Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- About mcaulsc
mcaulsc
Path Finder
Member since:
08-17-2020
03-17-2026
Community Statistics
| Posts | 33 |
| Solutions | 1 |
| Karma Given | 4 |
| Karma Received | 4 |
| Member Since | 08-17-2020 |
Activity Feed
- Posted Re: search past escaped characters for an alert on Splunk Search. 03-18-2026 02:25 AM
- Posted search past escaped characters for an alert on Splunk Search. 03-17-2026 02:57 AM
- Posted Re: avoid join on Splunk Search. 06-02-2023 07:23 AM
- Posted Can I search without using join? on Splunk Search. 06-02-2023 04:35 AM
- Posted Re: condition match set tokens on input on Splunk Search. 03-17-2023 08:13 AM
- Posted How to condition match set tokens on input? on Splunk Search. 03-17-2023 04:19 AM
- Got Karma for Re: timechart active connections between start end end times. 10-20-2022 07:49 AM
- Posted Re: timechart active connections between start end end times on Splunk Search. 10-20-2022 07:44 AM
- Posted Re: How to make timechart active connections between start end end times? on Splunk Search. 10-19-2022 07:04 AM
- Posted Re: timechart active connections between start end end times on Splunk Search. 10-19-2022 01:42 AM
- Posted How to make timechart active connections between start end end times? on Splunk Search. 10-18-2022 09:20 AM
- Posted Re: join replacement with stats on Splunk Search. 12-01-2021 05:45 AM
- Posted Re: join replacement with stats on Splunk Search. 12-01-2021 04:48 AM
- Posted Re: join replacement with stats on Splunk Search. 11-30-2021 12:20 AM
- Posted Re: join replacement with stats on Splunk Search. 11-30-2021 12:17 AM
- Posted Re: join replacement with stats on Splunk Search. 11-29-2021 07:28 AM
- Posted join replacement with stats on Splunk Search. 11-29-2021 07:10 AM
- Posted generated field in chart on Splunk Search. 10-20-2021 02:04 AM
- Posted Re: Rename fields based on Token value on Splunk Search. 10-01-2021 02:14 AM
- Karma Re: Rename fields based on Token value for ITWhisperer. 10-01-2021 02:12 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-18-2026
02:25 AM
ok, I've found a way. I'm not extracting, just a standard search in spl, the full TEXT field has already been extracted as I said. TEXT=" +MYMSGIDI: An FFDC Incident has been created: \"java.io.IOException: EDC5133I No space left on device. 397\" at ffdc_26.03.15_04.30.06.0.log" a standard search seems to have an issue with anything after the escaped double quote. So: | search TEXT=*MYMSG* works fine but: | search TEXT=*EDC5133I* doesn't work. I got round it by searching the _raw instead and just setting a field for the error msg as I know what it is anyway. | search _raw="*EDC5133I*" | eval errmsg="EDC5133I No space left on device"
... View more
03-17-2026
02:57 AM
I'm trying to create an alert based on a field as shown below, I want to search for the EDC5133I text. However the TEXT filed used by search seems to end at the escaped ": +FFDC1015I: An FFDC Incident has been created: \ Full field is: TEXT=" +MYMSGIDI: An FFDC Incident has been created: \"java.io.IOException: EDC5133I No space left on device. 397\" at ffdc_26.03.15_04.30.06.0.log" Any ideas on how I can run a search for that value in the field?
... View more
Labels
- Labels:
-
subsearch
06-02-2023
07:23 AM
thanks, thats is what I have been attempting and I get to the stats point ok with 121k events returned but trying to get the data into a timechart is eluding me at the moment.
... View more
06-02-2023
04:35 AM
Hi, I'm looking to improve performance and avoid the subsearch_maxout issue with a join on two source types.
I'm joining on a one to many field 'Correlator', srctypeA has will have one unique entry for 'Correlator' and srctypeB has multiple entries. So when my search on srctypeA returns a value for Correlator I want to timechart by a field in records with matching Correlator in srctypeB.
So the current search below works, I'm looking for better performing options if anyone has any suggestions.
index=index1 sourcetype=srctypeA field1=ABC*
| join max=0 type=inner Correlator [ search index=index1 sourcetype=srctypeB ]
| timechart span=1d count by field2
... View more
03-17-2023
08:13 AM
Superb, been scratching my head on that one for a couple of hours. Thanks for the solution.
... View more
03-17-2023
04:19 AM
Hi, I seem to be having a mental block which maybe someone can help with.
I have an input dropdown which runs a query to populate values in the dropdown, depending on the value selected I want to set two more token. The condition match should be on the first 6 characters of the selected value, so if aaaaaa* set two new tokens and if aaaaab* set a different two. All tokens are then used in panels on the dashboard and should refresh each time the value in the dropdown is changed.
sample xml below that will hopefully give the idea.
