Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About tpflicke
tpflicke
Path Finder
Member since:
11-01-2013
11-08-2024
Community Statistics
| Posts | 35 |
| Solutions | 6 |
| Karma Given | 11 |
| Karma Received | 20 |
| Member Since | 11-01-2013 |
Activity Feed
- Karma Re: Why would a basic substring search fail? for wpreston. 06-05-2020 12:47 AM
- Karma Re: How to create an alert to identify if there is any lag between the _time and _indextime of firewall events? for thomrs. 06-05-2020 12:47 AM
- Karma Re: How to write source stanza regex in props.conf for timezone recognition? for gkanapathy. 06-05-2020 12:47 AM
- Karma Re: Clean All Filter Inputs With A Button? for somesoni2. 06-05-2020 12:47 AM
- Got Karma for Re: How to create an hourly alert when never seen before with certain unique characteristics appear in an index?. 06-05-2020 12:47 AM
- Got Karma for Re: Is it possible to get percentiles in pivots?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create a new key-value pair name and value based on text within a log?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create an alert to identify if there is any lag between the _time and _indextime of firewall events?. 06-05-2020 12:47 AM
- Got Karma for Re: How to create an alert to identify if there is any lag between the _time and _indextime of firewall events?. 06-05-2020 12:47 AM
- Got Karma for Re: timechart count by -not a legit field-. 06-05-2020 12:47 AM
- Got Karma for Re: Differentiate between public IP and private IP?. 06-05-2020 12:47 AM
- Karma Re: What are the ports that I need to open? for bandit. 06-05-2020 12:46 AM
- Karma Re: How to compare fields over multiple sourcetypes without 'join', 'append' or use of subsearches? for MuS. 06-05-2020 12:46 AM
- Karma Re: How to avoid subsearch auto-finalize in query performing outer join against lookup table for somesoni2. 06-05-2020 12:46 AM
- Karma Re: How to avoid subsearch auto-finalize in query performing outer join against lookup table for gkanapathy. 06-05-2020 12:46 AM
- Karma Re: How to extract event raw size just like linecount for dwaddle. 06-05-2020 12:46 AM
- Got Karma for Re: Search on data model object, weird behavior. 06-05-2020 12:46 AM
- Got Karma for How to extract event raw size just like linecount. 06-05-2020 12:46 AM
- Got Karma for Multiple inline drilldown. 06-05-2020 12:46 AM
- Got Karma for Re: Regex error. 06-05-2020 12:46 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
The pivot command currently (v6.2.1) support the median but not other percentiles.
However, if you simply want to have the reports using datamodel acceleration rather than the drag and drop features of the pivot UI the you could use tstats. The tstats command will use the tsidx files of your accellerated datamodel and you can use perc , exactperc and upperperc .
| tstats p25(Duration) AS p25 p50(Duration) AS p50 p75(Duration) AS p75 from datamodel=SomeDataModel
BTW, for something more complex you might create a pivot via the UI, run it and inspect the job which gives you the tstats command which you can then modify / develop further.
... View more
03-24-2015
04:58 AM
3 Karma
I had the same message and resolved it by single-quoting the fields inside the eval statement so the following might do the trick:
... | eval n = if('Probe.Class'==1, "true", "false") | ...
... View more
02-26-2015
02:48 AM
While a far better solution would be fixing the log format, I wonder if a heavy forwarder could be employed to modify the date string before sending it to the indexing tier. If necessary, the forwarder could be configured to ignore the timestamp, it should simply apply the transformation, e.g. via SEDCMD, then send the data on.
... View more
02-24-2015
08:10 AM
2 Karma
For larger amounts of HTML I found it useful to format multi-line with \, e.g:
login_content = This is a <b>production server</b>. \
If you are running some expensive searches, try one of the following servers:\
<a href="http://server1:8000">server1</a> or <a href="http://server2:8080">server2</a>
... View more
02-24-2015
03:17 AM
I found the following in $SPLUNK_HOME/etc/users//user-prefs/local/user-prefs.conf of Splunk 6.2.1:
eai_app_only = False
eai_results_per_page = 100
What do they do? There doesn't seem to be any documentation.
