Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About twh1
twh1
Communicator
Member since:
12-14-2016
06-05-2020
Community Statistics
| Posts | 80 |
| Solutions | 6 |
| Karma Given | 12 |
| Karma Received | 2 |
| Member Since | 12-14-2016 |
Activity Feed
- Karma [BUG] Why SPLUNK Dashboard export PDF resolves Tokens but Scheduled PDF does not for arayapati83. 06-05-2020 12:49 AM
- Karma Re: User a token with where and like for tiagofbmm. 06-05-2020 12:49 AM
- Karma Re: How do you change the cell color based on partial value? for mayurr98. 06-05-2020 12:49 AM
- Karma Add yesterday's date to scheduled report email subject for cnicholls. 06-05-2020 12:48 AM
- Karma Re: Display Date on Dashboard panel for niketn. 06-05-2020 12:48 AM
- Got Karma for What is the difference between a Pivot and a report?. 06-05-2020 12:48 AM
- Got Karma for How to track the editing history of a dashboard?. 06-05-2020 12:48 AM
- Karma Re: Field Extraction from space-aligned fields in multi-line events for landen99. 06-05-2020 12:47 AM
- Karma Re: single search multiple table in splunk? for MoorthyRajendra. 06-05-2020 12:47 AM
- Karma How to collect Apache logs in Splunk without a forwarder? for sloshburch. 06-05-2020 12:47 AM
- Karma Re: Compare a date field with current date for reed_kelly. 06-05-2020 12:46 AM
- Karma Re: Merge two fields into one field for lguinn2. 06-05-2020 12:46 AM
- Karma Re: limit timechart average values to two places for martin_mueller. 06-05-2020 12:46 AM
- Karma Re: Show result of multiple queries as rows of single Table (one query=one row) for somesoni2. 06-05-2020 12:46 AM
- Posted Re: Matching value from two multi-value field on Splunk Enterprise Security. 04-02-2020 01:04 AM
- Posted Matching value from two multi-value field on Splunk Enterprise Security. 04-01-2020 11:21 PM
- Posted How to control Report time range on Splunk Enterprise Security. 02-18-2020 10:53 PM
- Tagged How to control Report time range on Splunk Enterprise Security. 02-18-2020 10:53 PM
- Posted Accessing Saved Report output in json from Splunk Rest API on Getting Data In. 11-10-2019 09:29 PM
- Posted Re: Not able to generate timechart from a multivalue field on Splunk Search. 07-15-2019 08:32 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-02-2020
01:04 AM
Hi @to4kawa ,
I have multi value field not NULL value field. If i have only 1 multi-value field, I can use mvexpand and get the output. But I have multiple multi -value field, for which I need row with respective value.
I have made little change in output now. Hope this will bring more clarity to my question.
... View more
04-01-2020
11:21 PM
I am working with MS-Exchange data. I am taking recipient email value and matching with user lookup for other details. Same email have multiple matching values in lookup table. I want only matching records in same row, instead of repeating it.
Ex.: I have an email xyz@abc.com in log. I have 3 records matching in user lookup like below.
email first last id type
xyz@abc.com Ram Singh 1001 T
xyz@abc.com Ram Singh 1042 C
xyz@abc.com Ram Singh 1063 T
I am using below line to match recipient value and get other details from lookup.
| stats values(recipient) as recipient count by _time sender
| mvexpand recipient
| eval recipient=lower(recipient)
| lookup users email AS recipient OUTPUT id type first last
I am getting output like below.
sender recipient id type first last
abc@xyz.com xyz@abc.com 1001 T Ram Singh
1042 C
1063 T
But I am expecting result like this, so that i can perform some conditional action.
sender recipient id type first last
abc@xyz.com xyz@abc.com 1001 T Ram Singh
abc@xyz.com xyz@abc.com 1042 C Ram Singh
abc@xyz.com xyz@abc.com 1063 T Ram Singh
If I am using mvexpand command, it's providing wrong output rows.
... View more
02-18-2020
10:53 PM
I have some saved Splunk reports. I am calling these reports every hour by JAVA API call. If any hour due to some issue my query failed, I am updating that entry in table. Next hour, while running this query, i want to run for last 2 hour time range, instead of 1 hour.
Is there any way, I can control time range of saved search. I didn't have any time field in my report.
I am using Splunk Enterprise Security 7.2.5.1 .
... View more
11-10-2019
09:29 PM
I have some reports saved under search app. I want to access these report output via Splunk REST API in a java program. I am trying below rest API for accessing output in java program.
API: https://hostname:8089/services/saved/searches/report_name
I can get all related details of this report but unable to get actual output.
Can anyone help me getting the output of this report in json format.
