Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About yshen
yshen
Path Finder
Member since:
06-18-2020
2 weeks ago
Community Statistics
| Posts | 30 |
| Solutions | 0 |
| Karma Given | 33 |
| Karma Received | 1 |
| Member Since | 06-18-2020 |
Activity Feed
- Karma Re: How to calculate the time between events based on a field change grouped by another field? for wpreston. 2 weeks ago
- Karma Re: Splunk Security Essentials: 'mvmap' function is unsupported or undefined for bowesmana. 2 weeks ago
- Karma Re: mvexpand multiple multi-value fields? for to4kawa. 4 weeks ago
- Posted Re: How to tag or group events by multiple possible values of a field without repeated value? on Alerting. 4 weeks ago
- Tagged Re: How to tag or group events by multiple possible values of a field without repeated value? on Alerting. 4 weeks ago
- Posted How to tag or group events by multiple possible values of a field without repeated value? on Alerting. a month ago
- Tagged How to tag or group events by multiple possible values of a field without repeated value? on Alerting. a month ago
- Posted Re: Dashboard Base Search is not working for all panels on Splunk Search. 02-23-2021 08:56 PM
- Karma Re: Dashboard Base Search is not working for all panels for gjanders. 02-23-2021 08:48 PM
- Karma Re: Dashboard Base Search is not working for all panels for apilger_splunk. 02-23-2021 08:46 PM
- Karma Why is the Dashboard Base Search is not working for all panels? for hackentrick. 02-23-2021 08:46 PM
- Got Karma for How to create a list of literal values of strings with Splunk query language?. 01-15-2021 03:10 PM
- Posted Re: How to create a list of literal values of strings with Splunk query language? on Splunk Search. 01-15-2021 02:51 PM
- Karma Re: How to create a list of literal values of strings with Splunk query language? for to4kawa. 01-15-2021 02:50 PM
- Posted How to create a list of literal values of strings with Splunk query language? on Splunk Search. 01-15-2021 12:06 PM
- Karma Re: How do I concatenate two fields into a string? for ftk. 12-24-2020 03:00 PM
- Karma How to find the time difference between the current and previous event per field? for rodrigorenie. 12-21-2020 04:30 PM
- Karma Re: Help with Advanced Source Type for woodcock. 11-09-2020 11:32 AM
- Karma Re: Help with Advanced Source Type for manjunathmeti. 11-09-2020 11:30 AM
- Karma Re: How do you delete old data from an index? for ManchitMalik. 10-28-2020 02:08 PM
4 weeks ago
@gcusello Thanks for the pointer. My problem is a real one that I need for some field troubleshooting. Maybe, my framing of my problem could be simplified. But it's what I can do at the moment. Maybe, once I know the solution, then the problem statement might be simplified. The extraction of the fields of DEVICE, ATTRIBUTE, etc. has already been done in the respective sourcetype. Your suggestion of using transaction with startwith and endwith might work sometimes. But I eventually need to identify those event groups that have subsets of the expected events. For example, Certain group may only has event of "SOR_RESTRICT_STATUS.STATE" so the transaciton may need to startwith "SOR_RESTRICT_STATUS.STATE" as well. Likewise, some other subset may only have SOR_A_STATUS.STATE OR SOR_B_STATUS.STATE so the transaction may need also to endwith SOR_A_STATUS.STATE OR SOR_B_STATUS.STATE by this school of thought, the eventual transaction definition would be like: transaction DEVICE startswith="SOR_A_STATUS.STATE OR SOR_B_STATUS.STATE OR SOR_RESTRICT_STATUS.STATE" endswith="SOR_A_STATUS.STATE OR SOR_B_STATUS.STATE OR SOR_RESTRICT_STATUS.STATE" I have tried how it would up with the same condition for startwith and endwith I am concerned that it would lose the expected differentiation for the transactions. Maybe a question to experts.