... View more
- Tags:
- user-prefs
02-22-2015
02:09 PM
From yannK's answer I understand the problem is that you've got clock hour [1;24] rather than hour [0;23] so you need to shift everything back by 1 hour from clock hour to hour as Splunk has no support for clock hour.
The query below shows how this can be done using rex mode=sed and a timezone offset with the 24 clock hour being handled separately.
Essentially what happens is:
"28.02.2015 24:05:03:100" => "28.02.2015 23:05:03:100-0000" => "28.02.2015 23:05:03.100"
"28.02.2015 20:32:45:123" => "28.02.2015 20:32:45:123+0100" => "28.02.2015 19:32:45.123"
| gentimes start=-1
| eval testdata="something 28.02.2015 24:05:03:100 else#something 28.02.2015 20:32:45:123 else"
| table testdata | makemv testdata delim="#" | mvexpand testdata | eval _raw = testdata
| rex mode=sed field=_raw "s/(\d\d\.\d\d\.\d{4}) 24(:\d\d:\d\d:\d+) /\1 23\2-0000 /g"
| rex mode=sed field=_raw "s/(\d\d\.\d\d\.\d{4}\s+\d+:\d\d:\d\d:\d+) /\1+0100 /g"
| rex field=_raw "(?<date_str>\d\d\.\d\d\.\d{4}\s+\d+:\d\d:\d\d:\d+[+-]\d+)"
| eval n = strftime(strptime(date_str, "%d.%m.%Y %k:%M:%S:%3N%z"), "%d.%m.%Y %H:%M:%S.%Q")
| table testdata date_str n
You should also be able to specify the manipulations in props.conf using SEDCMD which would be applied at indexing time:
SEDCMD-clockhour24 = s/(\d\d\.\d\d\.\d{4}) 24(:\d\d:\d\d:\d+) /\1 23\2-0000 /g
SEDCMD-clockhourXX = s/(\d\d\.\d\d\.\d{4}\s+\d+:\d\d:\d\d:\d+) /\1+0100 /g
... View more
02-14-2015
03:26 PM
With regards to the regular expression - the first group should be non-greedy to prevent it from gobbling up too much.
Here's my test query producing the desired result for the given examples:
| gentimes start=-1
| eval temp="DATABASE-DTA-PRD#APACHE-SCM-PRD-TST#SERVERS-PRD"
| table temp
| makemv temp delim="#"
| mvexpand temp
| rename temp as _raw
| rex field=_raw "(?<result>.*?)(?:-DTA-PRD|-PRD-TST|-TST|-DTA|-PRD)"
| table _raw result
If you are not anchoring the regular expression to the end with $ you shouldn't need the -PRD-TST and -DTA-PRD matches. Under the condition that the -SCM tag is always the first tag and that there is always at least one tag you might simplify the query a bit, e.g.
| rex field=_raw "(?<result>.*?)(?:-DTA|-PRD|-TST)"
Alternative 1
Using rex mode=sed would allow you to discard specific tags which also works if the tag order differs.
| gentimes start=-1
| eval temp="DATABASE-DTA-PRD#APACHE-SCM-PRD-TST#SERVERS-PRD#APACHE-PRD-TST-SCM"
| table temp
| makemv temp delim="#"
| mvexpand temp
| rex field=temp mode=sed "s/-(PRD|TST|DTA)//g"
| table temp
Alternative 2:
Now, if things turn really complicated the you could resort to using a lookup table
full_fieldname,short_fieldname
DATABASE-DTA-PRD,DATABASE
APACHE-SCM-PRD-TST,APACHE-SCM
APACHE-PRD-SCM-TST,APACHE-SCM
SERVERS-PRD,SERVERS
...
and use like:
| eval full_fieldname=...
| lookup name_translation full_fieldname OUTPUT short_fieldname
| eval fieldname=if(isNull(short_fieldname), full_fieldname, short_fieldname)
| stats count by fieldname
All of these would work if you do the manipulation in the query, if you want to do this in props.conf this might not be the case.
