Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About vl951f
vl951f
Path Finder
Member since:
04-28-2021
01-06-2023
Community Statistics
| Posts | 22 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 04-28-2021 |
Activity Feed
- Posted Re: Why does tstats not work for some feeds with host="unassigned"? on Splunk Search. 01-05-2023 09:54 PM
- Posted Re: tstats not working for some feeds with host="unassigned" on Splunk Search. 01-05-2023 11:07 AM
- Posted Why does tstats not work for some feeds with host="unassigned"? on Splunk Search. 01-05-2023 08:37 AM
- Tagged Why does tstats not work for some feeds with host="unassigned"? on Splunk Search. 01-05-2023 08:37 AM
- Posted Re: How to alert host stop on failover paired hosts on Splunk Search. 03-07-2022 04:49 PM
- Posted Re: How to alert host stop on failover paired hosts on Splunk Search. 03-07-2022 02:46 PM
- Posted Re: How to alert host stop on failover paired hosts on Splunk Search. 03-07-2022 11:00 AM
- Posted How to alert host stop on failover paired hosts on Splunk Search. 03-07-2022 07:16 AM
- Tagged How to alert host stop on failover paired hosts on Splunk Search. 03-07-2022 07:16 AM
- Tagged How to alert host stop on failover paired hosts on Splunk Search. 03-07-2022 07:16 AM
- Posted Where to find "Detected Anomaly" notable events in ITSI on Splunk ITSI. 09-27-2021 12:57 PM
- Posted Where to find "Detected Anomaly" notable events in ITSI? on Splunk Search. 09-27-2021 08:58 AM
- Posted Re: How can I get max number of hours without events for all indexes, myindex=* ? on Splunk Search. 05-28-2021 02:54 PM
- Posted Re: How can I get the search work with multiple indexes on Splunk Search. 05-28-2021 02:51 PM
- Karma Re: How can I get the search work with multiple indexes for isoutamo. 05-28-2021 02:49 PM
- Posted Re: How can I get the search work with multiple indexes on Splunk Search. 05-28-2021 12:10 PM
- Posted Re: How can I get the search work with multiple indexes on Splunk Search. 05-28-2021 12:07 PM
- Posted How can I get the search work with multiple indexes on Splunk Search. 05-27-2021 04:05 PM
- Posted Re: How can I get max number of hours without events for all indexes, myindex=* ? on Splunk Search. 05-25-2021 11:15 AM
- Posted Re: How can I get max number of hours without events for all indexes, myindex=* ? on Splunk Search. 05-25-2021 11:12 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
01-05-2023
09:54 PM
@yuanliu YES. That's the answer I'm looking for (Splunk gets host field in any source because this is a required base field for Splunk). Do you have any link for Splunk documentation to indicate the general rules for the host field? I'm trying to convince the source developers to assign a value to the host field for all feeds. Thank you so much.
... View more
01-05-2023
11:07 AM
There is no host field in any of those raw messages. It looks like Splunk assigned "unassigned" to the host field if it's blank. What's the general rules for the host field parsing in Splunk? Should any feed be assigned a value to host field (if it's blank)? Will assigning a value to the host field (if it's blank) fix the tstats search problem?
... View more
01-05-2023
08:37 AM
We had some feeds with host="unassigned". the following tstats will not return any result for some feeds, but it works for some other feeds:
tstats count where index=aindex by host,sourcetype,index
... View more
- Tags:
- tstats
Labels
- Labels:
-
tstats
03-07-2022
04:49 PM
Hi, Giuseppe I changed OUTPUT to OUTPUTNEW. It works. index=summary search_name=feed_status | lookup paired_host.csv Host_primary AS Host_name OUTPUTNEW Host_secondary as hostname2 pair_ID as pairid | lookup paired_host.csv Host_secondary AS Host_name OUTPUTNEW Host_primary as hostname1 pair_ID as pairid | stats dc(Host_name) AS hcount values(hostname1) AS Host_Primary values(hostname2) AS Host_secondary BY pairid | where hcount =2 Thanks a lot for your help.
... View more
03-07-2022
02:46 PM
It looks like one of the pair_ID is NULL from 2 lookup OUTPUT: | lookup paired_host.csv Host_primary AS Host_name OUTPUT Host_secondary pair_ID | lookup paired_host.csv Host_secondary AS Host_name OUTPUT Host_primary pair_ID
... View more
03-07-2022
11:00 AM
Hi, Giuseppe: I added the column pair_ID, ad give it an unique number for each paired host. But "dc_Host_name" is always "1" after run the search. Thanks
... View more
03-07-2022
07:16 AM
I have host stop event logged in a summary index Index=summary search_name=feed_status Host_name Host_status Host1a Host_stop Host2b Host_stop Host4a Host_stop Host1b Host_stop Host3a Host_stop I also have a lookup table for failover paired hosts. Host_primary Host_secondary Host1a Host1b Host2a Host2b Host3a Host3b Host4a Host4b I need to generate the host stop alert when both failover paired hosts are stopped. In this case alerting on Host1a and Host1b stopped.
