Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About TBH0
TBH0
Explorer
Member since:
08-20-2022
01-11-2023
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 08-20-2022 |
Activity Feed
- Posted Re: Using 'like' to find lookup fields which contain the current day of the week (%A) on Splunk Search. 01-11-2023 02:53 PM
- Posted Re: Using 'like' to find lookup fields which contain the current day of the week (%A) on Splunk Search. 01-11-2023 12:44 PM
- Posted Using 'like' to find lookup fields which contain the current day of the week (%A) on Splunk Search. 01-11-2023 11:13 AM
- Posted Re: How to utilize wildcards in time fields in lookup file on Splunk Search. 10-06-2022 05:14 PM
- Posted Re: How to utilize wildcards in time fields in lookup file on Splunk Search. 10-06-2022 08:02 AM
- Posted Re: How to utilize wildcards in time fields in lookup file on Splunk Search. 10-05-2022 04:25 PM
- Posted How to utilize wildcards in time fields in lookup file? on Splunk Search. 10-05-2022 10:49 AM
- Posted Re: How to display count of results based on time value in lookup file vs current time on Splunk Search. 08-23-2022 10:35 AM
- Posted Re: How to display count of results based on time value in lookup file vs current time on Splunk Search. 08-22-2022 09:04 AM
- Posted Re: How to display count of results based on time value in lookup file vs current time on Splunk Search. 08-21-2022 08:15 AM
- Posted How to display count of results based on time value in lookup file vs current time on Splunk Search. 08-20-2022 08:53 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
01-11-2023
02:53 PM
This is actually working perfectly after adding comma delimiters and using split(DOW, ","). Thank you!!
... View more
01-11-2023
12:44 PM
So when I search the lookup for mvcount(DOW) > 1, there are 0 results. When I have it show for >0, it shows all results, including those with multiple days. I'm beginning to suspect this is a delimiter issue or something similar. My excel sheet actually has the days listed with line breaks between them rather than just spaces, commas, etc.. I'm unsure how line breaks are actually seen within Excel or within Splunk but maybe this is the issue? I will try to modify that field to have spaces and/or commas delimiting the days and see if that helps.
... View more
01-11-2023
11:13 AM
Hey all, I'm attempting to compare a variable (we'll call it cDOW), which is set to (strftime(now(), "%A")), to a DOW field in a lookup file which contains 1 or more days of the week. Here is what I am using currently to include fields in the results which have a DOM or DOW field, or which have them filled with NA: | eval cDOM=strftime(now(), "%d")
| eval cDOW=strftime(now(), "%A")
| where (DOM like cDOM OR DOM="NA") AND (DOW like cDOW OR DOW="NA") This works fine for fields which match exactly (e.g. DOW=Wednesday, cDOW=Wednesday), but does not work if the DOW field contains multiple days of the week (as many will due to this lookup file being a schedule of jobs). the DOM field will only ever have the exact number day of the month, but the DOW field will often contain 1-5 days, and I'd like to have this 'where' statement return fields which contain the current day of week regardless of how many days are listed. I've tried utilizing wildcards, but can't syntactically figure this out since it's comparing an eval variable to a lookup field and there is no static values. Trying to append wildcards to a relative time in the where statement itself also does not work syntactically. Any ideas on how to easily accomplish this?
... View more
Labels
- Labels:
-
lookup
10-06-2022
05:14 PM
I appreciate that insight, I had not heard of the cron format and I think that's going to make this schedule a lot easier to work with. If I'm understanding correctly, I will try to convert the scheduled and late time columns to a cron format, then translate back to a readable format when displaying in a table. I'll do more research into this, but I appreciate you!
... View more
10-06-2022
08:02 AM
The cron format is something I had not known about, but may be the more efficient way of doing what I'm doing. The Job and Start_Time columns are essentially as you have it, just with supporting details about the job which is also shown in the dashboard (and is also joined to an alert subsearch for certain panels). The way I am utilizing this currently is actually even simpler than you had predicted: I'm just comparing the current time (or time range selected) to the HH:MM presented in the lookup, then showing all jobs which are <current time, >selected time, so it's been a fairly simplistic approach to it overall. I don't have any experience with making anything in the cron format, but would this support having multiple jobs in the same time slot? How would you handle that as far as a .csv goes, just multiple rows with the same cron values and different job names?