... View more
02-14-2015
02:29 PM
1 Karma
The following should do the trick though producing the regular stats output format:
... | rex field=_raw "\{state,\"(?<state>\w*)" | stats count by state | sort -count
or with timechart:
... | rex field=_raw "\{state,\"(?<state>\w*)" | timechart count by state
... View more
Here's a suggestion trying to get to the same result though via a different approach and one that would not require to effectively make an all time search every hour.
To remember already discovered combinations of field1, field2, field2 long term and even exceeding your normal data retention period you could use either a summary index or a lookup table.
In general I find working with lookup tables easier so here's an suggestion facilitating one:
In CSV format the table, I named discovered_combinations, could look like:
discovered_timestamp,field1,field2,field3
1423922204,AAA,"",123
1423923303,"",bbb,435
1423924444,"RRR,bbb,""
The timestamp would provide a return value but might also be used in queries and generally help keep track of when field combinations were discovered.
A search scheduled every hour would find events that don't match a field combination in the lookup table, dedup and send the alert so you get the first event for any new combination.
index=mydata earliest=-1h@h latest=@h
| dedup field1, field2, field3
| lookup discovered_combinations field1 field2 field2 OUTPUT discovered_timestamp
| where isNull(discovered_timestamp)
A second search scheduled afterwards would then update the lookup table using ... | outputlookup discovered_combinations append=true .
There might be a way of doing this all in a single query which would be neater.
... View more
02-13-2015
03:07 PM
One approach would be to set the alert action for your search to a script.
The script can then send you an email and also interact with Splunk via the REST API.
http://dev.splunk.com/view/SP-CAAADQ5 provides an example for disabling a search via the API:
curl -k -u admin:changeme -d "disabled=1" -d 'search="fail+OR+error"' https://localhost:8089/servicesNS/admin/search/saved/searches/web_errors
You also create, delete and otherwise manipulate saved searches without having to interact with the UI.
It's also possible just disable the alert action.
... View more
02-13-2015
10:58 AM
1 Karma
To deal with all the various examples in this thread and all other possible cases such as new domains like .london, I think it will need something more than a reasonably short regex line.
I would probably go down the route of calling a Python script to deal with the cases to my satisfaction and being able to lay out the logic in a maintainable way. Maybe there is a splunk app or add-on that provides such functionality, if not, it could make a nice exercise to create one.
A few test cases:
conductor.io.com => io.com
support.expedia.co.uk => expedia.co.uk
0.52.channel.facebook.com => facebook.com
0.52.channel.facebook.london => facebook.london
... View more
02-13-2015
07:52 AM
1 Karma
I am not sure if you want to return events with only public or only private IP addresses.
How about
index=<someindex> source=<somesource> " connected to 10\."
to only get the private ones or
index=<something> source=<somesource> "connected to " NOT "connected to 10\."
to get the public ones.
This will only look consider 10.x.x.x as private (not other ranges like 192.168.x.x etc) which might be sufficient for what you want. This should also be quick as it's filtering on the indexer.
... View more
To elaborate on the answer provided by thomrs:
I've recently set up an alert to keep an eye on lag (including 'negative lag' caused by incorrect timezone setting or server time). Note that the query is looking only at the latest event for each source by using dedup and does not attempt to determine lag by indexer.
index=<index_name>
| dedup host source
| eval indexed_time=strftime(_indextime, "%+")
| eval file_timestamp=strftime(_time, "%+")
| eval lag = round(_indextime - _time)
| eval abs_lag=abs(lag)
| table host file_timestamp indexed_time lag abs_lag source
| sort -num(abs_lag)
| search abs_lag > 30
| rename lag as "lag in seconds"
| rename abs_lag as "lag in seconds (unsigned)"
| rename indexed_time as "log event indexed at"
| rename file_timestamp as "timestamp from log event (adjusted)"
... View more
02-10-2015
07:36 AM
1 Karma
The following eval clause might do the trick though it will result in field Logon being present with a blank value if neither phrase is found:
eval Logon=case(match(_raw,"user logged on"), "yes", match(_raw,"user failed logon"),"no",1==1,"")
As jrodman wrote this could be used as part of the search and should also work for creating a calculated field.
