×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
ITWhisperer
SplunkTrust
Member since: ‎08-18-2020
Community Statistics
Posts 11284
Solutions 2289
Karma Given 70
Karma Received 3361
Member Since ‎2020-08-18
Activity Feed
Topics I've Started
View All

Re: How to create a dashboard using the extracted ...

by SplunkTrust in Splunk Search
yesterday
yesterday
Just list the fields that you want after the table command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Table   ... View more

Re: How to create a dashboard using the extracted ...

by SplunkTrust in Splunk Search
Tuesday
Tuesday
You could try something like this | rex max_match=0 "(?m)(?<namevalue>(?<=(\]|,)\s).+?(?=\s\-\s)\s-\s[^,]+?(?=,|$))(,|$)" | mvexpand namevalue | rex field=namevalue "(?<name>.+?(?=\s\-\s))\s-\s(?<value>[^,]+?(?=,|$))" | eval {name}=value | stats values(*) as * by _raw ... View more

Re: How to create a dashboard using the extracted ...

by SplunkTrust in Splunk Search
Tuesday
Tuesday
Is this just one event or two or four? If four, how do you relate Request END to its corresponding Request BEGIN? What fields, if any, do you already have extracted? ... View more

Re: Slack Channel

by SplunkTrust in Knowledge Management
Monday
Monday
Try this splunkcommunity.slack.com ... View more

Re: distinct output from one splunk as input to an...

by SplunkTrust in Splunk Search
Monday
Monday
Updated response - you said 2d would be OK - essentially, the subsearch needs to be fewer than 50,000 events, so if 15d matches that requirement, then use 15d otherwise use a smaller amount (like 2d as you suggested). ... View more

Re: distinct output from one splunk as input to an...

by SplunkTrust in Splunk Search
Monday
Monday
The simplest way to do this (although perhaps not the most optimal) would be something like this (index=xxxx) orgName=xxx sourcetype=CASE(SourceB) earliest=-15d [search (index=xxxx) orgName=xxx sourcetype=CASE(SourceA) earliest=-2d uniqueIdentifier="Class.ClassName.MethodName*" | dedup SourceASqlId | rename SourceASqlId as SourceBSqlId | table SourceBSqlId] | table SourceBSqlText Bear in mind that subsearches are limited to 50,000 events ... View more

Re: Why does timewrap require timechart results?

by SplunkTrust in Splunk Search
a week ago
1 Karma
a week ago
1 Karma
If all these things were documented, there wouldn't be a need for Answers, Splunk Trust and .conf! 🤣 ... View more

Re: Why does timewrap require timechart results?

by SplunkTrust in Splunk Search
a week ago
2 Karma
a week ago
2 Karma
timewrap is looking for a hidden field called _span This should work | tstats count where index=my_index by _time span=1h | eval _span=3600 | timewrap 1w  This should give a warning index=my_index | timechart span=1h count | fields - _span | timewrap 1w ... View more

Re: dashboard

by SplunkTrust in Dashboards & Visualizations
a week ago
1 Karma
a week ago
1 Karma
Change the init block (solution updated) <init> <set token="rangeColors">"0x118832","0xd41f1f"</set> </init>   ... View more

Re: How to get a range of number?

by SplunkTrust in Splunk Search
a week ago
1 Karma
a week ago
1 Karma
Essentially, you need to do the hard work! First untable the stats from the timechart results, find each user's maximum, sort the results by maximum and user, then count the users and find the "middle 20", then convert back to chart format. index=os sourcetype=ps (tag=dcv-na-himem) NOT tag::USER="LNX_SYSTEM_USER" | timechart span=1m sum(eval(RSZ_KB/1024/1024)) as Mem_Used_GB by USER useother=false limit=0 | untable _time USER Mem_Used_GB | eventstats max(Mem_Used_GB) as max by USER | sort 0 max USER desc | streamstats dc(USER) as user_number | eventstats dc(USER) as total | where user_number > (total - 20)/2 and user_number < 20+((total - 20)/2) | xyseries _time USER Mem_Used_GB ... View more

Re: Error suppression

by SplunkTrust in Splunk AppDynamics
a week ago
a week ago
Still not sure what you are expecting from this forum. ... View more

Re: Error suppression

by SplunkTrust in Splunk AppDynamics
a week ago
a week ago
Can you or the customer change the application so it doesn't report the errors in the first place? ... View more

