Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About rikinet
rikinet
Explorer
Member since:
04-18-2023
2 weeks ago
Community Statistics
| Posts | 13 |
| Solutions | 0 |
| Karma Given | 1 |
| Karma Received | 0 |
| Member Since | 04-18-2023 |
Activity Feed
- Posted Re: Superset of data fragments / Compress diagonal data with extra obstacles on Splunk Search. 2 weeks ago
- Posted Re: Superset of data fragments / Compress diagonal data with extra obstacles on Splunk Search. 3 weeks ago
- Posted Superset of data fragments / Compress diagonal data with extra obstacles on Splunk Search. 3 weeks ago
- Tagged Superset of data fragments / Compress diagonal data with extra obstacles on Splunk Search. 3 weeks ago
- Tagged Superset of data fragments / Compress diagonal data with extra obstacles on Splunk Search. 3 weeks ago
- Posted Chart with textual / string / enumerative Y axis tick labels (such as "off" / "on") instead of numbers on Splunk Search. 10-25-2023 05:45 AM
- Tagged Chart with textual / string / enumerative Y axis tick labels (such as "off" / "on") instead of numbers on Splunk Search. 10-25-2023 05:45 AM
- Tagged Chart with textual / string / enumerative Y axis tick labels (such as "off" / "on") instead of numbers on Splunk Search. 10-25-2023 05:45 AM
- Posted Re: Is it possible to make y-axis labels display "on" and "off" instead of numerical values on my ch on Splunk Search. 10-23-2023 07:15 AM
- Posted Re: Colorized bar graph with log scale overlay on Dashboards & Visualizations. 10-10-2023 03:55 PM
- Posted Re: Colorized bar graph with log scale overlay on Dashboards & Visualizations. 10-10-2023 12:43 PM
- Posted Colorized bar graph with log scale overlay on Dashboards & Visualizations. 10-09-2023 05:03 AM
- Karma Re: Flatten JSON associative array with variable key names that even containing dots for spavin. 07-14-2023 03:31 AM
- Posted Re: Flatten JSON associative array with variable key names that even contain dots on Splunk Search. 07-14-2023 03:30 AM
- Posted Flatten JSON associative array with variable key names that even containing dots on Splunk Search. 07-12-2023 09:13 AM
- Tagged Flatten JSON associative array with variable key names that even containing dots on Splunk Search. 07-12-2023 09:13 AM
- Tagged Flatten JSON associative array with variable key names that even containing dots on Splunk Search. 07-12-2023 09:13 AM
- Tagged Flatten JSON associative array with variable key names that even containing dots on Splunk Search. 07-12-2023 09:13 AM
- Posted Find path between nodes in a table representing a hierarchical tree? on Splunk Search. 06-01-2023 03:15 PM
- Tagged Find path between nodes in a table representing a hierarchical tree? on Splunk Search. 06-01-2023 03:15 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
2 weeks ago
