Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About NanSplk01
NanSplk01
Communicator
Member since:
03-07-2022
2 weeks ago
Community Statistics
| Posts | 57 |
| Solutions | 3 |
| Karma Given | 1 |
| Karma Received | 3 |
| Member Since | 03-07-2022 |
Activity Feed
- Posted Re: Drill down from pie chart in dashboard studio on Splunk Enterprise. 2 weeks ago
- Karma Re: Drill down from pie chart in dashboard studio for livehybrid. 2 weeks ago
- Posted Drill down from pie chart in dashboard studio on Splunk Enterprise. 2 weeks ago
- Tagged Drill down from pie chart in dashboard studio on Splunk Enterprise. 2 weeks ago
- Posted Re: Trying to create a search that will bring back indexes that have 0 bytes ingested over the last 30 days on Splunk Search. 09-29-2025 07:05 AM
- Posted Trying to create a search that will bring back indexes that have 0 bytes ingested over the last 30 days on Splunk Search. 09-24-2025 08:36 AM
- Got Karma for Re: How to create a field on the fly using CASE. 02-19-2025 09:52 PM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-19-2025 04:46 AM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-18-2025 10:22 AM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-18-2025 05:01 AM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-13-2025 10:40 AM
- Posted Re: How to create a field on the fly using CASE on Splunk Search. 02-13-2025 08:39 AM
- Posted How to create a field on the fly using CASE on Splunk Search. 02-12-2025 09:26 AM
- Tagged How to create a field on the fly using CASE on Splunk Search. 02-12-2025 09:26 AM
- Posted Re: Trying to add a sub_search that brings back the action field to the base search. Any help will be appreciated. on Splunk Enterprise Security. 02-05-2025 03:53 AM
- Posted Trying to add a sub_search that brings back the action field to the base search. Any help will be appreciated. on Splunk Enterprise Security. 02-04-2025 11:39 AM
- Posted Search for triggered save searches and their actions titles and users: Need help with subsearch on Splunk Search. 02-04-2025 09:51 AM
- Got Karma for Re: I have been trying to use the CASE function in splunk, but my results are not correct. 11-19-2024 09:59 AM
- Posted Re: I have been trying to use the CASE function in splunk, but my results are not correct on Splunk Search. 11-19-2024 09:55 AM
- Posted I have been trying to use the CASE function in splunk, but my results are not correct on Splunk Search. 11-19-2024 09:02 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
I am new to dashboarding drop downs and I'd like to create a drop down for each slice of the pie. I have created a search as a pie chart and tried to add a drop down that will search for only the slice I have selected. So far it's not going anywhere. This is what I have: "title": "Demo DCP Levels", "description": "", "inputs": { "input_global_trp": { "options": { "defaultValue": "-24h@h,now", "token": "global_time" }, "title": "Global Time Range", "type": "input.timerange" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "earliest": "$global_time.earliest$", "latest": "$global_time.latest$" } } } }, "tokens": { "default": { "DCP-ERROR": { "value": "ERROR" }, "ERROR": { "value": "ERROR" } } }, "visualizations": { "global": { "showProgressBar": true } } }, "visualizations": { "viz_4Ur0ZwMO": { "containerOptions": {}, "dataSources": { "primary": "ds_iY2W7D6g" }, "eventHandlers": [ { "options": { "tokens": [ { "key": "row.ERROR.value", "token": "ERROR" } ] }, "type": "drilldown.setToken" }, { "options": { "tokens": [ { "token": "DCP-ERROR", "value": "ERROR" } ] }, "type": "drilldown.setToken" } ], "showLastUpdated": false, "showProgressBar": true, "title": "DCP Levels", "type": "splunk.pie" } }, "dataSources": { "ds_iY2W7D6g": { "name": "Pie chart search", "options": { "query": "index=\"dcp-np\" level!=INFO \n| dedup level\n| stats count by level", "queryParameters": { "earliest": "-15m", "latest": "now", "sampleRatio": "1" } }, "type": "ds.search" } }, "layout": { "globalInputs": [ "input_global_trp" ], "layoutDefinitions": { "layout_1": { "options": { "gutterSize": 10, "height": 960, "width": 1440 }, "structure": [ { "item": "viz_4Ur0ZwMO", "position": { "h": 250, "w": 1440, "x": 0, "y": 0 }, "type": "block" } ], "type": "grid" } }, "options": {}, "tabs": { "items": [ { "label": "New tab", "layoutId": "layout_1" } ] } }, "applicationProperties": { "hideEdit": false, "hideExport": false } } How can I select a piece of the pie to drop down to another search?