<input type="dropdown" token="iptoken" searchWhenChanged="true"> <label>Apply Engine</label> <fieldForLabel>value</fieldForLabel> <fieldForValue>value</fieldForValue> <search> <query>index=ti-u_* sourcetype=$iptoken$ value=aaaaa** | table value |dedup value |sort value</query> <earliest>@y</earliest> <latest>now</latest> </search> <<change> <condition match="$iptoken$=="aaaaaa*""> <set token="newtoken1">newvalue1</set> <set token="newtoken2">newvalue2</set> </condition> <condition match="$iptoken$=="aaaaab*""> <set token="newtoken1">newvalue1</set> <set token="newtoken2">newvalue2</set> </condition> </change> </input>
thanks in advance
... View more
10-20-2022
07:44 AM
1 Karma
Thanks, Couple of new functions I not used yet in there, it certainly produces a timechart. I just need to reduce the data and try and validate what I see with the data. Thanks for your time and the solution.
... View more
10-19-2022
07:04 AM
Hi, In the data there is nothing else, of that type, lots of other connection data but not that would help us, it is essentially a dataset of records cut at socket termination. Each report would be for limited ports, 1 normally maybe 3 in unusual circumstances, but code for 1 would work. Dataset size to be honest no idea, I don't manage that, but I'd guess up to 1GB.
... View more
10-19-2022
01:42 AM
Hi, Connections can be distinguished by PORT in this example. So the count would be any records that have started before or during the interval but not terminated. Sample data: PORT CONSTA CONEND 55300 2022-10-15 07:33:40.919446 2022-10-19 07:25:46.440451 55300 2022-10-15 07:33:57.704310 2022-10-19 07:17:45.082410 55300 2022-10-15 07:34:39.447813 2022-10-19 07:25:42.237149 55300 2022-10-15 07:34:48.125852 2022-10-19 07:38:46.745400 55300 2022-10-15 07:34:55.561466 2022-10-19 07:33:44.027628 55300 2022-10-15 07:48:57.706834 2022-10-19 07:17:45.086782 55300 2022-10-15 07:57:37.375340 2022-10-19 07:24:24.382886 55300 2022-10-15 08:01:05.756897 2022-10-19 06:50:45.339550 55300 2022-10-15 08:02:24.329066 2022-10-19 07:22:37.247145 55300 2022-10-15 08:21:32.202534 2022-10-19 06:46:35.348080 55300 2022-10-15 08:44:39.721370 2022-10-19 07:38:46.746090 55300 2022-10-15 08:59:03.215559 2022-10-19 07:39:39.372292 55300 2022-10-16 15:08:47.255462 2022-10-19 07:24:24.353308 55300 2022-10-16 17:37:33.308594 2022-10-19 06:50:45.328513 55300 2022-10-17 10:00:11.261248 2022-10-18 10:00:12.426608
... View more
10-18-2022
09:20 AM
Hi,
Any thoughts appreciated.
I have some connection data captured at connection termination, it has connection start and end times. CONSTA and CONEND in the format "2022-10-18 15:40:00.000000". What I'd like to do is timechart in say 5 minute intervals the number of connections that were active in those intervals. So all connections in an interval 15:40 - 15:45 that had started but not terminated and repeat that across the timechart so 15:45 - 15:50 etc. Hopefully that make sense.
Thanks in advance Steve
... View more
Labels
- Labels:
-
timechart
12-01-2021
05:45 AM
oh that's a good one, will tuck that away for future reference, thanks. I'm close, I just can't get the span to work in the timechart, will span correctly for periods where there are no events showing 0, but events appear individually rather than counted over the span period. index=ti-p_ibmzos (sourcetype=source_one servername=ABC*) OR (sourcetype=source_detail) sysplex=XYZ | stats dc(sourcetype) AS sourcetypeCount values(*) AS * BY Correlator | where sourcetype="source_one" | eval NewTime=strptime(sample_time,"%Y-%m-%d %H:%M:%S") | eval _time=NewTime | timechart span=5m count by sample_name _time name_one name_two 2021-12-01 08:36:28 1 1 2021-12-01 08:36:29 1 1 2021-12-01 08:44:16 1 1 2021-12-01 08:44:18 1 1 2021-12-01 08:49:59 1 1 2021-12-01 08:50:01 1 1 2021-12-01 09:01:31 1 1
... View more
12-01-2021
04:48 AM
One additional bit of information, the Correlator is a 1 to many relationship, so one entry in source_one and many entries in source_detail
... View more
11-30-2021
12:20 AM
Hi, Yes thanks, read through that, or at least a copy of the same from a different conference I suspect. I think if I can work this one query out then I should be ok to convert some other joins which make a dashboard quite expensive. Just struggling on building the right stats results to chart correctly. Regards Steve
... View more
11-30-2021
12:17 AM
Thanks, SampleTime is only in source_detail. The common field is Correlator and I only want events where the Correlator is for servername=xyz*. I then want to count the number of events for SAMPLE_NAME per minute in source_detail where Correlator matches what we returned from source_one. so what I want out is : _time (derived from SampleTime) name1 name2 etc 2021-11-29 20:04:00 0 5 2021-11-29 20:05:00 2 1 etc.