@ITWhisperer thanks for your reply. You have definitely put me on the right path. My original data has more ID and attribute fields, so I needed to find a way to generalize your solution further. I had a bit of a struggle to understand why you chose these particular three eventstats lines with their respective values(...) and by ... clauses. I believe a more generic recipe would be like this: If you have n ID fields and k attribute fields, do one eventstats ... by ID for each of the n ID fields: | eventstats
values(ID_2) as ID_2, .., values(ID_n) as ID_n,
values(attr_1) as attr_1, .., values(attr_k) as attr_k
by ID_1
| eventstats
values(ID_1) as ID_1, values(ID_3) as ID_3, .., values(ID_n) as ID_n,
values(attr_1) as attr_1, .., values(attr_k) as attr_k
by ID_2
| eventstats .. by ID_3
| eventstats .. by ID_n-1
| eventstats
values(ID_1) as ID_1, .., values(ID_n-1) as ID_n-1,
values(attr_1) as attr_1, .., values(attr_k) as attr_k
by ID_n The subsequent mvexpand and streamtstats count ... where count==1 can be simplified as: | fillnull value="N/A" ```or stats by fieldlist ignores rows with at least one null value in fieldlist```
| stats count by ID_1, ..., ID_n, attr_1, ..., attr_k | fields - count
| foreach * [ | eval <<FIELD>>=if(<<FIELD>>=="N/A",null(),<<FIELD>>) ] ```undo the N/A replacement``` This stanza even expands possible multivalues in all of the n attributes - otherwise each attribute field with potential multivalues would need its own explicit mvexpand <attr> . It also avoids mvexpand's potential memory issue. For my own sample data, it would read: | makeresults
| eval _raw="ID_A;ID_B;X1;X2
A1;B1;X1_1;X2_1
A2;B2;X1_2A;X2_2
A2;B2;X1_2B;X2_2
A3;B3;X1_3;X2_3
"
| multikv forceheader=1
| table ID_A, ID_B, X1, X2
| append [
| makeresults
| eval _raw="ID_A;ID_B;Y1;Y2
A2;B2;Y1_2;
A2;B2;;Y2_2
A3;B3;;Y2_3A
A3;B3;;Y2_3B
A4;B4;Y1_4;Y2_4
"
| multikv forceheader=1
| table ID_A, ID_B, Y1, Y2
]
| append [
| makeresults
| eval _raw="ID_B;ID_C;Z1
B1;C1;Z1_1
B3;C3;Z1_3
B5;C5;Z1_5
"
| multikv forceheader=1
| table ID_B, ID_C, Z1
]
| table ID_A, ID_B, ID_C, X1, X2, Y1, Y2, Z1
```--- relevant code starts here ---```
| eventstats
values(ID_B) as ID_B, values(ID_C) as ID_C,
values(X1) as X1, values(X2) as X2, values(Y1) as Y1, values(Y2) as Y2, values(Z1) as Z1
by ID_A
| eventstats
values(ID_A) as ID_A, values(ID_C) as ID_C,
values(X1) as X1, values(X2) as X2, values(Y1) as Y1, values(Y2) as Y2, values(Z1) as Z1
by ID_B
| eventstats
values(ID_A) as ID_A, values(ID_B) as ID_B,
values(X1) as X1, values(X2) as X2, values(Y1) as Y1, values(Y2) as Y2, values(Z1) as Z1
by ID_C
| fillnull value="N/A" ```or stats by fieldlist ignores rows with at least one null value in fieldlist```
| stats count by ID_A, ID_B, ID_C, X1, X2, Y1, Y2, Z1 | fields - count
| foreach * [ | eval <<FIELD>>=if(<<FIELD>>=="N/A",null(),<<FIELD>>) ] ```undo the N/A replacement``` Please let me know if I have overlooked something.
... View more
3 weeks ago
Small correction: In the result table, rows 4 and 5, ID_C should be "C3" (from table Z).
