Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About Taruchit
Taruchit
Contributor
Member since:
06-29-2020
08-29-2024
Community Statistics
| Posts | 193 |
| Solutions | 1 |
| Karma Given | 46 |
| Karma Received | 7 |
| Member Since | 06-29-2020 |
Activity Feed
- Posted How to get searches with time range as All Time? on Splunk Search. 08-29-2024 11:06 AM
- Got Karma for Re: Can we run parallel writes in lookup file?. 08-12-2024 09:23 AM
- Posted Re: Can we run parallel writes in lookup file? on Splunk Search. 08-12-2024 08:51 AM
- Karma Re: Can we run parallel writes in lookup file? for isoutamo. 08-12-2024 08:51 AM
- Karma Re: Can we run parallel writes in lookup file? for gcusello. 08-12-2024 08:51 AM
- Karma Re: Can we run parallel writes in lookup file? for richgalloway. 08-12-2024 08:43 AM
- Posted Can we run parallel writes in lookup file? on Splunk Search. 08-12-2024 06:54 AM
- Posted How to access jira tickets beyond 100 in Splunk? on Getting Data In. 05-22-2024 10:21 AM
- Posted Re: How to resolve SPL fetching more number of data points for indexed data than event data? on Splunk Search. 02-15-2024 05:26 AM
- Posted Re: How to resolve SPL fetching more number of data points for indexed data than event data? on Splunk Search. 02-15-2024 04:57 AM
- Karma Re: How to resolve SPL fetching more number of data points for indexed data than event data? for ITWhisperer. 02-15-2024 04:57 AM
- Karma Re: How to resolve SPL fetching more number of data points for indexed data than event data? for ITWhisperer. 02-15-2024 04:56 AM
- Karma Re: How to resolve SPL fetching more number of data points for indexed data than event data? for ITWhisperer. 02-15-2024 04:56 AM
- Posted Re: How to resolve SPL fetching more number of data points for indexed data than event data? on Splunk Search. 02-15-2024 04:38 AM
- Posted Re: How to resolve SPL fetching more number of data points for indexed data than event data? on Splunk Search. 02-15-2024 04:07 AM
- Posted How to resolve SPL fetching more number of data points for indexed data than event data? on Splunk Search. 02-14-2024 10:38 AM
- Posted Re: Drilldown not working on some of the trellis results on Dashboards & Visualizations. 01-17-2024 04:53 AM
- Posted Re: Drilldown not working on some of the trellis results on Dashboards & Visualizations. 01-17-2024 03:10 AM
- Posted Re: Drilldown not working on some of the trellis results on Dashboards & Visualizations. 01-16-2024 07:59 AM
- Posted Re: Drilldown not working on some of the trellis results on Dashboards & Visualizations. 01-16-2024 06:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
08-29-2024
11:06 AM
Hello All, I need to search for SPLs having time range as All time. I used the below SPL:- index=_audit action=search provenance=* info=completed host IN (...)
|table user, apiStartTime, apiEndTime, search_,et, search_lt, search
|search apiStartTime='ZERO_TIME' OR apiEndTime='ZERO_TIME'
|convert ctime(search_*) I get results with apiStartTime as Empty apiEndTime as 'ZERO_TIME' search_et 07/31/2024 00:00:00 search_lt 08/29/2024 13:10:58 Thus, how do I interpret the above results and how do I modify the SPL to fetch correct results? Thank you Taruchit
... View more
Labels
- Labels:
-
fields
08-12-2024
08:51 AM
1 Karma
Hi @gcusello, Thank you for sharing your inputs. I have a report which fetches last seen timestamp of hosts across multiple indexes. I store the results in lookup file, and then use the lookup file as a bounded static source from where we can read the results in other reports and dashboards as required. It helps me with two scenarios: - 1. If the report that generates results fails because of some reason, and as the result the downstream dashboards and reports that consume the data will also get impacted. And I will need to wait for Operations team to help with the issue or wait until the report runs again and hope that it runs successfully in the next execution. 2. Since I am referring a lookup file, the fetching and searching of records in SPLs written for reports and dashboards get faster. Please share if you have any views to consider and improve. Thank you
... View more
08-12-2024
06:54 AM
Hello All,
I have a lookup file which stores data of hosts across multiple indexes.
I have reports which fetch information of hosts from each index and updates the records in lookup file.
Can I run parallel search for hosts related to each index and thus parallelly update the same lookup file?
Or is there any risk of performance, consistency of data?
