×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
nsingh49
Explorer
Member since: ‎09-01-2021
‎09-06-2021
Community Statistics
Posts 4
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-01-2021
Activity Feed
View All

Re: Renaming regex returned token values and passi...

by in Splunk Search
‎09-05-2021 10:31 PM
‎09-05-2021 10:31 PM
This worked great for the drilldown panel. Is there a way to update it in the main panel as well and replace technical name with a general name(the barchart column name)? ... View more

Renaming regex returned token values and passing o...

by in Splunk Search
‎09-05-2021 01:00 PM
‎09-05-2021 01:00 PM
I have a splunk query that finds top errors in the log using regular expression. I then display it as a bar chart:             someSearchQuery|rex "someTerm(?<error>)|stats count by error|sort -count | head 10 I want to use the values returned by the query in a drill down such that on click on barchart the drilldown displays result for that value the drilldown xml i used for setting token is this         <drilldown>             <set token="show_panel">true</set>             <set token="selected_value">$click.value$</set>        </drilldown> and then I use this token in the drilldown query as such someSearchQuery|rex "someTerm(?<error>)|search error=$selected_value$|timechart count by errorType span="1m"|addcoltotals|rename NULL as count These error name are too technical and i want to change them in the main panel and drilldown. for e.g. if regex returns error"ID not found", I want to replace it with "Data_error" also i want my title to change with the general name         <title>$$selected_value$</title> But the problem is when I change the name using eval, the drilldown query doesnot get the actual error name and search fails becuase there is no such error as "Data_error". the query needs "ID not found" to fucntion. Is there any way this can be achieved?Can I change the name of my searchTerm and at the same time use the old searchTerm in drilldown query as well?   ... View more
Labels

Re: Sorting the fields based on values in a row

by in Splunk Search
‎09-02-2021 09:13 AM
‎09-02-2021 09:13 AM
added this to the query this and worked like a charm   | addcoltotals labelfield=_time label="TOTAL" | transpose header_field="_time" 0 | sort - TOTAL | transpose header_field="column" 0 | rename column as _time  ... View more

Sorting the fields based on values in a row

by in Splunk Search
‎09-01-2021 06:17 PM
‎09-01-2021 06:17 PM
This is my splunk query   index=xxxxx "searchTerm")|rex "someterm(?<errortype>)" | timechart count by errortype span ="1w" | addcoltotals labelfield=total | fillnullvalue=TOTAL|fileds - abc,def,total   I am adding the total count of the errors over a week in another column named TOTAL as depicted in table below.Here A... B... are error names in alphabetical order, the values are total number of errors that occured on that day for that errortype _time                      A....     A....     C....     D....     E.... 2021-08-25       11         22      05      23      89 2021-08-26        15       45        45      13      39 2021-08-27        34       05        55       33     85 2021-08-28        56       08        65       53      09 2021-08-29         01       06        95      36       01 TOTAL                  117        86       265  158    223 I want these fields sorted by value in TOTAL row in descending order like 265   223 1 58  117  86 But i am always getting this in alphabetical order of the errortype like A... A... B... how can i improve this query to get the sorted result like i want? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-06-2021 04:35 PM