... View more
10-05-2022
04:25 PM
Sorry for the confusion, in this query I am only looking at the lookup file to read out details about a schedule onto the dashboard. The difficulty I have is that the schedule contains jobs with irregular schedules (hourly, weekly, biweekly, monthly, etc.) and those are a bit more difficult to show in a 'scheduled to run today' panel on a dashboard as they aren't just 'XX:XX' daily. So for the ones which are every hour, I need a way to present those to Splunk in such a way that shows the jobs in every hour regardless of which timeframe I select.
... View more
10-05-2022
10:49 AM
I have a lookup which has a field with time values (in 24 hr time; i.e. 00:30, 13:45, 23:15), which tells my dashboard the scheduled start time of jobs. I have a number of jobs which are set to run hourly, and as such need to have every hour as their start time (XX:00). I've tried adding wildcard functionality to the desired fields in the lookup definition like this: WILDCARD(Field_Name_1),WILDCARD(Field_Name_2) This has unfortunately not worked as I'd hoped, though, and it does not allow the wildcards to be every number when searching for all jobs which are set to run this hour.
Any ideas on how I can best implement this within the lookup?
... View more
Labels
- Labels:
-
lookup
08-23-2022
10:35 AM
I've just tried it again and it works out of nowhere. Thank you yuanliu! Not sure why it wasn't working yesterday but all seems well today, so I appreciate your help. In case anyone stumbles upon this in the future, I wanted to include another way to accomplish this as well: | inputlookup lookup-file.csv
| eval fields=split(scheduled_time_attribute,":")
| eval DHour=mvindex(fields,0)
| eval curHour=strftime(now(),"%H")
| where curHour=DHour
| stats count
... View more
08-22-2022
09:04 AM
I believe I've nearly got this figured out. These two work separately, but not when paired via AND or placed on separate lines. The first finds all rows relative to the top of the current hour (>=XX:00), and the second works to find all rows relative to the top of the next hour (X=X+1; <XX:00). Top of hour: | inputlookup lookup-file.csv
| where scheduled_time_attribute >= strftime(relative_time(now(), "@h"), "%H:00") Top of next hour: | inputlookup lookup-file.csv
| where scheduled_time_attribute < strftime(relative_time(now(), "+h@h"), "%H:00") Any idea why these will not work when paired? It should show all from XX:00-XX:59, I believe, as they work fine separately.
... View more
08-21-2022
08:15 AM
Thank you for that info - that helps a lot. Is it better practice, given this scenario, to have the corresponding epoc time available in the lookup file, or is it sufficient to use rex sort of definitions with HH:MM formats, ensuring there are two digits in the hour section (I'm assuming having 8:00, instead of 08:00, is what you're referring to in your second point)? The only issue I can see is that a new lookup would need to be uploaded each day to adjust the date to current for the epoc conversion, which isn't the biggest deal in the world. Edit: I've modified the available times in the lookup, but your second code block still doesn't return any results. Do you have any comment on what would be the most efficient way to retrieve the count of results that occur during the current hour? I've tried this after updating the hours to always include HH:MM to no avail: | inputlookup lookup-file.csv
| where scheduled_time_attribute > relative_time(now(),"@h") AND scheduled_time_attribute < relative_time(now(),"@h+h")
... View more
08-20-2022
08:53 PM
I have a situation where I'm attempting to display a count on a dashboard of the amount of items in a lookup file whose scheduled_time_attribute is equal to or greater than the top of the current hour (XX:00-XX:59). I've attempted to utilize inputlookup with 'where' to filter by lookup file time, tried to utilize an eval function with a greater-than-or-equal-to operator and relative_time(now(),"@h")), etc. and can't figure out how I should be doing this. I've also noted that, when working with a simple greater-than operator as shown below, it behaves unpredictably, showing times that are numerically below 21:59. Any help on this would be appreciated. Thank you! | inputlookup lookup-file.csv where (scheduled_time_attribute)>21:59)
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
01-11-2023
06:13 PM
|
