Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About benhooper
benhooper
Communicator
Member since:
08-10-2020
11-25-2020
Community Statistics
| Posts | 66 |
| Solutions | 8 |
| Karma Given | 14 |
| Karma Received | 4 |
| Member Since | 08-10-2020 |
Activity Feed
- Posted Re: Colour-coded columns from stats avg by field on Dashboards & Visualizations. 11-24-2020 05:32 AM
- Karma Re: Colour-coded columns from stats avg by field for to4kawa. 11-24-2020 05:32 AM
- Posted Colour-coded columns from stats avg by field on Dashboards & Visualizations. 11-12-2020 08:13 AM
- Posted Re: appendcols subsearch skewing timestamps in some circumstances on Splunk Search. 11-12-2020 06:58 AM
- Karma Re: appendcols subsearch skewing timestamps in some circumstances for richgalloway. 11-12-2020 06:58 AM
- Posted Re: appendcols subsearch skewing timestamps in some circumstances on Splunk Search. 11-12-2020 01:04 AM
- Posted Re: appendcols subsearch skewing timestamps in some circumstances on Splunk Search. 11-11-2020 08:39 AM
- Posted appendcols subsearch skewing timestamps in some circumstances on Splunk Search. 11-11-2020 03:03 AM
- Karma Unable to index data to splunk using add-on builder modular input method though the event shows in output console for suryajagarapu. 11-03-2020 06:30 AM
- Got Karma for Re: Splunk Enterprise 8.0.4.1 on Ubuntu 20.04LTS single user instance: Emails fail with 'ResourceNotFound' error on aler. 10-22-2020 02:57 PM
- Posted Re: Alert emails via Office 365 on Alerting. 10-22-2020 01:16 AM
- Posted Re: Splunk Enterprise 8.0.4.1 on Ubuntu 20.04LTS single user instance: Emails fail with 'ResourceNotFound' error on aler on Alerting. 10-21-2020 09:12 AM
- Got Karma for Re: Splunk Enterprise 8.0.4.1 on Ubuntu 20.04LTS single user instance: Emails fail with 'ResourceNotFound' error on aler. 10-21-2020 08:19 AM
- Posted Re: Alert emails via Office 365 on Alerting. 10-21-2020 08:10 AM
- Posted Re: Splunk Enterprise 8.0.4.1 on Ubuntu 20.04LTS single user instance: Emails fail with 'ResourceNotFound' error on aler on Alerting. 10-21-2020 08:06 AM
- Posted Re: Splunk Enterprise 8.0.4.1 on Ubuntu 20.04LTS single user instance: Emails fail with 'ResourceNotFound' error on aler on Alerting. 10-21-2020 07:38 AM
- Posted Re: Alert emails via Office 365 on Alerting. 10-21-2020 07:29 AM
- Posted Alert emails via Office 365 on Alerting. 10-21-2020 03:52 AM
- Posted Re: Splunk Enterprise 8.0.4.1 on Ubuntu 20.04LTS single user instance: Emails fail with 'ResourceNotFound' error on aler on Alerting. 10-21-2020 03:17 AM
- Got Karma for Re: Splunk Enterprise 8.0.4.1 on Ubuntu 20.04LTS single user instance: Emails fail with 'ResourceNotFound' error on aler. 10-20-2020 12:47 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-09-2024
01:10 AM
OK. I added an idea https://ideas.splunk.com/ideas/EID-I-2471 Feel free to upvote and/or comment
... View more
06-26-2023
06:45 AM
Done: How to change a Simple XML table height when no re... - Splunk Community
... View more
03-10-2022
02:12 PM
Yes, permissions can get pretty messy. This also happens if Splunk is normally run by the Splunk user but is then started from root (usually using sudo).
... View more
11-24-2020
01:19 PM
work around: | makeresults
| eval _raw="severity,time_diff_avg
high,9.09
low,9.08
medium,19.51"
| multikv forceheader=1
| table severity time_diff_avg
| rex "(?<comment>(?# the logic))"
| xyseries severity severity time_diff_avg
| table severity high medium low It's the only way to be satisfied with everything you want to do.
... View more
11-12-2020
07:37 AM
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
... View more
09-14-2020
08:09 AM
I added the following lines to the Python script: pythonversion = str(sys.version_info[0]) + "." + str(sys.version_info[1]) + "." + str(sys.version_info[2])
helper.log_info("collect_events() triggered. Currently running Python version {}.".format(pythonversion)) From this, I discovered that the app was being run in Python version 2.7 but it was designed for Python version 3. I: Added the line python.version = python3 under the section [general] in file /opt/splunk/etc/system/local/server.conf Removed the app with command sudo /opt/splunk/bin/splunk remove app <appName> which deleted the index(es). Deleted the app's KV store with command sudo /opt/splunk/bin/splunk clean kvstore -app <appName> (just in case) Restarted Splunk. Reinstalled the app. The REST API then worked as expected.
