About maayan

maayan · ‎01-14-2024

we don't have permission to install the app. i will try to ask the infra team again. is there an option to add the alert result to this query? | rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to"

maayan · ‎01-10-2024

i will do validations but i think that it works , thanks! 🙂

maayan · ‎01-10-2024

Hi, It's a very useful query! | rest splunk_server=local /servicesNS/-/-/saved/searches | where alert_type!="always" | table title,author,description,"eai:acl.owner","next_scheduled_time","action.email.to" I need the alerts results and the second query doesn't work for me. i have already created an alert and see in under the "Alerts" tab and scheduled in today. What i need to change in the second query to results? maybe something in the alert setting? or different index?

maayan · ‎01-10-2024

thanks! 🙂 i don't get all cells=0, no results when using the where clause (if i remove `where` i see that cells==0 exist) . i found a ticket: https://community.splunk.com/t5/Splunk-Search/How-to-show-only-fields-over-0/m-p/164589 maybe i can't do it with timechat? | eval _time=strptime(TimeStamp, "%F %T") | timechart span=12h count(Name) AS CountEvents by machine cont=t usenull=f useother=f | where CountEvents=0

maayan · ‎01-10-2024

thanks! i use TimeStamp and not _time. how do i use it in my query? | addinfo | fieldformat info_min_time=strftime(info_min_time,"%c") | fieldformat info_max_time=strftime(info_max_time,"%c") | where strptime(TimeStamp,"%F %T.%3N")>info_min_time AND strptime(TimeStamp,"%F %T.%3N")<info_max_time ```Divide the time to intervals ``` | eval TimeStamp_epoch = strptime(TimeStamp, "%F %T") | bin TimeStamp_epoch span=2d | eval interval_start = strftime(TimeStamp_epoch, "%F %T") | eval interval_end = strftime(relative_time(TimeStamp_epoch, "+2d"), "%F %T") | eval interval_end = if(strptime(interval_end, "%F %T") > now(), strftime(now(), "%F %T"), interval_end) | eval time_interval = interval_start . " to " . interval_end | chart count(Name) over machine by time_interval

maayan · ‎01-10-2024

Hi, Thanks! i will check. i dont have permission to install apps. i wonder if there is an internal query to get all alerts and their results

maayan · ‎01-10-2024

Hi, i need to find a way to present all alerts in a dashboard(Classic/Studio). users don't want to get mail for each alert, they prefer to see (maybe in a table ) all the alerts in one page + the alert's last result. and maybe to click on the alert and get the last search. is it possible to create an alerts dashboard? thanks, Maayan

maayan · ‎01-10-2024

Hi, I need to find all time_interval for each machine where there is no data (no row for Name) . (to goal is to create an alert if there was no data in a time interval for a machine) for example, if we look at one day and machine X. if there was data in time interval 8:00-10:00, 10:00-12:00. I need to return X and the rest of the interval (12:00-1:00,1:00-2:00,..) i wrote the following command: | chart count(Name) over machine by time_interval i get a table with all interval and machines. cell=0 if there is no data. i want to return all cell =0 (i need the interval and machine where cell=0) but i didn't succeed. i also tried to save the query and do left join but it doenst work. it's a very simple mission, some can help me with that? thanks, Maayan

maayan · ‎12-19-2023

Hi, I have a table of time, machine, and total errors. I need to count for each machine how many times 3 errors (or more) happened in 5 min. if in one bucket more than 3 error happened I sign this row as True. finally i will return the frequency of 3 errors in 5 min (Summarize all rows==True) i succeeded in doing that in Python, but not in Splunk. i wrote the following code : | table TimeStamp,machine,totalErrors | eval time = strptime(TimeStamp, "%Y-%m-%d %H:%M:%S.%3N") | eval threshold=3 | eval time_window="5m" | bucket span=5m time | sort 0 machine,time | streamstats sum(totalErrors) as cumulative_errors by machine,time | eval Occurrence = if(cumulative_errors >= 3, "True", "False") | table machine,TimeStamp,Occurrence It almost correct. row 5 supposed to be True. If we calculate the delta time between row 1 to 5 more than 5 min passed, but if we calculate the delta time between row 2 to 5 less than 5 min passed and number of errors >=3 errors. How to change it so it will find the delta time between each row (2 to 5 , 3 to 5,.. ) for each machine ? hope you understand. i need short and simple code because i will need to do that also for 1m,2m,.. 3,5,..errors row Machine TimeStamp Occurrence 1 machine1 12/14/2023 10:12:32 FALSE 2 machine1 12/14/2023 10:12:50 FALSE 3 machine1 12/14/2023 10:13:06 TRUE 4 machine1 12/14/2023 10:13:24 TRUE 5 machine1 12/14/2023 10:17:34 FALSE 6 machine1 12/16/2023 21:01:45 FALSE 7 machine2 12/18/2023 7:53:54 False thanks, Maayan