... View more
11-29-2021
07:28 AM
Thanks, That doesn't filter by 'servername' at any point though? Also I need to use the time in the BY clause otherwise it doesn't group correctly. regards Steve
... View more
11-29-2021
07:10 AM
OK, I'm trying to improve performance by replacing some join queries with stats, but struggling on a filter. I have the below query, two source types where the common field between events is 'Correlator' . In source_one I have fields 'Correlator', 'sysplex' and 'servername'. In source_detail I have 'Correlator', 'sysplex' and multiple other fields, the one for this data is Sample_NAME. 'servername' in source_one could have multiple values and I want to filter on a match so search servername=xyz* I've tried a number of ways and I can't seem to manage to limit results to a filter on 'servername' without losing everything else, 'sysplex' which is in both sourcetypes filters just fine. Any thoughts would be appreciated. index=my_index sourcetype=source_one OR sourcetype=source_detail sysplex=ABC* | stats values(SAMPLE_NAME) AS SampleName values(SAMPLE_TIME) AS SampleTime by Correlator,SampleTime | eval _time=strptime(SampleTime,"%Y-%m-%d %H:%M:%S.%N") | timechart span=1m count by SampleName
... View more
10-20-2021
02:04 AM
Hi, I have data with field names in the format: h00m00 h00m15 h00m30 h00m45 h01m00 .. thru h23m45 I'd like to pull the 'h' value from a drop down and use that in a chart command , so eval hh=substr('04:00:00',1,2) from the current token in the drop down should give me 04. Then somehow chart just the h04* fields so I can focus on a specific hour as below where I hardcoded the h04* | chart sum(h04*) by edate if anyone has any ideas I'd be grateful.
... View more
Labels
- Labels:
-
chart
10-01-2021
02:14 AM
That's it, excellent and I can pull them into a table etc with a generic. Thanks for the solution and also the explanations.
... View more
10-01-2021
01:07 AM
so what I really want is something equivalent to IF .... THEN DO If app =app1 then Do rename fld1 as newname1 rename fld2 as newname2 rename field3 as newname11 End If app =app2 then Do rename fld1 as newnameA rename fld2 as newnameB rename field3 as newnameYY End Hopefully that makes more sense.
... View more
10-01-2021
12:53 AM
ah, I see now, thanks for the explanation, I got that working and that will be useful. My example was a bit too literal I think where I masked names. What I'm actually after is a complete rename so: when app=="appA" rename "fld1" as "newname1", rename "fld2" as "newname2", rename "fld3" as "newname11"
... View more
09-30-2021
06:08 AM
sorry, will have to walk me through the : [| eval {app}<<FIELD>> = <<FIELD>>] what is that doing and how would that handle multiple values for app?
... View more
09-30-2021
02:23 AM
Hi, I have some data which spans multiple systems example below: "system" "app" "fld1" "fld2" "fld3" sys1 appA 1 0 0 sys1 appA 0 0 0 sys1 appB 0 1 What I'm trying to do is create a generic dashboard so I would need to rename the fields based on the "app" value. So something similar to: when app=="appA" rename "fld1" as "appAfld1", rename "fld2" as "appAfld2" when app=="appB" rename "fld1" as "appBfld1" Then in a table only show the renamed fields, so a conditional table statement again based on the "app" value. Any ideas on how/if that can be achieved? Alternately I just create separate dashboards but a lot of repetition in that so I suspect there is a way to do it. Thanks in advance for any ideas.
... View more
Labels
- Labels:
-
fields
09-17-2021
06:57 AM
That's the one, been tying myself in knots with this for far longer than I should and ended up down regex rabbit holes that I didn't need to be down. Many thanks for the help.
... View more
09-17-2021
06:50 AM
thanks, that gets me a list of all the possible values in pos 5 for 2. What I want is the whole value if I have a match. so if I have AAAABBCC I have a match on BB in pos5,2 so return AAAABBCC
... View more
09-17-2021
06:35 AM
Hi, in anything else this would seem very simple but I seem to be flummoxed trying to do this in splunk. Probably not helped by having zero regex knowledge. I have a field that has values in the format: AAAABBCC I want to return all values that have BB in position 5, if anyone could be so kind as to provide a sample I can then pull it apart and try and work out how it does it. Thanks.
... View more
Labels
- Labels:
-
regex
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-17-2026
02:53 AM
|
