About Jouman

Jouman · ‎11-20-2023

Dear All, I have one index and I use this index to store messages and summary report as well. In report="report_b", it stores the running case name and the used device id(DEV_ID) in timestamp _time. ex. _time DEV_ID case_name case_action 01:00 111 ping111.py start 01:20 111 ping111.py end 02:00 222 ping222.py start 02:30 222 ping222.py end 02:40 111 ping222.py start 03:00 111 ping222.py end For Message_Name="event_a", it is stored in index=A as below: _time LOG_ID Message_Name 01:10 01 event_a 02:50 02 event_a I would like to associate the case that is running when the event_a is sent. So I use the code below: Firstly, to find out the device id(DEV_ID) associated with this log(LOG_ID) Secondly, to associate event_a and case_name by DEV_ID Finally, list those event_a only. (index=A Message_Name="event_a") OR (index=A report="report_b") | lookup table_A.csv LOG_ID OUTPUT DEV_ID | sort 0 + _time | streamstats current=false last(case_name) as last_case_name, , last(case_action) as last_case_action by DEV_ID | eval case_name=if(isnull(case_name) AND last_case_action="start",last_case_name,case_name) | where isnotnull(Message_Name) | table _time Message_Name LOG_ID DEV_ID case_name The output would be: _time Message_Name LOG_ID DEV_ID case_name 01:10 event_a 01 111 ping111.py 02:50 event_a 02 111 ping222.py The code works fine but the amount of data is huge so the lookup command takes a very long time. Furthermore, actually, it is no need to apply lookup command for report="report_b". (index=A Message_Name="event_a") : 150000 records in 24 hour (index=A report="report_b") : 700000 records in 24 hour Is there any way to rewrite the code to make lookup only apply on events belongs to (index=A Message_Name="event_a") ? try to use subsearch, append, appendpipe to restrict find associated DEV_ID first but not working. Thank you so much.

Jouman · ‎10-19-2023

Hi all, I have a panel with 4 columns and I configure the panel settings in "htmlPanel1A". <panel id="htmlPanel1A"> Due to different values in each columns, I sometimes found 3 columns look like left-aligned while the rest 1 column looks like right-aligned content. I think the problem comes from center-aligned in the default setting. I would like to change into right-aligned for all columns but remains the title of the panel is center-aligned. Is there any suggestion on my CSS configuration to fulfill the purpose? <panel depends="$alwaysHideCSS$"> <html> <div> <style> /* define some default colors */ .dashboard-row .dashboard-panel{ background-color:lightcyan !important; } .dashboard-panel h2{ background:cyan !important; color:FFFFFF !important; text-align: center !important; font-weight: bold !important; border-top-right-radius: 12px; border-top-left-radius: 12px; } /* override default colors by panel id */ #htmlPanel1 h2,#htmlPanel1A h2{ color:#3C444D !important; background-color:#FFFFFF !important; } ..... </style> </div> </html> </panel> Thank you so much.

Jouman · ‎09-15-2023

Dear all, I have a list of latitude and longitude pairs from my observed events and try to get the corresponding street/city from latitude and longitude. I found this website https://nominatim.org/release-docs/develop/api/Reverse/ and the URL it provides to map from latitude and longitude to street/building: https://nominatim.openstreetmap.org/reverse?format=xml&lat=<my_lat>&lon=<my_lon>&zoom=18 ex. https://nominatim.openstreetmap.org/reverse?format=xml&lat=39.982302&lon=116.484438&zoom=18 => output is: 360building, xx streat, xx road, xx village, xx district, Beijing, 100015, China However, here is my raw data, more than 1000 records so it's impossible to input to URL manually: log id Lat Lon 1 39.982302 116.484438 2 30.608684 114.418229 Does anyone know is there a way to treat the Lat and Lon as input parameter in the URL link by code ? Thank you.

