Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About architkhanna
architkhanna
Path Finder
Member since:
01-18-2017
08-24-2022
Community Statistics
| Posts | 81 |
| Solutions | 0 |
| Karma Given | 7 |
| Karma Received | 3 |
| Member Since | 01-18-2017 |
Activity Feed
- Posted How to efficiently delete data from index that has high volume? on Splunk Enterprise. 08-10-2022 01:36 AM
- Tagged How to efficiently delete data from index that has high volume? on Splunk Enterprise. 08-10-2022 01:36 AM
- Posted Why is Sankey chart showing inconsistency in values? on Splunk Search. 08-03-2022 12:48 AM
- Karma Re: To find out tickets moved from one queue to other for gcusello. 06-15-2022 01:27 AM
- Posted Re: To find out tickets moved from one queue to other on Splunk Search. 06-15-2022 01:26 AM
- Posted Re: To find out tickets moved from one queue to other on Splunk Search. 06-15-2022 12:08 AM
- Posted Re: To find out tickets moved from one queue to other on Splunk Search. 06-14-2022 11:47 PM
- Posted Re: To find out tickets moved from one queue to other on Splunk Search. 06-14-2022 02:54 AM
- Posted Re: To find out tickets moved from one queue to other on Splunk Search. 06-14-2022 02:17 AM
- Posted Re: To find out tickets moved from one queue to other on Splunk Search. 06-14-2022 12:29 AM
- Posted How to find out tickets moved from one queue to other on Splunk Search. 06-13-2022 10:57 PM
- Posted Hide Splunk App from Apps list but have search enabled within on Dashboards & Visualizations. 09-01-2021 12:27 AM
- Posted Re: How to calculate how much splunk license is enough on Getting Data In. 07-11-2021 09:55 PM
- Posted How to calculate how much splunk license is enough on Getting Data In. 07-09-2021 05:02 AM
- Tagged How to calculate how much splunk license is enough on Getting Data In. 07-09-2021 05:02 AM
- Tagged How to calculate how much splunk license is enough on Getting Data In. 07-09-2021 05:02 AM
- Posted Re: Join two lookups to get accurate result count on Splunk Enterprise. 03-22-2021 10:21 PM
- Posted Join two lookups to get accurate result count on Splunk Enterprise. 03-22-2021 09:48 PM
- Posted Carry forward top dashboard filter values while navigating to next dashboard on Splunk Enterprise. 03-18-2021 09:20 PM
- Posted Re: Edit Splunk table column values on the UI on Splunk Search. 03-07-2021 08:30 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-10-2022
01:36 AM
Hi Splunkers , I have a splunk index with 3 source types corresponding to each ticket types. it has millions of record in last 10 months and we have now started re pulling all the data again due to 2 new fields which client wants to onboard. Since we do not want to keep the older records which does not have the new fields , We need to find out a way on how to identify the data eligible for deletion. Please note, all tickets have updates more than 1 times up to 50 times as well.
... View more
Labels
- Labels:
-
development
-
using Splunk Enterprise
08-03-2022
12:48 AM
I have a Sankey chart that shows comparison of SLA vs TurnAround for each priority of ticket. While values are correct on hovering on middle of the chart, but as I move towards the corner, I see different values. I'm unable to understand from where those values are picked up.(Since my search result has only 3 rows for Turnaround values) Any help would be appreciated. TIA!
... View more
- Tags:
- sankey
- visualisations
06-15-2022
01:26 AM
@gcusello Absolutely it helped. I get what I was looking for. Thank you so much for your patience and quick response.
... View more
06-15-2022
12:08 AM
Thank you @gcusello I do get some count now which is quite low than what I expected. I will validate it and let you know how it went. Just so you know , the dc_status gives either 1 or 2 value in the end and a ticket in sourcetype 2 can have as much as 10 hops between assignmentgroups plus sourcetype 1/ lookup can have duplicate entrues as well. I hope that is being handled in your last query. Although we need not have to worry about how many of these 10 hops it goes out ofassignmentgroup which is not present in sourcetype 1 /lookup1. Even if it does goes out once, it can be considered in my final count. Thank you!
... View more
06-14-2022
11:47 PM
Hi @gcusello I'm really not sure why have you used manager in your example this time. That is not be used anywhere in logic or for validation. And since nothing comes in > 1 clause , hence no results. I believe We just need to tweak our query you shared before this.
... View more
06-14-2022
02:54 AM
Hi @gcusello "I'm searching for tickets in the index (sourcetype2) that changed assignmentGroup and aren't in the lookup, is this the result you want or a different one? " --> No I would like to find out how many tickets are there in Sourcetype 2 which moved out from assignmentgroups present in Sourcetype 1(lookup)? How I validate is something Im mentioning below::: After using your query result , If I pick up any ticket and search it in sourcetype 2 (since it has all historic data as well ,because hops are made from one assignmentgroup to other) I will see list of changes that happened on that ticket. Ideally few assignmentGroup should be matching from this list to the lookup(Sourcetype 1) and few should not. But I see cases where none are matching, which is something wrong. I hope I'm clear this time.
... View more
06-14-2022
02:17 AM
Hi @gcusello , To clear it , sourcetype 1 is in lookup and sourcetype 2 is in index. I tried using your last search and it did return ticketnumber and assignmentgroup this time , however, when I picked assignmentgroup from this table and searched in sourcetype 1, it actually has a mix of ticket that has assignmentgroup moved but there are scenarios where none of the assignmentgroup from this result are present in sourcetype 1 at all . So something seems to be missing here.
