Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About rahul_n
rahul_n
Explorer
Member since:
04-23-2021
10-13-2021
Community Statistics
| Posts | 10 |
| Solutions | 0 |
| Karma Given | 7 |
| Karma Received | 0 |
| Member Since | 04-23-2021 |
Activity Feed
- Posted How to set up alerts which search for every minute and send out alerts if response time is greater than 1000 msec? on Alerting. 10-13-2021 10:39 AM
- Posted How to Schedule a PDF Delivery in Splunk ? The option is greyed out. on Splunk Search. 06-01-2021 10:54 PM
- Posted Re: How to unset a token in drilldown based on specific column? on Splunk Search. 05-15-2021 11:00 AM
- Karma Re: How to unset a token in drilldown based on specific column? for renjith_nair. 05-15-2021 10:59 AM
- Posted How to unset a token in drilldown based on specific column? on Splunk Search. 05-09-2021 04:19 PM
- Tagged How to unset a token in drilldown based on specific column? on Splunk Search. 05-09-2021 04:19 PM
- Tagged How to unset a token in drilldown based on specific column? on Splunk Search. 05-09-2021 04:19 PM
- Tagged How to unset a token in drilldown based on specific column? on Splunk Search. 05-09-2021 04:19 PM
- Tagged How to unset a token in drilldown based on specific column? on Splunk Search. 05-09-2021 04:19 PM
- Tagged How to unset a token in drilldown based on specific column? on Splunk Search. 05-09-2021 04:19 PM
- Karma Re: Problem of mismatched quotes and/or parenthesis says splunk but not my editor... for richgalloway. 05-09-2021 02:50 PM
- Karma Re: drilldown condition set token based on click.value for vnravikumar. 05-09-2021 02:32 PM
- Posted Re: How to get the max of p90 over a month ? on Dashboards & Visualizations. 05-09-2021 09:59 AM
- Karma Re: How to get the max of p90 over a month ? for tscroggins. 05-09-2021 09:59 AM
- Posted How to get the max of p90 over a month ? on Dashboards & Visualizations. 04-29-2021 08:29 AM
- Posted Re: How to set up alerts when current week data is more than avg of last 4 weeks data ? on Dashboards & Visualizations. 04-29-2021 08:19 AM
- Karma Re: How to set up alerts when current week data is more than avg of last 4 weeks data ? for ITWhisperer. 04-29-2021 08:19 AM
- Karma Re: How to set up alerts when current week data is more than avg of last 4 weeks data ? for ITWhisperer. 04-29-2021 08:19 AM
- Karma Re: How to set up alerts when current week data is more than avg of last 4 weeks data ? for ITWhisperer. 04-29-2021 08:19 AM
- Posted Re: How to set up alerts when current week data is more than avg of last 4 weeks data ? on Dashboards & Visualizations. 04-24-2021 07:42 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
10-13-2021
10:39 AM
Hi. I am trying to set up alerts to notify when the response time is greater than 1000 milli seconds. The alert has to search for every minute or for every 5 minutes. Below is the query which I have used. index=testIndex sourcetype=testSourceType basicQuery | where executionTime>1000 | stats count by app_name, executionTime After running the query by setting it for "Last 5 minutes" in the dropdown beside search icon, I am getting results. Then I have saved the query as an Alert with time range set to "last 5 minutes" and Cron Expression set to "*/1 * * * *" to run it for every 1 minute in the last 5 minutes. Is this a correct approach ? Main point is: I don't want to miss any events with response time more than 1000msec. Also, what is the difference between setting time in dropdown and earliest=-5m latest=now ? Can someone please help me ? Thanks in Advance.
... View more
Labels
- Labels:
-
alert action
-
alert condition
-
cron
-
email
-
throttling
06-01-2021
10:54 PM
Hi. I have a Splunk dashboard, and there is a requirement to send the dashboard as a pdf report everyday. I can see the "Schedule PDF Delivery" option, but it is currently greyed out. I have searched online and also on Splunk forums, but couldn't get an exact answer on how to schedule a PDF delivery if the option is greyed out. All of the panels in my dashboard don't depend on any user input ( user input = Any information that we need to pass to get the panels ) The panels depend on the Splunk queries, which would search for an index, then a namespace and then for few columns and usual calculation (involving stats, eval, timechart etc.) Can someone please help me with the Scheduled PDF Delivery ? Any help is greatly appreciated.
... View more
Labels
05-15-2021
11:00 AM
Thanks @renjith_nair for the solution.
