Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About umithchada
umithchada
Explorer
Member since:
03-18-2022
03-18-2024
Community Statistics
| Posts | 12 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 03-18-2022 |
Activity Feed
- Posted Re: How do i split a specific date format using rex field on All Apps and Add-ons. 12-06-2023 12:30 PM
- Karma Re: Understanding the LOOKUP command for elliotproebstel. 12-06-2023 11:23 AM
- Posted How do i split a specific date format using rex field on All Apps and Add-ons. 12-05-2023 11:15 AM
- Tagged How do i split a specific date format using rex field on All Apps and Add-ons. 12-05-2023 11:15 AM
- Tagged How do i split a specific date format using rex field on All Apps and Add-ons. 12-05-2023 11:15 AM
- Tagged How do i split a specific date format using rex field on All Apps and Add-ons. 12-05-2023 11:15 AM
- Posted Re: How do i use if/case functions using lookup table search? on Splunk Search. 11-14-2023 07:50 PM
- Posted Re: How do i use if/case functions using lookup table search? on Splunk Search. 11-14-2023 06:50 PM
- Posted How do i use if/case functions using lookup table search? on Splunk Search. 11-14-2023 01:35 PM
- Tagged How do i use if/case functions using lookup table search? on Splunk Search. 11-14-2023 01:35 PM
- Tagged How do i use if/case functions using lookup table search? on Splunk Search. 11-14-2023 01:35 PM
- Tagged How do i use if/case functions using lookup table search? on Splunk Search. 11-14-2023 01:35 PM
- Tagged How do i use if/case functions using lookup table search? on Splunk Search. 11-14-2023 01:35 PM
- Tagged How do i use if/case functions using lookup table search? on Splunk Search. 11-14-2023 01:35 PM
- Posted Re: How do i get the sum of data from the latest timestamp on All Apps and Add-ons. 10-30-2023 02:30 PM
- Tagged Re: How do i get the sum of data from the latest timestamp on All Apps and Add-ons. 10-30-2023 02:30 PM
- Posted Re: How do i get the sum of data from the latest timestamp on All Apps and Add-ons. 10-30-2023 08:37 AM
- Tagged Re: How do i get the sum of data from the latest timestamp on All Apps and Add-ons. 10-30-2023 08:37 AM
- Karma Re: How do i get the sum of data from the latest timestamp for enzomialich. 10-30-2023 08:36 AM
- Posted How do i get the sum of data from the latest timestamp on All Apps and Add-ons. 10-27-2023 02:42 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
12-06-2023
12:30 PM
Hello, Unfortunately this is giving me blank entries if the duration is under a day. We figured it out, and this logic seems to be working: | rex field=ELAPSED "((?<dd>\d*)-?)?((?<hh>\d+):?)?((?<mm>\d*):?)?(?<ss>\d+)$"
| rex field=ELAPSED "((?<hhh>\d+):?)?((?<mmm>\d*):?)?(?<sss>\d+)$"
| rex field=ELAPSED "((?<mmmm>\d*):?)?(?<ssss>\d+)$"
| eval dd=If(isnotnull(hh),dd,0)
| eval hhh=If('mm'='mmm',hhh,0)
| eval mm=If('ss'='ssss',mmmm,0)
| eval elapsed_secs = coalesce((if(isnotnull(dd),dd,0)*86400)+(if(isnotnull(hh),hh,0)*3600)+(if(isnotnull(mm),mm,0)*60)+if(isnotnull(ss),ss,0),0)
| table ELAPSED elapsed_secs
... View more
12-05-2023
11:15 AM
Hello Team, I have the specific data: 1-10:20:30 (This stands for 1 day 10 hours 20 minutes 30 seconds) 10:20:30 (This stands for 10 hours 20 minutes 30 seconds) 20:30 (This stands for 10 hours 20 minutes 30 seconds) I would like to create a table where I get the output in seconds ELAPSED | seconds_elapsed 1-10:20:30 | 123630 10:20:30 | 37230 20:30 | 1230 Below is the rex format i am using to get this data. But for the last entry (20:30), i am getting an empty output. Is there a way to fix this? | rex field=ELAPSED "((?<dd>\d+)\-?)((?<hh>\d+)\:?)((?<mm>\d+)\:)?(?<ss>\d+)$" | eval elapsed_secs=(dd * 86400) + (hh * 3600) + (mm * 60) + (ss*1) | table ELAPSED seconds_elapsed _time
... View more
Labels
- Labels:
-
search
11-14-2023
07:50 PM
So I have various alerts which have the system name somehow embedded in any place. I am looking for a query which says , " if system name is found anywhere in the alert (upper or lower case) it should output the appropriate"system name" in the "system_name" field.