Another approach would be using rex mode=sed to change the text:
rex mode=sed field=_raw "s/user logged on/Logon=yes/" | rex mode=sed field=_raw "s/user failed logon/Logon=no/"
You might need a kv or
| rex field=_raw "Logon=(?<Logon>yes|no)"
to pick up the name value pair.
... View more
05-27-2014
01:19 AM
Thanks, exactly what I need.
... View more
05-24-2014
08:37 AM
I've got a large number of logs which look similar to:
INFO com.this.that.SomeLogger 2014-05-08 08:29:49,997 [CSP-12.3.4.3245432] [pool-10-thread-1] {"metaData":{"sourceURI":"/search/" ....}}
and
INFO com.this.that.SomeLogger 2014-05-08 08:29:49,997 [CSP-12.3.4.3245432] [pool-10-thread-1] payload=<event type="x12">...</event>
in addition to log entries with a freeform text or name-value pair load.
It the whole event was JSON then Splunk would format this nicely in the event viewer panel but this doesn't work for the above mixed entries. Changing the logs to all JSON is at present not an option.
One way seems to be creating custom events viewers that would deal with displaying above mixed events so users awkwardly end up copy-pasting payload into a JSON or XML formatter.
I hope it's possible to improve presentation of events with mixed content with limited effort, e.g. by facilitating an already existing Splunk app or deriving custom events viewers from existing ones.
What are my options?
... View more
05-24-2014
08:03 AM
1 Karma
I frequently use the length of the raw data - more often than readily extracted fields punctuation and linecount
I do so be extracting the field in the query like
... | eval raw_length=len(_raw) | ...
What are the options to do this as a predefined field extraction at either search time or even index time?
... View more
05-19-2014
04:06 PM
Excellent, specifying the prefix to avoid collisions was precisely what I was missing. Thanks a lot.
... View more
05-19-2014
08:11 AM
1 Karma
I wonder if it is possible to perform more than one inline drilldown.
Here is what I would like to do:
run a query A listing the top x error codes during a selected time frame, e.g. 10 minutes
display the results in a table A
when a table A row is clicked run a query B against an error code - bug ticket lookup table (there can be multiple tickets for a given error code)
display the results in a second table B
when clicking on a row in table B perform some action using the data of that row, e.g. show details, run another search ...
I have been using the Table - inline drilldown from the Sideview utils (3.2.6) as starting point.
I understand how to pass data from the clicked row of table A to narrow search B.
However, I struggle to see how step 5. could be made to work given the $row.fields.xxxx$ mechanism of passing data.
... View more
05-19-2014
07:39 AM
The answer to this question is actually the same as for the field menu: this can be achieved using workflow actions.
(Credits to bwooden)
... View more
05-09-2014
01:46 AM
Thanks, that's exactly what I was looking for.
... View more
05-08-2014
06:21 AM
When a field is selected to be shown in the results, the field appears with a collapsed dropdown menu containing the items 'Tag = ' and 'Report on Field'.
I would like to extend this menu with additional items for some fields.
Example
I extract and show the user_id in the results.
In the menu I want to display an item that, when clicked, opens the URL http://somedomain/display?user_id=6787765685 in a new browser tab/window
BTW, ideally I want to build the URL from more than just one field value, e.g. http://somedomain/display?user_id=6787765685&date=20140131&firstname=Fred
The HTML of the menu (before modifications) looks like:
<div class="outerMenuWrapper splShadow splMenu splMenu-primary" style="display: none; top: 556px; left: 975px;">
<ul>
<div class="innerMenuWrapper">
<li class="">
<a href="javascript:void(0);" tabindex="-1" class="menuItemLink" s:fieldname="user_id" s:fieldvalue="6787765685">
Tag user_id=6787765685</a></li>
<li class=""><a href="javascript:void(0);" tabindex="-1" class="menuItemLink" s:fieldname="user_id"
s:fieldvalue="6787765685">Report on field</a></li>
</div>
</ul>
</div>
... View more
05-07-2014
08:54 AM
I want to extend the Event Options Menu which is located beside the result records.