... View more
05-09-2021
04:19 PM
Hi. I am trying to edit a source code of a splunk panel such that, the token should only when the user clicks on a particular column (Not a particular value). For example: lets consider the below table. Column1 Column2 Column3 Column4 Column5 Column6 Column7 value1 value2 value3 value4 value5 value6 value7 value11 value22 value33 value44 value55 value66 value77 I want to make changes such that, the token should work only when the user clicks any value in Column1 and Column2 (It can be value1 or value11 or value2 or value22 ). The token should not work when the user clicks on any value from other columns. The opened new panel based on token should disappear when user clicks on any value from columns other than column1 and column2. The source code which I have : <row>
<panel>
<table>
<title>Stats by user(Click on a value for further info)</title>
<search>
<query> SOME BUSINESS SPLUNK QUERY)</query>
<earliest>$startTime.earliest$</earliest>
<latest>$startTime.latest$</latest>
<refresh>5m</refresh>
<refreshType>delay</refreshType>
</search>'<option name="count">20</option>
<option name="dataOverlayMode">heatmap</option>
<option name="drilldown">cell</option>
<option name="rowNumbers">false</option>
<option name="totalsRow">false</option>
<drilldown>
<condition>
<set token="value">$click.value2$</set>
</condition>
</drilldown>
</table>
</panel>
</row>
<row depends="$value$">
<panel>
<title>Usage of $value$</title>
<chart>
<search>
<query> ANOTHER SPLUNK QUERY</query>
<earliest>$earliest$</earliest>
<latest>$latest$</latest>
</search>
<option name="charting.chart">line</option>
<option name="charting.drilldown">none</option>
<option name="refresh.display">progressbar</option>
<drilldown>
<unset token="value"></unset>
</drilldown>
</chart>
</panel>
</row> Please help me to add a condition to unset token based on column. Any help is greatly appreciated. Thanks in Advance.
... View more
05-09-2021
09:59 AM
Thanks @tscroggins for the solution.
... View more
04-29-2021
08:29 AM
Hi. I am trying to find max value of p90 over a month for 1 API. The query I use for finding stats: <basic splunk query> | search API = API1 | stats p90(processing_time) as 90%_time by API where processing_time is the time which would display the time used for finding p90. Can someone help me with the query to find the max value of p90 calculated over a month ? So that I can use that value to generate some kind of alerts. Any help is greatly appreciated. Thanks.
... View more
Labels
- Labels:
-
chart
-
form
-
panel
-
single value
-
timechart
04-29-2021
08:19 AM
@ITWhisperer , Thank you
... View more
04-24-2021
07:42 PM
Hi @ITWhisperer , By using the given query, which is index=indexname ns=namespace earliest=-35d@d | search API= API1 AND Customer= Customer1 | bin _time span=1w | stats count by _time Customer API | eval previous = if(_time > relative_time(now(), "-1w@w"), null, count) | eventstats avg(previous) as average by Customer API | where _time > relative_time(now(), "-1w@w") | fields - previous The table which I got for one customer and one API is _time Customer API count average 2021-04-17 Customer1 API1 83936 6348.25 2021-04-24 Customer1 API1 866 6374 Here, does the "count" refer to the count of requests for the week starting with the date in first column ? or the end date ? Does the _time refer to the start day of the week or the end day of the week ? Can we change the query so that we get the results which have the current week's count is greater than the average of last 4 week's count ? (So that I can create an alert which sends the list of customers sending more requests in current week ) Thank you for the help and any help in advance
... View more
04-24-2021
04:21 PM
Hi @ITWhisperer , Thank you for the quick response. I have few questions on the query. 1. I need to pass an index, a namespace and few other parameters (like, index=indexname ns=namespace process="end" method!=GET pod_name=podname region=regionname) before passing the actual query. By using the gentimes command, its not allowing me to pass the basic query as mentioned above. 2. Also, if I use the split() command with customer names or API names in it, it is not working , and the similar goes with split() command with api names. ( For reference: We have the fields Customer and API in the logs ) 4. The count must be the number of times a customer has accessed an API For reference, I use "<basic splunk query> | timechart count by API" to get the the timechart showing the count. (We have the field API in the logs, which makes it easy) Will that be possible for you to modify the query based on the above conditions ? I am sorry for asking too much, but I tried multiple ways and left with no results Thank you very much in advance
... View more
04-23-2021
04:15 PM
Hi All. I want to check if there is any means by which I can set up alerts if the current week's data is more than the avg of last 4 week's data. I have around 25 customers hitting 3 APIs. I want to compare if first customer has hit the first API more in the current week when compared to the avg number of hits in the previous 4 week's, and then send an alert if it exceeds the avg. Similarly for all the customers and the 3 APIs. All the above operation should happen with a single Splunk query. I don't want to write 25*3=75 queries for the alerts. I have written a query for 1 customer and 1 API index=nameofindex ns=namespace process="end" method!=GET earliest=-30d@d customer1 | search API="API1" | timechart span=1w count | timewrap w series=short | eval mean=(s1+s2+s3+s4)/4 | where s0 > mean Can anyone please help here ? Any help is greatly appreciated. Thanks!
... View more
Labels
- Labels:
-
chart
-
panel
-
simple XML
-
timechart
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-13-2021
03:58 PM
|
Karma given to