... View more
- Tags:
- dropdown
Labels
- Labels:
-
splunk-assist
09-29-2025
07:05 AM
Unfortunately neither brought back only those indexes that were just zero, it brought back all indexes and they were all counted as zero.
... View more
09-24-2025
08:36 AM
| rest splunk_server=* /services/data/indexes | fields title currentDBSizeMB lastIngestTime | eval Bytes = round(coalesce(currentDBSizeMB, 0) * 1024 * 1024, 0) | where Bytes = 0 AND NOT match(title, "^_") | eval Source="REST" | rename title as "Index" | table Index Bytes Source | append [ | dbinspect index=* summarize=t | stats sum(rawSize) as Bytes by index | eval Bytes = coalesce(Bytes, 0) | where Bytes = 0 AND NOT match(index, "^_") | eval Source="dbinspect" | rename index as "Index" | table Index Bytes Source ] | dedup Index All I get is one index instead of all of them.
... View more
02-19-2025
04:46 AM
1 Karma
Was able to get it working this way. index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR!=INFO _raw=* | eval error_msg = case(match(_raw, "Disconnected"), "disconected", match(_raw, "restart failed"), "restart failed", match(_raw, "Failed to start connector"), "failed to start connector") | search error_msg=* | dedup connName | table host connName error_msg ERROR
... View more
02-18-2025
10:22 AM
I think I'm close, but the error_msg does not display: index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN | eval error_msg = case(match(_raw, "Disconnected"), "disconected", match(_raw, "restart failed"), "restart failed", match(_raw, "Failed to start connector"), "failed to start connector") | dedup host | table host connName error_msg
... View more
02-13-2025
10:40 AM
So I have been trying to use if statements, but I don't seem to be getting the if statement correct: index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN Action="restart failed" OR Action="disconnected" OR Action="Task threw an uncaught an unrecoverable exception" | eval if(Action="restart failed", "restart failed", "OK", Action="disconnected","disconnected","OK", Action="Task threw an uncaught an unrecoverable exception", "ok") | table Action host connName I've tried several different formats for the if, but it keeps telling me the if statements are wrong. What am I not seeing here?
... View more
02-13-2025
08:39 AM
StatusMsg is the field (on the fly field) that I want to be populated by the message so I'm not certain what you mean by <<some expression>> So that was why I thought maybe this would be an if then type of query. If StatusMsg="some value" then put that in the table along with the other data. If not, then go to the next status message. So I would want: Action Host ConnName "Task through an uncaught..." lx....... CCNBU---- So should this be an if then search?
... View more
02-12-2025
09:26 AM
I have the following values that will go in a field titled StatusMsg: "Task threw an uncaught and unrecoverable exception" "Ignoring await stop request for non-present connector" "Graceful stop of task" "Failed to start connector" "Error while starting connector" "Ignoring error closing connection" "failed to publish monitoring message" "Ignoring error closing connection" "restart failed"| "disconnected" "Communications link failure during rollback" "Exception occurred while closing reporter" "Connection to node" "Unexpected exception sending HTTP Request" "Ignoring stop request for unowned task" "failed on invocation of onPartitionsAssigned for partitions" "Ignoring stop request for unowned connector" "Ignoring await stop request for non-present connector" "Connection refused" I am not certain how to do this. This is the base search: index=kafka-np sourcetype="KCON" connName="CCNGBU_*" ERROR=ERROR OR ERROR=WARN I want to create the field on the fly and have it pick up the appropriate CASE value. I would then put it in a table with host connName StatusMsg Any assist would be greatly appreciated.
... View more
- Tags:
- case
Labels
- Labels:
-
eval
02-05-2025
03:53 AM
All I want to get from the subsearch is to bring back the field actions. It can probably be a much smaller search.