... View more
- Tags:
- search
a month ago
Here is the data for illustration: (To facilitate experiment, I provide below the query snippet to recreate the data in Splunk query.) | makeresults | eval _raw= "Date Time DEVICE ATTRIBUTE STATE TagExpected 2021-03-19 11:56:22.449 K30 SOR_B_STATUS.STATE SOR_FAILED 1 2021-03-19 12:16:17.564 K30 SOR_A_STATUS.STATE SOR_FAILED 1 2021-03-19 12:17:55.191 K30 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_ON 1 2021-03-19 12:21:16.659 K30 SOR_A_STATUS.STATE SOR_FAILED 2 2021-03-19 12:32:42.247 K30 SOR_B_STATUS.STATE SOR_FAILED 2 2021-03-19 12:51:21.456 A60 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_ON 2 2021-03-19 12:51:52.949 A60 SOR_A_STATUS.STATE SOR_FAILED 1 2021-03-19 12:54:01.077 A60 SOR_B_STATUS.STATE SOR_FAILED 1 2021-03-19 13:01:26.367 A60 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_ON 1 2021-03-19 13:01:26.818 K30 SOR_A_STATUS.STATE SOR_FAILED 3 2021-03-19 13:02:41.142 K30 SOR_B_STATUS.STATE SOR_FAILED 3 2021-03-19 13:08:19.694 A60 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_ON 2 2021-03-19 13:09:14.433 K30 SOR_B_STATUS.STATE SOR_FAILED 4 2021-03-19 13:10:19.149 W34 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_OFF 1 2021-03-19 13:16:12.847 A60 SOR_B_STATUS.STATE SOR_FAILED 3 2021-03-19 13:24:59.420 A60 SOR_A_STATUS.STATE SOR_FAILED 3 2021-03-19 13:24:59.870 A60 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_ON 3 2021-03-19 13:25:48.068 A60 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_OFF 2021-03-19 13:35:47.614 A60 SOR_A_STATUS.STATE SOR_FAILED 4 2021-03-19 13:38:19.632 A90 SOR_B_STATUS.STATE SOR_FAILED 1 2021-03-19 13:46:10.118 R20 SOR_B_STATUS.STATE SOR_FAILED 1 2021-03-19 13:50:30.328 R50 SOR_A_STATUS.STATE SOR_FAILED 1 2021-03-19 13:54:58.831 W20 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_ON 1 2021-03-19 13:55:30.622 W20 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_OFF 2021-03-19 13:56:38.060 A60 SOR_A_STATUS.STATE SOR_FAILED 5 2021-03-19 14:02:19.102 K30 SOR_B_STATUS.STATE SOR_FAILED 5 2021-03-19 14:08:51.212 R50 SOR_A_STATUS.STATE SOR_FAILED 2 2021-03-19 14:09:47.657 R20 SOR_B_STATUS.STATE SOR_FAILED 2 2021-03-19 14:11:10.387 C30 SOR_B_STATUS.STATE SOR_FAILED 1 2021-03-19 15:01:15.315 C30 SOR_B_STATUS.STATE SOR_FAILED 2 2021-03-19 15:02:33.670 R65 SOR_A_STATUS.STATE SOR_FAILED 1 2021-03-19 15:06:56.258 C50 SOR_B_STATUS.STATE SOR_FAILED 1 2021-03-19 15:09:32.583 R50 SOR_A_STATUS.STATE SOR_FAILED 3 2021-03-19 15:09:33.484 R50 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_ON 3 2021-03-19 15:09:40.240 R50 SOR_RESTRICT_STATUS.STATE SOR_SPEED_RESTRICT_OFF 2021-03-19 15:36:17.104 A90 SOR_B_STATUS.STATE SOR_FAILED 1" | multikv forceheader=1 | eval combined=Date." ".Time | eval _time=strptime('combined', "%Y-%m-%d %H:%M:%S.%Q") | fields _time DEVICE ATTRIBUTE STATE TagExpected In the above records, I’d like to tag or group the events by the following rules: For a device value, e.g. K30, I’d like to tag the events with DEVICE value K30 with first occurrences of SOR_B_STATUS.STATE or SOR_A_STATUS.STATE (their occurrences do not matter) and SOR_RESTRICT_STATUS.STATE after with the same tag value, to be one group. For the same DEVICE value, next occurrences of SOR_B_STATUS.STATE or SOR_A_STATUS.STATE (their occurrences do not matter) and SOR_RESTRICT_STATUS.STATE after I’d group them to be tag 2, to be a different group, etc. Subset of such event group will also be considered to be separate group. The events in a group does not need to be adjacent in time. I don’t insist on the tag value, any mechanism to group the events would be fine. I feel that using streamstats or transaction in some fashion might solve the problem. But I need help to wrap around my brain to work it help. Really appreciate that you could give me some help or hint. Thanks in advance, and have nice weekends!
