Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About christianhuber
christianhuber
Path Finder
Member since:
12-12-2016
06-25-2020
Community Statistics
| Posts | 16 |
| Solutions | 0 |
| Karma Given | 36 |
| Karma Received | 5 |
| Member Since | 12-12-2016 |
Activity Feed
- Karma Re: what happens if license volume limit is exceeded? for nilbak1. 06-05-2020 12:50 AM
- Got Karma for Re: Sort results down to the millisecond. 06-05-2020 12:50 AM
- Karma Re: monitor - File& directories - file is not getting updated on recent changes for nickhills. 06-05-2020 12:49 AM
- Karma Re: How to index full json data and automatically extract fields without using field extraction for nickhills. 06-05-2020 12:49 AM
- Karma How to sort on single value in trellis? for timmym123. 06-05-2020 12:49 AM
- Karma Re: How do I filter my search using inputlookup with a CSV file? for javiergn. 06-05-2020 12:48 AM
- Karma Re: Eval If Statement for dwaddle. 06-05-2020 12:48 AM
- Karma Re: transaction that ends if a certain value changes for cmerriman. 06-05-2020 12:48 AM
- Karma Re: Pick colours for certain value for niketn. 06-05-2020 12:48 AM
- Karma Re: Pick colours for certain value for cmeerbeek. 06-05-2020 12:48 AM
- Karma Comparison between Future date and current date for dsiob. 06-05-2020 12:48 AM
- Karma Re: How to run multiple universal forwarders on a single Linux host? for mattymo. 06-05-2020 12:48 AM
- Karma Is there a way to resolve multiple incidents at once in Alert Manager? for gbhaghavatula. 06-05-2020 12:48 AM
- Karma Re: After installing Splunk Add-on Builder, why do I receive error "Unable to initialize modular input "validation_mi""? for BainM. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a way to resolve multiple incidents at once in Alert Manager?. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a way to resolve multiple incidents at once in Alert Manager?. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a way to resolve multiple incidents at once in Alert Manager?. 06-05-2020 12:48 AM
- Got Karma for Re: Is there a way to resolve multiple incidents at once in Alert Manager?. 06-05-2020 12:48 AM
- Karma Re: How to add upper and lower boundaries to a sparkline? for Dohrendorf_Cons. 06-05-2020 12:47 AM
- Karma How to prevent URL encoding of an external field in my Simple XML dashboard drilldown? for alaztiest. 06-05-2020 12:47 AM
Topics I've Started
10-18-2018
08:13 AM
1 Karma
theoreticaly you just could create a new field out your timestamp and sort your events after that field
2018-10-17 17:53:42.8332 -> 201810171753428332
2018-10-17 17:53:42.8215 -> 201810171753428215
2018-10-17 17:53:42.8198 -> 201810171753428198
the _time field will not support miliseconds.
| sort _time, your_new_field
... View more
10-12-2018
04:02 AM
how do you delete the data in splunk ? (step 2)
with crcSalt = , splunk remembers the file name, so if you like to reindex that file, take another filename (e.g. filename_v2).
What is the exacte use case why you need to reindex this files ? maybe with a better understandig I can provide you some ideas how to solve your problem.
... View more
10-12-2018
03:56 AM
which version do you look at ?
... View more
12-12-2017
12:22 AM
Hi,
I'am aware of the date format, the translation to epoch time is desired, input date contains various time formats and converting it to epoch has some nice advanteges as you get a integer value and can easily calculate.
Unfortunatly the column name is defined and i can't just give them another name.
thanks for your reply
... View more
12-11-2017
07:39 AM
Hi Guys
context:
i want a table grouped by region, count per region and quarter in a table
for example
Region, Cases 02/2017, Cases 01/2017
1, 200456, 30489
2, 3208342, 9123123
search (label_q1 and label_q2 are created at runtime in my_nasty_search and containing the label for the last quarters):
my_nasty_search
| stats first(label_q1) as label_q1, first(label_q2) as label_q2, sum(total1) as total1, sum(total2) as total2, count(region) as count_region by region
| eval Cases {label_q1} = total1
| eval Cases {label_q2} = total2
This gives me as an result a table with the following columns
Region, count_region, label_q1, label_q2, total1, total2, Cases Q1/2017, Cases Q2/2017
which is absolutly okay, but i prefer to have the last two columns sorte by my predefined order (Q2/2017; Q1/2017;Q4/2016 ... ) but all new fields get arange by splunk. Because of the variable columnname i can't just resort them with the fields command, as fields doesn't accept variable column names.
