Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About asafd
asafd
Explorer
Member since:
09-24-2022
09-27-2022
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 09-24-2022 |
Activity Feed
- Posted Re: dashboard : timechart with base search and events limit on Splunk Search. 09-27-2022 02:08 AM
- Posted How to create a dashboard : timechart with base search and events limit? on Splunk Search. 09-27-2022 12:24 AM
- Posted Re: find and extract a json object from a json array based on other json field on Splunk Search. 09-25-2022 03:03 AM
- Karma Re: find and extract a json object from a json array based on other json field for kamlesh_vaghela. 09-25-2022 03:01 AM
- Posted Re: find and extract a json object from a json array based on other json field on Splunk Search. 09-25-2022 12:39 AM
- Posted How to find and extract a json object from a json array based on other json field? on Splunk Search. 09-24-2022 01:23 PM
- Posted Re: referencing a json element on Splunk Search. 09-24-2022 10:18 AM
- Karma Re: referencing a json element for chaker. 09-24-2022 10:18 AM
- Posted Referencing a json element- how do I convert "data" into a parsed json? on Splunk Search. 09-24-2022 08:00 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
09-27-2022
02:08 AM
I tried to create a saved search (time range: -1y - now) and use it like this: <search id="base ref="saved_search"> <earliest>$sinceTime.earliest$</earliest> <latest>$sinceTime.latest$</latest> </search> but it doesn't seem to solve the events limit issue when i use past 30 days. Also I would expect the chart to load immediately (since the base search is already saved), but it takes time to load.
... View more
09-27-2022
12:24 AM
Hi,
I have multiple panels that need to run timecharts like these:
something | table _time,A,B</query> | search A="1"| timechart B
something | table _time,A,B</query> | search A="2"| timechart B
something | table _time,A,B</query> | search A="3"| timechart B
I want to optimize my dashboard for performance by using a base search, so I tried this:
<search id="base> <query> something | table _time,A,B</query> </search> .... <panel> <chart> <search base="base"> <query>search A="1"|timechart count by B</query> </search> </chart> </panel> ... <panel> <chart> <search base="base"> <query>search A="2"|timechart count by B</query> </search> </chart> </panel> ... <panel> <chart> <search base="base"> <query>search A="3"|timechart count by B</query> </search> </chart> </panel>
It works great on short times (24h) but with wider ranges (30 days) I lose events because of the base search limit (probably the default, 500,000).
Is there a way I can use base search for this?
I'm using Splunk Enterprise version 8.1.3.
... View more
09-25-2022
03:03 AM
Thank you very much. This also worked for me eventually, but you solutions are nicer (I hate regex :-)). | makeresults | eval _raw="{\"message\":{\"res\":{\"body\":{\"embeddedObj\":{\"students\":[{\"id\":\"123\",\"name\":\"abc\"},{\"id\":\"456\",\"name\":\"def\"},{\"id\":\"789\",\"name\":\"hij\"}],\"student_id\":\"456\"}}}}}" | spath |rename message.res.body.embeddedObj.students{}.id as ids message.res.body.embeddedObj.students{}.name as names message.res.body.embeddedObj.student_id as student_id | eval student_zip = mvzip(ids, names)|mvexpand student_zip | rex field=student_zip "^(?<id>.*),(?<name>.*)" | where id = student_id| table id, name
... View more
09-25-2022
12:39 AM
Thanks @yuanliu . But I want to get a line that looks like this: student_id name 456 def (because the id of "def" is the student_id "456")
... View more
09-24-2022
01:23 PM
Hi,
I have rows that are json based. each row has a field that looks like this:
{ "students" : [ {"id":"123", "name":"abc"}, {"id":"456", "name":"def"}, {"id":"789", "name":"hij"} ], "student_id" : "456" }
each row can have multiple students and always just one student_id.
for each row I want to extract the name of the student who's id is equal to the student_id.
how can I do that?
I tried this,:
|spath path=students{} output=students|mvexpand students | spath input=students|multikv| table id, name, student_id
I do get 3 rows like this in the result:
id
name
student_id
123
abc
456
456
def
456
789
hij
456
but when I try to filter the matching row with:
| where id = student_id
I get 0 rows coming back.
TIA
Asaf
... View more
Labels
- Labels:
-
field extraction
09-24-2022
08:00 AM
Hi guys,
I'm trying to do something that I expected to be very simple, so I guess I'm missing something big.
This is my test SPL:
| makeresults | eval data=json_object("id", "123")| spath input=data| table data.id
I want to be able to refer to the data.id field, but I can't. how do I convert "data" into a parsed json?
TIA
Asaf
... View more
Labels
- Labels:
-
eval
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
09-27-2022
11:28 AM
|