... View more
- Tags:
- search
Labels
- Labels:
-
other
02-23-2021
08:56 PM
It took me at least 5 hours of experiment to make sure that I'm not making a mistake. It's really frustrated and disappointed by such mystery and arbitrary behavior without any hint of error message! A great company can do better. I wish customers should not always be treated as a victim of hidden secrete! So the moral of the story, a base search must explicitly specify all the fields that will be used by the searches using the base search by command fields or table.
... View more
01-15-2021
02:51 PM
Amazing! Powerful, and sophisticated! Thanks a million!
... View more
01-15-2021
12:06 PM
1 Karma
The requirements is to find the event_A and event_B such that There is some event A's before the event_B, and the event_A’s TEXT field and the event_B’s TEXT field have the first character identical, and the second characters satisfy the condition: the event_B’s TEXT’s 2nd character in numerical value is equal to the event_A’s corresponding field’s 2nd character, or event_B’s is 1 plus, or 1 minus of the event_A’s. It is after some event_A satisfying condition 1, with CATEGORY value “ALARM” and not after such event_A with CATEGORY value “CLEARED”, or It is after some event_A satisfying condition 1, with CATEGORY value “CLEARED”, but the event_B’s _time is within 60 minutes of the _time of event_A (CATEGORY=CLEARED) Here are some sample data: _time CATEGORY TYPE TEXT
2020-12-29T05:20:32.710-0800 ADVISORY event_B K35JB
2020-12-29T05:37:54.462-0800 ADVISORY event_B A05KM
2020-12-29T05:57:50.164-0800 ADVISORY event_B K25CD
2020-12-29T05:59:06.004-0800 ALARM event_A R20-A
2020-12-29T05:59:24.635-0800 ALARM event_A K35-E
2020-12-29T05:59:37.200-0800 ALARM event_A C15
2020-12-29T06:00:24.470-0800 CLEARED event_A R20-A
2020-12-29T06:00:40.415-0800 CLEARED event_A K35-E
2020-12-29T06:08:09.945-0800 ADVISORY event_B R65AG
2020-12-29T06:14:24.740-0800 ADVISORY event_B K35JB
2020-12-29T06:14:43.988-0800 ADVISORY event_B K45JB
2020-12-29T06:56:44.642-0800 ADVISORY event_B A77MD
2020-12-29T06:59:42.745-0800 ADVISORY event_B C87AB
2020-12-29T07:30:39.080-0800 ADVISORY event_B M97AF
2020-12-29T08:39:26.008-0800 ADVISORY event_B K25BA
2020-12-29T09:46:48.175-0800 ADVISORY event_B C25EG Here is the illustration with the above sample data (with comment after # ) _time CATEGORY TYPE TEXT
# all the event_B without event_A before are eliminated
2020-12-29T05:59:06.004-0800 ALARM event_A R20-A # expecting event_B with TEXT with prefix Ri where i = 1, 2, 3
2020-12-29T05:59:24.635-0800 ALARM event_A K35-E # expecting event_B with TEXT with prefix Ki where i = 2, 3, 4
2020-12-29T05:59:37.200-0800 ALARM event_A C15 # expecting event_B with TEXT with prefix Ci where i = 0, 1, 2
2020-12-29T06:00:24.470-0800 CLEARED event_A R20-A # only expecting event_B with TEXT with prefix Ri where i = 1, 2, 3 with _time < 2020-12-29T06:00:24.470-0800 + 60 minutes
2020-12-29T06:00:40.415-0800 CLEARED event_A K35-E # only expecting event_B with TEXT with prefix Ki where i = 2, 3, 4 with _time < 2020-12-29T06:00:40.415-0800 + 60 minutes
2020-12-29T06:08:09.945-0800 ADVISORY event_B R65AG # to be eliminated, not expected, as R6 does not match Ri, i=1, 2, 3
2020-12-29T06:14:24.740-0800 ADVISORY event_B K35JB # kept, as K3 matched the expected prefix, and within the time windows
2020-12-29T06:14:43.988-0800 ADVISORY event_B K45JB # kept, as K4 matched the expected prefix, and within the time windows