maayan · ‎12-18-2023

thanks! good solution like always 🙂

maayan · ‎12-18-2023

Thanks!! works! If you succeed to do that in loop (something like loop for i in (1h,5m,2m,1m...) ) it will be great because the query is very long 🙂 Regarding the parameter - yes i can add drop down filter to my dashboard, i wonder if i can give the users option to insert the span number and not to provide them predefined list in the drop down filter

maayan · ‎12-17-2023

Hi, i want to create sensitive table. i want to show how many errors happen in average in each time interval i wrote the following code and it works ok: | eval time = strptime(TimeStamp, "%Y-%m-%d %H:%M:%S.%Q") | bin span=1d time | stats sum(SumTotalErrors) as sumErrors by time | eval readable_time = strftime(time, "%Y-%m-%d %H:%M:%S") | stats avg(sumErrors) now, i want: 1. add generic loop to calculate avg for span of 1m,2m,3m,5n,1h,... and present all in a table. i tried to replace 1d by parameter but i haven't succeed yet. 2. give option to user to insert his desired span in dashboard and calculate the avg errors for him. how can i do that? Thanks , Maayan

maayan · ‎12-12-2023

i added the command | add info and i think that it works i will do validations but thanks a lot! 🙂

maayan · ‎12-12-2023

thanks!! i used min, max because add_info didn't work for me. but it doesn't work, when i select a range (for example 4 hours) in the time filter the data that i get is not between this range. maybe i should do something with $field1.earliest$, $field1.latest$? my code: <search id="bla"> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <query> | loadjob savedsearch="mp:search:query name" | eventstats max(_time) as maxtime, min(_time) as mintime | where $pc$ AND $version$ AND strptime(TimeStamp,"%F %T.%3N")>mintime AND strptime(TimeStamp,"%F %T.%3N")<maxtime </query> </search> <fieldset submitButton="true" autoRun="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-1d@h</earliest> <latest>now</latest> </default> </input>

maayan · ‎12-12-2023

Can you write me from your experience how to parse my timestamp field to be able to be compared with earliest, latest parameters please?

maayan · ‎12-12-2023

thanks. I'm trying to do something like that but it doesn't work: (my TimeStamp field format is: 2023-11-07 16:43:05.227) <form version="1.1" theme="dark"> <label>time try</label> <search id="bla"> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> <query> | loadjob savedsearch="mp:search:query name" | where $pc$ AND $version$ AND TimeStamp>$field1.earliest$ AND TimeStamp<$field1.latest$ </query> </search> <fieldset submitButton="true" autoRun="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-1d@h</earliest> <latest>now</latest> </default> </input> <input type="multiselect" token="pc" searchWhenChanged="true"> <label>pc</label> <choice value="%">All</choice> <default>%</default> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>(pc like("</valuePrefix> <valueSuffix>"))</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>pc</fieldForLabel> <fieldForValue>pc</fieldForValue> <search base="bla"> <query> | where ( $version$) | dedup pc| fields pc </query> </search> </input> ........

maayan · ‎12-12-2023

Hi, I'm using: loadjob savedsearch because my query is big and it takes time to load. I have some multi-select filters and i want to add input time range filter. (| loadjob savedsearch="mp:search:queryName" | where $pc$ AND $Version$ ) I'm not sure how to do that because i need to use a field called: Timestamp (i get it in my query, this is the time the event is written to the json file ) and not the _time field. In addition, I don't know how to use loadjob savedsearch with time range filter Can you help me, please? Thank, Maayan

maayan · ‎12-11-2023

hi thanks. i finally decided to create a dashboard for each tab until Splunk will develop tabs in Dashboard studio.