Jouman · ‎08-30-2023

Hi All, Previously, I have asked a question titled as "How to display panels dynamically depends on selection?" https://community.splunk.com/t5/Dashboards-Visualizations/How-to-display-panels-dynamically-depends-on-selection/m-p/655457/highlight/false#M53927 The panels can be displayed dynamically by the user selection. However, I need to display the title or the description according to the dymical selection. That is, if the user select packet_size="32,40,128" from the filter. Three panels will be displayed and I wish to display the title = "Packet size=xx", where xx represent the analyzed packet_size value. ex. Table 1 with title = "Packet size=32", Table 2 with title = "Packet size=40", Table 3 with title = "Packet size=128" I refer to these history but I am unable to find a successful solution. How do I display _time on dashboard panel's title field? Dynamic value display in the Panel Title? How do you display the date in a dashboard title? Does anyone know how to display the title or description with a variable in code or a value in filter selection? Thank you so much.

Jouman · ‎08-30-2023

thank you so much. This works!

Jouman · ‎08-30-2023

Hi Pshangguan, After I modity time into $result.time$, the actual time still doesn't appear on the title. Do you succesfully make the actual time appear in your panel title ? Thanks.

Jouman · ‎08-23-2023

Hi All, Previously, I have asked a question titled as "How to display panels dynamically depends on selection ?" (link). I have a similar issue that I need to display panels dynamically depends on user selection in a filter. However, the user selection is no longer in categories, but from the packet_size in index="my index" within 24 hours. Therefore, the options in this filter becomes dynamic and what the user selects is dynamic as well. This is the search code in this filter: index="my_idx" "*PING DATA*" | stats count by ping_pkt_size and the output will be: ping_pkt_size Count 40 111 128 30 520 10 ... other ping_pkt_size are possible. Is it possible to display panels accordingly and dynamically depends on user selection? ex. if the user selects 40, then display the analysis table for packet_size=40. If the user selects 128 and 520, then display 2 analysis tables, one for packet_size=128 and one for packet_size=520. Do anyone have idea about how to implement this? Thank you.

Jouman · ‎08-22-2023

Hi all, I want to analyze the Round Trip Time and received count in Ping command for each ping packet size or for all packets. Therefore, I use stats() as below: <my basic search> `comment("generate ping_rtt_time for round trip time, ping_rcv_count for received packet count")` | stats min(ping_*) as min_ping_*, max(ping_*) as max_ping_*, avg(ping_*) as avg_ping_*, perc20(ping_ping_*) as pr20_ping_*, perc40(ping_*) as pr40_ping_*, stdev(ping_*) as stdev_ping_* by ping_packet_size Therefore if the user selects multi-ple packet size, ex, 40, 128 bytes, the related analysis can be provided. But if a user wants to read analysis for all packets, that means he want to analyze all packet size, ex, All, I can't use the same stats(). If there are 2 kinds of packet size, ex. 40 , 128 bytes, it is different between selecting 40 and 128 options in a scroll down bar with selecting "All" in the same scroll down bar. Does anyone know how to analyze for one or multi-ple packet size and for all kinds of packet size as well ? Thank you.

Jouman · ‎08-10-2023

Hi all, I have an table with the start time and stop time in each case as below. ID Case Name Start Time Stop Time user_1 Case_A 2023.08.10 13:26:37.867787 2023.08.10 13:29:42.159543 user_2 Case_B 2023.08.10 13:29:42.159545 2023.08.10 13:29:48.202143 Because I want to merge the duration of case execution with another event, I hope to transfer the above table into this kind of table. _time ID Case Name case_action 2023.08.10 13:26:37.867787 user_1 Case_A start 2023.08.10 13:29:42.159543 user_1 Case_A stop 2023.08.10 13:29:42.159545 user_2 Case_B start 2023.08.10 13:29:48.202143 user_2 Case_B stop I could transfer the start time into _time by |eval _time='Start Time' However, I can't think of a solution to record "Stop Time" into _time as well. Does any one have a idea about how to accomplish this? Thanks a lot.

Jouman · ‎08-10-2023

Thank you very much! My issue is resolved so that I can go on the next step.

