Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About MarcRiese
MarcRiese
Explorer
Member since:
06-22-2020
05-19-2021
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 06-22-2020 |
Activity Feed
- Posted Re: Fillnull versus !=none ??? on Splunk Search. 05-19-2021 01:42 AM
- Posted Fillnull versus !=none ??? on Splunk Search. 05-18-2021 11:18 PM
- Tagged Fillnull versus !=none ??? on Splunk Search. 05-18-2021 11:18 PM
- Tagged Fillnull versus !=none ??? on Splunk Search. 05-18-2021 11:18 PM
- Karma Re: finding alerts (saved searchs) based on alarm IDs or other event contents for richgalloway. 10-08-2020 12:43 AM
- Posted finding alerts (saved searchs) based on alarm IDs or other event contents on Splunk Search. 10-06-2020 04:47 AM
- Karma Re: How to request cancellation of a question for richgalloway. 10-06-2020 04:24 AM
- Posted Re: inputlookup in search macro generates error message on Splunk Search. 06-23-2020 11:09 PM
- Posted Re: inputlookup in search macro generates error message on Splunk Search. 06-23-2020 12:23 AM
- Posted Re: inputlookup in search macro generates error message on Splunk Search. 06-22-2020 11:41 PM
- Posted inputlookup in search macro generates error message on Splunk Search. 06-22-2020 11:29 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-18-2021
11:18 PM
In an existing alert I found the following code: ... | fillnull Foo value="bar" | search Foo!=none … It seems that the result of the first line is that Foo always has a value. If that is so, then in which case could the second line have any effect? Does it really filters anything out? It seems that none is a reserved word in Splunk, but I was not able to find any definition of it in the Splunk reference manual. Any pointers to official Splunk documentation?
... View more
10-06-2020
04:47 AM
Usually I find an individual alert, i.e., a saved search, among a large number of alerts by searching for it by name. How can I find the individual alert that generates a known, specific alarm-ID, e.g. "file error 12345"? More generally, how does one find an alert, among a large number of alerts, based on the contents of the events it generates? Is there a way to find all alerts that generate alarm IDs containing a text, i.e. where the text is a substring of the complete alarm IDs. For example, all alerts that generate alarm IDs containing "file error"?
... View more
Labels
- Labels:
-
metadata
06-23-2020
11:09 PM
Hi Bowesmana, The leading pipe was the problem. Thanks for your great help! Much appreciated! Marc
... View more
06-23-2020
12:23 AM
PPS Now I understand what the appendcols error message is about. There is such a command in the search macro. It starts as follows: eval counter=0 | eval calculated_threshold = 390 | eval threshold_diff_percentage = 5 | appendcols [... ] | eval ... This code works without error when it was part of a saved search, but when I put the same code in a search macro I get the error "Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)."
... View more
06-22-2020
11:41 PM
P.S. If I put the inputlookup command in the search, just before the call to the search macro like this: inputlookup blabla4.csv | `blabla1(host="blabla2", mon-host="blabla3" )` Where the search macro now starts as follows: eval counter = 0 | .... Then when I attempt to search, I get the following error message: "Error in 'appendcols' command: You can only use appendcols after a reporting command (such as stats, chart, or timechart)." I don't understand this error message. What can I do to fix this?
... View more
06-22-2020
11:29 PM
My search consists solely of a call to a search macro. It looks like this: `blabla1(host="blabla2", mon-host="blabla3" )` The search macro starts as follows: | inputlookup blabla4.csv | eval counter=0 | ... I get an error message "Error in 'inputlookup' command. This command must be the first command of a search." Does this error message mean that Splunk does not support the use of inputlookup in a search macro?
... View more
Labels
- Labels:
-
lookup
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-19-2021
05:33 AM
|
