Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About blablabla
blablabla
Path Finder
Member since:
08-03-2021
12-21-2023
Community Statistics
| Posts | 25 |
| Solutions | 0 |
| Karma Given | 18 |
| Karma Received | 3 |
| Member Since | 08-03-2021 |
Activity Feed
- Posted Re: Timeline - Custom Visualization: How to hide the legend? on All Apps and Add-ons. 12-21-2023 01:21 AM
- Karma Re: Timeline - Custom Visualization: How to hide the legend? for niketn. 12-21-2023 01:21 AM
- Karma Re: How do I update panel color in Splunk using CSS? for niketn. 12-21-2023 01:20 AM
- Karma Re: How to set loading order for panels? for woodcock. 12-14-2023 05:46 AM
- Posted Re: How do you create a lookup from a range of values? on Splunk Search. 12-05-2023 11:57 PM
- Posted Re: How do you create a lookup from a range of values? on Splunk Search. 12-05-2023 11:53 PM
- Karma Re: Are there Different Dashboard Colors since Update to 9.0.2? for Martin_Doering. 10-10-2023 04:53 AM
- Got Karma for Re: Are there Different Dashboard Colors since Update to 9.0.2?. 05-26-2023 01:19 AM
- Got Karma for Re: Are there Different Dashboard Colors since Update to 9.0.2?. 05-25-2023 01:34 AM
- Karma Re: Are there Different Dashboard Colors since Update to 9.0.2? for SplunkingKnight. 03-27-2023 06:09 AM
- Posted Re: Are there Different Dashboard Colors since Update to 9.0.2? on Dashboards & Visualizations. 02-28-2023 02:32 AM
- Posted Re: Are there Different Dashboard Colors since Update to 9.0.2? on Dashboards & Visualizations. 02-28-2023 02:27 AM
- Posted Re: Are there Different Dashboard Colors since Update to 9.0.2? on Dashboards & Visualizations. 02-27-2023 08:01 AM
- Posted Are there different dashboard colors since update to 9.0.2? on Dashboards & Visualizations. 02-05-2023 11:25 PM
- Posted Re: Dark theme swith fails when using emojis in the dashboard on Dashboards & Visualizations. 11-28-2022 07:56 AM
- Posted Re: Why is my chart overlay not working? on Splunk Search. 11-09-2022 11:52 PM
- Karma Re: In summary indexing, why does the sitimechart gives different results than the timechart? for dwaddle. 10-25-2022 11:37 PM
- Karma Re: How to search the total number of users per day? for javiergn. 09-19-2022 06:38 AM
- Karma Re: Where Statement for exact numeric value for ITWhisperer. 07-20-2022 01:16 AM
- Posted Why am I yielding an error with Where Statement for exact numeric value? on Splunk Search. 07-20-2022 01:05 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 1 |
12-21-2023
01:21 AM
Thanks! If I could, I would give you 10 Karma for this solution. It makes the panel so much nicer
... View more
12-05-2023
11:57 PM
Transform your lookup in a way, that every productID has a row. Then you can use the lookup in its native way. It will lead to large lookup files, but the lookup itself is still very performant. Every workaround with map, subsearch etc. will be slow and imperformant.
... View more
12-05-2023
11:53 PM
I do not recommend to use map. It is an extremely slow command. As far as I know Splunk unfortunately does not support range lookups. We also had this issue and at the end we transformed our lookup file in a way, that every value of the range is a single row. It leads to large lookup files but performing the lookup is still much more performant than map or similar commands
... View more
02-28-2023
02:32 AM
Thanks for posting. At least for me this series did not yield the colours like before. I think the order is maybe not right 🤔
... View more
02-28-2023
02:27 AM
1 Karma
Hi @SplunkingKnight I used this color scheme <option name="charting.seriesColors">[0x06D9C,0x4FA484,0xF59E63,0xB4595C,0x62B3B2,0x284B6A]</option> I am not sure though, what is the behavour, if your plot would need more colors than defined. Best regards
... View more
02-27-2023
08:01 AM
1 Karma
Hi @SplunkingKnight up to now the only solution seems to be overwriting the colors according to this post. As far as I understood, the reason for the new colors is to meet the minimum requirement for regulations for visually impaired people (A11y_WCAG). But yeah, would have been nice, if the new colors would have been a configurable option that users, who are visually impaired, could select. 🤔 Best regards
... View more
02-05-2023
11:25 PM
Hello all,
since our Update to Splunk Enterprise 9.0.2 we experienced, that the Dashboard colors (Simple XML) changed completely. And the new colors are terrible! Did someone experience something similar after the update? And if yes: Were you able to get the colors back to the way they were?