... View more
06-14-2022
12:29 AM
Hello @gcusello , Thank you for your response, I think we are very close to the solution here .I have updated the question to clear out the confusion if any And I used the below query :: index=your_index sourcetype=sourcetype2 | stats dc(assignmentgroup) AS dc_assignmentgroup values(assignmentgroup) AS assignmentgroup BY ticketnumber | where dc_assignmentgroup>1 | mvexpand assignmentgroup | search NOT [ search |lookup lookpuname assignmentgroup AS assignmentgroup_raw OUTPUT assignmentgroup manager | dedup assignmentgroup | fields assignmentgroup ] | table ticketnumber assignmentgroup Using this, I do not get anything in the table but the event counts, rest all is blank
... View more
06-13-2022
10:57 PM
I have a real time Splunk index pushing records into two source types. Source type 1 holds fields including assignmentgroup, manager name , entity etc. Source type 2 hold fields including ticketnumber , assignmentgroup,priority etc. Sourcetype 2 has tickets updates coming in and each ticket can move from one assignmentgroup to another assignmentgroup which may or may not be present in Source type 1 I would like to find out how many tickets are there in Sourcetype 2 which moved out from assignmentgroups of Sourcetype 1? In other words, how many tickets are present in Sourcetype 2 whose assignmentgroup doesnt belong to the assignmentgroup present in Source type 1. Any leads would be helpful. TIA! Just an update, this sourcetype 1 is actually pushed to a lookup file (that has same collumns as in Source type 1, Hence , I intend to use this lookup in the search query)
... View more
09-01-2021
12:27 AM
Hi , I have a splunk app in a cluster environment which I need to hide from list of apps from the UI. To do this, I have made the following changes in SH Deployer: [ui] is_visible = true This works fine, however, I can access the dashboard of this app, if I have the url handy (which is OKAY), the only problem here is, If I try to go to search url of the app, it gives 404 error. Any idea or leads on how to search index /navigate to search window of the app. TIA!
... View more
Labels
- Labels:
-
simple XML
07-11-2021
09:55 PM
Thank you for the prompt reply, however, we haven't started indexing the data and we do not know the size of the events yet. The estimate license needs to be confirmed beforehand( which sounds odd to me too). I would may be assume each event size as ~10kb ( since each record has around 200 fields) and calculate the size. Thank You.
... View more
07-09-2021
05:02 AM
I have a splunk Cluster where instances are of following configurations. --> 16vCPU --> 64GB Memory --> 400GB Disk Size. The source , from where my app pulls data , 150k records are generated each day. How do we confirm on the license part which needs to be installed for this scenario? Is there a straight away formula to calculate that? TIA.
... View more
03-22-2021
10:21 PM
hello, Thanks for the response. however, lookup 1 has ticket number and all possible fields related to the ticketing info, while lookup2 has just ticket number(which shall be present in lookup 1 as well but) and a few other columns that shall not be matching with lookup1.Also do note lookup 2 just has UNRESOLVED tickets while Lookup 1 has BOTH resolved and Unresolved. Motive here is to get accurate list of all unresolved and resolved tickets because lookup2 will have current unresolved tickets in source system while lookup1 will have tickets that has moved out of source but yet not flown into index with updates(and will never , hence they will remain unresolved always on dashboard)
... View more
- Tags:
- up 1
03-22-2021
09:48 PM
Hi, I have below scenario: kvlookup 1: has list of resolved as well as Unresolved tickets. This has many fields lookup2: has just unresolved tickets( pulled up from a scripted input, This shall contain tickets part of first lookup and is a subset of it). This has just ticket number and ticket states relevant from kvlookup1 How can I join both of these to have a complete list of accurate unresolved and resolved tickets. lookup1 will always have more records and is a superset of lookup 2
... View more
Labels
- Labels:
-
development
-
metrics
03-18-2021
09:20 PM
Hello , I have 5 dashboards in a Splunk Application with same set of filters on top of them. I am trying to figure out a way in which , If a user choses some filters on first dashboard , and they navigate to next dashboard, same filters values should remain intact and be applied again. And this should continue with subsequent filter change and dashboard changes. Not sure if at all this feature is possible in splunk or if anyone has done this before. Would like to hear some ideas on the same. Thanks in advance!
... View more
Labels
- Labels:
-
metrics
-
using Splunk Enterprise
03-07-2021
08:30 PM
We had that workaround in pace but client does not wish to navigate to lookup editor , find their entry and then edit it. Makes more sense to do it on the dashboard rather.
... View more
02-25-2021
04:32 AM
Hi, I have a panel in Splunk dashboard which is a table and has two columns. The first column is comment and second is date. I would like to make first column editable on the UI by user and save/output the same in a lookup. Any leads would be helpful. TIA!
... View more
01-18-2021
02:54 AM
Hi All, I am looking for a dashboard panel, where user can enter their comments in one column by typing themselves and in second column current date should come automatically. On click of submit , these value must save and shown to the user as well.( may be via lookup ? ) Your help is appreciated .TIA
... View more
Labels
- Labels:
-
field extraction
-
join
-
lookup
-
Other
-
stats
01-11-2021
02:00 AM
Yes I will keep on learning rather than judging others so soon. Thank you so much for your time and not being helpful at all. One quick suggestion: Do not waste your and my time here, since you are of no help anyways. And let others help in case they have some better solution.
... View more
01-11-2021
01:47 AM
Does not Work. Try hard next time. I am shocked how even answering multiple times you fail to implement this scenario. Happy Learning!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-24-2022
08:55 AM
|
Karma given to