... View more
07-15-2019
08:32 PM
Hi @FrankVl
Below is the output in table format. I want timechart based on PROC_VALUE field. (like avg/ min/ max)
TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE
2019-07-14 15:13:20 DEV ALL KPI INSTANCE 10130 User Count 4
2019-07-14 15:13:20 DEV ALL KPI INSTANCE 10130 User Count 2
2019-07-14 15:08:20 DEV ALL KPI INSTANCE 10130 User Count 4
2019-07-14 15:08:20 DEV ALL KPI INSTANCE 10130 User Count 2
2019-07-14 15:03:20 DEV ALL KPI INSTANCE 10130 User Count 4
2019-07-14 15:03:20 DEV ALL KPI INSTANCE 10130 User Count 2
2019-07-14 14:58:20 DEV ALL KPI INSTANCE 10130 User Count 4
... View more
07-14-2019
04:56 AM
Hi @schose
I have already tried above query but it's showing me wrong output.
with table command I am getting value in PROC_VALUE like 2,1, 0, 2 but avg is coming like 20190712, which is wrong output.
... View more
07-14-2019
03:18 AM
Hi @FrankVl
I am using below query for timechart.
index="test_data" sourcetype="SAP:data" | rename message.PARAMS{}.PROC_CODE as PROC_CODE, message.PARAMS{}.PROC_VALUE as PROC_VALUE, message.PARAMS{}.SYS_NAME as SYS_NAME, message.SID as SID, message.TIMESTAMP as TIMESTAMP
| eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d %H:%M:%S")
| eval mvf1 = mvzip(PROC_CODE, PROC_VALUE, ";") | eval mvf2 = mvzip(mvf1, SYS_NAME, ";")
| mvexpand mvf2 | eval n=split(mvf2,";")
| eval PROC_CODE=mvindex(n,0), PROC_VALUE=mvindex(n,1), SYS_NAME=mvindex(n,2)
| lookup PROC_DETAIL PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE
| search SYS_NAME="*" PROC_TYPE=* PROC_PARA=* PROC_CODE=10130
| timechart span=5m avg(PROC_VALUE) as "Average Value"
I need avg/max/min of PROC_VALUE over the time.
... View more
07-14-2019
02:29 AM
I am getting my input in json format like below,
{"message":{"SID":"DEV","TIMESTAMP":1563095600,"PARAMS":[{"PROC_CODE":"10110","PROC_VALUE":" 2","SYS_NAME":"ALL"},{"PROC_CODE":"10010","PROC_VALUE":"20190712","SYS_NAME":"sapbcsdev_DEV_00"},{"PROC_CODE":"10020","PROC_VALUE":"125853","SYS_NAME":"sapbcsdev_DEV_00"},{"PROC_CODE":"10030","PROC_VALUE":"9","SYS_NAME":"sapbcsdev_DEV_00"},{"PROC_CODE":"10040","PROC_VALUE":"1","SYS_NAME":"sapbcsdev_DEV_00"}
I am printing this value in table by using below query.
index="test_data" sourcetype="SAP:data" | rename message.PARAMS{}.PROC_CODE as PROC_CODE, message.PARAMS{}.PROC_VALUE as PROC_VALUE, message.PARAMS{}.SYS_NAME as SYS_NAME, message.SID as SID, message.TIMESTAMP as TIMESTAMP
| eval TIMESTAMP=strftime(TIMESTAMP, "%Y-%m-%d %H:%M:%S")
| eval mvf1 = mvzip(PROC_CODE, PROC_VALUE, ";") | eval mvf2 = mvzip(mvf1, SYS_NAME, ";")
| mvexpand mvf2 | eval n=split(mvf2,";")
| eval PROC_CODE=mvindex(n,0), PROC_VALUE=mvindex(n,1), SYS_NAME=mvindex(n,2)
| lookup PROC_DETAIL PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE
| search SYS_NAME="*" PROC_TYPE=* PROC_PARA=*
| table TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE
Below is the output of this query.
TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE
2019-07-14 08:48:20 DEV ALL KPI ALL 10110 Number of App Servers 2
2019-07-14 08:48:20 DEV sapbcsdev_DEV_00 INFO INSTANCE 10010 INSTANCE START DATE 20190712
2019-07-14 08:48:20 DEV sapbcsdev_DEV_00 INFO INSTANCE 10020 INSTANCE START TIME 125853
2019-07-14 08:48:20 DEV sapbcsdev_DEV_00 KPI INSTANCE 10030 Workprocess Dia Active Count 9
2019-07-14 08:48:20 DEV sapbcsdev_DEV_00 KPI INSTANCE 10040 Workprocess Upd Active Count 1
Now when I am trying to publish some trent using timechart like avg/ min/ max on PROC_VALUE, i am not getting proper output. I assume that still PROC_VALUE is behaving like multi value field.