... View more
09-09-2020
01:28 AM
I found that it's only the Events Table that has a permanent _time column so I simply used a Statistics Table instead.
... View more
09-08-2020
11:25 PM
Hi @benhooper, Good for you. Ciao and happy splunking. Giuseppe P.S. Karma Points are appreciated by all the contributors 😉
... View more
09-01-2020
03:02 AM
I'd like to be able to do this too. Did anyone ever find a solution?
... View more
08-20-2020
07:37 AM
I've made the following multi-series line chart (details) where it makes much more sense to have the Y axis on the right-hand side as that's where the most recent values are charted: Unfortunately, I can't see a way to do this. The most common recommendation that I've found is to use an overlay but it seems that that's incompatible with multi-series mode. Can anyone help?
... View more
08-19-2020
03:39 AM
1 Karma
Building off of my last solution, I've also managed to create a kind of "client alerts by severity over time" dashboard. Full XML source below: <form>
<label>Overview</label>
<fieldset submitButton="false">
<input type="time" token="TimePicker">
<label>Time range</label>
<default>
<earliest>-24h@h</earliest>
<latest>now</latest>
</default>
</input>
</fieldset>
<row>
<panel>
<single>
<title>Time range</title>
<search>
<query>| makeresults
| addinfo
| eval range_start = strftime(info_min_time,"%Y/%m/%d %H:%M"), range_end = strftime(info_max_time,"%Y/%m/%d %H:%M")
| eval now = strftime(now(),"%Y/%m/%d %H:%M")
| eval range = case(info_min_time == 0 AND match(info_max_time, "Infinity"), "All-time (last updated " . now . ")", info_min_time != 0 AND NOT match(info_max_time, "Infinity"), range_start . " to " . range_end)
| table range</query>
<earliest>$TimePicker.earliest$</earliest>
<latest>$TimePicker.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>5s</refresh>
<refreshType>delay</refreshType>
</search>
<option name="colorBy">value</option>
<option name="colorMode">none</option>
<option name="drilldown">none</option>
<option name="height">74</option>
<option name="numberPrecision">0</option>
<option name="refresh.display">progressbar</option>
<option name="showSparkline">1</option>
<option name="showTrendIndicator">1</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<option name="trendColorInterpretation">standard</option>
<option name="trendDisplayMode">absolute</option>
<option name="unitPosition">after</option>
<option name="useColors">0</option>
<option name="useThousandSeparators">1</option>
</single>
</panel>
</row>
<row>
<panel>
<title>Client #1</title>
<html>
<style>
/* Styling for high line */
.highcharts-series-0 text {
font-size: 25px !important;
font-weight: bold !important;
fill: #DF4D58 !important;
}
.highcharts-series-0 path {
stroke-width: 4px;
}
/* Styling for medium line */
.highcharts-series-1 text {
font-size: 20px !important;
font-weight: bold !important;
fill: #FFBB4B !important;
}
.highcharts-series-1 path {
stroke-width: 3px;
}
/* Styling for low line */
.highcharts-series-2 text {
font-size: 15px !important;
font-weight: bold !important;
fill: #3391FF !important;
}
.highcharts-series-2 path {
stroke-width: 2px;
}
/* Styling for bottom grid lines */
.highcharts-yaxis-grid path:first-of-type, .highcharts-axis-line {
stroke: black !important;
}
</style>
</html>
<chart>
<search>
<query>index="<client #1>"
| dedup case_id, status sortby -_time
| reverse
| eval openClosed = case(match(status, "new|in_progress"), "Open", match(status, "resolved_other|resolved_auto"), "Closed")
| streamstats current=f last(status) as lastStatus by case_id
| eval firstEvent = if(openClosed == "Open" AND isnull(lastStatus), "True", "False")
| eval lastEvent = if(openClosed == "Closed", "True", "False")
| where firstEvent == "True" OR lastEvent == "True"
| dedup case_id, openClosed sortby -_time
| append [| makeresults | eval _time = 0, low_alert_count = 10000, med_alert_count = 10000, high_alert_count = 10000, openClosed = "Closed"]
| eval _time = if(status == "new", strptime(creation_time, "%Y/%m/%d %H:%M:%S"), _time)
| append [| makeresults | addinfo | eval _time = info_min_time]
| append [| makeresults | addinfo | eval _time = info_max_time]
| sort by +_time
| eval low_alert_count_change = case(openClosed == "Open", "+" . low_alert_count, openClosed == "Closed", "-" . low_alert_count)
| streamstats sum(low_alert_count_change) as low_alert_count_open_raw
| streamstats min(low_alert_count_open_raw) as low_alert_count_open_min
| eval low_alert_count_open = case(low_alert_count_open_raw == low_alert_count_open_min, 0, low_alert_count_open_raw < 0 AND low_alert_count_open_raw > low_alert_count_open_min, low_alert_count_open_raw - low_alert_count_open_min, low_alert_count_open_raw > 0 AND low_alert_count_open_raw < low_alert_count_change, low_alert_count_change, 1=1, low_alert_count_open_raw)
