Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About Ste
Ste
Path Finder
Member since:
02-02-2023
a week ago
Community Statistics
| Posts | 27 |
| Solutions | 0 |
| Karma Given | 15 |
| Karma Received | 1 |
| Member Since | 02-02-2023 |
Activity Feed
- Posted Re: Dashboard studio: join data from basesearch on Splunk Search. 3 weeks ago
- Posted Dashboard studio: join data from basesearch on Splunk Search. 3 weeks ago
- Posted Re: How to stats count and still have all fields available afterwards? on Splunk Search. 01-23-2025 02:21 AM
- Karma Re: How to stats count and still have all fields available afterwards? for gcusello. 01-23-2025 02:17 AM
- Karma Re: How to stats count and still have all fields available afterwards? for PickleRick. 01-21-2025 10:06 PM
- Karma Re: How to stats count and still have all fields available afterwards? for isoutamo. 01-21-2025 05:23 AM
- Posted Re: How to stats count and still have all fields available afterwards? on Splunk Search. 01-21-2025 05:05 AM
- Posted How to stats count and still have all fields available afterwards? on Splunk Search. 01-20-2025 08:52 AM
- Got Karma for Re: where with empty subsearch result raises an error message. 01-09-2025 05:16 AM
- Posted Re: where with empty subsearch result raises an error message on Splunk Search. 01-08-2025 09:25 PM
- Karma Re: where with empty subsearch result raises an error message for richgalloway. 01-08-2025 09:24 PM
- Posted where with empty subsearch result raises an error message on Splunk Search. 01-08-2025 09:17 AM
- Posted Re: How do you parse two time formats in Splunk? on Splunk Search. 12-23-2024 04:01 AM
- Posted Re: Time comparison different results in search and dashboar on Splunk Search. 12-23-2024 03:54 AM
- Karma Re: Time comparison different results in search and dashboar for gcusello. 12-23-2024 03:54 AM
- Karma Re: Time comparison different results in search and dashboar for luizlimapg. 12-23-2024 03:54 AM
- Posted Re: Time comparison different results in search and dashboar on Splunk Search. 12-17-2024 06:00 AM
- Posted Time comparison different results in search and dashboar on Splunk Search. 12-17-2024 05:51 AM
- Karma Re: How do you parse two time formats in Splunk? for bowesmana. 12-17-2024 04:07 AM
- Posted Re: How do you parse two time formats in Splunk? on Splunk Search. 12-17-2024 04:06 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
3 weeks ago
Hey @livehybrid The result I'm looking for can maybe be built on your advice, but at the moment I don't see the final solution. In my case $Data_BaseSearch:result.d_id$ would give me all values from the field d_id. In there I would need to filter for specific values e.g. d_id IN ("DIAG_162", "DIAG_164", "DIAG_165", "DIAG_166") and from the resulting values I finally need the latest(_time) as last_ZP_Def by ocp fr el This means I would need d_id, _time, ocp, fr , el from the basesearch, and not only a single field. |fields ocp fr el last_ZP_Def I would have all data to be used by the join type=outer to be appended to my other data. Thank you for your help
... View more
3 weeks ago
Dear experts I'm trying to move old xml dashboards to Dashboard Studio. Now I'm running into issues with a join which uses a base search. I've created a basesearch Data_BaseSearch Datasource_id=ds_Zwp0QfAJ index="pm-azlm_internal_prod_events" sourcetype="azlmj"
