Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About hanikawadhwa
hanikawadhwa
Explorer
Member since:
11-06-2019
06-05-2020
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 11-06-2019 |
Activity Feed
- Got Karma for Can not use earliest and eval together with map command. 06-05-2020 12:50 AM
- Posted Re: Timetable/Schedule is been given in lookup table, how to use it in splunk query on Splunk Search. 11-16-2019 06:57 AM
- Posted How to read different time slots from lookup table on Splunk Search. 11-15-2019 06:34 PM
- Tagged How to read different time slots from lookup table on Splunk Search. 11-15-2019 06:34 PM
- Tagged How to read different time slots from lookup table on Splunk Search. 11-15-2019 06:34 PM
- Posted Timetable/Schedule is been given in lookup table, how to use it in splunk query on Splunk Search. 11-14-2019 08:18 PM
- Tagged Timetable/Schedule is been given in lookup table, how to use it in splunk query on Splunk Search. 11-14-2019 08:18 PM
- Posted Re: How many inputlookup files can be read in a splunk query on Splunk Search. 11-14-2019 07:49 PM
- Posted How many inputlookup files can be read in a splunk query on Splunk Search. 11-12-2019 05:18 AM
- Tagged How many inputlookup files can be read in a splunk query on Splunk Search. 11-12-2019 05:18 AM
- Tagged How many inputlookup files can be read in a splunk query on Splunk Search. 11-12-2019 05:18 AM
- Posted Re: Can not use earliest and eval together with map command on Splunk Search. 11-06-2019 09:19 AM
- Posted Can not use earliest and eval together with map command on Splunk Search. 11-06-2019 07:49 AM
- Tagged Can not use earliest and eval together with map command on Splunk Search. 11-06-2019 07:49 AM
- Tagged Can not use earliest and eval together with map command on Splunk Search. 11-06-2019 07:49 AM
- Tagged Can not use earliest and eval together with map command on Splunk Search. 11-06-2019 07:49 AM
- Tagged Can not use earliest and eval together with map command on Splunk Search. 11-06-2019 07:49 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
11-16-2019
06:57 AM
ASSET_NAME Date Starttime Endtime Hour of operation
A 2019-11-16 08:00:00 08:59:59 1
A 2019-11-16 09:00:00 09:59:59 2
A 2019-11-16 10:00:00 10:59:59 3
A 2019-11-16 13:00:00 14:00:59 4
B 2019-11-15 08:00:00 08:59:59 1
B 2019-11-15 11:00:00 11:59:59 2
B 2019-11-15 12:00:00 12:59:59 3
B 2019-11-15 13:00:00 14:59:59 4
C 2019-11-14 09:00:00 09:59:59 1
C 2019-11-14 10:00:00 10:59:59 2
C 2019-11-14 11:00:00 11:59:59 3
C 2019-11-14 17:00:00 17:59:59 4
My lookup table is something like this
... View more
11-15-2019
06:34 PM
Hi splunkers,
I have a situation to read different operational hours of same bin size for the last 3 days
Scenario:
9-10 10-11 11-12 12-13 13-14 14-15 15-16 .............23-24
Today 1 2 3 4 5
1 day before 1 2 3 4 5
2 day before 1 2 3 4 5
3 day before 1 2 3 4 5
As per Today's train scedule it will start at 10 operates till 12 after that it will take some rest and start again at 1 pm. Example: if today the train is in 1st hour of operation, i need to to count the alarmopened in 1st hour of operation for the last 3 days, divide it be 3 to compute average. If today's count of alarm opened is greater than the average, it will give alerts. The same happens for all hours of operation.
Question: My problem is how can I take the same time slot of previous last 3 days. If Now my train in 2nd hour of operation, how can I get the 2nd hour of operation for the last 3 days
Note: Bin size is same
everyday running for 5 hours
TIA
... View more
11-14-2019
08:18 PM
Hi Splunkers,
I am stuck in a situation where I have been provided an input lookup file containing operational hours of a train.