I am happy for any suggestions, also if looking at the context I'am just on the wrong path.
Thx
Christian
... View more
08-04-2017
01:00 AM
Hi,
try to see at the documentation http://docs.splunk.com/Documentation/Splunk/6.6.2/Data/Configureeventlinebreaking. I use for my json sources the following configuration.
[source::json_input]
KV_MODE = json
TRUNCATE = 0
BREAK_ONLY_BEFORE_DATE = false
LINE_BREAKER = **** your Line_Breaker ****
According to the Documentation this is not really correct, as it says with should_linemerge=true (which is default, so you don't have to add it) you should use BREAK_ONLY_BEFORE instead of LINE_BREAKER. Anyway for me it works. With the configuration above.
The Truncate is only to asure that splunk doesn't truncate larger json arrays.
... View more
08-04-2017
12:41 AM
Hi
i use this usually to close all open tickets after the testing period to start with a clean sheet. If you plan to regulary close the incidents you should probably work with the auto resolve options. You see this options when you configure a Alert Manager trigger.
or the dirty way you just schedule the search above to run at a specific interval of your choice.
Christian
... View more
08-03-2017
06:53 AM
assuming you want to break before "id": try this
LINE_BREAKER=\{\s+\"id\"\:
And maybe try to start first without the SEDCMD-remove_prefix and SEDCMD-remove_suffix.
... View more
08-03-2017
06:39 AM
4 Karma
Hi,
I am not sure if this is the solution to your problem but i close my incidents with this command.
index=alerts | table _time incident_id | dedup incident_id | modifyincidents status="Resolved" comment="autoclose"
it may take a moment uppon how many open incidents you have.
... View more
07-07-2017
07:09 AM
thank you. my post bellow was submitted at the same time. This worked for me.
... View more
07-07-2017
07:06 AM
okay I solved the problem by using the following code, unser if this what you should to in css. But it worked for me.
<html>
<style>
.ccat-Not.running{
fill: rgb(255,0,0) !important;
stroke: rgb(255,0,0);
}
.ccat-Running{
fill: rgb(0,255,0) !important;
stroke: rgb(0,255,0);
}
</style>
</html>
... View more
07-07-2017
06:58 AM
I'am having the same issue. But the fill option is ignored. The stroke color works perfect but not the fill.
It still takes the element.style fill color. Any Idea ?
... View more
07-07-2017
12:54 AM
I will try this, a give feedback. At the first glance it looks pretty good for me.
... View more
07-07-2017
12:54 AM
Hi,
Thanks but I think the problem will resists as, the maxpause is still making sure that after 140s no event receives, a new transaction is started.
... View more
07-05-2017
05:33 AM
Hi all,
I'am sure there was already someone that had this problem and there is probably a answer right in front of me. But with all the effort reading trough splunk answer I couldn't find a proper solution.
My Log file:
12:00:00 name=SENSOR1 value=true
12:02:00 name=SENSOR1 value=true
12:03:00 name=SENSOR1 value=true
12:04:00 name=SENSOR1 value=false
12:05:00 name=SENSOR1 value=false
12:10:00 name=SENSOR1 value=false
12:11:00 name=SENSOR1 value=true
12:12:00 name=SENSOR1 value=true
12:13:00 name=SENSOR1 value=true
12:14:00 name=SENSOR1 value=true
12:15:00 name=SENSOR1 value=false
What I would like to have as e result:
12:00:00 name=SENSOR1 value=true duration=240
12:04:00 name=SENSOR1 value=false duration=420
12:11:00 name=SENSOR1 value=true duration=240
My Current Search :
value=true | transaction value, name maxpause=140s |append [search value=false | transcation value, name maxpause=140s]
Which gives me
12:00:00 name=SENSOR1 value=true duration=180
12:04:00 name=SENSOR1 value=false duration=60
12:10:00 name=SENSOR1 value=false duration=0
12:11:00 name=SENSOR1 value=true duration=180
So I know the Problem I have is the maxpause, how can I handle that problem ? If I'am increasing the maxpause it will combine events that shouldn't be together. But I still would like to have one event for as this is in my case one transaction, and it's possible that a sensor doesn't send regularly a status value.
any help or link to a already answered question would be nice
Christian
... View more
06-14-2017
06:23 AM
I downvoted this post because there is a newer and better answer
... View more