Re: dashboard

by SplunkTrust in Dashboards & Visualizations
a week ago
1 Karma
a week ago
1 Karma
<form version="1.1" script="solved3.js ,minor.js, warning.js , critical.js" theme="dark"> <label>SBC Monitoring</label> <init> <set token="rangeColors">"0x118832","0xd41f1f"</set> </init> <fieldset submitButton="false"> <input type="checkbox" token="srStatus"> <label>Status</label> <choice value="1">solved</choice> <choice value="0">unsolved</choice> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>solved=</valuePrefix> <delimiter> OR </delimiter> <default>0</default> <initialValue>1,0</initialValue> <change> <eval token="rangeColors">if(isnotnull(mvfind($form.srStatus$,"0")),"\"0x118832\",\"0xd41f1f\"","\"0x118832\",\"0x118832\"")</eval> </change> </input> </fieldset> <row> <panel> <title>MINOR EVENTS</title> <single> <search> <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_minor.csv``` | search $srStatus$ | stats count</query> <earliest>-30d@d</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="colorBy">value</option> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">[$rangeColors$]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> <drilldown> <set token="minor">minor</set> <unset token="major"></unset> <unset token="critical"></unset> <unset token="warning"></unset> </drilldown> </single> </panel> <panel> <title>MAJOR EVENTS</title> <single> <search> <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_major.csv``` | search $srStatus$ | stats count</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="colorBy">value</option> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">[$rangeColors$]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> <drilldown> <set token="major">major</set> <unset token="minor"></unset> <unset token="critical"></unset> <unset token="warning"></unset> </drilldown> </single> </panel> <panel> <title>CRITICAL EVENTS</title> <single> <search> <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_critical.csv``` | search $srStatus$ | stats count</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="rangeColors">[$rangeColors$]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> <drilldown> <set token="critical">critical</set> <unset token="major"></unset> <unset token="minor"></unset> <unset token="warning"></unset> </drilldown> </single> </panel> <panel> <title>WARNING EVENTS</title> <single> <search> <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_warning.csv``` | search $srStatus$ | stats count</query> <earliest>0</earliest> <latest></latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="rangeColors">[$rangeColors$]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> <drilldown> <set token="warning">warning</set> <unset token="major"></unset> <unset token="minor"></unset> <unset token="critical"></unset> </drilldown> </single> </panel> </row> <row> <panel> <title>MINOR ALERTS HISTORY</title> <chart> <search> <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=minor | stats count as Total by date | appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>MAJOR ALERTS HISTORY</title> <chart> <search> <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=major | stats count as Total by date</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>CRITICAL ALERTS HISTORY</title> <chart> <search> <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=critical | stats count as Total by date | appendpipe [ stats count | eval Message="No critical Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>WARNING ALERTS HISTORY</title> <chart> <search> <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=warning | stats count as Total by date | appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel depends="$minor$"> <title>Minor Events</title> <table id="sbc_minor_table"> <search> <query>| inputlookup sbc_minor.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA" ,IP == "10.20.41.90 ","DE-SLO",IP == "10.150.222.120","DE-BIE")</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel depends="$major$"> <title>Major Events</title> <table id="sbc_alarm_table"> <search> <query>| inputlookup sbc_major.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA" ,IP == "10.20.41.90 ","DE-SLO",IP == "10.150.222.120","DE-BIE")</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel depends="$critical$"> <title>Critical Events</title> <table id="sbc_critical_table"> <search> <query>| inputlookup sbc_critical.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA" ,IP == "10.20.41.90 ","DE-SLO",IP == "10.150.222.120","DE-BIE")</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel depends="$warning$"> <title>Warning Events</title> <table id="sbc_warning_table"> <search> <query>| inputlookup sbc_warning.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA" ,IP == "10.20.41.90 ","DE-SLO",IP == "10.150.222.120","DE-BIE")</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> ... View more

Re: Error suppression

by SplunkTrust in Splunk AppDynamics
a week ago
a week ago
So what are you looking to change? The application and the way it logs errors? ... View more

Re: dashboard

by SplunkTrust in Dashboards & Visualizations
a week ago
a week ago
Please clarify - if you have unsolved checked, it should be red if the count is greater than 0 but if it is 0 then the panel is green? Since you are using checkboxes, what do you want if both boxes are checked? ... View more

Re: Error suppression

by SplunkTrust in Splunk AppDynamics
a week ago
a week ago
There is insufficient information - what application, what errors, what logger, what customer? Please provide more detail about your usecase. ... View more

