Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About mmacalik
mmacalik
Explorer
Member since:
05-25-2021
05-15-2024
Community Statistics
| Posts | 7 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 05-25-2021 |
Activity Feed
- Karma Re: After upgrading to 6.5.0, KV Store will not start for jcrabb_splunk. 09-15-2023 04:10 AM
- Posted Re: Dynamic string substitution on Splunk Search. 02-17-2022 12:51 AM
- Posted Re: Dynamic string substitution on Splunk Search. 02-16-2022 05:55 AM
- Karma Re: Dynamic string substitution for Software-Simian. 02-16-2022 05:55 AM
- Karma Re: Dynamic string substitution for ITWhisperer. 02-16-2022 05:51 AM
- Posted Re: Dynamic string substitution on Splunk Search. 02-16-2022 04:59 AM
- Posted How to make a dynamic string substitution to insert specific parameters into specific place in string on Splunk Search. 02-16-2022 04:38 AM
- Tagged How to make a dynamic string substitution to insert specific parameters into specific place in string on Splunk Search. 02-16-2022 04:38 AM
- Tagged How to make a dynamic string substitution to insert specific parameters into specific place in string on Splunk Search. 02-16-2022 04:38 AM
- Posted Re: Modifying Dashboard items visibility based on specific users on Dashboards & Visualizations. 12-30-2021 05:13 AM
- Posted Re: Align Single value panel on Dashboards & Visualizations. 12-29-2021 06:47 AM
- Posted Modifying Dashboard items visibility based on specific users on Dashboards & Visualizations. 12-29-2021 04:15 AM
Topics I've Started
02-17-2022
12:51 AM
I modified it a little so it can work with multiple rows. In production environment i have much more fields that can distinguish a row but for the sake of example i added counter and param as |stats by argument. |makeresults count=4
|streamstats count
|eval message=case(count=1, "blablabla [%2] blablabla [%1] blablabla [%3]", count=2, "blablabla [%2] blablabla [%1] blablabla", count=3, "blablabla [%2] blablabla [%1] blablabla [%3]", count=4, "blablabla [%1]")
|eval param=case(count=1, "paramA:paramB:paramC", count=2, "paramD:paramE", count=3, "paramF:paramG:paramH", count=4, "paramI")
|rename count as counter
|fields message, param, counter
| rex field=message max_match=0 "\[\%(?<arg>\d+)\]"
| stats values(message) as message values(param) as params by counter, param arg
| eval arg="arg".arg
| eval message=counter.":".message
| xyseries message arg param
| foreach arg*
[| eval <<FIELD>>=mvindex(split(<<FIELD>>,":"),<<MATCHSEG1>>-1)
| eval message=if(isnull(<<FIELD>>), message, replace(message,"\[\%<<MATCHSEG1>>\]",<<FIELD>>))]
| eval message=mvindex(split(message,":"),1)
... View more
02-16-2022
05:55 AM
Thanks, @ITWhisperer that's exactly what i was looking for. Now to analyze what is actually going on... 😉 @Software-Simian The lookup aproach seems also good, but not feasable when there are more than 4000 message templates in 4 languages (different syntax thus different param order).
... View more
02-16-2022
04:59 AM
Additional details: The data I'm analysing consists (among other) production process parameter's and human readable message template to populate with those parameters. Basically its thousands of message - param pairs which needs to be combined into human readable format. More insight example: | makeresults
| eval message="Product [%2] is on hold in process [%1] hold description: [%3]"
| eval param="PID1000:ABCD123:visual defect" Which would result in human readable format: Product [ABCD123] is on hold in process [PID1000] hold description: [visual defect] another example: | makeresults
| eval message="Material [%1] already assigned to [%2]"
| eval param="MAT1234:ABCD123" Should result in : Material [MAT1234] already assigned to [ABCD123] Although making spearate eval would work for specific example, the number of parameters can differ as well their order in message (thus numerated indexes ). For example if i would do it in any typical language i would split the param string into a list (or array), and then inserted indexed values into proper positions in message string. Is something like that possible?
... View more
02-16-2022
04:38 AM
Dear Splunk community
I need help with a presumably easy task, but it had already cost me quite a while.
