Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About abhinav_aashish
abhinav_aashish
Explorer
Member since:
02-12-2021
07-20-2021
Community Statistics
| Posts | 22 |
| Solutions | 0 |
| Karma Given | 5 |
| Karma Received | 0 |
| Member Since | 02-12-2021 |
Activity Feed
- Posted Re: Unable to use 2 evals in the query on the basis of regex check. on Reporting. 07-20-2021 01:37 AM
- Karma Re: Unable to use 2 evals in the query on the basis of regex check. for richgalloway. 07-19-2021 09:43 PM
- Posted Re: Unable to use 2 evals in the query on the basis of regex check. on Reporting. 07-19-2021 05:53 AM
- Karma Re: Unable to use 2 evals in the query on the basis of regex check. for richgalloway. 07-19-2021 05:53 AM
- Posted Unable to use 2 evals in the query on the basis of regex check. on Reporting. 07-19-2021 05:39 AM
- Posted Re: Using multiple multiselects in the dashboard panel to perform a search on Reporting. 07-02-2021 07:48 AM
- Posted Using multiple multiselects in the dashboard panel to perform a search on Reporting. 07-02-2021 12:32 AM
- Posted Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-25-2021 01:13 AM
- Karma Re: Using 2 RADIOBUTTONS and using them in the query for ITWhisperer. 05-25-2021 01:12 AM
- Posted Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-24-2021 04:25 AM
- Posted Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-24-2021 02:40 AM
- Posted Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-24-2021 01:17 AM
- Karma Re: Using 2 RADIOBUTTONS and using them in the query for ITWhisperer. 05-20-2021 10:37 PM
- Posted Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-20-2021 10:34 PM
- Karma Re: Using 2 RADIOBUTTONS and using them in the query for ITWhisperer. 05-20-2021 10:34 PM
- Posted Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-20-2021 05:33 AM
- Posted Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-20-2021 05:04 AM
- Posted Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-20-2021 04:46 AM
- Posted Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-20-2021 04:40 AM
- Tagged Re: Using 2 RADIOBUTTONS and using them in the query on Dashboards & Visualizations. 05-20-2021 04:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
07-20-2021
01:37 AM
Thanks @richgalloway . It worked.
... View more
07-19-2021
05:53 AM
I totally get it what you are saying but I could not find other way.
... View more
07-19-2021
05:39 AM
I've the following data in my table part1.part2.answer.local part1-part2..part3.part4.answer.net part11.part11-part11.answerxyz.net part1-part2-part3-part4.answer.net part1-part2-part3-part6.answer.com part127.09 abcd (+789) part127.08 abcd (+123) part127.06 abcd (+456) I want to split it as follows : 1.) If there is a space present in the data then it should be returned exactly as it is input-------------------------------------output part127.09 abcd (+789)-------- part127.09 abcd (+789) part127.08 abcd (+123)------- part127.08 abcd (+123) part127.06 abcd (+456) --------part127.06 abcd (+456) 2.) If there is no space then the part before the first dot should be returned input------------------------------------------------------ output part1.part2.answer.local ----------------------------------part1 part1-part2..part3.part4.answer.net------------------- part1-part2 part11.part11-part11.answerxyz.net ------------------part11 part1-part2-part3-part4.answer.net -------------------part1-part2-part3-part4 part1-part2-part3-part6.answer.com------------------part1-part2-part3-part6 I've tried this : index=ind sourcetype=src
| fields f1
| where f1 != "null"
| dedup f1
| eval temp=f1
| eval derived_name_having_space=if(match(f1,"\s*[[:space:]]+"),1,0)
| eval with_Space=f1
| where derived_name_having_space=1
| eval without_Space=mvindex(split(temp,"."),0)
| where derived_name_having_space=0
| table with_Space without_Space f1 Here I'm not getting any rows returned. -------------------------------------------------------------------------- But , In the above query when I remove the part | eval without_Space=mvindex(split(temp,"."),0)
| where derived_name_having_space=0 I get the correct results of the rows where derived_name_having_space=1 . --------------------------------------------------------------------------- Similarly, when I remove the part | eval with_Space=f1
| where derived_name_having_space=1 I don't get the correct results of the rows where derived_name_having_space=0 . input ---------------------------------------------output part127.09 abcd (+789)-------------------- -part127 part127.08 abcd (+123) -------------------- part127 part127.06 abcd (+456) -------------------- part127 Since they all evaluate to the same result it creates a problem while deduping. ------------------------------------------------------------------------------- I've used the regex class from here : https://www.debuggex.com/cheatsheet/regex/pcre Can anyone point me where I'm missing it or any other approach should be followed? Thanks
... View more
07-02-2021
07:48 AM
What i was trying to do was to remove those records from the table which were also there in EXCLUDE Sources index. I have already tried what you mentioned.
