I was rushing. I haven't tried it yet so I don't know if will solve my problem. I asked the question because I know sort is limited to 10k results unless you add the "0" option. I thought there was something similar. I don't think it would be a null value causing the drops because it would be highly unlikely that 5209 events drops to exactly 1000...but I could be wrong. That one is actually easy to test and doesn't require restarting splunk...
so I added
...| eval countNull=0 | foreach * [eval countNull=if(isnull('<<FIELD>>'), countNull +1, countNull) ]
To the main search script and countNull showed up as 0 for every single event. To validate that the spl works, I tried something that I know would work:
...| eval countNull=0 | foreach * [eval countNull=if(match('<<FIELD>>', "\d+"), countNull +1, countNull) ]
and countNull jumped up to something like ~40 for each event. So I don't think there are any null values. I did a quick visual scan too and I didn't find any but it wasn't exhaustive.
... View more
10-20-2017
05:12 PM
according to: http://docs.splunk.com/Documentation/MLApp/2.4.0/User/Configurefitandapply and http://docs.splunk.com/Documentation/MLApp/2.4.0/User/Customsearchcommands the fit command is supposed to be used like:
fit <algorithm> (<option_name>=<option_value>)* (<algorithm-arg>)+ (into <model_name>)? (as <output_field>)?
My SPL is:
fit RandomForestClassifier max_memory_usage_mb=10000 max_model_size_mb=500 "targetField" from "dataField1"...
and I get this error:
Error in 'fit' command: Error while initializing algorithm "RandomForestClassifier": Unexpected parameter: max_model_size_mb
The real problem is that I'm getting only 1000 results returned from 5200+ events. I want to get all events back. Can someone help me get all the results? Thanks.
... View more
10-19-2017
09:05 AM
https://answers.splunk.com/answers/370008/is-it-possible-to-turn-a-multivalued-field-with-an.html
... View more
10-19-2017
09:04 AM
Very powerful transaction. This should be a native command.
... View more
10-17-2017
10:08 AM
correction, your pwd has to be 'SPLUNKHOME/etc/apps/sentiment/bin' for it to work without errors.
... View more
10-17-2017
09:55 AM
this is an answer a long time coming, but you have to point to the right "train".
python has to be declared in the location SPLUNKHOME/bin/python
train has to be declared in the location SPLUNKHOME/etc/apps/sentiment/bin/train.py
demo has to be declared in the location SPLUNKHOME/etc/apps/sentiment/training_data/demo
model name has to be declared as lowercase "demo"
Then it works. It should look something like this:
Training Directory: SPLUNKHOME/etc/apps/sentiment/training_data/demo/train
names = ['SPLUNKHOME/etc/apps/sentiment/training_data/demo/train/-1.txt', SPLUNKHOME/etc/apps/sentiment/training_data/demo/train/1.txt']
+++++4k
++++len data = 9501
corpdir = 'SPLUNKHOME/etc/apps/sentiment/training_data/demo/train'
loaded 9501 reviews from SPLUNKHOME/etc/apps/sentiment/training_data/demo/train
Original Token Count: 5876
After removing rare: 5493
After removing weakly correlated: 156
...
... View more
10-04-2017
12:44 PM
1 Karma
The way I speed up my dashboard results is by creating an intermediate csv.
[ Long tedious search ] --> | outputcsv csvname.csv --> Dashboard source "... <search> <query> | inputcsv csvname.csv ..."
Loading a csv is near instantaneous.
... View more
09-26-2017
02:12 PM
The auto-help on contingency told me that you add "usetotals=F" as the last option will get rid of the TOTALS row.
... View more
08-22-2017
04:49 PM
Is there a way to delete the CRCs of the previous indexing activity? I deleted the index and the data input and basically tried to start over but my files won't index again.
... View more
03-09-2017
11:46 AM
when I run anomalydetection probable_cause for me is the name of the field that is the outlier.
I'm trying to understand probable_cause_freq, max_freq, and log_Event_prob. The first 2 are [0,1] but the last one is [-21,11] and I can't find detailed documentation on the topic. I've only found \detectinganomalies and the MLTKcheatsheet.