I'm trying to make a dynamic string substitution to insert specific parameters into specific place in string.
in example:
| makeresults
| eval message="blablabla [%2] blablabla [%1] blablabla [%3]"
| eval param="param1:param2:param3"
Where %1 is the respective position in param string (colon separated)
The resulting string would be (note that it is not in param index order):
"blablabla [param2] blablabla [param1] blablabla [param3]"
The number of parameters and indexes in message varies (usually from 1 to 4, but can also be none).
I've tried to split it into mv fields and make some multi value indexed substitution, and then use a foreach statement or mvjoin but frankly i failed.
I've also considered some hard regex work but i'm not even sure if its possible to work
Please note that I am limited to Splunk Enterprise 6.5.10
Regards
MM
... View more
12-30-2021
05:13 AM
Hello @isoutamo I tested lookups some time before, but unfortunately with my basic user role i cannot make them public. The example i created is fully self-sufficient despite role limitations. I guess I need to apply higher authority 🙂
... View more
12-29-2021
06:47 AM
Hello @Usman_Qureshi There isn't much in your question, but I'm guessing you want to represent some search result in middle of a panel. You can achieve it ie. by passing the value to token, and using html center the token value as another panel. Original search can be hidden. <form>
<row>
<panel id="test">
<table>
<search>
<query>
|makeresults |eval Column="single value" |table Column
</query>
<done>
<set token="value_Token">$result.Column$</set>
</done>
</search>
</table>
</panel>
</row>
<row>
<html>
<div><center>Value: $value_Token$</center></div>
</html>
</row>
</form>
... View more
12-29-2021
04:15 AM
Hello Splunk users For my company internal purpose i needed to publish dashboards to very limited number of users. The limitation was not based on user role, but strictly on ID and I didn't find a solution suitable on forums. While tinkering with "depends" based on a couple of posts here i came up with panels show hide combo with env:user token which I'm sharing right now. Users white list is managed by a simple eval/case statement directly inside dashboard's xml code for fast update. Panels visibility changes based on dropdown input controlled by that eval command. Since I have only basic user role I cannot make any server changes. If you have some idea on how to improve this concept please let me know. (ie. how to use "in" syntax instead of many case options) <form>
<label>user_authority_test</label>
<fieldset submitButton="false">
<input type="dropdown" token="field1" depends="$user_ok$">
<label>Limited input</label>
<choice value="1">Limited visability</choice>
</input>
<input type="checkbox" token="field2">
<label>Unlimited input</label>
<choice value="1">Visible for all</choice>
<delimiter> </delimiter>
</input>
</fieldset>
<row depends="$user_not_ok$">
<panel>
<title>Message for limited users and/or some other panels</title>
<html>
<div>Message body</div>
</html>
</panel>
</row>
<row depends="$hide$">
<panel>
<html>
<h2>Debug</h2>
<div>authority: $authority$</div>
<div>user: $env:user$</div>
</html>
</panel>
<panel>
<table>
<title>auth</title>
<search>
<query>|makeresults |eval user="$env:user$" |table user </query>
<earliest>-1s</earliest>
<latest>now</latest>
<done>
<!-- insted of user1, user2 etc. add desired user ID -->
<eval token="form.authority">case($result.user$=="user1","on", $result.user$=="user2","on", 1=1, "off"</eval>
</done>
</search>
</table>
</panel>
<panel>
<!-- changing visibility of panels based on two step process, eval command modifies value of dropdown.
Another token's embedded inside the dropdown controls which panels are visible and which are not
You can actually create many sets of values in condition for more felxibility-->
<input type="dropdown" token="authority">
<label>authority set</label>
<choice value="on">On</choice>
<choice value="off">Off</choice>
<change>
<condition value="on">
<set token="user_ok"></set>
<unset token="user_not_ok"></unset>
</condition>
<condition value="off">
<unset token="user_ok"></unset>
<set token="user_not_ok"></set>
</condition>
</change>
</input>
</panel>
</row>
<row depends="$user_ok$">
<panel>
<table>
<search id="MainSearch">
<query>index=_internal
|head 5
|table sourcetype, _time</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
</table>
</panel>
<panel>
<chart>
<search base="MainSearch">
<query>
|chart c(_time) by sourcetype</query>
<progress>
<set token="Area_Name">$Area_placeholder$</set>
</progress>
</search>
<option name="charting.chart">pie</option>
<option name="charting.chart.sliceCollapsingThreshold">0</option>
</chart>
</panel>
</row>
</form>
... View more
Labels
- Labels:
-
simple XML
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-15-2024
04:36 AM
|