... View more
11-14-2023
06:50 PM
Hello, You are correct, the alert name is in the data. It is under a single field called "Subject" in a form of a string. But the data in the lookup table is like this, with a single field " System_name",example: AAA BBB CCC DDD The main data is has just a single field as well called "Subject" ( each row a string): File system alert on AAA File system alert on server serveraaaname File system alert on BBB I just want the output to be like in 2 fields: Subject || system_name Fils system alert on AAA || AAA File system alert on serveraaaname || AAA File system alert on BBB || BBB Hopefully this makes sense.
... View more
11-14-2023
01:35 PM
Hello, I have a use case where I have a bunch of email alerts that I need to determine the system name for. Examples, lets say i have the alerts: 1. File system alert on AAA 2. File system alert on server servernameaaaendservername 3. File system alert on server BBB I have the list of these system names in a lookup table (Around 100 unique names), so adding 100 lines of field_name LIKE "%systemname1%","systemname1" doesn't seem efficient. Is there a way to use the conditional statement with the lookup table to match the statments? Trying to get the below output by using the system names found in the lookup table If systemname is found in the lookup table that matches on what is found in the alert, output systemname Alert Name || System Name File system alert on AAA || AAA File system alert on server servernameaaaendservername || AAA File system alert on server BBB || BBB
... View more
Labels
- Labels:
-
lookup
10-30-2023
02:30 PM
I did look into the bin command a bit further and It did help, thanks again! Needed to timechart my data for the latest data of that day as it kept growing and data points were just snapshots of the storage of that day. Final code: | bin _time span=12h | stats latest(<storage size>) as <storage size> by _time data_storage | timechart span=12h sum(<storage size>) by data_storage For the requirement I needed, I just needed to do bin = 1d and span=1d to get daily data trend for the past year of data.
... View more
- Tags:
- search
10-30-2023
08:37 AM
So I think i got what i needed:
| stats sum(Size of data storage) by _time, "data storage name"
Adding Bin added a layer of unnecessary sum of the values. I tried a | bin span=12h _time .
Also, I was not able to get the visual correctly with the differentiated colors, had to use the trellis option, and that helped split my graph into 2 different graphs. For now, i can make due with that.
But in theory, it should've split it in to different colors on the column chart, one for each data storage.
... View more
- Tags:
- search
10-27-2023
02:42 PM
Hello, I have a peculiar question: Below is sample data: _time data storage name Size of data storage 2023-04-30T00:31:00.000 data_storage_1 10 2023-04-30T00:31:00.000 data_storage_2 15 2023-04-30T12:31:00.000 data_storage_1 15 2023-04-30T12:31:00.000 data_storage_2 20 2023-05-01T00:31:00.000 data_storage_1 20 2023-05-01T00:31:00.000 data_storage_2 30 2023-05-01T12:31:00.000 data_storage_1 30 2023-05-01T12:31:00.000 data_storage_2 40 2023-05-02T00:31:00.000 data_storage_1 40 2023-05-02T00:31:00.000 data_storage_2 50 2023-05-02T12:31:00.000 data_storage_1 50 2023-05-02T12:31:00.000 data_storage_2 50 How do i go about getting the the sum of all storages per time frame? Example of output: Time Total Storage 04/30 00:31 -> 25 04/30 12:31 -> 35 05/01 00:31 -> 50 05/01 12:31 -> 70
... View more
Labels
- Labels:
-
search
03-18-2022
11:44 AM
The value was of ELAPSED was like "05:00:00" .
... View more
03-18-2022
11:42 AM
Thanks, this worked for me, Looks like for data sets below 1 day, we will have to convert to seconds to get accurate filtering.
... View more
03-18-2022
09:55 AM
Hello, I am trying to find the list of elapsed time over a specific time using our os process sourcetype. Looks something like this index=os sourcetype=ps host=* COMMAND=* | where ELAPSED > "12:59:59" | table COMMAND ELAPSED _time But for some reason, the ELAPSED time is still displaying values under this time. If the ELAPSED Time goes over a day, I am able to filter that out with the where command. Example: | where ELAPSED > "60-12:59:59" | table COMMAND ELAPSED _time -> Output will give me the results which are older than 60 days, 12:59:59 hours.
... View more
Labels
- Labels:
-
table
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-18-2024
02:29 PM
|