d_id IN (DIAG_162, DIAG_164, DIAG_165, DIAG_166, DIAG_218, DIAG_219, DIAG_220, DIAG_221, DIAG_222, DIAG_224, DIAG_225, DIAG_226, DIAG_227, DIAG_228, DIAG_229, DIAG_234) ocp IN ($t_ocp$) fr IN ($t_fr$) el IN ($t_el$)
[| inputlookup pm-azlm-reg-ocp-team | search team IN ($t_team$) | fields ocp ] Afterwards I'm creating the table data with | stats count(eval(d_id IN ("DIAG_162", "DIAG_164", "DIAG_165", "DIAG_166"))) AS "ZP_Def"
count(eval(d_id IN ("DIAG_218", "DIAG_219"))) AS "UART"
count(eval(d_id IN ("DIAG_220", "DIAG_221", "DIAG_222"))) AS "DEF_W"
count(eval(d_id IN ("DIAG_224", "DIAG_225", "DIAG_226"))) AS "Drift_W"
count(eval(d_id IN ("DIAG_227", "DIAG_228", "DIAG_229"))) AS "WPoZ"
count(eval(d_id IN ("DIAG_234"))) AS "Versatz"
by ocp fr el
| table ocp fr el "ZP_Def" "UART" "DEF_W" "Drift_W" "WPoZ" "Versatz" Until here everything works. Now the challenge: for every counter I need to know date/time of the last event. My current draft for this is to do a join (per counter, below is only one prototype shown) in which I search the needed timestamp to be joined to the already existing data. The join should reuse the data generated by the basesearch, as there in is already a lot of (token based) filtering I don't won't to redo for every counter/ join again. | stats count(eval(d_id IN ("DIAG_162", "DIAG_164", "DIAG_165", "DIAG_166"))) AS "ZP_Def"
count(eval(d_id IN ("DIAG_218", "DIAG_219"))) AS "UART"
count(eval(d_id IN ("DIAG_220", "DIAG_221", "DIAG_222"))) AS "DEF_W"
count(eval(d_id IN ("DIAG_224", "DIAG_225", "DIAG_226"))) AS "Drift_W"
count(eval(d_id IN ("DIAG_227", "DIAG_228", "DIAG_229"))) AS "WPoZ"
count(eval(d_id IN ("DIAG_234"))) AS "Versatz"
by ocp fr el
| join ocp fr el
[ search base=ds_Zwp0QfAJ
| where d_id IN (DIAG_162, DIAG_164, DIAG_165, DIAG_166)
| stats latest(_time) as last_ZP_Def by ocp fr el
| eval last_ZP_Def=strftime(last_ZP_Def,"%Y-%m-%d %H:%M:%S")
| fields ocp fr el last_ZP_Def]
| table ocp fr el "ZP_Def" last_ZP_Def "UART" "DEF_W" "Drift_W" "WPoZ" "Versatz" The question is: how to reference the basesearch in the join? Nor basesearch name or the datasource_id of the basesearch. Addon after the first feedback from different users First of all thank you for your help. @yuanliu : I don't think what I'm doing can be done as chain search. @livehybrid : just one field doesn't help The current (brute force) solution looks like: ```***** First get all the lines related to the error codes in question ```
index="pm-azlm_internal_prod_events" sourcetype="azlmj" d_id IN (DIAG_162, DIAG_164, DIAG_165, DIAG_166, DIAG_218, DIAG_219, DIAG_220, DIAG_221, DIAG_222, DIAG_224, DIAG_225, DIAG_226, DIAG_227, DIAG_228, DIAG_229, DIAG_234) ocp IN ($t_ocp$) fr IN ($t_fr$) el IN ($t_el$) [| inputlookup pm-azlm-reg-ocp-team | search team IN ($t_team$) | fields ocp ]
```***** Multiple error codes do belong to the same error category```
```***** Count per category the number of errors received```
| stats count(eval(d_id IN ("DIAG_162", "DIAG_164", "DIAG_165", "DIAG_166"))) AS ZP_Def count(eval(d_id IN ("DIAG_218", "DIAG_219"))) AS UART count(eval(d_id IN ("DIAG_220", "DIAG_221", "DIAG_222"))) AS DEF_W count(eval(d_id IN ("DIAG_224", "DIAG_225", "DIAG_226"))) AS Drift_W count(eval(d_id IN ("DIAG_227", "DIAG_228", "DIAG_229"))) AS WPoZ count(eval(d_id IN ("DIAG_234"))) AS Versatz by ocp fr el
```***** Per error category we want to know when the last error was recorded```
