Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About shashi584
shashi584
Explorer
Member since:
07-12-2021
03-23-2022
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 07-12-2021 |
Activity Feed
- Posted How to create a search to display the results? on Dashboards & Visualizations. 03-23-2022 11:04 AM
- Karma Re: Cron expression for splunk alert for gcusello. 01-24-2022 08:15 AM
- Posted Re: Cron expression for splunk alert on Alerting. 01-24-2022 08:06 AM
- Posted Cron expression for splunk alert on Alerting. 01-24-2022 07:57 AM
- Posted Re: How to delete fields name on Splunk Search. 10-09-2021 10:00 AM
- Posted How to delete fields name on Splunk Search. 10-09-2021 09:14 AM
- Posted Re: Need to remove duplicate data on Splunk Search. 07-16-2021 09:34 AM
- Posted Re: Need to remove duplicate data on Splunk Search. 07-16-2021 08:14 AM
- Posted Re: Need to remove duplicate data on Splunk Search. 07-16-2021 02:50 AM
- Karma Re: Need to remove duplicate data for gcusello. 07-12-2021 08:34 AM
- Posted Need to remove duplicate data on Splunk Search. 07-12-2021 07:58 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-23-2022
11:04 AM
Hello,
My requirement is to display the results of related Service and KPI name if any of the below tile turns Yellow, red etc except Green (this we can verify using alert_level)
Created below look up table #sresellerpricing
Below is the query i'm using but not getting any results.
index=itsi_summary KPI IN ("ServiceHealthScore") alert_level>1 is_entity_in_maintenance=0 serviceid IN ("e46d2d3b-7b5a-40d4-aebf-54aa0b394e25", "23ff8e98-59d0-48d6-a8d2-8a1385d26bd8", "372848b0-380a-4fca-a78c-816747e00cf3") | eval service_kpi_id=serviceid."-".kpiid | search NOT service_kpi_id IN ( [ search index=itsi_summary KPI IN ("ServiceHealthScore") alert_level>1 is_entity_in_maintenance=0 serviceid IN ("e46d2d3b-7b5a-40d4-aebf-54aa0b394e25", "23ff8e98-59d0-48d6-a8d2-8a1385d26bd8", "372848b0-380a-4fca-a78c-816747e00cf3") | eval service_kpi_id=serviceid."-".kpiid | dedup service_kpi_id | return $service_kpi_id ] ) | lookup sresellerpricing key AS kpiid OUTPUT Service | dedup kpi Service | table Service kpi
... View more
Labels
- Labels:
-
other
01-24-2022
08:06 AM
Hi @gcusello Thanks for the reply, Yes i tried the below Expression which runs every hour past 30 minutes from Mon-Fri 30 * * * 1-5 However, my requirement is to Pause at "Friday 11:59 PM CST " and resume at Sunday 11:59 PM CST" which is tricky part and not sure how to set up in CST time zone. In My preference, if i set up in CST time zone , will that work ?
... View more
01-24-2022
07:57 AM
I Want to create one splunk alert where it runs on all weekdays and Pause at "Friday 11:59 PM CST " and resume at Sunday 11:59 PM CST" Can you help me with a Cron expression that satisfies the above requirement? I need the alert to be set up in CST time zone only
... View more
Labels
- Labels:
-
cron
10-09-2021
10:00 AM
I have extracted one field with the same name and I have deleted it, so I'm wondering why it's still displaying in the fields section. As you mentioned I have used the same field in search query hence it is showing which makes sence. Is there any way to remove/unhide completely from the field section without removing field data from the search query?
... View more
10-09-2021
09:14 AM
I want to delete this field (VID) from one of my search query, this is not available under Field extractions. and what is the difference between (a and #) ?
... View more
Labels
- Labels:
-
fields
07-16-2021
09:34 AM
We have two different Assignment groups (ITOPS-DCE-SELLER-MONITORING and ITOPS-DCE-SELLER-SUPPORT), with your query can see only active Incidents but assignment group is "ITOPS-DCE-SELLER-MONITORING" even though we included (dv_assignment_group = "ITOPS-DCE-SELLER-SUPPORT").. No idea why it's still not working index="snow" sourcetype="snow:incident" source="https://dell.service-now.com/" dv_assignment_group = "ITOPS-DCE-SELLER-SUPPORT" dv_u_cim_true="true" | stats dc(dv_incident_state) AS dc_incident_state values(dv_incident_state) AS dv_incident_state BY dv_number | where dc_incident_state=1 AND dv_incident_state="Active" | table dv_number dv_incident_state
... View more
07-16-2021
08:14 AM
Don't know how but surprisingly it's working now using below query.. Thanks for your help.. index="snow" sourcetype="snow:incident" source="https://dell.service-now.com/" dv_assignment_group = "ITOPS-DCE-SELLER-SUPPORT" dv_u_cim_true="true" dv_active="true" | where like(dv_incident_state,"Active") AND NOT like (dv_incident_state,"Resolved") AND NOT like (dv_incident_state,"Closed") | dedup dv_incident_state | stats count by dv_incident_state, dv_number,dv_active
... View more
07-12-2021
07:58 AM
We have 3 different (Active,Closed,Resolved) records for same Incident and we need to retrieve only Active incident record and Incident shouldn't have any other status records such as Closed,Resolved. Below query is still showing Active Incident record, however Incident is already in resolved status... index="snow" sourcetype="snow:incident" source="https://dell.service-now.com/" dv_assignment_group = "ITOPS-DCE-SELLER-SUPPORT" dv_u_cim_true="true" | where like(dv_incident_state,"Active") AND NOT like (dv_incident_state,"Resolved") AND NOT like (dv_incident_state,"Closed") | dedup dv_incident_state | stats count by dv_incident_state, dv_number,dv_active
... View more
Labels
- Labels:
-
stats
