×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bonnlbbelandres
Path Finder
Member since: ‎11-24-2016
‎06-05-2020
Community Statistics
Posts 14
Solutions 2
Karma Given 2
Karma Received 1
Member Since ‎11-24-2016
Activity Feed
View All

Re: Can you alert for if a field value is changed ...

by in Alerting
‎01-08-2019 08:26 PM
‎01-08-2019 08:26 PM
ohh yes I forgot to remove the >=0 here is the correct code, (base search) server_name=dfw* earliest=-1h@h | search EventCode="60001" OR EventCode="60002" | transaction server_name| eval EventCode = mvdedup(EventCode) | eval back_to_normal = if(mvfind(EventCode,"60001") > mvfind(EventCode,"60002") ,"true","false") | where back_to_normal = "true" ... View more

Re: Why Splunk can't index very large csv files

by in Getting Data In
‎08-02-2017 07:35 AM
2 Karma
‎08-02-2017 07:35 AM
2 Karma
My suspicion is that you have a malformed CSV (missing/extra commans, merged lines, etc.). How are you sending this CSV to Splunk? Why are you not using it as a lookup instead (how often does it change)? ... View more

Re: How to extract part of a text from log events?

by in Splunk Search
‎08-02-2017 07:36 AM
‎08-02-2017 07:36 AM
Thank you. I will look into it. ... View more

Re: How to add Boolean operators on lookup files?

by in Splunk Dev
‎04-04-2017 11:04 AM
‎04-04-2017 11:04 AM
I suspect that a custom function -- whether in Python or another high-level language -- would meet your loong-term needs better than attempting to build a lookup-based assignment of category. My estimate here is based largely on the fact that you say you will use both AND and OR, depending on the category, any my observation that record processing order in splunk is not guaranteed under many circumstances. The caution I would have to underling here is that not everything which CAN be done, SHOULD be done. It might be technically feasible to write something like you request, for example, woodcock's KVstore suggestion could work. However, the order of magnitude of such a solution can rapidly get out of hand. The optimal case for this is going to n log n, but I'd expect most programmers who are posting a question like this would end up with an implementation that is less than optimal, possibly exponential. (ie, twice as many records generate four or more times as many operations. On the other hand, a custom function would be much more testable in terms of its operation, and take up a more-or-less a straight-line order of magnitude (with roughly n log n for the number of categories) on the lookup, which is the best you can hope for. ... View more

Re: In a dashboard, is it possible to permanently ...

by in Dashboards & Visualizations
‎11-29-2016 08:54 AM
‎11-29-2016 08:54 AM
Hi, thanks for your reply. But i don't think it's the answer i am looking for. I needed a feature that would retain the the "count indicator (in black)" once you hover your cursor pointer on the charts in the dashboard. ... View more

Re: eval if clarification

by in Splunk Search
‎11-24-2016 09:13 AM
1 Karma
‎11-24-2016 09:13 AM
1 Karma
Yes you can do that similar to my example below: In my example below, abc is the new variable I create. processState is another variable which will have active or ft , on which I am checking for status. Based on active status, I use another variable cpuUsage which will have more than one kind of value and get assigned to abc . If status is not active then I put "NA" |eval abc=if(processState="active", cpuUsage, "NA") So similarly you can make your own case which should work fine. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to
View All