| join ocp fr el type=outer
[ search index="pm-azlm_internal_prod_events" sourcetype="azlmj" d_id IN (DIAG_162, DIAG_164, DIAG_165, DIAG_166) ocp IN ($t_ocp$) fr IN ($t_fr$) el IN ($t_el$) [| inputlookup pm-azlm-reg-ocp-team | search team IN ($t_team$) | fields ocp ]
| stats latest(_time) as last_ZP_Def by ocp fr el
| eval last_ZP_Def=strftime(last_ZP_Def,"%Y-%m-%d %H:%M:%S")
| fields ocp fr el last_ZP_Def]
| join ocp fr el type=outer
[ search index="pm-azlm_internal_prod_events" sourcetype="azlmj" d_id IN (DIAG_218, DIAG_219) ocp IN ($t_ocp$) fr IN ($t_fr$) el IN ($t_el$) [| inputlookup pm-azlm-reg-ocp-team | search team IN ($t_team$) | fields ocp ]
| stats latest(_time) as last_UART_Def by ocp fr el
| eval last_UART_Def=strftime(last_UART_Def,"%Y-%m-%d %H:%M:%S")
| fields ocp fr el last_UART_Def]
| join ocp fr el type=outer
[ search index="pm-azlm_internal_prod_events" sourcetype="azlmj" d_id IN (DIAG_220, DIAG_221, DIAG_222) ocp IN ($t_ocp$) fr IN ($t_fr$) el IN ($t_el$) [| inputlookup pm-azlm-reg-ocp-team | search team IN ($t_team$) | fields ocp ]
| stats latest(_time) as last_DEF_W by ocp fr el
| eval last_DEF_W=strftime(last_DEF_W,"%Y-%m-%d %H:%M:%S")
| fields ocp fr el last_DEF_W]
| join ocp fr el type=outer
[ search index="pm-azlm_internal_prod_events" sourcetype="azlmj" d_id IN (DIAG_224, DIAG_225, DIAG_226) ocp IN ($t_ocp$) fr IN ($t_fr$) el IN ($t_el$) [| inputlookup pm-azlm-reg-ocp-team | search team IN ($t_team$) | fields ocp ]
| stats latest(_time) as last_Drift_W by ocp fr el
| eval last_Drift_W=strftime(last_Drift_W,"%Y-%m-%d %H:%M:%S")
| fields ocp fr el last_Drift_W]
| join ocp fr el type=outer
[ search index="pm-azlm_internal_prod_events" sourcetype="azlmj" d_id IN (DIAG_227, DIAG_228, DIAG_229) ocp IN ($t_ocp$) fr IN ($t_fr$) el IN ($t_el$) [| inputlookup pm-azlm-reg-ocp-team | search team IN ($t_team$) | fields ocp ]
| stats latest(_time) as last_WPoZ by ocp fr el
| eval last_WPoZ=strftime(last_WPoZ,"%Y-%m-%d %H:%M:%S")
| fields ocp fr el last_WPoZ]
| join ocp fr el type=outer
[ search index="pm-azlm_internal_prod_events" sourcetype="azlmj" d_id IN (DIAG_234) ocp IN ($t_ocp$) fr IN ($t_fr$) el IN ($t_el$) [| inputlookup pm-azlm-reg-ocp-team | search team IN ($t_team$) | fields ocp ]
| stats latest(_time) as last_Versatz by ocp fr el
| eval last_Versatz=strftime(last_Versatz,"%Y-%m-%d %H:%M:%S")
| fields ocp fr el last_Versatz]
```***** Finally the table```
| table ocp fr el ZP_Def last_ZP_Def UART last_UART_Def DEF_W last_DEF_W Drift_W last_Drift_W WPoZ last_WPoZ Versatz last_Versatz There is a search at the top reads all the data in. In every join just a subset of the data is searched again, which is potentially already available from the search at the top. Therefore I came to the idea to reuse the search on the top as a base search with filtering the individual error codes in the joins. From my idea, this would reduce the number of searches executed, and therefore speed up dashboard loading. But to be honest, I might be wrong! @bowesmana : I'm not looking for the latest message at all, I'm Looking for the latest message of a group of specific error codes. Something like | eventstats max(_time) as last_ZP_Def by ocp fr el where d_id IN ("DIAG_162", "DIAG_164", "DIAG_165", "DIAG_166") would in fact replace one of my joins, but I haven't found a way to properly implement this in SPL.