2020-12-29T06:56:44.642-0800 ADVISORY event_B A77MD # to be eliminated, not expected, as A7 does not match any of the expected prefix
2020-12-29T06:59:42.745-0800 ADVISORY event_B C87AB # to be eliminated, not expected, as C8 does not match Ci, i=0, 1, 2
2020-12-29T07:30:39.080-0800 ADVISORY event_B M97AF # to be eliminated, not expected, as M9 does not match any of the expected prefix
2020-12-29T08:39:26.008-0800 ADVISORY event_B K25BA # to be eliminated, not expected, as its _time is beyond the expected window
2020-12-29T09:46:48.175-0800 ADVISORY event_B C25EG # kept, as C2 matched the expected prefix, and there is no time window limit for the prefx C2 I cannot wrap my head to figure a solution with Splunk query. I could only find a solution when there is only one event_A expecting the corresponding event_B, using streamstats to keep of track the only one expecting event_A’s TEXT prefix, and _time to scan for the satisfying event_B, but once there are multiple event_A’s expecting with different TEXT prefixes and _time’s, then I cannot find a way to remember and perform the scan for the multiple event_A’s expectations. With a conventional programming language, say Python, I’ll keep track of the union of expectant prefixes, and time windows, and scan the events against such history state. Could you kindly help me! Thanks in advance!
... View more
Labels
- Labels:
-
eval
-
rex
-
transaction
10-13-2020
10:23 PM
@ashleyherbert following your elegant idea using change clause, I implemented mine below: <form>
<label>Adaptive Option All</label>
<fieldset submitButton="false">
<input type="multiselect" token="dev_type" searchWhenChanged="true">
<label>Type of Sensor</label>
<choice value="*">All</choice>
<default>*</default>
<prefix>(</prefix>
<suffix>)</suffix>
<initialValue>*</initialValue>
<delimiter>, </delimiter>
<fieldForLabel>Device_Type</fieldForLabel>
<fieldForValue>Device_Type</fieldForValue>
<search>
<query>index="cse_scada"
| dedup Device_Type
| sort Device_Type<</query>
<earliest>0</earliest>
<latest></latest>
</search>
<change>
<eval token="form.dev_type">
case(
mvcount('form.dev_type')=0,"*", <!-- when there is non selected, set to "*" -->
mvcount('form.dev_type')>1 AND mvfind('form.dev_type',"*")>0,"*", <!-- when there are more than one selected, and "*" is not the first one, set to "*" -->
mvcount('form.dev_type')>1 AND mvfind('form.dev_type',"*")=0,mvfilter('form.dev_type'!="*"), <!-- when there are more than one selected, and "*" is the first one, remove "*" -->
1==1,'form.dev_type' <!-- otherwise no change -->
)
</eval>
</change>
</input>
</fieldset>
</form> but it does not work. When I selected a specific option "*" (All) does not disappear. After having specific option(s), selecting "*" (All), the other option(s) do not disappear. Would you please help to diagnose what could go wrong? Thanks! -- I suspect that it might be related how the list of values for the token dev_type is represented, as I observed, when only "*" is selected, the corresponding URL is http://l-yshen:8000/en-US/app/search/trychangeadaptiveall?form.dev_type=* when one more option is selected, say "UPS", the corresponding URL becomes http://l-yshen:8000/en-US/app/search/trychangeadaptiveall?form.dev_type=*&form.dev_type=UPS It seems the manipulation in the change clause takes no effect.
... View more
10-12-2020
09:12 AM
@soutamo Thanks for the license information!