... View more
3 weeks ago
I have three tables. Each has one or more ID fields (out of ID_A, ID_B, ID_C) and assigns values Xn, Yn, Zn to these IDs. In effect, the tables each contain a fragment of information from a set of objects 1...5. Table X: ID_A ID_B X1 X2 A1 B1 X1_1 X2_1 A2 B2 X1_2a X2_2 A2 B2 X1_2b X2_2 A3 B3 X1_3 X2_3 Table Y: ID_A ID_B Y1 Y2 A2 B2 Y1_2 A2 B2 Y2_2 A3 B3 Y2_3a A3 B3 Y2_3b A4 B4 Y1_4 Y2_4 Table Z: ID_B ID_C Z1 B1 C1 Z1_1 B3 C3 Z1_3 B5 C5 Z1_5 How can I create the superset of all three tables, i.e. reconstruct the "full picture" about obects 1..5 as good as possible? I tried with union and join in various ways, but I keep tripping over the following obstacles: The 1:n relation between ID and values (which should remain expanded as individual rows) Empty fields in between (bad for stats list(...) or stats values(...) because of different-sized MV results) There is no single table that has references to all objects (e.g. object 5 only present in table Z). Desired result: ID_A ID_B ID_C X1 X2 Y1 Y2 Z1 A1 B1 C1 X1_1 X2_1 Z1_1 A2 B2 X1_2a X2_2 Y1_2 Y2_2 A2 B2 X1_2b X2_2 Y1_2 Y2_2 A3 B3 X1_3 X2_3 Y2_3a Z1_3 A3 B3 X1_3 X2_3 Y2_3b Z1_3 A4 B4 Y1_4 Y2_4 B5 C5 Z1_5 Sample data: | makeresults
| eval _raw="ID_A;ID_B;X1;X2
A1;B1;X1_1;X2_1
A2;B2;X1_2A;X2_2
A2;B2;X1_2B;X2_2
A3;B3;X1_3;X2_3
"
| multikv forceheader=1
| table ID_A, ID_B, X1, X2
| append [
| makeresults
| eval _raw="ID_A;ID_B;Y1;Y2
A2;B2;Y1_2;
A2;B2;;Y2_2
A3;B3;Y1_3;Y2_3A
A3;B3;Y1_3;Y2_3B
A4;B4;Y1_4;Y2_4
"
| multikv forceheader=1
| table ID_A, ID_B, Y1, Y2
]
| append [
| makeresults
| eval _raw="ID_B;ID_C;Z1
B1;C1;Z1_1
B3;C3;Z1_3
B5;C5;Z1_5
"
| multikv forceheader=1
| table ID_B, ID_C, Z1
]
| table ID_A, ID_B, ID_C, X1, X2, Y1, Y2, Z1
... View more
10-25-2023
05:45 AM
Is it possible to display textual (string) values instead of numbers on the Y axis? I have a time series with a field called "state", which contains an integer number. Each number represents a certain state. Examples: 0="off", 1="on" 0="off", 1="degraded", 2="standby", 3="normal", 4="boost" Now I would like to have a line or bar chart showing the respective words on the Y axis ticks instead of 0, 1, 2, 3, 4. Note: This was already asked but not answered satisfactorily: https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-make-y-axis-labels-display-quot-on-quot-and/m-p/222217
... View more
- Tags:
- axis
- formatting
Labels
- Labels:
-
chart
10-23-2023
07:15 AM
Above Link (https://answers.splunk.com/answers/52850/plotting-text-values-on-y-axis.html) does not work for me. Has this question ever been answered? I am also looking for a way to show words (enumerations) on the Y-axis ticks. Such as state descriptors "-1=unknown, 0=off, 1=reduced_mode, 2=on" etc.
... View more
10-10-2023
03:55 PM
Yes, I also had that idea: So, calculate log(analog_value) and plot that a linear Y axis? While that produces a proper visual, you can't read the value of analog_value any more (only it's log). But the illegibility of the true values still bothers me, which is why I was hoping for an even more perfect solution, somehow... Maybe there is none.
... View more
10-10-2023
12:43 PM
Thank you @bowesmana for your comprehensive reply and example! It works fine - but unfortunately it still doesn't get the logarithmic scale on the overlay right. While setting <option name="charting.axisY2.scale">log</option> does not yield any validation error, it simply doesn't work as expected. Your example image also shows a linear secondary Y axis. When editing this dashboard in the graphical editor, I get an error when I try to change the Y axis to logarithmic. Maybe there is just no possible way in Splunk to do what I want to do?