... View more
02-04-2025
11:39 AM
index=cim_modactions source=/opt/splunk/var/log/splunk/incident_ticket_creation_modalert.log host=sh* search_name=* source=* sourcetype=modular_alerts:incident_ticket_creation user=* action_mode=* action_status=* search_name=kafka* [| rest /servicesNS/-/-/saved/searches | search title=kafka* | rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV" | eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | eval identifierDate=now() | convert ctime(identifierDate) AS identifierDate | table identifierDate title lastUpdated, nextRunTime, emailTo, query, severity, emailTo, actions | fillnull value="" | sort -lastUpdated actions] | table user search_name action_status date_month date_year _time
... View more
Labels
02-04-2025
09:51 AM
I want to use the 2nd search as a subsearch only bringing back the actions. How can I do this? SEARCH | rest /servicesNS/-/-/saved/searches | search title=kafka* | rename dispatch.earliest_time AS "frequency", title AS "title", eai:acl.app AS "app", next_scheduled_time AS "nextRunTime", search AS "query", updated AS "lastUpdated", action.email.to AS "emailTo", action.email.cc AS "emailCC", action.email.subject AS "emailSubject", alert.severity AS "SEV" | eval severity=case(SEV == "5", "Critical-5", SEV == "4", "High-4",SEV == "3", "Warning-3",SEV == "2", "Low-2",SEV == "1", "Info-1") | eval identifierDate=now() | convert ctime(identifierDate) AS identifierDate | table identifierDate title lastUpdated, nextRunTime, emailTo, query, severity, emailTo | fillnull value="" | sort -lastUpdated SUBSEARCH | rest "/servicesNS/-/-/saved/searches" timeout=300 splunk_server=* | search disabled=0 | eval length=len(md5(title)), search_title=if(match(title,"[-\\s_]"),("RMD5" . substr(md5(title),(length - 15))),title), user='eai:acl.owner', "eai:acl.owner"=if(match(user,"[-\\s_]"),rtrim('eai:acl.owner',"="),user), app_name='eai:acl.app', "eai:acl.app"=if(match(app_name,"[-\\s_]"),rtrim('eai:acl.app',"="),app_name), commands=split(search,"|"), ol_cmd=mvindex(commands,mvfind(commands,"outputlookup")), si_cmd=mvindex(commands,mvfind(commands,"collect")) | rex field=ol_cmd "outputlookup (?<ol_tgt_filename>.+)" | rex field=si_cmd "index\\s?=\\s?(?<si_tgt_index>[-_\\w]+)" | eval si_tgt_index=coalesce(si_tgt_index,'action.summary_index._name'), ol_tgt_filename=coalesce(ol_tgt_filename,'action.lookup.filename') | rex field=description mode=sed "s/^\\s+//g" | eval description_short=if(isnotnull(trim(description," ")),substr(description,0,127),""), description_short=if((len(description_short) > 126),(description_short . "..."),description_short), is_alert=if((((alert_comparator != "") AND (alert_threshold != "")) AND (alert_type != "always")),1,0), has_report_action=if((actions != ""),1,0) | fields + app_name, description_short, user, splunk_server, title, search_title, "eai:acl.sharing", "eai:acl.owner", is_scheduled, cron_schedule, max_concurrent, dispatchAs, "dispatch.earliest_time", "dispatch.latest_time", actions, search, si_tgt_index, ol_tgt_filename, is_alert, has_report_action | eval object_type=case((has_report_action == 1),"report_action",(is_alert == 1),"alert",true(),"savedsearch") | where is_alert==1 | eval splunk_default_app = if((app_name=="splunk_archiver" OR app_name=="splunk_monitoring_console" OR app_name="splunk_instrumentation"),1,0) | where splunk_default_app=0 | fields - splunk_server, splunk_default_app | search title=*kafka* | table actions title user
... View more
11-19-2024
09:55 AM
1 Karma
Thanks, I used a similar configuration and now it works. I had to use the == rather than the =
index=websphere websphere_logEventType=*
| stats count(websphere_logEventType) BY websphere_logEventType
| eval websphere_logEventType=case(websphere_logEventType=="I", "INFO",websphere_logEventType=="E", "ERROR", websphere_logEventType=="W", "WARNING", websphere_logEventType=="D", DEBUG, true(),"Not Known" )
| dedup websphere_logEventType
... View more
11-19-2024
09:02 AM
This is my search. I brings back Not Known for every field instead of the correct case name: index=websphere websphere_logEventType=* | stats count(websphere_logEventType) BY websphere_logEventType | eval websphere_logEventType=case(websphere_logEventType=I, "INFO",websphere_logEventType=E, "ERROR", websphere_logEventType=W, "WARNING", websphere_logEventType=D, DEBUG, true(),"Not Known" ) What am I missing that will bring the count and the case that the count is for instead of always the Not Known case?