... View more
07-02-2021
12:32 AM
I have 3 sources of data A,B and C and they have some common data. Source C is an inputlookup. There are now 2 multiselect fields "INCLUDE Source" AND "EXCLUDE Source". Whichever source I select in "INCLUDE Source" then it should append the searched data into the table accordingly and none of the sources must be excluded unless specified in the "EXCLUDE Source" (i.e by default NONE should be present in the "EXCLUDE Source".) I want to use this multiselect feature here in splunk in the following way described below: 1.) By default data from all the sources should be appended after each other and duplicates should be removed. (i.e. "INCLUDE Source" must have value ALL AND "EXCLUDE Source" must have NONE.) 2.) Depending upon the order of included fields in "INCLUDE Source" the data should be appended into the table and depending on the data in the "EXCLUDE Source" the data must be removed from the table. In all cases the duplicates must be removed. I tried using 3 radio buttons using YES and NO as options but I was not able to get the result.
... View more
05-25-2021
01:13 AM
Thanks man for your help.
... View more
05-24-2021
04:25 AM
See what I need is yes(g1) and yes(g2) ---> return the common rows from B and C both (keep either of them in the result) where a match occurs based on a column yes(g1) and no(g2) ---> return the common rows from B and not include C where a match occurs based on a column no(g1) and yes(g2) ---> return the common rows from C and not include B where a match occurs based on a column no(g1) and no(g2) ---> return the rows from A which are not present in both B and C
... View more
05-24-2021
02:40 AM
Wont the above code return the fields from A as well when YES is selected? The NO and NO works fine now but the YES-NO combinations does not give correct result.
... View more
05-24-2021
01:17 AM
There are some changes in the ask. When I select "NO" from group-1 it should omit the rows from B index and similarly for group-2 it should omit the rows from C index when I select "NO". And when "NO " is selected from both the groups it should return the rows from A which are not present in both B and C. I tried few things by adding in the <condition value="No">
<set token="joinB">| join common_column type=outer [| search index= B]</set>
<set token="whereB">check_column_value !="BBBBBBBBBBB"</set>
<eval token="whereBC">if($whereC$="","| where ".$whereB$,"| where ".$whereB$." OR ".$whereC$)</eval>
<set token="mysearch">
index=a .....................
$joinB$
$joinC$
$whereBC$
| table list of columns
</set>
</condition> for both the button groups but I wasn't getting satisfactory results.
... View more
05-20-2021
10:34 PM
Thanks man it worked. Instead of this <set token="whereB">check_column_value="BBBBBBBBBBB"</set> I was doing <set token="whereB">| where check_column_value="BBBBBBBBBBB"</set> This "| where" thing here was creating issues. Thanks for the help.
... View more
05-20-2021
05:33 AM
My code works properly when done without the use of radio buttons and I've applied the same logic. I'm facing the issue with the use of 2 radio button groups. Also I wanted the result this way: Join field Field match from B Field match from C Keep B or C Keep B and C A CCCCCCCCCCCC Y N
... View more
05-20-2021
05:04 AM
Not working. <default>Yes</default> The combination on Yes(g1) and No(g2) and vice-versa works. Also No(g1) and No(g2) works fine. i want the result I clarified Join field Field match from B Field match from C Keep B or C Keep B and C A CCCCCCCCCCCC Y N I'm sorry for too many edits.
... View more
05-20-2021
04:46 AM
I cant share those details. I implemented exactly the same as you wrote above.