... View more
07-08-2019
09:26 PM
Hi @jkat54
I am using a free version of Splunk Enterprise for POC. Do they provide the support for free version?
... View more
07-06-2019
08:48 PM
Hi @woodcock ,
I have used time range as Last 60 min and also tried with Last 15 min by selecting chart type as Line chart. But still not getting data in visualization tab.
... View more
07-05-2019
10:45 PM
I used multiple appendcols(around 17) to print data in 1 of panel of the dashboard. Which was taking a huge time to complete the search. Due to this search only, I was not able to get the attachment. Once i removed that particular panel from my dashboard, i started getting pdf as expected.
... View more
07-05-2019
10:37 PM
I am trying to create a time series chart but not getting any data in visualization tab.
index="test_data" sourcetype="SAP:data" | lookup PROC_DETAIL PROC_CODE OUTPUT PROC_CODE PROC_NAME PROC_PARA PROC_TYPE | search SYS_NAME="*" PROC_TYPE=* PROC_PARA=* PROC_CODE=10130 | timechart span=5m max(PROC_VALUE) as "Max Value"
I am getting data in statistics tab like below. But in visualization tab not showing any chart.
_time Max Value
2019-07-06 05:15:00 2
2019-07-06 05:20:00 2
2019-07-06 05:25:00 2
... View more
07-04-2019
09:13 PM
I have requirement to print product details in a table. where i am getting some value from the log and some i have print based on matching product code from lookup table.
I tried below query and I am getting result in proper format.
| inputlookup PROC_DETAIL | table PROC_CODE PROC_NAME PROC_PARA PROC_TYPE | join PROC_CODE [ search index="test_data" sourcetype="test:data" | table TIMESTAMP SID PROC_CODE PROC_VALUE SYS_NAME ] | fields TIMESTAMP SID SYS_NAME PROC_TYPE PROC_PARA PROC_CODE PROC_NAME PROC_VALUE
But when I am expanding time range to see more data, my result count is remaining same, as I am matching the value from lookup table. I want to main my log data as main search and for each event, i want value of PROC_NAME PROC_PARA PROC_TYPE should come from lookup table based on matching PROC_CODE.
... View more
04-11-2019
06:43 AM
Hi @dmarling ,
All there tables have different field names. I tried for union command, but it is merging all table columns and displaying the data.
... View more
04-11-2019
04:11 AM
I have 3 different searches. All are printing separate tables. I want to configure the single alert, which will contain all 3 table one after other. Is this feature available in Splunk 7.1? I want the email content like below.
table 1
**col1 col2 col3**
row1 row1 row1
row2 row2 row2
table 2
**col1 col2 col3**
row1 row1 row1
row2 row2 row2
table 3
**col1 col2 col3**
row1 row1 row1
row2 row2 row2
... View more
02-26-2019
01:36 AM
@ashajambagi ,
My query is working fine. But when I switch to visualization tab I am unable to see EventTime field value on X-axis. I am currently using Splunk 7.1.6 .
... View more
02-26-2019
12:43 AM
hi @vinod94 ,
I have copied the field name from event only. I am getting data in statistics tab properly. But while checking in visualization tab, not getting value on X-axis.
... View more
02-25-2019
09:17 AM
I have a tabular data like below.
**EventTime SQL CPU Utilization Other Process CPU Utilization Total CPU Utilization**
2019-02-24 10:00:48.0 0 3 3
2019-02-24 10:01:48.0 0 2 2
2019-02-24 10:02:48.0 0 1 1
2019-02-24 10:03:48.0 0 1 1
2019-02-24 10:04:48.0 0 2 2
2019-02-24 10:05:48.0 0 2 2
2019-02-24 10:06:48.0 0 2 2
2019-02-24 10:07:48.0 0 3 3
2019-02-24 10:08:48.0 0 5 5
2019-02-24 10:09:48.0 0 3 3
i tried to use the line chart and print EventTime on X-axis and rest values on Y-axis. I am able to get the values on Y-axis but X-axis not displaying the data of EventTime field. I used below query.
index=main sourcettype="SQL" host=ABC | eval Total_CPU_Utilization=(SQLCPUUtilization+OtherProcessCPUUtilization) | chart latest(SQLCPUUtilization) as "SQL CPU Utilization", latest(OtherProcessCPUUtilization) as "Other Process CPU Utilization", latest(Total_CPU_Utilization) as "Total CPU Utilization" by EventTime
Do I need to make any changes in my query?
... View more