Re: dashboard

by SplunkTrust in Dashboards & Visualizations
a week ago
a week ago
If I understood correctly, you want red and green if unsolved is checked and green and red if unsolved is not checked? <form version="1.1" script="solved3.js ,minor.js, warning.js , critical.js" theme="dark"> <label>SBC Monitoring</label> <init> <set token="rangeColors">"0x118832","0xd41f1f"</set> </init> <fieldset submitButton="false"> <input type="checkbox" token="srStatus"> <label>Status</label> <choice value="1">solved</choice> <choice value="0">unsolved</choice> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>solved=</valuePrefix> <delimiter> OR </delimiter> <default>0</default> <initialValue>1,0</initialValue> <change> <eval token="rangeColors">if(isnotnull(mvfind($form.srStatus$,"0")),"\"0x118832\",\"0xd41f1f\"","\"0xd41f1f\",\"0x118832\"")</eval> </change> </input> </fieldset> <row> <panel> <title>MINOR EVENTS</title> <single> <search> <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_minor.csv``` | search $srStatus$ | stats count</query> <earliest>-30d@d</earliest> <latest>now</latest> <sampleRatio>1</sampleRatio> </search> <option name="colorBy">value</option> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">[$rangeColors$]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> <drilldown> <set token="minor">minor</set> <unset token="major"></unset> <unset token="critical"></unset> <unset token="warning"></unset> </drilldown> </single> </panel> <panel> <title>MAJOR EVENTS</title> <single> <search> <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_major.csv``` | search $srStatus$ | stats count</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="colorBy">value</option> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="numberPrecision">0</option> <option name="rangeColors">[$rangeColors$]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="showSparkline">1</option> <option name="showTrendIndicator">1</option> <option name="trellis.enabled">0</option> <option name="trellis.scales.shared">1</option> <option name="trellis.size">medium</option> <option name="trendColorInterpretation">standard</option> <option name="trendDisplayMode">absolute</option> <option name="unitPosition">after</option> <option name="useColors">1</option> <option name="useThousandSeparators">1</option> <drilldown> <set token="major">major</set> <unset token="minor"></unset> <unset token="critical"></unset> <unset token="warning"></unset> </drilldown> </single> </panel> <panel> <title>CRITICAL EVENTS</title> <single> <search> <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_critical.csv``` | search $srStatus$ | stats count</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="rangeColors">[$rangeColors$]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> <drilldown> <set token="critical">critical</set> <unset token="major"></unset> <unset token="minor"></unset> <unset token="warning"></unset> </drilldown> </single> </panel> <panel> <title>WARNING EVENTS</title> <single> <search> <query>| makeresults count=5 | eval solved=random()%2 ```| inputlookup sbc_warning.csv``` | search $srStatus$ | stats count</query> <earliest>0</earliest> <latest></latest> </search> <option name="colorMode">block</option> <option name="drilldown">all</option> <option name="rangeColors">[$rangeColors$]</option> <option name="rangeValues">[0]</option> <option name="refresh.display">progressbar</option> <option name="useColors">1</option> <drilldown> <set token="warning">warning</set> <unset token="major"></unset> <unset token="minor"></unset> <unset token="critical"></unset> </drilldown> </single> </panel> </row> <row> <panel> <title>MINOR ALERTS HISTORY</title> <chart> <search> <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=minor | stats count as Total by date | appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>MAJOR ALERTS HISTORY</title> <chart> <search> <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=major | stats count as Total by date</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>CRITICAL ALERTS HISTORY</title> <chart> <search> <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=critical | stats count as Total by date | appendpipe [ stats count | eval Message="No critical Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> <panel> <title>WARNING ALERTS HISTORY</title> <chart> <search> <query>index=sbc-logs RAISE-ALARM | dedup S | rex field=_raw ".*Severity:(?&lt;Severity&gt;\D+);" | rex field=_raw "\[Time:(?&lt;Time&gt;.*)]" | rex field=Time "(?&lt;date&gt;.*)@" | rex field=_raw "RAISE-ALARM:(?&lt;Alarm_Type&gt;\w+)" | rex max_match=0 field=_raw ": \[(?&lt;Region&gt;\w+)\]" | rex max_match=0 field=_raw "\[\w+\d\](?&lt;message&gt;[^;]+)" | table Alarm_Type Region message IP Severity Time date | search Severity=warning | stats count as Total by date | appendpipe [ stats count | eval Message="No Minor Alerts" | where count==0 | table Message | fields - Alarm_Type Region message IP Severity Time date] | transpose 0 | eval allnulls=1 | foreach row* [ eval allnulls=if(isnull('&lt;&lt;FIELD&gt;&gt;'),allnulls,0) ] | where allnulls=0 | fields - allnulls | transpose 0 header_field=column | fields - column</query> <earliest>0</earliest> <latest></latest> </search> <option name="charting.chart">column</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> <row> <panel depends="$minor$"> <title>Minor Events</title> <table id="sbc_minor_table"> <search> <query>| inputlookup sbc_minor.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA" ,IP == "10.20.41.90 ","DE-SLO",IP == "10.150.222.120","DE-BIE")</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel depends="$major$"> <title>Major Events</title> <table id="sbc_alarm_table"> <search> <query>| inputlookup sbc_major.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA" ,IP == "10.20.41.90 ","DE-SLO",IP == "10.150.222.120","DE-BIE")</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel depends="$critical$"> <title>Critical Events</title> <table id="sbc_critical_table"> <search> <query>| inputlookup sbc_critical.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA" ,IP == "10.20.41.90 ","DE-SLO",IP == "10.150.222.120","DE-BIE")</query> <earliest>-30d@d</earliest> <latest>now</latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> <row> <panel depends="$warning$"> <title>Warning Events</title> <table id="sbc_warning_table"> <search> <query>| inputlookup sbc_warning.csv | search $srStatus$ | eval Server_Name=case(IP == "10.2.96.35","US-SOU",IP == "10.82.10.245","KR-SEL",IP == "10.86.164.25","CN-SGH",IP == "10.86.68.25","CN-SHH",IP == "10.86.128.25","CN-SHA" ,IP == "10.20.41.90 ","DE-SLO",IP == "10.150.222.120","DE-BIE")</query> <earliest>0</earliest> <latest></latest> </search> <option name="drilldown">none</option> <option name="refresh.display">progressbar</option> </table> </panel> </row> </form> ... View more

