Activity Feed
- Got Karma for eval and where function - it does not work if there is a dot in the field name. Do I need to escape the dot? 06-05-2020 12:48 AM
- Karma Feature Request: How to embed a dashboard (not a report) that is updated every hour in a webpage? for lquinn. 06-05-2020 12:47 AM
- Karma Pie chart - rounding percent values for IgorB. 06-05-2020 12:46 AM
- Karma Escape JSON data at index time for darinmoon. 06-05-2020 12:46 AM
- Got Karma for Re: REST API - JSON Invalid format. 06-05-2020 12:46 AM
- Got Karma for Re: Can we use wildcard characters in a lookup table?. 06-05-2020 12:46 AM
- Got Karma for Re: Can we use wildcard characters in a lookup table?. 06-05-2020 12:46 AM
- Karma Re: How can I search for a missing field? for hulahoop. 06-05-2020 12:45 AM
- Karma Can Index on Satellite stay In sync with Index on Planet Earth? for mzorzi. 06-05-2020 12:45 AM
- Karma Re: Can Index on Satellite stay In sync with Index on Planet Earth? for lukejadamec. 06-05-2020 12:45 AM
- Posted Splunk on Splunk - are there logs on Lookup csv file operations (add/delete) on Knowledge Management. 11-08-2017 09:53 PM
- Tagged Splunk on Splunk - are there logs on Lookup csv file operations (add/delete) on Knowledge Management. 11-08-2017 09:53 PM
- Tagged Splunk on Splunk - are there logs on Lookup csv file operations (add/delete) on Knowledge Management. 11-08-2017 09:53 PM
- Tagged Splunk on Splunk - are there logs on Lookup csv file operations (add/delete) on Knowledge Management. 11-08-2017 09:53 PM
- Posted Re: Pie chart - rounding percent values on Dashboards & Visualizations. 08-02-2017 10:15 PM
- Posted Re: Column chart, when set x axis text orientation to 45 degree, first text name always shorten. Please advise or fix. on Dashboards & Visualizations. 07-05-2017 07:37 PM
- Posted Re: Column chart, when set x axis text orientation to 45 degree, first text name always shorten. Please advise or fix. on Dashboards & Visualizations. 07-05-2017 07:34 PM
- Posted Re: Column chart, when set x axis text orientation to 45 degree, first text name always shorten. Please advise or fix. on Dashboards & Visualizations. 07-05-2017 07:33 PM
- Posted Column chart, when set x axis text orientation to 45 degree, first text name always shorten. Please advise or fix. on Dashboards & Visualizations. 07-05-2017 06:27 PM
- Tagged Column chart, when set x axis text orientation to 45 degree, first text name always shorten. Please advise or fix. on Dashboards & Visualizations. 07-05-2017 06:27 PM
11-08-2017
09:53 PM
Issue statement:
I have a lookup csv file uploaded, with read/write permission for a user group. Today the file disappeared!
Question:
Is there a Splunk log on lookup csv file operations (add/delete)? If yes, where are they? I guess I can ask the admin to make it searchable in Splunk.
Thanks.
08-02-2017
10:15 PM
I downvoted this post because I tried it, and it does not work.
07-05-2017
07:37 PM
@oda thanks it works!
@Splunk could you add this to the bug queue? 🙂
07-05-2017
07:34 PM
Hi @adonio, sorry, I had to post my reply in the main comment as only there am I allowed to attach a picture. Could you please advise?
Thanks.
07-05-2017
07:33 PM
@adonio, I created another column chart from the GUI wizard and pasted all the options tags in your code into the column chart source code, but I am still seeing the first column text being shortened.
At the same time, I confirmed that if I change the orientation to horizontal, the name is displayed correctly.
Could you further advise? The Splunk Enterprise version in my company is 6.5.2, if this helps.
07-05-2017
06:27 PM
Hi, as in the attached pic.
My use case is that I have a column chart with reasonably many columns, so that if I do not set the orientation to 45 degrees, all names are shortened to "xxx...yyy".
But after setting the orientation to 45 degrees, my boss found that the first column, no matter how short the name is, will always be shortened to "xxx...yyy". I tried switching to several different data sets, and the problem still persists.
In the attached pic example, "Ada...itz" is only 10 characters in length; "Anthony xxxxxx" is 14 characters in length, but it is not shortened.
Could you please advise if I configured the chart wrong, or could you please help to fix this problem?
Thanks.
- Tags:
- splunk-enterprise
06-29-2017
02:28 AM
Sorry to add more background on why my use case cannot use search.
This is b/c I want to create an eval field from the Extracted1 field above in the data model UI, where I cannot rename the transaction field before I do eval...
The code I put in the eval field setting is like below:
case(RootTransaction1.Extracted1="abc", "xyz",
true(), "123")
06-29-2017
02:11 AM
1 Karma
Because of the problem reported in link text.
In my transaction data set DataModel1.RootTransaction1, there is now a "RootTransaction1.Extracted1" field.
I tried to run the queries below with the "where" command (my use case does not allow me to use the search command), and none of them work.
| from datamodel:DataModel1.RootTransaction1 |where RootTransaction1.Extracted1 = "abc"
| from datamodel:DataModel1.RootTransaction1 |where "RootTransaction1.Extracted1" = "abc"
| from datamodel:DataModel1.RootTransaction1 |where RootTransaction1\.Extracted1 = "abc"
| from datamodel:DataModel1.RootTransaction1 |where "RootTransaction1\.Extracted1" = "abc"
The only way that works is to rename the field.
| from datamodel:DataModel1.RootTransaction1 |rename RootTransaction1.Extracted1 as Extracted1 |where Extracted1 = "abc"
but this is a sub-optimal solution. How can I do eval and where with fields that have a dot in the middle?
- Tags:
- splunk-enterprise
06-29-2017
02:03 AM
You advised the reason is to "differentiate between event fields" and transaction fields.
Fine if that is the reason.
But in the transaction search, only the "RootTransaction1.Extracted1" field exists and the "Extracted1" field is gone. What is there to be differentiated against, please? I would say there is nothing to differentiate from, at least from the search consumer's point of view. So why bother renaming?
06-23-2017
01:45 AM
It just bugs me that this is not the behavior for "Root Event", but only for "Root Transaction". Both are Data Model data sets.
The behavior is not consistent, without obvious reasons behind it.
06-23-2017
12:36 AM
Say I have a DataModel1.RootEvent1 set up, with fields extracted:
- Extracted1
- Extracted2
Then I add a transaction data set DataModel1.RootTransaction1, with settings like maxspan=30, etc.
Then if I search:
|from datamodel:Datamodel1.RootTransaction1
The events returned will not have an "Extracted1" field, but only a "RootTransaction1.Extracted1" field!
My question is: Splunk must have some use case for renaming fields in the RootEvent data set. What is the use case?
If not, can this renaming behaviour just be removed?
Thanks.
- Tags:
- splunk-enterprise
06-11-2017
07:15 PM
1 Karma
My 2 cents: if you intentionally output invalid JSON, why not just not output anything JSON-like at all? That way people would have less confusion and could work around it accordingly.
06-09-2017
02:45 AM
Your samples all only have a double backslash "\", and they won't have any problem by themselves. I think the main post is having a problem when there is a single backslash "\" in the JSON msg.
06-09-2017
12:31 AM
Got it solved finally. The answer is transaction.
reference: https://docs.splunk.com/Documentation/Splunk/6.5.3/Search/Identifyandgroupeventsintotransactions
sourcetype=foo condition1=xxx condition2=yyy |transaction field1 field2 field3 maxspan=5s maxpause=1s |where eventcount>100
Then you will see the events themselves.
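The burst check that the thread above settled on (group events with the transaction command under a maxspan/maxpause limit, then keep only groups whose eventcount exceeds a threshold) is easy to read but hard to test inside Splunk. The following is an added example written for this page, not the poster's code and not Splunk's implementation: it reproduces the same grouping rule in plain Python over JSON log lines so the window logic can be inspected and unit-tested. The grouping rule (a group closes when the next event for the same key is more than maxspan after the group's first event or more than maxpause after its previous event) is an assumption about how transaction behaves, and all events in build_sample_log() are constructed sample data.

```python
"""Transaction-style burst detection outside Splunk.

Added example (not the poster's or Splunk's code): replicates the grouping
behind
    ... | transaction src maxspan=5s maxpause=1s | where eventcount>N
over plain JSON lines. Everything in build_sample_log() is constructed
sample data, not real traffic.
"""
import json
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def build_sample_log():
    """Constructed JSON-lines input: 12 rapid events from one source,
    a slow trickle from another, and one late straggler."""
    base = datetime(2017, 6, 9, 0, 31, 0)
    rows = []
    # 12 events 100 ms apart: fits inside maxspan=5s / maxpause=1s
    for i in range(12):
        rows.append((base + timedelta(milliseconds=100 * i), "10.0.0.5", "NEW"))
    # 3 events 2 s apart: each gap exceeds maxpause=1s, so three singletons
    for i in range(3):
        rows.append((base + timedelta(seconds=2 * i), "10.0.0.9", "NEW"))
    # straggler 10 s after the burst started: exceeds maxspan, new group
    rows.append((base + timedelta(seconds=10), "10.0.0.5", "CANCEL"))
    return "\n".join(
        json.dumps({"ts": ts.strftime(TS_FMT), "src": src, "TradeEvent": kind})
        for ts, src, kind in rows
    )


def parse_events(text):
    """Parse JSON lines into dicts with a datetime under _time, oldest first
    (transaction grouping only makes sense on time-ordered input)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.strptime(rec["ts"], TS_FMT)
        events.append(rec)
    events.sort(key=lambda r: r["_time"])
    return events


def group_transactions(events, key_fields, maxspan_s, maxpause_s):
    """Group events sharing key_fields into transactions.

    Assumed rule, mirroring the transaction command's maxspan/maxpause:
    an event extends the open group for its key unless it is more than
    maxspan_s after the group's first event or more than maxpause_s after
    the group's previous event; in either case the group closes and a
    new one starts.
    """
    maxspan = timedelta(seconds=maxspan_s)
    maxpause = timedelta(seconds=maxpause_s)
    open_groups = {}
    closed = []
    for ev in events:
        key = tuple(ev.get(f) for f in key_fields)
        grp = open_groups.get(key)
        if grp is not None:
            too_long = ev["_time"] - grp["start"] > maxspan
            too_quiet = ev["_time"] - grp["last"] > maxpause
            if too_long or too_quiet:
                closed.append(open_groups.pop(key))
                grp = None
        if grp is None:
            grp = {"key": key, "start": ev["_time"], "last": ev["_time"], "events": []}
            open_groups[key] = grp
        grp["events"].append(ev)
        grp["last"] = ev["_time"]
    closed.extend(open_groups.values())
    return closed


def find_bursts(events, key_fields, maxspan_s, maxpause_s, min_count):
    """Equivalent of '| where eventcount>min_count' on the grouped output."""
    return [
        g for g in group_transactions(events, key_fields, maxspan_s, maxpause_s)
        if len(g["events"]) > min_count
    ]


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    # the thread used eventcount>100; a lower threshold keeps the sample small
    for g in find_bursts(evs, ("src",), maxspan_s=5, maxpause_s=1, min_count=5):
        print(g["key"], len(g["events"]), "events between",
              g["start"].isoformat(), "and", g["last"].isoformat())
```

Running it flags one group: the 12 rapid events from 10.0.0.5, while the 2-second trickle from 10.0.0.9 splits into singletons because each gap exceeds maxpause, and the CANCEL event 10 s later starts a fresh group because it exceeds maxspan. Tuning maxpause is what separates a sustained burst from a steady low rate, which is the same trade-off the Splunk search makes.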
05-24-2017
06:00 AM
Thanks, so I searched with your suggested query; it seems good, but it returns a table. How can I modify it to make it return the events themselves?
sourcetype=foo condition1=xxx condition2=yyy | timechart count span=1s | trendline sma5(count) as moving_count_events |where burst=9999999
05-23-2017
06:22 AM
Thanks.
I tried this search, but strangely 9 seconds are spent on parsing the search. Is that normal for a sub-search?
918.18 startup.handoff
05-23-2017
05:59 AM
My use case is:
There is sourcetype1, which has a tradeID field; there is also sourcetype2, which also has a tradeID field.
I think sourcetype2 should be a subset of sourcetype1, and I want to do reconciliation.
How do I write a search so that it returns all tradeIDs in sourcetype1 but not in sourcetype2?
Thanks.
- Tags:
- splunk-cloud
05-17-2017
08:59 PM
Yes, that worked. Thanks. So where and eval require explicit indication of strings/numbers?
05-17-2017
08:44 PM
Firstly, with the search below, events are returned:
|from datamodel foo.fooo |search Counterparty=abc TransactionType=xyz
But with the "where" below, it does not return any events
|from datamodel foo.fooo |where Counterparty=abc AND TransactionType=xyz
I checked the WHERE documentation and could not get a clue what went wrong. Could you help?
- Tags:
- splunk-cloud
05-10-2017
02:48 AM
I want to catch bursts of events reaching a certain threshold in a short period of time. I think Splunk must have this function, but I had no luck finding it. Could you please point me to the doc?
I imagine the search would look like:
sourcetype=foo condition1=xxx condition2=yyy |where event count within 5 seconds > 100
- Tags:
- splunk-cloud
05-10-2017
12:10 AM
Hi, I found a more detailed symptom now.
If, instead of specifying the TradeID field, I search like below
sourcetype=foo 123456
the event shows up!
I checked the event in the GUI and found that the GUI displays the event text (the log is in JSON format) as raw text instead of "syntax highlighted", and only SOME, but not other fields like TradeEvent and TradeID in the JSON log, are listed under the log text.
I double checked and pasted the log text into JSONLint, and it is a valid JSON message.
Why does Splunk not index this message like the other JSON event messages in my sourcetype?
p.s. to your question, yes, the TradeID is in the _raw log, and not a lookup field. The full spath is TradeEventObject.TradeID
05-09-2017
11:50 PM
Oh, I see. Thank you.
05-09-2017
10:52 PM
I'm using Splunk Enterprise 6.5.2.
The Splunk-Enterprise tag for some reason cannot be used, error: The following topics are not present in the system, and you don't have permissions to create new ones: splunk-enterprise
05-09-2017
10:41 PM
Hi, I tried to search as below, with the where in(VALUELIST) function as described in: http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchReference/ConditionalFunctions
sourcetype=foo TradeEvent=NEW |where in( TradeID,"value1","value2") |fields TradeID
but I got the error in the title. Could you advise?
Thanks.
- Tags:
- splunk-cloud