Jouman · ‎08-10-2023

Hi all, I am in a trouble to extract values from a structure. Here is the structure of a event: Event{ ID: user_1 data: { c:[ { Case Name: case_A Start Time: 2023.08.10 13:26:37.867787 Stop Time: 2023.08.10 13:29:42.159543 } { Case Name: case_B Start Time: 2023.08.10 13:29:42.159543 Stop Time: 2023.08.10 13:29:48.202143 } { Case Name: case_C Start Time: 2023.08.10 13:29:48.202143 Stop Time: 2023.08.10 13:29:51.193276 } ] } } I tried to compose a table for lookup as below ID case_name case_start_time case_stop_time user_1 case_A 2023.08.10 13:26:37.867787 2023.08.10 13:29:42.159543 user_1 case_B 2023.08.10 13:29:42.159543 2023.08.10 13:29:48.202143 user_1 case_C 2023.08.10 13:29:48.202143 2023.08.10 13:29:51.193276 but I fail to comose as my expectation, I can only compose a table like this: ID case_name case_start_time case_stop_time user_1 case_A case_B case_C 2023.08.10 13:26:37.867787 2023.08.10 13:29:42.159543 2023.08.10 13:29:48.202143 2023.08.10 13:29:42.159543 2023.08.10 13:29:48.202143 2023.08.10 13:29:51.193276 Here is my code: index="my_index" | rename "data.c{}.Case Name" as case_name, "data.c{}.Start Time" as case_start_time, "data.c{}.Stop Time" as case_stop_time | table ID case_name case_start_time case_stop_time Can anyone help to compose the output table I need? I hope to seperate each case_name with its own case_start_time and case_stop_time. Thank you so much.

Jouman · ‎05-12-2023

Hi @gcusello , Thank you very much for all the suggestion. I find the way to fix my problem. I can't find the solution without your help, and I am truly grateful. Thanks.

Jouman · ‎05-12-2023

Hi @gcusello , Thanks for the several correction. I didn't know it is bad to use dot in the token, thanks for the comments. I really appreciate the solution you provided and I have one question about it. The ItemID from the filter may not be located under the FolderName from the other filter. Is there any way to allow the ItemID from arbitrary folder and the ItemID included under the specified folder name as well in the main search ? <query> | inputlookup table.csv.gz WHERE $tkn_foldername$ | fields ItemID | sort ItemID | table ItemID </query> Thanks for all the advice.

Jouman · ‎05-10-2023

Hi @gcusello , Thank you for the suggestion. I rewrite my requests as below with xml code. Here is the panel contained a filter to select FolderName. <panel> <title>Find Items in one folder</title> <input type="text" token="tkn.foldername$" searchWhenChanged="true"> <label>Step 1: Input your folder</label> <prefix>FolderName like "</prefix> <suffix>"</suffix> <default>FOLDER_ONE</default> <initialValue>FOLDER_ONE</initialValue> </input> <table> <search> <query> my search... </query> </panel> Here is the panel included included another token to restrict ItemID and the main search. I hope to restrict the input ItemID in main search and the source will be (1) input ItemID (2) input FolderName then know what's the ItemID included. However, by below code, if the ItemID from user input is not under FolderName, the will be no results. Is there any way to accept both (1) input ItemID under arbitrary folder , and (2) input FolderName as the input for my main search ? <panel> <title>Test_Case_1</title> <input type="text" token="tkn.itemid" searchWhenChanged="true"> <label>Step 2: Input the ItemID</label> <default>503</default> </input> <table> <title>Test_Case_1_part1</title> <search> <query>(ItemID=$tkn.itemid$) AND (index=my_item_name_index item_name="ABC" OR item_name="XYZ") [| search index=my_item_id_index _index_earliest="01/01/2023:00:00:00" _index_latest=now() | lookup table.csv.gz ItemID OUTPUT FolderName | where ($tkn.foldername$) | fields + ItemID ] | eval stage=case(item_name="ABC", "stage_1", item_name="XYZ", "stage_2", true(), NULL) | eval stage_index=case(isnotnull(stage), item_index) | eval start_index=if(match(stage,"stage_1"), item_index, NULL) | sort 0 + ItemID item_index | streamstats reset_before="("stage=\"stage_1\"")" first(start_index) as session_index by ItemID | eval Session_ID = ItemID+"-"+session_index | chart limit=0 sep=_ list(item_index) as Stage_Index, first(_time) as Stage_Time over Session_ID by stage Thank you so much.

