×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
spoo
Explorer
Member since: ‎09-16-2022
‎06-05-2023
Community Statistics
Posts 8
Solutions 0
Karma Given 5
Karma Received 1
Member Since ‎09-16-2022
Activity Feed
View All

How to exclude dedup when there is a dropdown sele...

by in Dashboards & Visualizations
‎05-15-2023 11:59 AM
‎05-15-2023 11:59 AM
My dashboard has a dropdown "System" and few panels. Dropdown system has "A", "b", "c". If  i choose "A" from the dropdown, then panels should exclude these 2 lines - | dedup time_day, name | dedup ID from the base search and execute. Base : | pivot XYZ_dm ..... | dedup time_day, name | dedup ID | table * if I choose "b" or "c" from dropdown, base should execute as it is in all the panels. Please suggest ... View more

Re: How to optimize this query?

by in Splunk Dev
‎05-11-2023 10:04 PM
1 Karma
‎05-11-2023 10:04 PM
1 Karma
Thanks much.  This search has completed and has returned 5,225 results by scanning 29,868 events in 0.592 seconds. Where the older one's was 1.606 seconds which is great news |||   ... View more

How to optimize this query?

by in Splunk Dev
‎05-10-2023 11:53 PM
‎05-10-2023 11:53 PM
index="abcd" | eval _time = strptime(TS_Changed_At,"%d/%m/%Y %H:%M") | sort 0 ID _time | dedup ID _time | eventstats last(Status) as current_status by ID | where current_status="AAA" OR current_status="BBB" OR current_status="CCC" | streamstats current=f window=1 values(Status) as prev_status by ID | where NOT Status=prev_status | eval Cal= if(Status="CCC" AND (NOT prev_status="AAA " AND NOT prev_status="BBB"),substr(TS_Last_Status_Change,1,16),if(Status="BBB" AND NOT prev_status="AAA",substr(TS_Last_Status_Change,1,16),if(Status="AAA",substr(TS_Last_Status_Change,1,16),""))) | where NOT Cal="" | eventstats max(eval(strptime(Cal,"%d/%m/%Y %H:%M"))) as max_ by ID | where max_ = strptime(Cal,"%d/%m/%Y %H:%M") | table ID Cal ... View more

How to create a drilldown for a single value panel...

by in Splunk Dev
‎02-22-2023 06:01 AM
‎02-22-2023 06:01 AM
I'm trying to create a drilldown for a single value panel. I want my user to be able to click on the value, and it will load new panel with all details. I have set token but not sure where to pass in detailed panel so that drill down works. PFA : here is my single value panel query | eval A = if(DURATION>30, "Long Duration Jobs","Duration") | stats count by A | where A="Long Duration Jobs" ----  i have another panel which shows details of these long duration jobs: | eval Duration = if(DURATION>30, "Long Duration Jobs", "Duration") | search Duration = "Long Duration Jobs" | rename EXEC_DATE_TIME as Datetime SERVER_NAME as "System Name" JOB_NAME as "Job Name" STATUS_NAME as "Status" EXEC_DATETIME as "Execution Datetime" DURATION as "Duration(s)" DELAY as "Dealy(s)" JOB_COUNT as "Job Count" JBCREATED_BY as "Job Createdby " SDL_DATETIME as "SDL Datetime" | table Datetime "System Name" "Job Name" "Execution Datetime" "Status" Duration "Duration(s)" "Dealy(s)" "Job Count" "Job Createdby" "SDL Datetime" How to connect these 2 panles so that when i click on single value, the detailed panel should pop up. Please suggest         ... View more

Re: How to assign previous month's fetched result ...

by in Splunk Search
‎09-19-2022 11:59 PM
‎09-19-2022 11:59 PM
Thank you soo much, worked according to my initial requirement. ... View more

Re: How to assign previous month's fetched result ...

by in Splunk Search
‎09-19-2022 11:58 PM
‎09-19-2022 11:58 PM
Thank you so much @bowesmana and @richgalloway . This worked perfectly as intended. Great learning!! ... View more

Re: How to assign previous month's fetched result ...

by in Splunk Search
‎09-19-2022 11:07 PM
‎09-19-2022 11:07 PM
This worked fine but it is taking preceding value but I am expecting previous values of previous month.  Example : My values : team month prev greater_6_mon A 2022-07 0 26 B 2022-07 0 2 C 2022-07 0 1 D 2022-07 0 8   Expected : team month prev greater_6_mon A 2022-08 26 16 B 2022-08 2 22 C 2022-08 1 21 D 2022-08 8 18 Here my greater_6mon of 2022-07 has been assigned to prev of 2022-08. Thats my intention to achieve. Please suggest ... View more

How to assign previous month's fetched result to c...

by in Splunk Search
‎09-16-2022 01:31 AM
‎09-16-2022 01:31 AM
Considering 2022-06 as starting month,  If month is 2022-07, i should assign 2022-06's corresponding field values " greater_6_mon" to 2022-07's field "prev" , likewise to 2022-08 as well Here are my values : month            prev          greater_6_mon 2022-06                                    26 2022-07                                      2 2022-08                                      1 expected result: (please suggest) month            prev      greater_6_mon 2022-06            0             26 2022-07           26            2 2022-08            2              1 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2023 04:17 AM
Karma from
View All
Karma given to