... View more
- Tags:
- case
11-13-2024
11:16 AM
index=replicate category=* action=* Message=*
[search index=replicate
| eval Msg=substr(Message,1,30)]
| stats count by action category Msg
| dedup action
This is what I'm trying to do. The Message field is very large and I only need the first sentence of the Message. How can I do this? We want it in a sub-search to show the sub-search function for our users.
This is Splunk Cloud implementation.
... View more
07-30-2024
09:11 AM
Well, I did find another line which has the date and time, but it's over 15 lines into the log file. We need to start with the first line which is the beginning of the stanza, but get the timestamp which is 15th line showing after the opening line shown below C:\Program Files\Universal\UAGSrv\xxxl_p01.nam>set StartDate=Tue 07/23/2024 This is the actual timestamp which I think would work since it has both date and time (hoping that's what the _80514 is the time?? Files\Universal\UAGSrv\xxx_p01.nam>set timestamp=20240723_80514
... View more
07-29-2024
12:33 PM
It is one of several blocks of lines inside the log file. Each starts with the little snippet I put above and then has any number of lines after it. While the file is a .txt, the look to me would be a xml document that pushes out the log file. I've not seen one like it before. I was thinking I'd need a props or transform or both to set this date/time, but it's my first experience with it.
... View more
07-29-2024
11:59 AM
I am trying to create a sourcetype for a new client: Note StartDate=xxxx is where the log begins. However the StartTime=*** is not with it, but I need both int he logs. How do I create this sourcetype? C:\Program Files\Universal\UAGSrv\xxx>set StartDate=Mon 07/29/2024 C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024 C:\Program Files\Universal\UAGSrv\xxx>set sdm=07 C:\Program Files\Universal\UAGSrv\xxx>set sdd=29 C:\Program Files\Universal\UAGSrv\xxx>set sdy=2024 C:\Program Files\Universal\UAGSrv\xxx>set sdm=07 C:\Program Files\Universal\UAGSrv\xxx>set sdd=29 C:\Program Files\Universal\UAGSrv\xxx>set StartTime=14:45:09.56 any assistance would be very helpful and appreciated.
... View more
Labels
- Labels:
-
sourcetype
-
time
07-17-2024
07:22 AM
Hope someone can assist. My client needs to be able to read word and other binary files from a dashboard without importing them into Splunk. He has a fileshare where they store the documents and would like to read the share and have the list show in the dashboard and be able to click on a document from the file share and view the file in it's native application. Is there a way to do this with Splunk?
... View more
Labels
- Labels:
-
Classic dashboard
06-24-2024
08:31 AM
It's hard to see, but what is need is for the "Message": line to be the breaking line and for the "TimeStamp': line to be the first line of the whole event. "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 14-Jun-24 07:54:50, End: 14-Jun-24 07:56:20, Mode: 5, Status: [-11059] No Good Data For Calculation",-------event break here "TimeStamp": "\/Date(1718366180157)\/", ----event start here In the example I sent it's hard to see the break after message and before Timestamp clearly because they look like one big line.
... View more
06-21-2024
06:46 AM
What I need is for the line that starts with Start: to be the break after line. Start: 14-Jun-24 07:55:05, End: 14-Jun-24 07:56:35, Mode: 5, Status: [-11059] No Good Data For Calculation", Break after the ", but since there are a few ", and not only the ", how do I get it to break at that last comma?
... View more
06-20-2024
10:12 AM
Unfortunately, as you can see, it's still splitting the two lines.
... View more
06-19-2024
07:45 AM
unfortunately it still breaks into two events and I wanted to receive only 1 event: Time Event 1 6/14/24 7:56:39.168 AM "TimeStamp": "\/Date(1718366199168)\/", "ID": 7082, "Parameters": null, { }, Show all 6 lines ------------------------------------------------ 2 6/14/24 7:56:39.013 AM "SplunkTime": "1718366199.01303", "Source3": null, "Source2": null, "Source1": null, "ProcessPIUser": null, Show all 15 lines
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
2 weeks ago
|