... View more
10-09-2023
05:03 AM
I have time series data like this: _time digital_value: can be either 0.1 or 1 (see Note) analog_value: can be 0, 100, 500, 1000, 5000, 10000 Note) It's actually 0 or 1, but 0 doesn't show in a bar graph. I want to plot this data in a diagram like this: X axis = _time digital_value=0.1 as a red bar digital_value=1 as a green bar analog_value as an overlaid line graph, with log scale Y axis To colorize digital_value, I understand I must split it into two series, like this: | digital_value_red = if(digital_value=0.1, 0.1, null())
| digital_value_green = if(digital_value=1, 1, null())
| fields -digital_value However, this creates two bars per data point, where only the non-null one is shown and the other one leaves a gap. That way, I don't have equally spaced bars along the X axis any more. See this example: So, stacked bars? Yes, but that doesn't work with log scale Y axis for the overlaid line graph. So, calculate log(analog_value) and plot that a linear Y axis? While that produces a proper visual, you can't read the value of analog_value any more (only it's log). Any ideas how I can achieve a colorized bar graph + log scale overlay?
... View more
Labels
- Labels:
-
chart
-
simple XML
07-14-2023
03:30 AM
Hi @spavin , thank you very much - that works! Great help! Just a small addition: I think we can even skip the 'foreach' command and simply write | eval values = json_extract_exact(ips, keys) ...because at this point after the 'mvexpand', 'keys' only contains a single key.
... View more
07-12-2023
09:13 AM
I have JSON event data like this (it is shown as a collapsable tree structure in the event view): {
"data": {
"192.168.1.1": {
"ip": "192.168.1.1",
"number": 0,
"list": [
{
"msg": "msg1",
"time": "2023-07-01T01:00:00",
},
{
"msg": "msg2",
"time": "2023-07-01T02:00:00",
},
{
"msg": "msg3",
"time": "2023-07-01T03:00:00",
}
]
},
"192.168.1.2": {
"ip": "192.168.1.2",
"number": 2,
"list": [
{
"msg": "msg1",
"time": "2023-07-02T01:00:00",
},
{
"msg": "msg2",
"time": "2023-07-02T02:00:00",
}
]
}
}
} Please note: The key names under "data" are not known beforehand, but they are guaranteed to be IP addresses. That means they contain dots, which makes direct addressing such as "data.192.168.1.1.ip" difficult. The number of entries in "data.X.list" is variable. "data.X.number" is just any number, it does not contain the length of the list or so. I want to flatten the structure into a tabular form, like this: ip number msg time "192.168.1.1" 0 "msg1" "2023-07-01T01:00:00" "192.168.1.1" 0 "msg2" "2023-07-01T02:00:00" "192.168.1.1" 0 "msg3" "2023-07-01T03:00:00" "192.168.1.2" 2 "msg1" "2023-07-02T01:00:00" "192.168.1.2" 2 "msg1" "2023-07-02T02:00:00" My strategy so far was: In the raw data (_raw), replace all dots in IP addresses by underscores, to avoid the dot notation hassle Then use foreach to generate "iterator variables" for each ip entry Then iterate over all "iterator variables", use <<MATCHSTR>> as a placeholder for all spath operations within each IP address's sub-tree. Something along the lines of | rex field=_raw mode=sed "s/192.168.([0-9]{1,3}).([0-9]{1,3})/192_168_\1_\2/g"
| foreach data.*.ip [ eval iterator_<<MATCHSTR>>='<<FIELD>>']
| foreach iterator_* [
spath path=data.<<MATCHSTR>>.list{} output=<<MATCHSTR>>_json
| eval <<MATCHSTR>>_json=mvmap(<<MATCHSTR>>_json, <<MATCHSTR>>_json."##<<MATCHSTR>>")
| eval messages=mvappend(messages, <<MATCHSTR>>_json)
| fields - <<MATCHSTR>>_json ] But the problems start with the fact that rex applied to _raw does not seem to have the desired effect. The closest I get are iterator variables still containing dotted IP addresses, such as "iterator_192.168.1.1". (This behaviour might be difficult to reproduce with makeresults sample data!) What am I missing here?