9-10 10-11 11-12 12-13 13-14 14-15 15-16 16-17 ...................23-24
Today 1 2 3 4 5
T-1 1 2 3 4 5
T-2 1 2 3 4 5
T-3 1 2 3 4 5
Bin Size is 1 hour in this case and schedule of the same train for the previous 3 days has been provided with the same bin size. Scenario: Today's schedule is that the train's 1st hour of operation is 9-10 and 2nd hour of operation is 10-11 and so on. everyday train is running for 5 hours. so in the table 5 hours of operations are mentioned.
Let's say as per current time I am in the 1st hour of operation so I need to consider the 1st hour of operation for the last 3 days count their alarmopened and divide it by 3 to get the average. If today, number of alarm opened in 1st hour of operation is more than the average calculated on the basis of 1st hour of operation for the last 3 days, it will give alerts.
Question: How I can mark the hour of operations of previous days. If today I am in 2nd hour of operation, how to get the count of alarm opened in 2nd hour of operation in previous 3 days?
Logically I am able to understand the scenario but can't think of implement in splunk. Please guide.
Hope my question is clear.
TIA
... View more
- Tags:
- splunk-enterprise
11-14-2019
07:49 PM
Thank you so much. I understand that uploading to an index is a better way.
... View more
11-12-2019
05:18 AM
Hi Splunkers,
I have been given a requirement where I need to read more than 10k input lookup files to get some results. My question: is it advisable or feasible to read this number of input lookup files?
scenario: every lookup files showing the operational hours of each trains for last 10 days.
(mon)9-10 (tues) 11-12 (wed )8-9 (thu)7-6 (fri) 1-2 (mon) 3-3:30 (tue )10-18 (wed)7-10 (thur) 9-18 (fri) 4-9
query requires to read all these input lookup files to consider operational hours of all the 10k trains.
Is there any other way to read all these files in a single query
TIA
... View more
11-06-2019
09:19 AM
Hi,
Thanks for reverting.I have a lookup table containing more than 1000 assets which ha stendenct to open an alarm
asset_name,DESCRIPTION,Bin_Duration,Bin_Size,Day
COM,Computer,5,span=1h,Monday
PA,Personal,10,span=2h,Saturday
Need to calculate average and threshold(average+3*standard deviation) to check any violation. if the alarm count is more than threshold, there is rule violation. But to calculate average and threshold for each asset, only their corresponding Days will be taken into account. Eg. COM, 5 Mondays will be considered to calculate average and threshold whereas for PA, 10 Saturdays.
I prepared a query
index=indx|lookup main asset_name as ASSET_NAME DESCRIPTION as DESCRIPTION|dedup ASSET_NAME DESCRIPTION | table ASSET_NAME, DESCRIPTION, Bin_Size, Bin_Duration, Day| map search="search index=indx earliest=-1d@h-$Bin_Duration$d@h ASSET_NAME=$ASSET_NAME$ DESCRIPTION=$DESCRIPTION$|timechart $Bin_Size$ count(Alarm) as Alarm|timewrap 1d series=short
| addtotals Alarm_s* fieldname=mysum
| eval avg1=(mysum-Alarm_s0)/$Bin_Duration$| foreach Alarm*
[eval diff_<<FIELD>>=pow('<<FIELD>>'-avg1,2)]
| addtotals diff* fieldname=std1
| eval std1=std1-diff_Alarm_s0
| eval std1 = pow(std1/$Bin_Duration$,0.5)| eval threshold= avg1+3*std1
| eval rule1=if(Alarm_s0 > threshold,1,0)
| eval assetName=$ASSET_NAME$|eval DESCRIPTION=$DESCRIPTION$ "
|rename assetName as ASSET_NAME avg1 as Average threshold as Threshold |table _time ASSET_NAME DESCRIPTION rule1.
In this query, I could not use Day field from lookup table.
If there is any other way to solve my problem, please suggest.
If I hard code the same query for a particular asset, its working properly.
TIA
... View more
11-06-2019
07:49 AM
1 Karma
Hi Splunkers,
How can i use earliest time and eval command together with a map command.
Earliest value and Day of the week is provided in a lookup table. In this case Am using eval for _time to get the day of the week sothat it can be mapped with the lookup table column (day of the week).
I tried some ways but could not use earliest and eval together with map.
Hope my question can be understood.
TIA
... View more