Jouman · ‎05-10-2023

Hi all, I need to provide 2 fitlers, one for item_id and the other one for item_folder_name. The user will enter item_folder_name for filter_1 first. If the items under item_folder_name aren't suitable to analyze, once the user know it and he will input item_id as well. The 2 filters can restrict the item that I need to analyze. Currently, I write as below. However, I need to allow the item_id that is not under the filtered item_folder_name. The code can't allow a item_id which is not under the specified item_folder_name. Is there any way to allow the filter for item_id seperated from the filter for item_folder_name ? I want to allow the user to enter item_id filter, and provide the filter of item_folder_name to search the item_id inside within 6 months as well. (item_id=$tkn.item_id$) [ | search index=my_index sourcetype="md:sv:master" _index_earliest="01/01/2023:00:00:00" _index_latest=now() | inputlookup item_table.csv item_id OUTPUT item_folder_name | where ($tkn.item_folder_name$) | fields + item_id] Thank you.

Jouman · ‎05-06-2023

Hi @yuanliu , Sorry for misunderstanding your reply at first. I saw mvexpand and I thought mvexpand() is part of the solution. Thank you to introduce mvmap(). This command solves the issue indeed. Thank you very much!

Jouman · ‎05-05-2023

Hi Yuan, Thank you for the reply. The key issue in my code is, if the items or the item description become very long, there will be warning messages for mvexpand due to too many memory usage. Is there any other method to avoid using mvexpand while converting decimal values into text array? Thank you.

Jouman · ‎05-05-2023

Hi all, I have a field named as item_description which is an array of decimal value, which represents the description of each item. I hope to transfer each value in item_description into text string for each item. Original data: | makeresults | eval item_name = "Name_1,Name_2,Name_3,Name_4,Name_5", item_description = "65_66_67,68_69_70,71_72_73,74_75_76,77_78_79" | makemv delim="," item_name | makemv delim="," item_description | eval mv_zipped=mvzip(item_name,item_description) | mvexpand mv_zipped | rex field=mv_zipped "(?P<ITEM_NAME>.*),(?P<ITEM_DESP>.*)" | makemv delim="_" ITEM_DESP | table _time ITEM_NAME ITEM_DESP Although the purpose can be fulfilled by the following code. | mvexpand ITEM_DESP | eval ITEM_DESP_char=printf("%c",ITEM_DESP) | eventstats list(ITEM_DESP_char) as ITEM_DESP_char by ITEM_NAME | eval ITEM_DESP_join=mvjoin(ITEM_DESP_char,"") | dedup ITEM_NAME _time | table _time ITEM_NAME ITEM_DESP_join Output: _time ITEM_NAME ITEM_DESP_join XXX Name_1 ABC YYY Name_2 DEF ZZZ Name_3 GHI 000 Name_4 JKL 111 Name_5 MNO If the item_description becomes very long(ex. lengh=50) and lots of items (ex. 50 items), the mvexpand command can't work properly with the output message below. Error message: command.mvexpand: output will be truncated at 28200 results due to excessive memory usage. Memory threshold of 500MB as configured in limits.conf / [mvexpand] / max_mem_usage_mb has been reached. Is there any other way to transfer decimal value into ASCII and make the output as a string without using mvexpand command? Thank you very much.

Jouman · ‎05-03-2023

Hi all, One of the panels in my dashboard will display events based on input token (tkn.folder), I called this panel as panel_A. In panel_A, token setting is Token=tkn.folder Token Prefix=Folder like " Token Suffix=" I hope to use this token value which is the input for panel_A into another panel, named as panel_B in the same dashboard as a subsearch. However, it didn't work. I use these code in panel_B as subsearch to restrict the LOG_ID I need to analyze. [| search index=my_index | lookup folder_list.csv LOG_ID OUTPUT Folder | where ($tkn.folder$) | fields + LOG_ID] After I input a string for that token in panel_A, although panel_A works normally and can generate its output based on the input. The panel_B keeps displaying Searching is waiting for input.. Is there any way to make panel_B or more panels to capture the input for panel_A? Thank you very much.

Jouman · ‎04-28-2023

@yeahnah Thank you very much. I tried and the code works well. This really helps me a lot.