... View more
10-12-2020
09:11 AM
@niketnilay Thanks for detailed help, very informative! Today, I checked again of my implementation. It's working now. Perhaps, I didn't restart enough, or not restarting at the right timing? (I did librarily start, as it's a development instance.). I can see the print out, even the logic works! But it seems somehow the response is a bit sluggish. The logic that I want is to have "All" option automatically removed, when user select more specific option, and add "All" back, when user removes all other options. (But the part of logics being working, I'm not sure which contributes its working, as I using two solutions. One is with JavaScript to handle the change, at the same time, I'm also using Simple XML in the change clause to update the options. I'll try to isolate which makes the logic working.) I still have more questions: for a production system, I cannot afford to restart Splunk, I was told in the video tutorial, that I could use the following url to reload the JavaScript's update: http://l-yshen:8000/en-US/_bump() but it didn't work for me yet. You mentioned some other options ( bump, refresh, restart Splunk, followed by internet Browser history cleanup depending on your Dev environment configuration ), I'd like to learn what's the proper way to experiment. I'm using Chrome browser. For the sake of completeness, here is the corresponding Simple XML code for the multi-select panel: <form script="multiselect_enhence.js" theme="dark">
<label>Temperatures of UPS and External Sensor</label>
<description>This dashboard provides panels to examine the temperatures </description>
<fieldset submitButton="false" autoRun="true">
<input id="multi1" token="Device_Type" searchWhenChanged="true" type="multiselect">
<label>Types of Sensor</label>
<choice value="*">All</choice>
<fieldForLabel>Device_Type</fieldForLabel>
<fieldForValue>Device_Type</fieldForValue>
<search>
<query>index="cse_scada"
| dedup Device_Type
| sort Device_Type</query>
</search>
<default>*</default>
<initialValue>*</initialValue>
<prefix>(</prefix>
<suffix>)</suffix>
<delimiter>, </delimiter>
<change>
<eval token="form.Device_Type">case(mvcount('form.Device_Type')=0,"All",mvcount('form.Device_Type')>1 AND mvfind('form.Device_Type',"All")>0,"All",mvcount('form.Device_Type')>1 AND mvfind('form.Device_Type',"All")=0,mvfilter('form.Device_Type'!="All"),1==1,'form.Device_Type')</eval>
<eval token="env">if(mvfind('form.Device_Type',"All")=0,"environment=*",$Device_Type$)</eval>
</change>
</input> Thanks greatly!
... View more
10-09-2020
11:52 AM
I'm using a free Splunk instance to develop dashboard mostly with simple XML before I deploy it to the production system. The trial license of the free Splunk instance has expired. I can still use it for the development. However, when I tried to use JavaScript to extend a dashboard, I could not get the JavaScript working, in the sense that I don't see the print out statement executed as I could not see the print out on the web console. I only got the following error message: "common.js:1063 GET http://l-yshen:8000/en-US/splunkd/__raw/servicesNS/admin/search/alerts/alert_actions?output_mode=json&search=(is_custom%3D1+OR+name%3D%22email%22+OR+name%3D%22script%22+OR+name%3D%22lookup%22)+AND+disabled!%3D1&count=1000&_=1602204254014 402 (Payment Required)". I wonder the meaning of the error message? I guess that it might have something related to payment/license. The javascript file in question common.js is not of mine, probably from Splunk's own. Any suggestion how I can get my javascript running, or how to investigate the root cause of its not running? I wish to learn how to find any response or clue of my mistakes. Here is the script that I having difficulty with: require([
'jquery',
'underscore',
'splunkjs/mvc',
'splunkjs/mvc/simplexml/ready!'
],
function($,_,mvc){
var multi1 = mvc.Components.get("multi1")
multi1.on("change",function(){
current_val = multi1.val()
console.log("Current Vals: " + current_val)
var first_choice_value = multi1.options.choices[0].value;
if (current_val.length > 1 && current_val.indexOf(first_choice_value) == 0) {
multi1.val(_.without(current_val, first_choice_value));
}
if (current_val.length > 1 && current_val.indexOf(first_choice_value) > 0) {
multi1.val([first_choice_value]);
}
})
}
)
© It's copied from here: https://www.youtube.com/watch?v=kQLV9AOL-FE&t=503s
... View more
Labels
- Labels:
-
javascript
-
panel
-
simple XML
10-09-2020
11:20 AM
@bowesmana Let me use an example to illustrate what I'm looking for. The following is changed sample data for illustration: Temperature=82.4, Location=xxx.165.152.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=84.2, Location=xxx.165.152.48, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=82.4, Location=xxx.165.154.21, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=82.4, Location=xxx.165.162.22, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=77.0, Location=xxx.165.164.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=75.2, Location=xxx.165.170.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=77.0, Location=xxx.165.208.12, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=73.4, Location=xxx.165.48.20, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=75.3, Location=xxx.165.52.13, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=77.9, Location=xxx.165.52.14, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=76.3, Location=xxx.165.54.24, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=83.8, Location=xxx.165.48.20, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=73.8, Location=xxx.165.36.21, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor I want to select ALL records whose locations have had temperature reached 83F ever. The qualifying locations are the following: xxx.165.152.48
xxx.165.48.20 as their temperature had reached 83F or above. So my expected output is the following: Temperature=84.2, Location=xxx.165.152.48, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=73.4, Location=xxx.165.48.20, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=83.8, Location=xxx.165.48.20, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor Note, I want ALL with the qualified locations, not just the ones with temperature above 83F. I need the raw data in its original form, not reconstructed statistics. Thank all for the help, but I have not found a solution that can produce the above expected outcome.