The idea is to add a link containing some data from the result record beside which the menu is located.
When clicking on the extra menu item the link should open in a new browser tab.
Is this achievable with relatively limited effort?
Example for Illustration
I a result record contains the field userid then the Event Options Menu should contain an item Display in XYZ which would invoke a URL like https://some_domain/display_user?date=20140203&userid=12434233433
The date would be derived from _time and userid from a field in the results, e.g. customer_id.
While the Event Options Menu is appealing for this enhancement, I am open to other suggestions too
The HTML of that menu (without any modifications):
<div class="outerMenuWrapper splShadow splMenu splMenu-primary" style="display: none; top: 411px; left: 243px;">
<ul>
<div class="innerMenuWrapper">
<li class=""><a href="/en-US/etb?sid=1399554203.68&offset=0&namespace=search"
tabindex="-1" class="menuItemLink" target="_blank">Build Eventtype</a></li>
<li class=""><a href="/en-US/ifx?sid=1399554203.68&offset=0&namespace=search"
tabindex="-1" class="menuItemLink" target="_blank">Extract Fields</a></li>
<li class=""><a href="/en-US/app/search/show_source?sid=1399554203.68&offset=0&latest_time="
tabindex="-1" class="menuItemLink" target="_blank">Show Source</a></li>
</div>
</ul>
</div>
... View more
11-30-2013
05:35 PM
I've created the following query for a range of -12h...+12h with data 1,2,3,4 weeks ago and the data of the last 12h creating a timechart with 10m span and snapping to 10min.
The query works ok with minor caveats such as ignoring summer/winter time changes.
index=x somesearchfields earliest=-684h latest=+12h
| eval interval_sec=600
| eval week1_end = relative_time(now(), "-156h")
| eval week1_start = relative_time(now(), "-180h")
| eval week2_end = relative_time(now(), "-324h")
| eval week2_start = relative_time(now(), "-348h")
| eval week3_end = relative_time(now(), "-492h")
| eval week3_start = relative_time(now(), "-516h")
| eval week4_end = relative_time(now(), "-660h")
| eval today_start = relative_time(now(), "-12h")
| eval dataset = case(
_time < week4_end,"4 weeks ago",
_time > week3_start AND _time < week3_end, "3 weeks ago",
_time > week2_start AND _time < week2_end, "2 weeks ago",
_time > week1_start AND _time < week1_end, "1 week ago",
_time > today_start AND _time<=now(),"last 12h",
1==1, null)
| eval stop=interval_sec*floor(now()+(12*3600)/interval_sec)
| eval start=interval_sec*ceil((now()-(12*3600))/interval_sec)
| eval _time = if(dataset=="1 week ago", _time+(3600*24*7), _time)
| eval _time = if(dataset=="2 weeks ago", _time+(3600*24*14), _time)
| eval _time = if(dataset=="3 weeks ago", _time+(3600*24*21), _time)
| eval _time = if(dataset=="4 weeks ago", _time+(3600*24*28), _time)
| where _time>start AND _time<stop
| timechart span=600s fixedrange=f count by dataset
The Question:
How do I modify the query to get a timechart displaying the following:
the last 12h of data (as currently showing as 'last 12h')
the data for the interval a week earlier (as currently showing as '1 week ago')
the average of the data 1,2,3 and 4 weeks earlier (i.e. avg('1 week ago' + '2 weeks ago' + '3 weeks ago' + '4 weeks ago'))
... View more
- Tags:
- timechart
11-29-2013
08:46 AM
Ah, didn't think of trying metadata or inputlookup as first element of a sub-query. This certainly opens up possibilities!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-08-2024
01:16 PM
|