... View more
Labels
- Labels:
-
join
01-23-2025
02:21 AM
I've tried to test this, but it did not work for me. The whole search was blocked and did not return any data. No need to dig in further here, as I had anyway to turn upside down the whole dashboard to solve performance issues. This turning upside down has also solved the issue discussed in here.
... View more
01-21-2025
05:05 AM
Here's what I want to achieve: We have several hundreds of boxes sending messages. The boxes are identified by the name in zbpIdentifier. I want to know the Top ten of the boxes, depending on the number of messages they have sent over a given period of time. For this Top ten, I want then to display some more data details, that is why I try to "recover" all the data no more available after stats count.
... View more
01-20-2025
08:52 AM
Dear experts According to the documentation after stats, I have only the fields left used during stats. | table importZeit_uF zbpIdentifier bpKurzName zbpIdentifier_bp status stoerCode
| where stoerCode IN ("K02")
| stats count as periodCount by zbpIdentifier
| sort -periodCount
| head 10
| fields zbpIdentifier zbpIdentifier_bp periodCount importZeit_uF To explain in detail: After table the following fields are available: importZeit_uF zbpIdentifier bpKurzName zbpIdentifier_bp status stoerCode After stats count there are only zbpIdentifier periodCount left. Question: How to change the code above to get the count, and have all fields available as before? Thank you for your support.
... View more
01-08-2025
09:25 PM
1 Karma
@richgalloway The perfect solution, exactly what I was looking for. Thank you
... View more
01-08-2025
09:17 AM
Dear experts Based on the following search: <search id="subsearch_results">
<query>
search index="iii" search_name="nnn" Umgebung="uuu"
isbName="isb"
status IN ("ALREADY*", "NO_NOTIF*", "UNCONF*", "NOTIF*")
zbpIdentifier NOT 453-8888
stoerCodeGruppe NOT ("GUT*")
| eval importZeit_unixF = strptime(importZeit, "%Y-%m-%dT%H:%M:%S.%N%Z")
| eval importZeit_humanF = strftime(importZeit_unixF, "%Y-%m-%d %H:%M:%S")
| table importZeit_humanF importZeit_unixF zbpIdentifier status stoerCode stoerCodeGruppe
</query>
<earliest>$t_time.earliest$</earliest>
<latest>$t_time.latest$@d</latest>
<done>
<condition>
<set token="stoermeldungen_sid">$job.sid$</set>
</condition>
</done>
</search> I try to load some data with: <query>
| loadjob $stoermeldungen_sid$
| where stoerCode IN ("S00")
| where [
| loadjob $stoermeldungen_sid$
| where stoerCode IN ("S00")
| addinfo
| where importZeit_unixF >= relative_time(info_max_time,"-d@d") AND importZeit_unixF <= relative_time(info_max_time,"@d")
| stats count as dayCount by zbpIdentifier
| sort -dayCount
| head 10
| table zbpIdentifier ]
| addinfo
| where .... Basic idea: the subsearch first derives the top 10 of the elements based on the number of yesterdays error messages. based on the subsearch result then the 7 day history is read and displayed (not fully shown in the example above) All works fine except if there are no messages found by the subsearch. If yesterday no error messages of the given type were recorded, the subsearch returns a result which causes the following error message in the dashboard: Error in ´where´command: The expression is malformed. An unexpected character is reached at ´)´. The where command is the one which should take the result of the subsearch (3rd line of code). The error message is just not nice for the end user, better would be to get just an empty chart if no data is found. The question is: How to fix the result of the subsearch in a way, that also the main search runs and gets the proper empty result, and therefore the empty graph instead of the "not nice" error message? Thank you for your help.
... View more
Labels
- Labels:
-
subsearch
12-23-2024
04:01 AM
Gentlemen Thanks for the follow-up about when to fix such issues. As a pure user, I have no influence on everything that happens during indexing. I can just take the data which is there and work with what I get.