On 8.2.2.3
On 9.0.2
I would appreciate every hint. The new colors are something that cannot be presented to management 🙈
Thanks and best Regards
... View more
Labels
- Labels:
-
chart
-
panel
-
simple XML
11-28-2022
07:56 AM
This bug also happens (on Splunk Enterprise 8.2.3.3) when using a XML Declaration like <?xml version="1.0" encoding="UTF-8"?> Took us a while to figure this out
... View more
11-09-2022
11:52 PM
I experienced that the chart overlay is buggy when there are spaces or special characters in the name (though I did realize this effect only in the search, on the Dashboards it worked also with spaces. Splunk v 8.2.3.3). When I removed the space in the field name, the value could be plotted as secondary axis with overlay. Try to remove your brackets by renaming avg(Time). Anonymized example: Attempt with space in field namedoes not work. The overlay is ignored and no secondary axis: Attempt without space in field name works properly:
... View more
07-20-2022
01:05 AM
Hello,
I am experiencing an interesting Issue. I am trying to filter for a specific value in a numeric field. Following statement works finde:
index="IndexA"
| eval A.distance=trim('A.distance',"'")
| eval A.distance='A.distance'/100
| search A.distance=1
If I am trying to replace the search with a where, I am getting the Error "Error in 'where' command: Type checking failed. The '==' operator received different types."
index="IndexA"
| eval A.distance=trim('A.distance',"'")
| eval A.distance='A.distance'/100
| where A.distance=1
Event Coverage if this value is 100% and all the values get for typeof() the result "Number". All of the values do not have a digit after the comma. We are using Splunk Enterprise 8.2.3.3 . Does someone know, why the where statement is yielding an error in this case?
Thanks
... View more
- Tags:
- where
Labels
- Labels:
-
other
05-24-2022
11:35 PM
Hello,
I am trying to use the Java SDK to update a Lookup automatically on a daily basis.
My source is a csv File with ca. 22000 rows.
My current approach (and the approach from the other thread in the community) consists of reading the csv row per row and updating the KV Store by search jobs using outputlookup. After some hundreds of lines the server refuses the connection and my searches raise exceptions.
My question is: Is there a smarter way of updating the KV Store (or uploading the csv as whole) using the Java SDK?
I can get information about the KV Store using:
service.getConfs().get("collections").get("KV_Name")
But I did not find a way of accessing the data within the KVStore inside the documentation/javadoc.
Thanks in advance 😊
... View more
Hello,
I am using a scheduled report to fill a summary index. The report is supposed to work with indextime and process everything, that came new within the last hour. Therefore I configured the timerange the following way:
But somehow the scheduled report restricts the event time to the last 24 hours, which can yield to no search results in a case, that indexed data is from the day before yesterday:
Does someone know, why this restriction is happening, although the event time is supposed to be unrestricted?