Jouman · ‎04-27-2023

@yeahnah Thanks for the suggestion. I rewrite my question and hope that would be clear. Thank you!

Jouman · ‎04-27-2023

@yeahnah Really thanks for your help. This works for me perfectly.

Jouman · ‎04-26-2023

Hi all, I want to analyze several events and the fields in them. Origianally, I use case() to capture one field(Causse) in A_EVENT, and 2 fields(Type, Scenario) in B_event. (index="idx_message" Name="A_EVENT" OR Name="B_Event") | rename "Data.Cause" as A_cause `comment("belong to A_Event")` | rename "Data.Type" as B_type `comment("belong to B_Event")` | rename "Data.Scenario" as B_scenario `comment("belong to B_Event")` | eval Scenario_name=case( Name="A_EVENT" AND A_cause=0, "A Cause: X reason", Name="A_EVENT" AND A_cause=1, "A Cause: Y reason", Name="B_Event" AND B_type=0, "B Type: a category", Name="B_Event" AND B_type=1, "B Type: b category", Name="B_Event" AND B_scenario=0, "B Scenario: description 1", Name="B_Event" AND B_scenario=1, "B Scenario: description 2", true(), null) | where isnotnull(Scenario_name) | chart limit=0 count by Scenario_name However, while I check the output, the output will be Scenario_name count A Cause: X reason 1 A Cause: Y reason 2 B Type: a category 3 B Type: b category 4 The scenario "B Scenario: description 1" and "B Scenario: description 2" are missing. I found the reason comes from "B Scenario" and "B Type" is used to verdict the same event, if I use case(), I am unable to get any "B Scenario" because all the events will be verdicted as "B Type" already. Is there any way to generate such output? Scenario_name count A Cause: X reason 1 A Cause: Y reason 2 B Type: a category 3 B Type: b category 4 B Scenario: description 1 2 B Scenario: description 2 5 Thanks.

Jouman · ‎04-26-2023

Hi all, There is a panel contain a table as below. I would like to color Scenario_1 fields in red because the both Success or Failure field in this row contains values = 0. Is there any way to implement such functionality ? Event name Success Failure Scenario_1 0 0 Scenario_2 4 3 Scenario_3 0 1 Thank you very much.

Jouman · ‎04-22-2023

@yeahnah Thank you so much! This resolve my problem. However, if I want to make two panels into the same color format and use same panel id in both panels. html. html will report fail, is there anything to make 2 panels into the same background color and font color? <panel id="htmlPanel1"> Thank you so much.

Posts	55
Solutions	1
Karma Given	15
Karma Received	0
Member Since	‎07-31-2022

Online Status	Offline
Date Last Visited	‎02-17-2024 02:45 PM

How to associate two data set when one set need to...

How can I make the column content align to right w...

How to use a list of output as the input parameter...

How to display dynamic values in the panel title?

How to display panels dynamically depends on selec...

How to use stats() by one value, "all" and stats()...

How to assign the 2 start_time and stop_time of on...

How to extract the element from a structure?

How to use two related tokens to create as two con...

How to transfer decimal value into ASCII code in t...

How to associate two data set when one set need to...

How can I make the column content align to right w...

How to use a list of output as the input parameter...

How to display dynamic values in the panel title?

Re: How to display panels dynamically depends on s...

Re: How do I display _time on dashboard panel's ti...

How to display panels dynamically depends on selec...

How to use stats() by one value, "all" and stats()...

How to assign the 2 start_time and stop_time of on...

Re: Extract the element from a structure

How to extract the element from a structure?

Re: Use 2 related tokens to create as 2 conditions

Re: Use 2 related tokens to create as 2 conditions

Re: Use 2 related tokens to create as 2 conditions

How to use two related tokens to create as two con...

Re: Transfer decimal value into ASCII code in text...

Re: Transfer decimal value into ASCII code in text...

How to transfer decimal value into ASCII code in t...

How a token from one panel can be applied into mul...

Re: How to calculate on one event into different c...

Re: How to calculate on one event into different c...

Re: How to set different background colors to diff...

How to calculate on one event into different categ...

How to set a row in certain color if the row is li...

Re: How to set different background colors to diff...