... View more
12-23-2024
03:54 AM
Gentlemen you're right Search code: | where my_time>=relative_time(now(),"-1d@d") AND _time<=relative_time(now(),"@d") updated to | where my_time >=relative_time(now(),"-1d@d") AND _time <=relative_time(now(),"@d") will work in a dashboard. I started from scratch with all my trials and were not able to reproduce my issues with the html tags. This must be a classic PIBCAK (Problem Is Between Chair and Keyboard)
... View more
12-17-2024
06:00 AM
Using the html tags from your proposal would lead into the error message "Error in Line 100: Invalid character entity"
... View more
12-17-2024
05:51 AM
Dear experts Why is the following line | where my_time>=relative_time(now(),"-1d@d") AND my_time<=relative_time(now(),"@d") Accepted as a valid statement in a search window, but as soon I want to use exactly this code in a dashboard, I get the error message: "Error in line 100: Unencoded <" ? The dashboard code validator somehow fails with the <= comparison. >= works, as well = but not <= We're on splunkcloud.
... View more
12-16-2024
06:13 AM
By accident I ran into the same problem. The brute force solution looks like: | eval my_time1=strptime(genZeit, "%Y-%m-%dT%H:%M:%S%:z")
| eval my_time2=strptime(genZeit, "%Y-%m-%dT%H:%M:%S.%3N%:z")
| eval my_time=if(isnotnull(my_time1),my_time1,my_time2) Try to convert the time with both of the possible time formats (be careful: my example will not reflect the time format of the original question), take the result which is not null.
... View more
12-16-2024
01:25 AM
@yuanliu $t_time.latest$ comes from an input selector. As I wanted to have always the @d timestamp your proposal must be changed slightly. Below is my untested proposal how a solution could look like based on a if evaluation: index="abc" search_name="def"
[| makeresults
| eval earliest=relative_time($t_time.latest$,"-1d@d")
| eval latest=if("t_time.latest$" == "now", relative_time(now(), "@d")
relative_time($t_time.latest$,"@d"))
| fields earliest latest
| format]
| table _time zbpIdentifier However, for me the @bowesmana proposal is better understandable.
... View more
12-13-2024
05:19 AM
Dear experts In my dashboard I have a time picker providing the token t_time. My search index="abc" search_name="def" [| makeresults
| eval earliest=relative_time($t_time.latest$,"-1d@d")
| eval latest=relative_time($t_time.latest$,"@d")
| fields earliest latest
| format]
| table _time zbpIdentifier Should pick up that token and make sure only data is displayed from the last full day before t_time.latest. 2024-12-12 13:13 should be converted to earliest = 2024-12-11 00:00 latest = 2024-12-11 23:59:59 (or 2024-12-12 00:00) As long really two dates are selected in the time picker, all works as expected. If e.g. last 7 days is selected the search fails, no data is returned. I'm guessing that in relative mode $t_time.latest$ is represented with something like "now", which causes problems for the relative_date function. So the question is: how to detect this "now" and turn it into a date understood by relative_date?
... View more
Labels
- Labels:
-
subsearch
12-11-2024
11:28 PM
@ITWhisperer Cool, your proposal does exactly what I was looking for. Thank you.
... View more
12-11-2024
06:29 AM
Dear experts My search index="abc" search_name="xyz" Umgebung="prod" earliest=-7d@d latest=@d zbpIdentifier IN (454-594, 256-14455, 453-12232)
| bin span=1d _time aligntime=@d
| stats count as myCount by _time, zbpIdentifier
| eval _time=strftime(_time,"%Y %m %d")
| chart values(myCount) over zbpIdentifier by _time limit=0 useother=f produces the following chart: For each zbpIdentifier I have a group within the graph showing the number of messages during several days. How to change the order of the day values within the group? Green (yesterday) should be the most left, followed by pink (the day before yesterday) and orange, ..... | reverse will change the order of the whole groups, that's not what I need. All kind of time sorting like | sort +"_time"
or
| sort -"_time" before and after | chart ... does not change anything.
... View more
Labels
- Labels:
-
chart
12-02-2024
11:01 PM
@PickleRick Thanks for highlighting the limitation of the amount of rows be returned by a sub search. This explains why one of my other Dashboards won't provide trustful values at the moment. Looks like I need to review and update some of my searches.....