My query is:
|inputcsv test.csv | anomalydetection "STD_A" "STD_B" action=annotate
Thank you!
... View more
03-06-2017
10:58 AM
worked as well. I reduced it to this
(?ms)(\x{F0B7})?(?P<encode2>[A-Z][^\.]*\.)[\x22”]? (?P<decode2>[A-Z].+)
which worked. Bonus points for showing me how to use inline regex flags within the expression.
... View more
03-06-2017
10:57 AM
worked with the fewest changes.
... View more
03-04-2017
12:41 PM
I'm on 6.4.3. I'm trying to template a text parser in Splunk that will basically delimit sentences in many different use cases. If there is a better way of doing this, please let me know.
As far as I can tell, this is a rex issue specific to Splunk. I use regex101.com to proof my regex before using them in Splunk. This works almost 100% of the time. Here is one of the edge cases that I can't figure out.
This is the _raw:
Wi-Fi delivery to cars remains a major target application for European car makers, in spite of the regulatory challenges in Europe.
Xxxxx Xxxxxx was demonstrating its solution already available in 400,000 Xxxx vehicles shipped in Europe. Among other applications:
This is the rex expression:
| rex field=_raw "(\x{F0B7} )?(?P<encode>[A-Z].+?[.])[\x22”]?[ ](?P<decode>[A-Z].+)" |
This is encode:
Wi-Fi delivery to cars remains a major target application for European car makers, in spite of the regulatory challenges in Europe.
This is decode:
Xxxxx Xxxxxx was demonstrating its solution already available in 400,000 Xxxx vehicles shipped in Europe.
I can't get the last Among other applications: to appear in decode. I've tried adding $, replacing the .+ with explicit characters. Almost all attempts result in encode capturing the whole _raw and decode being null.
I don't want to just drop the last bit of text, I want to capture 'em all. Can someone help me out with the regex before I pull out my hair?
Thanks.
... View more
02-28-2017
03:54 PM
I actually didn't use epoch time and after careful review of the results, I didn't lose any events. I don't use the _time field so that may have something to do with it.
... View more
02-20-2017
12:01 PM
On a small test dataset (~1M events) I went from 115 seconds to 82 seconds. That's not bad. Thanks @DalJeanis!
... View more
02-17-2017
03:27 PM
I haven't run your code because I'm trying to practice just reading it. I haven't used makeresults yet. I usually just "|stats count as $rename$" and then eval what I want to rename. So you use table instead of "fields - "?
I like the way you did it with format and rex/sed. I do think there is some optimization here but it's a don't-care since the operations take so little time.
If this works, you are saving me from a
index=* | DateStart="12/14/2016" AND TimeStart>"1:38:27 PM" AND TimeEnd<"1:38:27 PM"
to a
index=* DateStart="12/14/2016" AND TimeStart>"1:38:27 PM" AND TimeEnd<"1:38:27 PM"
which could be huge.
Internet upvote for you sir. I will test this over the weekend.
... View more
02-17-2017
03:02 PM
am I missing your close bracket? I didn't run it, but I don't see it.
... View more
02-17-2017
01:37 PM
I've looked into format and it doesn't look like I can replace the "=".
I want to change
( ( DateStart="12/14/2016" AND TimeEnd="1:38:27 PM" AND TimeStart="1:38:27 PM" ) )
to
( ( DateStart="12/14/2016" AND TimeEnd<"1:38:27 PM" AND TimeStart>"1:38:20 PM" ) )
Thanks in advance for any suggestions on how to fix this.
I'm on 6.4.3.
... View more
02-17-2017
01:19 PM
I did something very similar to this but my concept was based on 2 dropdowns. The first one does a
|inputcsv foo.csv
and then the user selects the value where the fieldlabel/fieldvalue gets assigned to the token $test
the next dropdown does
|inputcsv foo2.csv | search tag="$test$"
which then filters down foo2.csv to only show the tags related to the value selected in the dropdown. The selection sets the token $Choice. This works fine.
I wasn't able to make a third dropdown work.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