Thanks and best regards
... View more
- Tags:
- reporting
Labels
- Labels:
-
scheduled search
-
summary indexing
03-24-2022
12:25 AM
Hello, I have a scheduled report, which is used to fill a summary index. The report for the summary index is scheduled hourly (based on indextime) The event data is usually indexed on daily basis at once (sometimes though there are multiple data ingestions of the server per day) Now the thing is, that the search is inefficient. In normal cases, this is no issue, but when a day was skipped for ingestion and the next day therefore indexes two days of event data at once, the report for the summary index will crash and there will be a gap in the summary index. To avoid data gaps, I configured the search to be durable This is the configuration regarding the time constraints of the search: This is the configuration for the durable search (Backfill method is multiple, as it is recommended for searches with transforming commands) To test, if data gaps of the summary index are recovered automatically, I stopped the dataflow of for the event index for 5 days and then indexed all the data at once, knowing, that this will lead the scheduled report to crash. Unfortunately, the durable search did not recover the data gap of the summary index. From the 5 days only a few hours were indexed into the summary index. Does someone have an idea why this is so? Thanks and best regards
... View more
Labels
- Labels:
-
other
-
scheduled search
-
summary indexing
02-25-2022
07:22 AM
Thank you for your reply. the command is stored in a different index. Is it still possible to use streamstats? what could be the reason, that using join with usetime=true and earlier=true yielded later results from the subsearch? Could it be because of sorting within the subsearch?
... View more
02-03-2022
06:03 AM
Hello, I have the following issue. I have a Search A, that yields me the state of a device. I would like to supplement the state by the information of the command, that leaded to the State A. Therefore I am looking to get the last command of Search B with the same device ID, that is before my Event in Search A. In order to do this, I have used a left join. index="IndexA" sourcetype="SourceA" .....|eval time=_time| table time ID state
|join type=left left=A right=B usetime=true earlier=true where A.ID=B.ID
[search index="IndexA" sourcetype="SourceB" ...|eval time=_time| table time ID command| sort _time-]
|timediff='A.time'-'B.time' Now I have the following issues: Is there a direct way to access the internal field _time? (Using 'A._time' doesn't work, which is why I am saving it in an own field named time) Somehow, if I don't use table at the end of the search command, i cannot access the value of time in the subsearch B using 'B.time' . What is the reason for this? And most important: I am getting results of the subsearch B, which are newer than my Event in the Search A. Is this because I used sort inside the subsearch? Thanks and best Regards
... View more
01-17-2022
02:01 AM
Hello, i have a question regarding the usage of the results of a join within an eval if. I have a couple of responses, to which I am joining their preceeding requests (written in another source) index="index1" sourcetype="sourcetype1" Response... |table rcvTime Command
|join type=left left=response right=request usetime=true earlier=true where response.ID=request.ID [search index="index2" sourcetype="sourcetype2" Request ....|table rcvTime Command|sort _time-] The issue is, that sometimes I get a wrong match, hence a request, that is not connected to the response and was a few days ago. The reason, why they are matched, is because it is the same device ID. Thats why I am trying to have an eval for the timediff. If I am using the variable request.command within the if, I will receive empty results: index="index1" sourcetype="sourcetype1" Response... |table rcvTime Command
|join type=left left=response right=request usetime=true earlier=true where response.ID=request.ID [search index="index2" sourcetype="sourcetype2" Request ....|table rcvTime Command|sort _time-]
|....(commands calculating timediff)
| request.command=if(timediff<300,request.command,"") If I am saving the value within a field that contains no point in the name, it works properly: index="index1" sourcetype="sourcetype1" Response... |table rcvTime Command
|join type=left left=response right=request usetime=true earlier=true where response.ID=request.ID [search index="index2" sourcetype="sourcetype2" Request ....|table rcvTime Command|sort _time-]
|....(commands calculating timediff)
|rename requestCommand as request.command
| requestCommand=if(timediff<300,requestCommand,"") Does someone have an idea, why I cannot use request.command within the eval (but on other commands I can use it)? Thanks and best Regards
... View more
12-08-2021
12:34 AM
Thank you, in this case I will avoid the map. The usecase is actually quite simple. The first search (search1) gets me error messages. They have a time and an ID. I have another search (search2) which gives me informations about operations made. They have the same ID (because the ID is referenced to the device). index="summary_index" search_name="search1" ...|fields _time ID ...