... View more
11-28-2024
11:08 PM
@PickleRick : Thank you for the explanations, now I understand what is going on. About inclusion/ exclusion and search efficiency: I was not aware about this; this is something I would need to take care of as well....
... View more
11-28-2024
11:02 PM
@ITWhisperer : Thank you for this, based on your input I was able to find a working answer for my 3rd question.
... View more
11-28-2024
07:06 AM
Dear experts Basic idea of what I try to do: the results of a search should be filtered in a way, that only data points are displayed which are not part of a "Blacklist" maintained as lookup table. The challenging thing is, there are 3 columns at the same time to be taken into account for filtering. After a lot of trials, I ended up in creating a key from the 3 columns (which is unique) and then filter on the key. It is working, I just don't understand why :-(. Question: Has anybody an idea why the Version 1 filter works, and why Version 2 filter fails? Question: What needs to be changed to get Version 2 also to work? index="pm-azlm_internal_prod_events" sourcetype="azlmj"
| strcat ocp "_" fr "_" el unique_id
| table _time ocp fr el unique_id d_1
| search d_1="DEF ges AZ*"
``` VERSION 1: the working one ```
``` As long the subsearch returns a table with the column unique_id ```
``` which is exactly the name of the column I want to filter on, all works great.```
| search NOT [| inputlookup pm-azlm-aufschneidmelder-j
| strcat ocp "_" fr "_" sec unique_id
| table unique_id]
``` VERSION 2: NOT working ```
``` As soon I change the name of the column in the subsearch, the filte won't work anymore```
| search NOT [| inputlookup pm-azlm-aufschneidmelder-j
| strcat ocp "_" fr "_" sec ignore
| table ignore]```
| timechart span=1d limit=0 count by unique_id And the final question: is there a way for such filtering without going through the key creation? Thank you in advance.
... View more
Labels
- Labels:
-
subsearch
08-01-2024
11:38 PM
The problem was definitely in the multisearch. My original one was: <prefix>(</prefix>
<suffix>)</suffix>
<valuePrefix>opc="</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>OR</delimiter> Based on the feedback of @bowesmana and @marnall I changed it to: <prefix>IN (</prefix>
<suffix>)</suffix>
<valuePrefix>"</valuePrefix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter> And further down the search: index="pm-azlm_internal_prod_events" sourcetype="azlm" opc $opc_t$
...
| append
[search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp $opc_t$
... All is now working as expected, thank you for your support.
... View more
07-30-2024
03:14 AM
Hi Based on a Multiselect reading from index="pm-azlm_internal_prod_events" sourcetype="azlm" I define a token with the name opc_t This token can be used without any problems to filter further down in the dashboard data read from the same index (top 3 lines in the code below). <query>index="pm-azlm_internal_prod_events" sourcetype="azlm" $opc_t$ $framenum$
| strcat opc "_" frame_num UNIQUE_ID
| dedup _time UNIQUE_ID
| append
[ search index="pm-azlm_internal_dev_events" sourcetype="azlm-dev" ocp=$opc_t|s$
| strcat ocp "-j_" fr as UNIQUE_ID
| dedup UNIQUE_ID]
| timechart span=12h aligntime=@d limit=0 count by UNIQUE_ID
| sort by _time DESC
</query> BUT and here's my problem: using the same token on a different index (used in the append above) will provide no results at all. One (nasty) detail, the field names in both Indexes are slightly different. In index="pm-azlm_internal_prod_events" the field name I need to filter on ist called opc In the second index pm-azlm_internal_dev_events the field name is ocp Dear Experts: what do I need to change on the 2nd query, to be able to use the same token for filtering?
... View more
Labels
- Labels:
-
subsearch
02-02-2023
06:33 AM
Most probably I got it: index="..." sourcetype="..."
| strcat opc "_" frame_num "_" elem_id uniqueID
| search status_1="DRW 1*"
| bin _time span=20m as interval
| eval interval = strftime(interval,"%H.%M")
| stats count as warning by interval, uniqueID
| table uniqueID interval warning Changing the format string from "%H:%M" to "%H.%M" seems to do the trick
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a week ago
|
Karma given to