maayan · ‎11-21-2023

Hi, I agree. I moved to studio because someone recommended me:https://community.splunk.com/t5/Dashboards-Visualizations/How-to-improve-the-filter-input/m-p/668513#M54700 I have already converted the dashboard and created a much more impressive visualization so i prefer to stay with the studio version but i have a problem because tabs are not supported. Do you know about a workaround solution? thanks

maayan · ‎11-20-2023

Hi, I found 2 previous tickets about this cases (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-create-multiple-tabs-in-splunk-dashboard-studio/td-p/598020) I need to convert my dashboard to studio dashboard from classic (because customers weren't satisfied with the filters in the classic version), i need to add tabs to my dashboard because i can't insert all charts in one page (too much charts and different topics) How can I implement tabs? or maybe a workaround solution? I don't want to create each tab as a different dashboard. Thanks, Maayan

maayan · ‎11-20-2023

i also want to know how to increase all labels and title in bar chart (dashboard studio)

maayan · ‎11-14-2023

nice idea the conversation doesn't really works but it's a nice direction! Anyway, the filter doesn't work. the error (studio) :"Cannot convert undefined or null to object" code: { "options": { "items": [ { "label": "All", "value": "*" } ], "defaultValue": "*", "token": "WinTimeStamp" }, "title": "Multiselect Input Title", "type": "input.multiselect", "dataSources": { "primary": "ds_ICA_General" } } classic studio code: <input type="multiselect" token="WinTimeStamp" searchWhenChanged="true"> <label>Time</label> <choice value="%">All</choice> <default>%</default> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>(WinTimeStamp like("</valuePrefix> <valueSuffix>"))</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>WinTimeStamp</fieldForLabel> <fieldForValue>WinTimeStamp</fieldForValue> <search base="ICA_General"> <query> | stats values(WinTimeStamp) as WinTimeStamp_ | sort WinTimeStamp_</query> </search> </input>

maayan · ‎11-14-2023

how can i convert classic dashboard type to studio?

maayan · ‎11-14-2023

how to change my code to something like the filter in the image? https://docs.splunk.com/Documentation/Splunk/9.1.1/DashStudio/inputMulti

maayan · ‎11-14-2023

Hi, I implemented an input filter, but i want to improve it. Customers want to select multiple values from the filter and then select more values. in the current situation they need to select 'All ' and then select the values again (each time they want to add values they need to select All-->select values-->remove All) in addition, they want to select all values except one value, which currently takes time to do. Is there a smarter filter input in Splunk? my code: <input type="multiselect" token="WinTimeStamp" searchWhenChanged="true"> <label>Time</label> <choice value="%">All</choice> <default>%</default> <prefix>(</prefix> <suffix>)</suffix> <valuePrefix>(WinTimeStamp like("</valuePrefix> <valueSuffix>"))</valueSuffix> <delimiter> OR </delimiter> <fieldForLabel>WinTimeStamp</fieldForLabel> <fieldForValue>WinTimeStamp</fieldForValue> <search> <query> | where $Name$ | dedup WinTimeStamp | sort WinTimeStamp</query> </search> </input> Thanks, Maayan

Posts	61
Solutions	1
Karma Given	15
Karma Received	0
Member Since	‎04-30-2023

Online Status	Offline
Date Last Visited	‎01-14-2024 04:43 AM

Alerts Dashboard

Chart- return all cell==0

Delta time between each row - calculate frequency ...

How to create a sensitive table?

Add time range filter based on specific column whe...

How to add tabs to studio dashboard?

How to improve the filter input?

How to show both values and percentages bar chart?

What am i doing wrong in summary index?

Why sistats doesn't work after lookup?

Re: Alerts Dashboard

Re: Chart- return all cell==0

Re: Alerts Dashboard

Re: Chart- return all cell==0

Re: Chart- return all cell==0

Re: Alerts Dashboard

Alerts Dashboard

Chart- return all cell==0

Delta time between each row - calculate frequency ...

Re: How to create a sensitive table?

Re: How to create a sensitive table?

How to create a sensitive table?

Re: Add time range filter based on specific column...

Re: Add time range filter based on specific column...

Re: Add time range filter based on specific column...

Re: Add time range filter based on specific column...

Add time range filter based on specific column whe...

Re: How to add tabs to studio dashboard?

Re: How to add tabs to studio dashboard?

How to add tabs to studio dashboard?

Re: How to Change the font of a table on Dashboard...

Re: How to improve the filter input?

Re: How to improve the filter input?

Re: How to improve the filter input?

How to improve the filter input?