... View more
10-05-2020
10:36 PM
Thanks for providing input. Your suggestion: | where Temperature>80
| stats min(Temperature) as LowestTemp max(Temperature) as HighestTemp by Location Type only computes the locations that have temperatures greater than 80F, and the minimum temperature and maximum temperature of those above 80F. But I want to all the raw events with the locations that have had temperatures above 80F sometimes. For those locations, I even want to have the events with temperature below 80F, as long as the location in question sometimes have temperature above 80F. It's very different semantics. Thanks for helping!
... View more
10-05-2020
07:02 PM
I have the following data as example: I want to find the events whose locations having had temperature above a threshold, say 80F. Temperature=82.4, Location=xxx.165.152.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=84.2, Location=xxx.165.152.48, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=82.4, Location=xxx.165.154.21, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=82.4, Location=xxx.165.162.22, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=77.0, Location=xxx.165.164.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=75.2, Location=xxx.165.170.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=77.0, Location=xxx.165.208.12, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=73.4, Location=xxx.165.224.20, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS
Temperature=75.3, Location=xxx.165.52.13, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=77.9, Location=xxx.165.52.14, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=76.3, Location=xxx.165.54.24, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=83.8, Location=xxx.165.48.20, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor
Temperature=73.8, Location=xxx.165.36.21, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor I would like to first find the subsets of locations with whom the temperatures having been above a threshold, say 80F. I may perform the a query like the following: | Temperature > 80
| fields Location
| dedup Location I'd call the locations outcome of the query "hot_locations", then I'd like perform my eventual query: | Location IN hot_locations My question is what's the syntax of Splunk query language to express the declarations? Thanks for your pointers!
... View more
Labels
- Labels:
-
other
10-02-2020
10:33 AM
I wish there is a way that is less impacting to the service than restarting the forwarder.
... View more
10-02-2020
08:20 AM
On a heavy forwarder, I added a new sourcetype in /opt/splunk/etc/apps/<my_app>/local/props.conf, [sensor_data]
DATETIME_CONFIG =
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
disabled = false
pulldown_type = true
BREAK_ONLY_BEFORE_DATE = and also at /opt/splunk/etc/apps/<my_app>/local/inputs.conf add [monitor:///home/slog/sensor_logs/sensor_*.dat]
disabled = false
index = cse_scada
sourcetype = sensor_data where my_app has been defined and establish working for the existing sourcetypes and indexes. The index cse_scada has also been defined and working. I thought that this is what it takes to introduce a new sorucetype and input on a Heavy Forwarder. But I don't see the newly defined souncetype listed in the list sourcetype, nor do I found any expected data in a query of sourcetype=sensor_data I didn't see any error in the <SPLUNK>/var/log/splunkd.log I wonder what else I need to do to the definitions working? - Do I have to restart the forwarder? - Any other means to let it to take effect?
... View more
Labels
- Labels:
-
other
09-16-2020
06:12 PM
@ITWhisperer Your suggestion sounds interesting. How do I create such input panel with dropdowns with Splunk? How do I create charts with the selected dropdown values? So far, I only learned some query language. Some pointer or example, would be appreciated. Thanks!
... View more
09-16-2020
06:08 PM
@alemarzu Thanks for the suggestion. I'll try. This solution might not support the functionality of selecting by Type, for example, I want the user to be able to view locations of Type value "UPS".