Re: How to get a range of number?

by SplunkTrust in Splunk Search
a week ago
a week ago
Sorry - try with USER (instead of user) index=os sourcetype=ps (tag=dcv-na-himem) NOT tag::USER="LNX_SYSTEM_USER" ``` Calculate memory used by each user each minute ``` | timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=false ``` Convert to a table ``` | untable _time USER Mem_Used_GB ``` Find memory usage in range ``` | where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256 ``` Find top 20 ``` | sort 20 Mem_Used_GB desc ``` Convert back to chart format ``` | xyseries _time USER Mem_Used_GB ... View more

Re: How to get a range of number?

by SplunkTrust in Splunk Search
a week ago
a week ago
Is this what you mean? index=os sourcetype=ps (tag=dcv-na-himem) NOT tag::USER="LNX_SYSTEM_USER" ``` Calculate memory used by each user each minute ``` | timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=false ``` Convert to a table ``` | untable _time USER Mem_Used_GB ``` Find memory usage in range ``` | where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256 ``` Find top 20 ``` | sort 20 Mem_Used_GB desc ``` Convert back to chart format ``` | xyseries _time user Mem_Used_GB ... View more

Re: How to show the line when its value is NULL wi...

by SplunkTrust in Splunk Search
a week ago
a week ago
| addtotals fieldname=_total | where _total > 0 ... View more

Re: How to get a range of number?

by SplunkTrust in Splunk Search
a week ago
a week ago
Please clarify your requirement. Do you want the top 20 memory over the whole period used and which user that was and on which day? Or, do you want the top 20 users who used the most memory each day? Or, do you want the top 20 users who used the most memory over all and how much they used each day? Or something else? ... View more

Re: How to get a range of number?

by SplunkTrust in Splunk Search
a week ago
a week ago
You could add an untable index=os sourcetype=ps (tag=dcv-na-himem) NOT tag::USER="LNX_SYSTEM_USER" | timechart span=1m eval((sum(RSZ_KB)/1024/1024)) as Mem_Used_GB by USER useother=false | untable _time USER Mem_Used_GB | where Mem_Used_GB >= 128 AND Mem_Used_GB <= 256 | sort Mem_Used_GB desc | head 20 ... View more

Re: Run predict command for multiple disk in same ...

by SplunkTrust in Splunk Search
2 weeks ago
2 weeks ago
Assuming instance contains the disk you want to predict, you could try something like this index=main host="localhost" instance="C:" sourcetype="Perfmon:LogicalDisk" counter="% Free Space" | eval instance=substr(instance,0,1) | timechart min(value) as "Used Space" by instance | appendpipe [| fields _time C | where isnotnull(C) | predict C algorithm=LLP5 future_timespan=180] | appendpipe [| fields _time D | where isnotnull(D) | predict D algorithm=LLP5 future_timespan=180] | appendpipe [| fields _time E | where isnotnull(E) | predict E algorithm=LLP5 future_timespan=180] ... View more

Re: Splunk transaction – Trouble extracting first...

by SplunkTrust in Splunk Search
2 weeks ago
1 Karma
2 weeks ago
1 Karma
Please provide some sample data (anonymised) which demonstrate your issue Having said that, you could try using stats to gather your events by id as this is can be more deterministic than transaction ... View more

Re: I want to replace hard coded text "Today" by c...

by SplunkTrust in Splunk Search
2 weeks ago
2 weeks ago
Please provide the source code for your dashboard in a code block using the </> button to insert the text. ... View more
Contact Me
Karma from
Karma given to