Thank you
Taruchit
... View more
05-22-2024
10:21 AM
Hello All, I am using | jirarest to fetch tickets from JIRA search results to Splunk. In JIRA I have around 300 tickets, but when I try to fetched in Splunk only 50 are returned. I tried to add maxResults=1000, but I got 100 tickets. I tried to search about it and found in JIRA cloud if we have more than 100 items to return, we have to iterate through them in batches using startAt. But, the challenge is I am unable to find any way of running the iteration since I only get 50 tickets and not more on which I could run the iteration. Thus, I need your guidance on how to build a solution or workaround in Splunk to fetch all tickets. Thank you Taruchit
... View more
Labels
02-15-2024
05:26 AM
@ITWhisperer : Just to get your last word on this, the SPL I have shared in description is correct in your view to get event data points and index data points for each hour, given that due to delay ingestion we will see different patterns? Thank you
... View more
02-15-2024
04:57 AM
Thank you @ITWhisperer for sharing your inputs.
... View more
02-15-2024
04:38 AM
Thank you @ITWhisperer for your detailed inputs. I have different types of data sources to monitor. The one I observed and and shared is of AWS Key Management Service, where we write logs when the Key management service calls an AWS service on behalf of application (or user). Thus, please help to confirm if the approach you shared to compute and compare index datapoint counts at successive hours will enable better understanding of data ingestion issues in Splunk? And in that approach does event datapoint counts have any application or usage? Thank you
... View more
02-15-2024
04:07 AM
Hello @ITWhisperer, Thank you for your response. If I take duration of last 10 days, for some hours I get more index data points than event data points, and over the time it changes to more event data points to index data points. Additionally, there is no clear cyclic pattern observed during the day when this change happens, that some duration of time former is observed and some other duration latter is observed. The problem I am trying to solve is to identify potential data ingestion issue that may exist with respect to a given data source. That is the anticipated pattern would have event data points and indexed data points closely follow same pattern and the event data points volume will be slightly greater than or equal to indexed data points. But, when the event data points pattern and indexed data points pattern are not same over the same period of time or we may have more number of indexed data points than event data points, that is when the issue may be occurring. This is the problem I am trying to identify at run time or close to run time and later address with respect to each data source. Please share if the above helps to answer your questions to seek more guidance on the topic. Thank you
... View more
02-14-2024
10:38 AM
Hello All, I have the below SPL to compare hourly event data and indexed data to find if they follow similar pattern and if there big gap. |tstats count where index=xxx sourcetype=yyy BY _indextime _time span=1h
|bin span=1h _indextime as itime
|bin span=1h _time as etime
|eventstats sum(count) AS indexCount BY itime
|eventstats sum(count) AS eventCount BY etime
|timechart span=1h max(eventCount) AS event_count max(indexCount) AS index_count However, when I compare hourly results, I get more number of data points in indexed data than event data. Thus, can you please guide to resolve the problem. Thank you Taruchit
... View more
01-17-2024
04:53 AM
Thank you @jkat54 for sharing your inputs. Strangely, its just that expression that leads to such issue. Like when I try to remove characters from the string one by one, the drilldown works.
... View more
01-17-2024
03:10 AM
Hello @ITWhisperer, I appended the values of trellis data with string ":windows_infrastructure_data:", and the drilldown stopped working for all trellis charts. If I replace it with ":windows_infrastructure_data" or with "windows_infrastructure_data:", the drilldown works well. Thus, do you know if there is anything in the above expression I may have not observed yet but has the potential to cause blocking of drilldown? Thank you
... View more
01-16-2024
07:59 AM
Hello @jkat54, Thank you for your inputs. I referred to below list but it didn't help to get the result: - Thank you
... View more
01-16-2024
06:40 AM
Hello @ITWhisperer, Thank you for your response. There is no distinct observation about the value of the chart on which drilldown does not take place. Moreover, on the chart where issue occurs, when I click over it with mouse, no further activity occurs. I replaced trellis.value with trellis.value|u, refreshed the dashboard, but it still works only for 2 out of 3 visuals from the trellis. Thank you
... View more
01-16-2024
05:36 AM
I have a very strange observation, the above issue occurs when I am passing the token value to another dashboard. I tried to clone the existing panel, selected Manage tokens on this dashboard, defined a new token name with value $trellis.value$. Then passed the token in the header of the same panel. Thus, now when I click over any of the three trellis results, it does give me the respective value of the token in the panel header.
... View more
01-16-2024
04:59 AM
Hello All, I have a dashboard with trellis layout in the panel. I need to drilldown based on the dynamic values for which trellis is generated. The challenge is out of three charts that trellis gives, the drilldown works on two of them. On the third one, no action happens when I click over the chart. <row>
<panel>
<title>
<chart>
<search>
<query>index=...