... View more
09-16-2020
09:08 AM
I have the following data samples: Temperature=82.4, Location=xxx.165.152.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS Temperature=84.2, Location=xxx.165.152.48, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS Temperature=82.4, Location=xxx.165.154.21, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS Temperature=82.4, Location=xxx.165.162.22, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS Temperature=77.0, Location=xxx.165.164.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS Temperature=75.2, Location=xxx.165.170.17, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS Temperature=77.0, Location=xxx.165.208.12, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS Temperature=73.4, Location=xxx.165.224.20, Time=Wed Sep 16 07:43:01 PDT 2020, Type=UPS Temperature=75.3, Location=xxx.165.52.13, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor Temperature=77.9, Location=xxx.165.52.14, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor Temperature=76.3, Location=xxx.165.54.24, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor Temperature=83.8, Location=xxx.165.48.20, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor Temperature=73.8, Location=xxx.165.36.21, Time=Wed Sep 16 07:47:01 PDT 2020, Type=TempSensor I'd like to draw line graphs of the `Temperature` over `Time`, splitted by `Location` (for individual sensor), and I'd like to have a way to label the curves of `Locations`, by the value of `Type` (UPS or TempSensor), label, or legend, etc. I'd also like to be able to filter selectively showing by `Type's` value and/or by certain `Location`. So far, I figured out that I may be able to do the following: | xyseries Time, Location, Temperature but I am yet to figure out how to provide the labeling by `Type`, and filtering by `Type`, and `Location`.
... View more
09-04-2020
09:31 AM
@Nisha18789 I studied in details of your solution. I'm afraid that it does not solve my problems. Here are my understanding and paraphrase of your proposal: | makeresults
| eval start="2020-08-23T03:04:05.000-0700"
| eval end="2020-08-23T03:25:58.000-0700"
| eval Agent_hostname="m50-ups.a_domain"
| eval alarm="upsAlarmOnBypass" Create data fields of start, end, etc. | eval start_epoch=strptime(start,"%Y-%m-%dT%H:%M:%S.000-0700"), end_epoch=strptime(end,"%Y-%m-%dT%H:%M:%S.000-0700")
| eval duration_mins = ROUND((end_epoch - start_epoch)/60,2)
| table Agent_hostname alarm start end duration based on the known value of start and end values, compute the duration. But the key problem of mine is how to find the proper values of the start, and end! This problem is not being addressed by your proposal. Maybe, I should phrase my question as how to find the earliest start of an alarm and the time when it's being cleared. Below is my sketch of a solution, it may not be perfect, but I hope to show how the start and end might be computed outside of Splunk: ;; assume the symbol events is for the events of alarms in chronological order
(as-> (group-by :Agent_Hostname events) ; group the events by Agent_Hostname value
grouped-host
(map ; for each host
(fn [[host events-host]]
[host
(as-> (group-by ; group the events by alarm value
#(alarm-classification (% :alarm)) events-host) grouped-alarm
(map ; for each alarm
(fn [[alarm events-alarm]]
[alarm
(as->
(partition-by :status ; partition the events by same value of :status
events-alarm) x
(map first x) ; only take the first (the earliest) event of the same status)
(partition 2 x) ; combine the start and end events
(map start-end x))]) ; add the start and end time of an alarm event
grouped-alarm)
)])
grouped-host))
;; => (["m50-tc-ups.bart.gov"
;; (["upsAlarmOnBypass"
;; ({:start "2020-08-23T03:04:05.000-0700",
;; :end "2020-08-23T03:25:58.000-0700"})]
;; ["upsAlarmOnBattery"
;; ({:start "2020-08-23T03:07:16.000-0700",
;; :end "2020-08-23T03:10:31.000-0700"}
;; {:start "2020-08-23T03:19:06.000-0700",
;; :end "2020-08-23T03:24:28.000-0700"})]
;; ["upsAlarmInputBad"
;; ({:start "2020-08-23T03:07:16.000-0700",
;; :end "2020-08-23T03:10:32.000-0700"}
;; {:start "2020-08-23T03:19:06.000-0700",
;; :end "2020-08-23T03:24:28.000-0700"})]
;; ["upsAlarmLowBattery"
;; ({:start "2020-08-23T03:07:39.000-0700",
;; :end "2020-08-23T03:11:12.000-0700"}
;; {:start "2020-08-23T03:19:13.000-0700",
;; :end "2020-08-23T03:25:09.000-0700"})])])
... View more