... View more
09-27-2021
12:57 PM
Our ITSI is showing some "Detected Anomaly" for the kpi "Index Usage". Where and how can I find the notable events for those "Detected Anomaly"? I didn't find then in index=itsi_tracked_alerts. Thanks
... View more
Labels
- Labels:
-
using ITSI
09-27-2021
08:58 AM
Our ITSI is showing some "Detected Anomaly" for the kpi "Index Usage". Where and how can I find the notable events for those "Detected Anomaly"?
... View more
Labels
- Labels:
-
search job inspector
05-28-2021
02:54 PM
Got it working by changing "by _time,myindex" to "by myindex,_time".
... View more
05-28-2021
02:51 PM
It works by changing "by _time,index" to "by index,_time"! Thank you so much
... View more
05-28-2021
12:10 PM
I'm just counting the number of event for each hour for the index. | bucket _time span=1h | stats count as event_count by _time, index It didn't use any other field names.
... View more
05-28-2021
12:07 PM
Hi, I'm trying to get the max number of hours with no events for the indexes. It works when I did it for one index. index=feed1 Result: index max(number_of_zeros) feed1 6 index=feed2 Result: index max(number_of_zeros) feed2 4 But got wrong results for more than one index: index=feed1 OR index=feed2 Result: index max(number_of_zeros) feed1 1 feed2 2
... View more
05-27-2021
04:05 PM
I have the search to get max number of hours without events for feeds. It works just for one index. It wouldn't work with more than one index. How can I get it work for multiple indexes? index=feed1 OR index=feed2 | bucket _time span=1h | stats count as event_count by _time, index | search event_count!=0 | delta _time as mydelta | eval number_of_zeros=floor(mydelta/3600)-1 | stats max(number_of_zeros) by index
... View more
Labels
- Labels:
-
stats
05-25-2021
11:15 AM
I tried the following search, didn't work myindex=* | bucket _time span=1h | stats sum(de_count) as event_count by _time,myindex (get hourly event count by _time) | search event_count!=0 | delta _time as mydelta ( get max number of hours without events) | eval number_of_zeros=floor(mydelta/3600.00)-1 | stats max(number_of_zeros) by myindex | rename "max(number_of_zeros)" as maxgap | table myindex maxgap
... View more
05-25-2021
11:12 AM
I tried the following. It didn't work. Looks like it put all results in one line. I only got the result for one myindex, and not showing myindex in the table. myindex=router | bucket _time span=1h | stats sum(de_count) as event_count by _time,myindex (get hourly event count by _time) | search event_count!=0 | delta _time as mydelta ( get max number of hours without events) | eval number_of_zeros=floor(mydelta/3600.00)-1 | stats max(number_of_zeros) by myindex | rename "max(number_of_zeros)" as maxgap | table myindex maxgap
... View more
05-25-2021
10:45 AM
I have the summary index to record hourly event count for all device (de_count). I have the following search to get max number of hours without events for myindex=router: myindex=router | bucket _time span=1h | stats sum(de_count) as event_count by _time (get hourly event count by _time) | search event_count!=0 | delta _time as mydelta ( get max number of hours without events) | eval number_of_zeros=floor(mydelta/3600.00)-1 | stats max(number_of_zeros) | rename "max(number_of_zeros)" as maxgap | table myindex maxgap How can I get max number of hours without events for all indexes, myindex=* ?
... View more
Labels
- Labels:
-
count
05-24-2021
10:10 AM
You can think the search is: index=* | stats sum(hourly_count) as event_count by _time,index | search event_count!=0 | delta _time as mydelta | eval number_of_zeros=floor(mydelta/3600.00)-1 | stats max(number_of_zeros) by index
... View more
05-24-2021
10:03 AM
I'm working with my summary index. feed_index is the same as index in my summary index.
... View more
05-24-2021
07:41 AM
I got it work for one feed index. How can I get it work for all feedindex? I tried the following, it didn't work. feed_index=* | stats sum(hourly_count) as event_count by _time,feed_index | search event_count!=0 | delta _time as mydelta | eval number_of_zeros=floor(mydelta/3600.00)-1 | stats max(number_of_zeros) by feed_index
... View more
05-21-2021
12:40 PM
I have a summary index for hourly event count of a feed. The feed has some hours with event count empty. How can I get the max number of hours with no event. In the following example, the max number of hours without event is 3. Time Hourly Event Count hour 01:00 235 hour 02:00 hour 03:00 hour 04:00 67 hour 05:00 hour 06:00 43 hour 07:00 hour 08:00 hour 09:00 hour 10:00 87
... View more
Labels
- Labels:
-
count