... View more
Labels
- Labels:
-
field extraction
06-01-2023
03:15 PM
I have a table with columns "from" and "to", in which each row represents an edge between "from" and "to" nodes within a hierarchical tree. In this tree, any node can have any number of children, and arbitrary depth. The table rows are in no specific order. In my case, the tree contains ~50 nodes at max. We define P(X) as the path between the root node and node X, where X doesn't have to be a leaf node. Question: Using SPL language, how can I determine P(X) from the tabular data? The result would preferably be represented in the same tabular format, but containing only the edges on P(X). Any other representation is also fine, such as a string, mv field, table containing the nodes on the path, etc. Example: This tree with 12 edges...
A
+--B
| +--E
| +--F
| | +--K
| | +--L
| +--G
+--C
| +--H
+--D
+--I
+--J
+--M
... would be represented by the table:
from
to
A
B
A
C
A
D
B
E
B
F
B
G
F
K
F
L
C
H
D
I
D
J
J
M
(Note that the rows can be in any order) If we are looking for P(F), the resulting path would be "A-B-F", i.e. the following subset of above table:
from
to
B
F
A
B
(Again, the order of the rows doesn't matter.) I would normally consider recursive tree searches (DFS, BFS) or at least loops, but these are not SPL-like approaches.
... View more
Labels
- Labels:
-
other
04-19-2023
01:01 PM
@VatsalJagani Thanks, it works now. I must have made some stupid typo before, but the idea was there at least... However: This solution only works if the value (for nodes) and linkText follow distinct patterns, which makes them somehow distinguishable, e.g. using regex. Is there a solution that works for any value and linkText values?
... View more
04-18-2023
02:20 PM
I want to use drilldowns on a "Network Diagram Viz" custom visualization in a dashboard. I want to show / hide panels depending on whether a node or a link has been clicked in the graph. So I finally need two tokens, $is_node$ and $is_link$, to drive my <panel depends=...> clauses. I tried various ideas with no success so far, and most of them seem rather clumsy for the small task. Attempt 1: Splunk Drilldowns -> $row.<fieldname>$: "Available fields depend on whether a node or link was double clicked: Double clicking nodes: row.from, row.value, row.type, row.color Double clicking links: row.from, row.to, row.linkColor, row.linkText, row.linkWidth" Problem: When clicking first a link and then a node, the link-related variables are not reset, so testing for isnull(row.to) does not help much. Attempt 2: Same approach, but using the visualization's own token, $nd_to_node_token$ "Node (to): The 'to' field of the selected link. Defaults to $nd_to_node_token$" Same problem as above. When clicking a node, it retains the value of a previously clicked link. Attempt 3: Using $click.value$ or $nd_value_token$ "Node or link text: The label value of the selected node, or the linktext of the selected link. Defaults to $nd_value_token$." Luckily, the "value" of my nodes is always a MAC address and "linktext" of my links is always a 1- or 2-digit number (datatype string). So I can use regular expressions to determine what is clicked. I tried: <drilldown>
<eval token="click_type">if(match($nd_value_token$, "^[0-9]{1,2}$"), "is_link", "is_node")</eval>
</drilldown> ... It works, but this only gives me one token ($click_type$) with two possible values, but I need above mentioned two separate tokens. I also tried (following this question😞 <panel>
<viz type="network-diagram-viz.network-diagram-viz">
<search>...</search>
<drilldown>
<condition match="match($click.value$, "^\d{1,2}$")">
<set token="is_link">true</set>
<unset token="is_node"></unset>
</condition>
<condition match="WHAT_TO_PUT_HERE?">
<unset token="is_link"></unset>
<set token="is_node">true</set>
</condition>
</drilldown>
</viz>
</panel> ... but I wouldn't know how to specify the match=... clause in the else branch. And I doubt that using match() in the match=... clause works at all. If I try this, clicking anywhere in the Network Diagram Viz takes me to a Splunk Search page - obviously something's wrong. Any ideas?
... View more
Labels
- Labels:
-
using Splunk Enterprise