... View more
05-20-2021
04:40 AM
I implemented your code but when I select YES in bot the radio button groups I get the following error: Error in 'where' command: The expression is malformed. An 'OR' term is missing.
... View more
- Tags:
- impleme
05-19-2021
10:02 PM
I want this in the output " A BBBBBBBBBBB CCCCCCCCCCCC Y Y
... View more
05-19-2021
04:00 AM
Yes these two subsets overlap. I want to get the field values from index=A when YES is selected as per match condition.
... View more
05-19-2021
03:49 AM
Sorry. I'm unable to get this.
... View more
05-19-2021
03:32 AM
I'm having 3 indexes A(SUPER-SET), B(SUBSET-1), C(SUBSET-2). I'm having 2 radio button groups: Group1 and Group2 Group1 has 2 options: YES and NO When "YES" is selected then it performs A intersection B and "NO" does not perform any search. Group2 has 2 options: YES and NO When "YES" is selected then it performs A intersection C "NO" does not perform any search. I'm having the following SOURCE CODE for it : <input type="radio" token="field1" searchWhenChanged="true">
<label>Present in AB</label>
<choice value="Yes">Yes</choice>
<choice value="No">No</choice>
<change>
<condition value="Yes">
<set token="mysearch">
index=a .....................
| join <common_column> type=outer [| search index= B]
| where check_column_value="BBBBBBBBBBB"
| table <list of columns>
</set>
</condition>
<condition value="No">
<set token="mysearch"></set>
</condition>
</change>
</input>
<input type="radio" token="field2" searchWhenChanged="true">
<label>Present in AC</label>
<choice value="Yes">Yes</choice>
<choice value="No">No</choice>
<change>
<condition value="Yes">
<set token="mysearch">
index=a .....................
| join <common_column> type=outer [| search index= C]
| where check_column_value="CCCCCCCCCCCC"
| table <list of columns>
</set>
</condition>
<condition value="No">
<set token="mysearch"></set>
</condition>
</change>
</input>
<table>
<search>
<query>$mysearch$</query>
</search>
</table> When i click on YES buttons for the two groups : When I select both the YES options the result I get is from the index which is last selected as YES option only, i.e. in any case i'm not getting the result from both the sources even after selecting "YES" option. I feel there is some issue with the token value in the last part of the code shared above.(Not sure!!) Can anyone help me with this please? Thanks
... View more
- Tags:
- radio-button
Labels
- Labels:
-
form
-
panel
-
simple XML
-
table
-
token
02-12-2021
11:02 PM
I tried something like this : index=idx1 sourcetype=src | append [search index=idx2 sourcetype=src ] | dedup A| table A B C D idx1 had 4791 events idx2 had 6049 events (idx1-idx2) has 2590 events (idx2-idx1) has 3848 events union of 2 indexes has 8639 events intersection of 2 indexes has 2201 events So after executing the above query I got 8639 events 2590+3848+2201=8639 I think its correct... Any suggestions are welcomed
... View more
02-12-2021
10:33 AM
I have one index idx1 and other index idx2 and a common column "A" on which matching needs to be done. I'm facing difficulty in combining the data from both the columns. I've to combine the data in such a way that if there is duplicate then the data from idx1 must be prioritized over data from idx2; i.e. basically equivalent of set operation [a+(b-a)]. I've tried the following : | set diff [ search index=idx2 sourcetype=src | dedup A ] [search index=idx1 sourcetype=src | dedup A ] | stats count BY index A | table index A Here I get total 10840 statistics with both columns filled. But when I want to display other columns from both the indexes I get empty columns for those. Upon executing : | set diff [ search index=1idx1 sourcetype=src | dedup A ] [search index=idx2 sourcetype=src | dedup A ] | stats count BY index I get the output as index count idx1 4791 idx2 6049 Can anyone help me how should I proceed?? I've tried even this but not sure index=idx1 sourcetype=src | append [ | set diff [ search index=idx2 sourcetype=src | dedup A ] [search index=idx1 sourcetype=src | dedup A ]] | stats count BY index A | table index A
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-20-2021
08:55 AM
|
