Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About randymoore
randymoore
Explorer
Member since:
06-30-2014
06-05-2020
Community Statistics
| Posts | 10 |
| Solutions | 1 |
| Karma Given | 9 |
| Karma Received | 1 |
| Member Since | 06-30-2014 |
Activity Feed
- Karma Re: How to use eventstats to get the max value after using timechart? for somesoni2. 06-05-2020 12:48 AM
- Karma Dealing with multiple fields from different sourcetype that have the same name for Kavey. 06-05-2020 12:48 AM
- Karma Re: How can we exclude weekends from the count of the number of days for the age of a ticket? for sundareshr. 06-05-2020 12:48 AM
- Karma Re: Display phone number value without commas? for gyslainlatsa. 06-05-2020 12:48 AM
- Got Karma for Re: How to quickly update transaction count on a dashboard?. 06-05-2020 12:48 AM
- Karma Re: How do I create and trigger an alert in real-time if EventA is not followed by EventB within an hour ? for lguinn2. 06-05-2020 12:47 AM
- Karma Re: How to format stats table results as rows of strings without column headers? for acharlieh. 06-05-2020 12:47 AM
- Karma Re: How do I change the time range of a saved search for a panel using a time picker? for joxley. 06-05-2020 12:47 AM
- Karma Can map visualizations' latitude, longitude, and zoom respond and adapt to the resultset returned, or on click of a button for a certain region?? for hylam. 06-05-2020 12:47 AM
- Karma Join a subsearch with the outer search without a common field for smashedpumpkins. 06-05-2020 12:46 AM
- Posted Re: How to edit my stats search to display certain fields based on a resulting value? on Splunk Search. 08-17-2016 12:03 PM
- Posted How to edit my stats search to display certain fields based on a resulting value? on Splunk Search. 08-17-2016 11:09 AM
- Tagged How to edit my stats search to display certain fields based on a resulting value? on Splunk Search. 08-17-2016 11:09 AM
- Tagged How to edit my stats search to display certain fields based on a resulting value? on Splunk Search. 08-17-2016 11:09 AM
- Tagged How to edit my stats search to display certain fields based on a resulting value? on Splunk Search. 08-17-2016 11:09 AM
- Tagged How to edit my stats search to display certain fields based on a resulting value? on Splunk Search. 08-17-2016 11:09 AM
- Tagged How to edit my stats search to display certain fields based on a resulting value? on Splunk Search. 08-17-2016 11:09 AM
- Posted Re: Why is my scheduled Alert not emailing me a CSV file? on Alerting. 07-01-2016 07:10 AM
- Posted Why is my scheduled Alert not emailing me a CSV file? on Alerting. 06-27-2016 10:33 PM
- Tagged Why is my scheduled Alert not emailing me a CSV file? on Alerting. 06-27-2016 10:33 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-17-2016
12:03 PM
That's much closer than what I had going on! Thanks
The only thing is that this is going to be a table on a dashboard panel, and there will only ever be 1 line of data (the latest event) displayed. I don't really want the NOC folks to see a message field unless there is a problem (status!=OK). The reason being is that after time, human nature will just glance up at the panel and will always see a "message" column (even a blank one) and discount it as normal, even if there is data displayed there.
Successful operations should just display 2 columns Status and Rec_Cnt, Message is for when there is an issue.
... View more
08-17-2016
11:09 AM
I have some data that looks like:
Status Rec_Cnt Message
OK 723 File produced 723 records
ERROR 123 Directory does not exist
What I want is for Status = "OK" to only display the Status and Rec_Cnt fields. If the status!="OK" , then I want to display Status, Rec_Cnt and Message
so I tried
| ...base search...
| stats count by Status, Rec_Cnt
| where Status!="OK"
| stats count by Status, Rec_Cnt, Message
Which I didn't expect to work, and it did not. I know it is not that simple, but I am at a loss as to how to get what I am looking for.
Ideas on what I should try next?
... View more
07-01-2016
07:10 AM
The problem was solved by upgrading from 6.3 to 6.4. Everything works like it supposed to now.
... View more
06-27-2016
10:33 PM
Hello,
I'm stuck. I can't get a simple alert against the source=WinEventLog:Security to send me a CSV file. This is on Splunk Enterprise v 6.3
The search that I am trying to do is simple
source=WinEventLog:Security | stats count by host
For this test, I have it set up to run as a cron every 5 minutes, with the checkbox set to create a CSV and email it to myself. It runs as expected. I can view the results in the *Triggered Alerts * and see that it creates 124 lines that look like
host count
XX-APP01 31
XX-APP02 25
etc
However, no CSV is emailed to me.
Looking in python.log, sendemail does not generate an error message
When I change it to send a PDF via email, or show the results in-line via email, the email arrives within 10 seconds of the job running, with the 124 lines displayed. Based on this, I don't believe it is an email issue.
Can't figure out why a simple CSV will not be generated and emailed. What (or where) should I look next? Is there some Splunk config switch that I need to turn on (or off)?
... View more
06-12-2016
11:59 AM
1 Karma
Ran a stress test and using Accelerated Reports worked like I wanted it to. Thanks!
... View more
06-07-2016
09:35 PM
Looking into that next. Will update by the begining of next week hopefully.
... View more
06-07-2016
09:35 PM
Thanks for the pointer to Accelerated Reports. I enabled that for the dashboard panel. I'll time it over the next few days to see if it works as I expect.
... View more
06-07-2016
08:07 AM
Hello everyone,
We have a dashboard that displays the number of transactions for the day, as a single value panel. The search is very simple and easy as each transaction is a separate event in the log:
index=my_index category=transaction | stats count
The dashboard refreshes every 5 minutes. Which means that Splunk recounts them every 5 minutes to come up with the new count. What happens is that during our busy time of the year, the number of transactions arriving exceed 5 minute refresh time it takes Splunk to finish counting them.
What I would love is for Splunk to “remember” the last count of transactions (say it was 7,500,000) and start counting from there. That way, the count is accurate, and the Splunk processing is not as great (hopefully).
I just don’t know how to do that, or if it can be done. Any ideas?
... View more
04-13-2016
10:06 PM
Try this
index=myindex "Entered method XYZ"
| rex max_match=0 "(?P<Method>Entered method XYZ*)"
| eval count=mvcount(Method)
| stats sum(count) as Total by host
... View more
10-06-2015
04:37 PM
Pretty sure the title says it all.
Using Splunk Enterprise, if that makes a difference.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
Karma given to