| eval med_alert_count_change = case(openClosed == "Open", "+" . med_alert_count, openClosed == "Closed", "-" . med_alert_count)
| streamstats sum(med_alert_count_change) as med_alert_count_open_raw
| streamstats min(med_alert_count_open_raw) as med_alert_count_open_min
| eval med_alert_count_open = case(med_alert_count_open_raw == med_alert_count_open_min, 0, med_alert_count_open_raw < 0 AND med_alert_count_open_raw > med_alert_count_open_min, med_alert_count_open_raw - med_alert_count_open_min, med_alert_count_open_raw > 0 AND med_alert_count_open_raw < med_alert_count_change, med_alert_count_change, 1=1, med_alert_count_open_raw)
| eval high_alert_count_change = case(openClosed == "Open", "+" . high_alert_count, openClosed == "Closed", "-" . high_alert_count)
| streamstats sum(high_alert_count_change) as high_alert_count_open_raw
| streamstats min(high_alert_count_open_raw) as high_alert_count_open_min
| eval high_alert_count_open = case(high_alert_count_open_raw == high_alert_count_open_min, 0, high_alert_count_open_raw < 0 AND high_alert_count_open_raw > high_alert_count_open_min, high_alert_count_open_raw - high_alert_count_open_min, high_alert_count_open_raw > 0 AND high_alert_count_open_raw < high_alert_count_change, high_alert_count_change, 1=1, high_alert_count_open_raw)
| where _time != 0
| chart values(high_alert_count_open) as High, values(med_alert_count_open) as Medium, values(low_alert_count_open) as Low by _time</query>
<earliest>$TimePicker.earliest$</earliest>
<latest>$TimePicker.latest$</latest>
<sampleRatio>1</sampleRatio>
<refresh>30s</refresh>
<refreshType>delay</refreshType>
</search>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">collapsed</option>
<option name="charting.axisTitleY.visibility">collapsed</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.abbreviation">none</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.abbreviation">none</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.abbreviation">none</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">line</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">connect</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">1</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisEnd</option>
<option name="charting.legend.labels">[High, Medium, Low]</option>
<option name="charting.legend.mode">standard</option>
<option name="charting.legend.placement">right</option>
<option name="charting.lineWidth">2</option>
<option name="charting.seriesColors">[0xDF4D58, 0xFFBB4B, 0x3391FF]</option>
<option name="refresh.display">progressbar</option>
<option name="trellis.enabled">0</option>
<option name="trellis.scales.shared">1</option>
<option name="trellis.size">medium</option>
<drilldown>
<link target="_blank">/app/TA-myAppName/myAppName?form.AlertsOpen.earliest=$TimePicker.earliest$&form.AlertsOpen.latest=$TimePicker.latest$</link>
</drilldown>
</chart>
</panel>
</row>
</form>
... View more
08-14-2020
01:38 AM
I've achieved this with the following search: <base search>
| dedup case_id, status
| reverse
| streamstats current=f last(status) as lastStatus by case_id
| eval firstEvent = if((status == "new" OR status == "in_progress") AND isnull(lastStatus), "True", "False")
| eval lastEvent = if(match(status, "resolved"), "True", "False")
| where firstEvent == "True" OR lastEvent == "True"
| <other stuff>
... View more
08-13-2020
07:54 AM
As I detailed at https://community.splunk.com/t5/Splunk-Search/Case-open-count-and-trend-history/m-p/513894/highlight/false, this is a great solution but has one problem: it incorrectly handles the field "CURRENT" having a value of 0. To work around this, I simply used something like "| append [| makeresults | eval CURRENT = -10000] | reverse" which sets a baseline so low that CURRENT should never even get to 0 but everything else still works.
... View more
08-12-2020
02:24 AM
The following regex can be used to suppress any trailing substrings: (\d*)\+*(\d+):(\d+):(\d+)(.*)
... View more
08-11-2020
01:13 AM
I found: That it was actually the lack of events that was causing this. https://community.splunk.com/t5/Archive/Evaluate-if-there-are-no-search-results-or-events-for-a-field/m-p/437348/highlight/true#M78636 which recommended using makeresults so I replaced "append [| stats count as alert_count]" with "append [| makeresults | eval alert_count_total = 0]" which resolved the problem.
... View more
08-10-2020
08:01 AM
It seems that using streamstats in place of eventstats has achieved what I want as the average updates with each event.
... View more
- Tags:
- it
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
11-25-2020
06:41 AM
|
Karma given to