</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
<sampleRatio>1</sampleratio>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">collapsed</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.overlayFields">median_count</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">none</option>
<option name="charting.lineWidth">2</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">1</option>
<option name="trellis.scales.shared">0</option>
<option name="trellis.size">small</option>
<drilldown>
<link target="_blank">/xxx/yyy/zzz?test_Tok=$trellis.value$</link>
</drilldown>
</chart>
</panel>
</row> The trellis gives vertical column charts arranged one after the other horizontally. Thus, your inputs to resolve the issue will be very helpful. Thank you Taruchit
... View more
Labels
01-08-2024
06:19 AM
Thank you for sharing your inputs.
... View more
01-08-2024
05:51 AM
Hello @PickleRick, Thank you for your inputs. It helped to resolve the issue. It would be very helpful if you could share how the use of prestats helped in this case so that its usage becomes more clear to understand. Thank you Taruchit
... View more
01-08-2024
04:27 AM
1 Karma
Hello All, I need to fetch the dates in the past 7 days where events are lesser than average event count. I used the below SPL: - |tstats count where index=index_name sourcetype=xxx BY _time span=1d
|eventstats avg(count) AS avg_count However, in scenario where on a particular day no events are ingested, the result skips those dates, that is does not return the dates with event count as zero. For example: It skips showing the highlighted rows in the below table: - _time count avg_count 2024-01-01 0 240 2024-01-02 240 240 2024-01-03 0 240 2024-01-04 0 240 2024-01-05 240 240 2024-01-06 240 240 2024-01-07 0 240 And gives below as the result: - _time count event_count 2024-01-02 240 240 2024-01-05 240 240 2024-01-06 240 240 Thus, need your guidance to resolve this problem. Thanking you Taruchit
... View more
12-01-2023
09:14 AM
Hello All, Do we have any method or workaround to export results of trellis layout in the visualization of dashboard to exported PDF? Any suggestions, inputs will be very helpful. Thank you Taruchit
... View more
Labels
11-21-2023
06:56 AM
Hello @ITWhisperer, Thank you for your response. Can you please help with example of how to write the code? |inputlookup myTable.csv
|where _time=relative_time(now(),"-1d@d") Now I need to apply the regular expression on fieldA and store the extracted data from each row in field: res. It would be very helpful if you could help. Thank you
... View more
11-21-2023
06:28 AM
Hello All, I have a lookup file with multiple fields. I am reading it using inputlookup command and implementing some filters. Now I need to apply regex on a field and extract the corresponding matched string from each row of the lookup into a separate field. The regex is: xxx[\_\w]+:([a-z_]+) Thus, I need your guidance and inputs to build the same. Thank you Taruchit
... View more
Labels
- Labels:
-
eval
-
field extraction
-
fields
-
lookup
-
regex
11-21-2023
03:15 AM
Thank you @PickleRick for your inputs. I was able to build my solution using it as below: - index=custom_index
earliest=-4w@w latest=@d
|search
[
|inputlookup append=true table1.csv
|where relative_time(now(),"-1d@d")
|dedup fieldA
|where fieldB<fieldC
|fields + fieldA
|fields - _time
]
|bin span=1d _time
|stats sum(xxx) AS xxx BY fieldA _time
|eventstats median(xxx) AS median_xxx BY fieldA
... View more
11-16-2023
04:39 AM
Hi @PickleRick, I have an index with multiple fields. I need to plot the timechart for values based on fieldA. However, I need to pick the selected values based on a search condition from lookup file for fieldA and plot their timechart using the data fetched from the index. Please share if the above explains the case or if you need any more details. I was able to build multiple timecharts using the SPL shared, however, I need to add statistical value like median or mean in each timechart and I am looking for help on the same. Thank you
... View more
11-16-2023
04:19 AM
| used the below approach so far it seemed to have worked. But if I want to compute statistics like mean, median, that does not seem to work. index=custom_index
earliest=-4w@w latest=@d
|search
[
|inputlookup append=true table1.csv
|where relative_time(now(),"-1d@d")
|dedup fieldA
|where fieldB<fieldC
|fields + fieldA
|fields - _time
]
|timechart span=1d sum(xxx) AS xxx BY fieldA To visualize each timechart separately, I used Trellis option in Visualization. Thus, if you can help if there is more better method to achieve the result it would be very helpful. And if you could help on computing statistical values such as mean, median in each timechart, that would be very helpful. Thank you
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-29-2024
04:45 PM
|
Karma from
Karma given to
