Activity Feed
- Karma Re: How to create a drilldown for mayurr98. 06-05-2020 12:50 AM
- Karma Re: How to extract date:time format from raw data using REGEX? for micahkemp. 06-05-2020 12:49 AM
- Karma Re: I am trying to run CLI searches and output it to a file but its only giving 100 results. for jowenssi. 06-05-2020 12:49 AM
- Karma Re: I am trying to run CLI searches and output it to a file but its only giving 100 results. for Ayn. 06-05-2020 12:49 AM
- Karma Re: Problem with Lookup Editor App: only KV Stores visible in the overview for LukeMurphey. 06-05-2020 12:49 AM
- Karma Problem with Lookup Editor App: only KV Stores visible in the overview for shoermann. 06-05-2020 12:49 AM
- Karma Splunk 7 shows Splunk version as 4 for jet1276. 06-05-2020 12:49 AM
- Karma Re: How to extract date:time format from raw data using REGEX? for micahkemp. 06-05-2020 12:49 AM
- Karma Re: How to extract date:time format from raw data using REGEX? for acharlieh. 06-05-2020 12:49 AM
- Karma Re: Splunk Add-on for Citrix NetScaler 6.1.0: Why are fields not getting parsed for a Netscaler v11 Syslog input on a heavy forwarder? for kmuellercm. 06-05-2020 12:48 AM
- Karma Re: Simple XML drilldown link search won't recognize regex or rex for vsingla1. 06-05-2020 12:48 AM
- Karma Disable Autofocus feature in Splunk App and TA for wild0104. 06-05-2020 12:48 AM
- Karma Problem replicating config (bundle) to search peer for willprince. 06-05-2020 12:47 AM
- Karma Re: How to calculate percentage and display this on a timechart? for rsennett_splunk. 06-05-2020 12:47 AM
- Karma Re: Connect Splunk to the Internet to retrieve apps for mstegmueller. 06-05-2020 12:46 AM
- Karma Re: How to Refresh a simple FORM dashboard every 60 seconds for jaxjohnny. 06-05-2020 12:46 AM
- Karma Re: how to find difference between two "stats count" used in two different saved search for sideview. 06-05-2020 12:46 AM
- Karma Re: knowledge bundle for rphillips_splk. 06-05-2020 12:46 AM
- Karma Re: Escape < and > in the xml of dashboards for gkanapathy. 06-05-2020 12:45 AM
- Karma Re: How to display chart values without using tool tip for DMohn. 06-05-2020 12:45 AM
Topics I've Started
Subject | Karma | Author | Latest Post |
---|---|---|---|
09-04-2019
08:14 PM
It’s only working for the first value of the user column.
For other values in that column it’s showing no data. Can you please look into it.
09-04-2019
12:57 PM
When I click on user count, for example, it's taking user=4. I want the values instead of the number.
09-04-2019
12:57 PM
Below is the query I have achieved so far. I am unable to parse the token value.
DrillDown
<panel>
<table>
<search>
<query>index=_*|stats dc(user) as user by sourcetype host source</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<drilldown>
<set token="show_panel">true</set>
<set token="selected_value">$click.value2$</set>
</drilldown>
</table>
</panel>
<panel depends="$selected_value$">
<table>
<search>
<query>index=_* |stats values(user) as user by sourcetype host source | mvexpand user| search user=$selected_value$ </query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="count">20</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">none</option>
<option name="percentagesRow">false</option>
<option name="refresh.display">progressbar</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<option name="wrap">true</option>
</table>
</panel>
09-04-2019
12:50 PM
Hello everyone,
I am trying to create a simple hiding drilldown panel.
With the search below:
index=_internal |stats dc(user) as uniqueusers by sourcetype host
Which gives the table below:
sourcetype | host | uniqueusers
---|---|---
aaaa | ccc | 4
bbbbb | ddddd | 2
When a user clicks on a uniqueusers value, for example 4, it should show a new panel below with the list of the 4 unique user names.
08-02-2019
06:30 AM
No, it's not working. The fields are still coming with DNS name and IP combinations.
08-01-2019
07:10 PM
Hi All, below is my sample data. We are receiving data as key=value pairs like below.
time=time1 | dest_ip=abmncd.com-123.45.64.78|src_ip=nahahha.com-142.36.28.69|action=success........
I just want to extract the IP addresses from the dest_ip and src_ip fields at search time in props.conf. When I write a rex in the search it works; below is my search command, which is working:
index=test | rex field=dest_ip "(?<dest_ip>(\d{1,3}\.){3}\d{1,3})" | rex field=src_ip "(?<src_ip>(\d{1,3}\.){3}\d{1,3})"
But when I create an inline extraction in props.conf it's not working:
[sourcetype]
EXTRACT-dest_ip = dest_ip="(?<dest_ip>(\d{1,3}\.){3}\d{1,3})"
EXTRACT-src_ip = src_ip="(?<src_ip>(\d{1,3}\.){3}\d{1,3})"
We need to use the same field names to work with the CIM data models. We are OK with search-time extraction or index-time extraction. Please help.
Thanks
- Tags:
- login
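As an added illustration (not code from the post or from Splunk), the following Python applies the same named-group regex idea to a constructed event in the `key=value` shape shown above, the way a search-time EXTRACT would overwrite `dest_ip` and `src_ip` with just the address. It goes slightly beyond the post in two ways: the dots are escaped so only literal separators match, and every candidate is checked with the standard `ipaddress` module, so a dotted number that is not an address (an octet above 255) is dropped rather than written into a CIM field. The sample event, field names and function names are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample event in the same key=value shape as the post (not real data).
SAMPLE_EVENT = (
    "time=2019-08-01T19:10:00 | dest_ip=abmncd.com-123.45.64.78|"
    "src_ip=nahahha.com-142.36.28.69|action=success"
)

# Named-group pattern matching the post's rex, with the dots escaped so only a
# literal '.' separates the four octets.
IP_RE = re.compile(r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})")


def parse_kv(event: str) -> dict:
    """Split a 'key=value|key=value' line into a dict, trimming whitespace."""
    fields = {}
    for chunk in event.split("|"):
        if "=" not in chunk:
            continue
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def extract_ip(value: str):
    """Return the first dotted-quad in value that is a valid IPv4 address, else None."""
    for match in IP_RE.finditer(value):
        try:
            return str(ipaddress.IPv4Address(match.group("ip")))
        except ipaddress.AddressValueError:
            # Looked like an address syntactically but an octet is out of range.
            continue
    return None


def extract_ips(event: str, fields=("dest_ip", "src_ip")) -> dict:
    """Replace the named 'dnsname-ip' fields with their IP part, like an EXTRACT would."""
    kv = parse_kv(event)
    for name in fields:
        if name in kv:
            ip = extract_ip(kv[name])
            if ip is not None:
                kv[name] = ip
    return kv


if __name__ == "__main__":
    print(extract_ips(SAMPLE_EVENT))
```

The validation step matters for the CIM use case: a downstream data model treats `dest_ip` as an address, so feeding it a lookalike such as `999.1.1.1` produces silent mismatches later.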
06-11-2018
12:32 PM
I installed 3.0.3 but issue still exists.
06-11-2018
08:15 AM
Thanks , got it working.
06-11-2018
07:47 AM
Hi Ayn,
I tried it, but it's still returning 100 results. Can you modify my above query to show where exactly to add the -maxout switch?
06-08-2018
12:05 PM
Hello Everyone,
I am trying to run the query below every day at 6 AM through the CLI and output the result to a new text file. But it's returning only 100 results. I also tried maxout, but it's not working and gives me an error; I might be missing something here. Can someone help me get unlimited results for the query below?
/opt/splunk/bin/splunk search 'index =main sourcetype=employee_data_hcprd earliest=-24h@h latest=now |search HR_STATUS="I" | table EMPLID' > /opt/jobdata.txt
Thanks.
Surya
- Tags:
- splunk-enterprise
05-09-2018
07:11 AM
We are also facing the same problem.
01-02-2018
05:16 PM
Below is part of my sample data. I want to extract the date and time from the data.
00.111.222.1 va10n40596.abcdefgt.com - - 443 [02/Jan/2018:18:25:41 -0500]
I want a new field called start_date as 02/Jan/2018:18:25:41 and to delete the colon between the date and the time.
I need something like this: start_date=02/Jan/2018 18:25:41 from the above raw data.
Thanks.
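An added example (not from the post or from Splunk) of the two-group approach the question calls for: capture the date and the time as separate named groups, match the colon between them without capturing it, and join the two with a space. The SPL analogue is a rex with two capture groups followed by an eval concatenation. The Python below also parses the result with `strptime`, so a line that matches the pattern but is not a real date (31/Feb, for instance) yields no field instead of a bogus one. The sample line and function name are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed access-log line in the same layout as the post's sample (not real data).
SAMPLE_LINE = "00.111.222.1 va10n40596.abcdefgt.com - - 443 [02/Jan/2018:18:25:41 -0500]"

# Date and time are separate named groups; the ':' between them is matched but
# not captured, which is how the separator gets dropped from the output.
TIMESTAMP_RE = re.compile(
    r"\[(?P<date>\d{2}/[A-Za-z]{3}/\d{4}):(?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>[+-]\d{4})\]"
)


def extract_start_date(line: str):
    """Return 'dd/Mon/yyyy HH:MM:SS' from the bracketed timestamp, or None.

    None is also returned when the text matches the pattern but is not a real
    calendar date, so a malformed event never produces a misleading field.
    """
    match = TIMESTAMP_RE.search(line)
    if match is None:
        return None
    start_date = f"{match.group('date')} {match.group('time')}"
    try:
        # Validate against the real calendar, including the numeric offset.
        datetime.strptime(f"{start_date} {match.group('tz')}", "%d/%b/%Y %H:%M:%S %z")
    except ValueError:
        return None
    return start_date


if __name__ == "__main__":
    print(extract_start_date(SAMPLE_LINE))
```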
08-12-2017
02:50 PM
index=main (sourcetype=bb OR sourcetype=cc) type=DELETE | transaction info.agentId startswith=COMPLETED endswith=DELETE keepevicted=true | search closed_txn=0 type=DELETE | stats count(info.agentId) AS "Deleted Device"
| appendcols [search index=main (sourcetype=bb OR sourcetype=cc) type=COMPLETED OR type=DELETE | transaction info.agentId startswith=COMPLETED endswith=DELETE keepevicted=true | search closed_txn=0 type!=DELETE | stats count(info.agentId) AS "Onboarded Devices" ]
My outcome is:
Deleted Device | Deleted Device
---|---
151 | 155
But I need the difference, as below.
Total Devices
---
4
06-15-2017
06:10 PM
I want to filter "Jun 12 23:59:18 AM1-JJ-Arod-1 TESTIN-TUE " out so that I can extract all fields in key value pairs.
May I know the exact way I can do it?
06-15-2017
06:07 PM
Hi Ninjas, I am trying to extract fields from JSON logs, but I have a timestamp and some text data in front of the array, so I can't extract using key value pairs. Can anyone help me?
Jun 12 23:59:18 AM1-JJ-Arod-1 TESTIN-TUE {"addresses": {"local_ipv4": "99.9.9.999", "public_ipv4": "00.000.111.222"}, "cpu_info": {"idle": 00.1}, "date": "2017-06-12 23:59:01.291710", "disk_space": {"disk": "/dev/xvda1", "free": "54781", "pct_used": "6", "total": "60337"}, "host_type": "test", "hostname": "AM1-JJ-Arod-1", "memory_stats": {"available": 3483, "cached": 1747, "free": 1512, "percent": 7.3, "total": 3759, "used": "2247"}
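As an added example (not the post's or Splunk's code), the Python below shows the parsing step the question describes: peel the syslog-style prefix (timestamp, host, tag) off the front of the line with a regex, then hand the remaining JSON object to a real JSON parser and flatten nested keys into dotted names such as `addresses.local_ipv4`. A truncated or malformed payload raises `ValueError` instead of producing a half-parsed event. The sample line, its IP values and the function names are constructed assumptions for the example.

```python
import json
import re

# Constructed line in the same shape as the post's sample: "<timestamp> <host> <tag> {json}".
# Addresses are documentation ranges, not real hosts.
SAMPLE_LINE = (
    'Jun 12 23:59:18 AM1-JJ-Arod-1 TESTIN-TUE '
    '{"addresses": {"local_ipv4": "10.0.0.5", "public_ipv4": "203.0.113.7"}, '
    '"cpu_info": {"idle": 0.1}, "hostname": "AM1-JJ-Arod-1", '
    '"disk_space": {"disk": "/dev/xvda1", "pct_used": "6"}}'
)

# Syslog-style prefix followed by a JSON object that must run to the end of the line.
PREFIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<tag>\S+) (?P<json>\{.*\})\s*$",
    re.DOTALL,
)


def split_event(line: str):
    """Return (timestamp, host, tag, json_text) or raise ValueError if the prefix is absent."""
    match = PREFIX_RE.match(line)
    if match is None:
        raise ValueError("line is not '<timestamp> <host> <tag> {json object}'")
    return match.group("ts"), match.group("host"), match.group("tag"), match.group("json")


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested dicts into dotted keys (addresses.local_ipv4), leaving scalars as-is."""
    out = {}
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, name))
        else:
            out[name] = value
    return out


def parse_event(line: str) -> dict:
    """Combine the prefix fields with the flattened JSON payload into one field dict."""
    ts, host, tag, payload = split_event(line)
    try:
        body = json.loads(payload)
    except json.JSONDecodeError as exc:
        # A cut-off line is a parse failure, not a partially populated event.
        raise ValueError(f"JSON payload is truncated or malformed: {exc}") from None
    fields = {"timestamp": ts, "syslog_host": host, "tag": tag}
    fields.update(flatten(body))
    return fields


if __name__ == "__main__":
    for name, value in parse_event(SAMPLE_LINE).items():
        print(f"{name}={value}")
```

Using a JSON parser for the payload, rather than a key=value regex, is what keeps nested objects and numeric types intact; the regex is only responsible for locating where the JSON starts.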
04-26-2017
06:47 AM
Our environment has 3 SHs and 4 indexers. I am getting the following error very frequently. I followed suggestions from this portal, but they didn't help me. Currently we are running version 6.5.2.
Search process did not exit cleanly, exit_code=255, description="exited with code 255". Please look in search.log for this peer in the Job Inspector for more info.
Your help is appreciated.
Thanks
- Tags:
- searchheads