|join type=left left=L right=R usetime=true earlier=true where L.ID=R.ID [search index="summary_index" search_name="search2" |fields ...] so basically I want to use the current where clause, in which the ID are matched, with something where there is a time criterium. I thought about something similar to (I know, the syntax is wrong, sorry for this) join type=left left=L right=R usetime=true earlier=true where L.ID=R.ID and (L._time-R._time)<300
... View more
12-08-2021
12:04 AM
Hallo @PickleRick , thanks for your answer. Is there also no way to use a where-clause? The outer search has a very low number of results. Maybe the inefficient solution would also be fine for me. How would a solution like this be designed?
... View more
12-03-2021
11:17 PM
Thanks for your answer @johnhuang The search results represent an error case which is quite rare. So the dataset itself is large (10k/day), but the expected result of the outer search is <10/day. The search will run on daily basis with the timespan of 1d.
... View more
12-03-2021
12:07 PM
Thanks for the reply @ITWhisperer Is there also no where clause that I could use in the join? Or is there an alternative to the left join for enriching the data of search 1 with data of search 2 in case that the criteria are met (older than the event, but max 5 mins older and containing the same ID)?
... View more
12-03-2021
07:00 AM
Hello, I would like to ask, if it is possible to pass a time restriction to a subsearch of an join ? Unfortunately I did not find anything fitting in the forum. In my specific case I would like to enrich the results of search1 with the last event of search2, in which the ID is equal and the timestamp of search2 is not more than 5 minutes before the timestamp of search1. index="summary_index" search_name="search1" ...|fields _time ID ...
|join type=left left=L right=R usetime=true earlier=true where L.ID=R.ID [search index="summary_index" search_name="search2" |fields ...] Does someone have an idea? Thanks in advance!
... View more
09-13-2021
12:26 AM
Thank you very much ! This solved my issue in a simple way 😀
... View more
09-12-2021
11:21 PM
Thanks a lot for the reply! It goes in the right direction. Sometimes though, I get one change time as a result, but 3-4 modes. It looks like this: ID Modes ChangeTime 123 A C B 1630616559.136 Do you have an idea, how I prevent the search to get me more than one mode as the last result? PS: A machine can have several mode changes within short time, and I would need to get every mode change seperated. My search looks like this currently: .... | fields _time ID MODE | stats list(MODE) as Modes max(_time) as ChangeTime by ID | eval Modes=mvdedup(Modes)| where mvcount(Modes) > 1 Is it correct to interpret, that the first result in Modes is the new Mode? (in the example it would be A) Or is it the last one? (in the example it would be B) Thanks and best regards!
... View more
09-10-2021
07:04 AM
1 Karma
Hello guys, does someone know, whether it is possible, to do a matching of search results with previous results of the same search? I have a machine, that can enter different modes. Just for the example lets say, the machine can enter mode A, B or C. I receive an heartbeat every few seconds of hundred of these machines, which leads to a very large dataset. But I am not interested in the heartbeat, I am interested in the transition of the modes. Example: Time Machine_ID Mode 10:00:00 1 A 10:00:01 2 C 10:00:02 2 C 10:00:03 1 B 10:00:04 2 B So what I am basically interested in here is the transition of machine 1 from mode A to B and of machine 2 from C to B. In other words: I am searching for heartbeats, where the mode is different than the mode of the previous heartbeat of the same machine_ID. At the end, my result would look something like this _time _time_old_Mode machine_ID new_mode old_Mode 10:00:03 10:00:00 1 B A 10:00:04 10:00:02 2 B C I have tried subsearches, but I was not sucessful. The simplified search for getting the heartbeat is currently: index="heartbeat" | rex field=_raw "......(?P<MODE>.......)"| fields _time ID MODE Performance is not crucial, as it is planned to run this at night for a summary index. Thanks in advance! Best Regards
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
12-21-2023
04:47 AM
|
Karma given to
