Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About duesser
duesser
Path Finder
Member since:
07-10-2023
04-12-2026
Community Statistics
| Posts | 32 |
| Solutions | 0 |
| Karma Given | 35 |
| Karma Received | 1 |
| Member Since | 07-10-2023 |
Activity Feed
- Posted Re: Numerical Precision in Metrics on Getting Data In. 04-12-2026 11:14 PM
- Posted Re: Numerical Precision in Metrics on Getting Data In. 04-08-2026 11:08 PM
- Posted Re: Numerical Precision in Metrics on Getting Data In. 04-08-2026 10:47 PM
- Posted Numerical Precision in Metrics on Getting Data In. 04-08-2026 07:02 AM
- Tagged Numerical Precision in Metrics on Getting Data In. 04-08-2026 07:02 AM
- Tagged Numerical Precision in Metrics on Getting Data In. 04-08-2026 07:02 AM
- Tagged Numerical Precision in Metrics on Getting Data In. 04-08-2026 07:02 AM
- Karma Re: Howto use _time to compare with field with time for woodcock. 02-08-2024 06:35 AM
- Karma Is a Javascript event called when a SearchManager search returns no data? for jmurdza. 12-19-2023 11:50 PM
- Karma Re: Is a Javascript event called when a SearchManager search returns no data? for dgladkikh_splun. 12-19-2023 11:50 PM
- Karma Re: Mutlivalue Field Problem for ITWhisperer. 12-19-2023 08:51 AM
- Posted Re: Extracting data from the search result model on Dashboards & Visualizations. 12-18-2023 06:50 AM
- Karma Extracting data from the search result model for mikdman. 12-18-2023 06:50 AM
- Karma Uncaught Error: Already have instance with id: in splunk for sumangala. 12-18-2023 01:31 AM
- Karma Re: Uncaught Error: Already have instance with id: in splunk for pbalbasm. 12-18-2023 01:31 AM
- Karma Re: Button to run splunk query for chrisyounger. 12-18-2023 01:21 AM
- Karma Re: Expand multivalue field into individual fields WITHOUT mvexpand for ITWhisperer. 12-14-2023 12:11 AM
- Posted Re: Expand multivalue field into individual fields WITHOUT mvexpand on Splunk Search. 12-14-2023 12:10 AM
- Karma Re: Expand multivalue field into individual fields WITHOUT mvexpand for dtburrows3. 12-14-2023 12:01 AM
- Posted Expand multivalue field into individual fields WITHOUT mvexpand on Splunk Search. 12-13-2023 07:32 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-12-2026
11:14 PM
Thanks for the reply, this is a very helpful response. Unfortunately, the data is coming in as a metric, so the first command will have to be mstats, where we will loose the precission. I will accept as the correct solution anyways, since i guess this would be the only way to actually handle numbers of such precission.
... View more
04-08-2026
11:08 PM
Researching the other answer i played around with different length numbers and was able to get data with higher precission into splunk. Also i did search through the logs and did not find any serialization issues. Thank you for the input though 🙂
... View more
04-08-2026
10:47 PM
I can reproduce the finding by running your query on my instance. I can also confirm, that if i force my data to be "shorter" I do observe higher floating point precission. Do you also happen to know the root cause and a solution?
... View more
04-08-2026
07:02 AM
I have data of the following structure in Kafka. {"id": "ABC", "name": "lukas", "timestamp": 1775567475, "payload": 372998479107735.188677, "status": "ok"} I get it into Splunk using the log2metric_json sourcetype and a HEC Connector via Splunk Connect for Kafka. When reading the docs about metrices i read about metric indices that it supports precision between 15 and 17 decimal digits. I only seem to be getting 2 however and I can not find anything in props or limits.conf regarding this. Even using "| mpreview" I can verify this.
... View more
Labels
- Labels:
-
HTTP Event Collector
-
JSON
-
sourcetype
12-18-2023
06:50 AM
I have the same issue.. Is there a way? I tried writing into submitted token model inside "on" call but cannot "get" the token on the higher level. On the console I can see that it was indeed writen into the token though.
... View more
12-14-2023
12:10 AM
Yes for real! That was my first idea. I think for static field length one could use something along this line of thought (does not work as is but should be doable): | makeresults
| eval
mv_field=split("a|b|c|d|e|f|aa", "|")
| fields ```other fields of interest``` mv_field [| makeresults count=7
| streamstats count
| eval temp="mv_field_",
fieldname=temp.count
| stats values(fieldname) AS fieldname
| return $fieldname]
| foreach mode=multifield mv_field_*
[ eval "<<FIELD>>"=mvindex(mv_field,tonumber(<<MATCHSTR>>),tonumber(<<MATCHSTR>>))] but seing this solution it is more elegant and general
... View more
12-13-2023
07:32 AM
I have a multivalue field, which I would like to expand to individual fields, like so: | makeresults count=1
| eval a=mvappend("1","7")
| eval a_0=mvindex(a,0,0)
| eval a_1=mvindex(a,1,1) However, the length might be >2 and I would like to have a generic solution to do this. I know I can create a MV field with an index and use mvexpand and then stats to get all back into a single event, but I run into memory issues with this in my own data. In short: not use mvexpand and solve the issue in a generic fashion.
... View more
Labels
- Labels:
-
fields
12-07-2023
02:28 AM
When does it not work? For my intends and purposes it is sufficient! Thank you alot!
... View more
12-07-2023
02:19 AM
This does not work for me. It evaluates to "NaN". I guess the issue beeing, that $timepicker.xxx$ is filled with "-24h@h" for example, rather than UNIX time. Maybe it would make sense to post this as a seperate question. "how to convert "-24h@h" or so into UNIX time"?
... View more
12-06-2023
12:25 AM
I am loading the search from a datamodel, so I can not do | datamodel earliest=$<time_token>$-1h
... View more
12-05-2023
10:31 PM
I am aware of this, which is why I linked the question where this was answered already. I need to change the token within the XML dashboard.
... View more
12-05-2023
10:30 PM
I am aware of this, however I was not able to accomplish this. Could you specify HOW EXACTLY you would accomplish this - e.g. shift earliest to earliest-1h within the input part of XML?
... View more
12-05-2023
01:00 AM
I basically have the exact same question as https://community.splunk.com/t5/Dashboards-Visualizations/How-to-have-a-panel-use-an-offset-from-a-time-picker/m-p/351003. BUT I need to actually change the value in the timerange picker token. E.G. if i select a timerange of "last 4 hour" and my modification is to add an hour, than the $token_time.earliest$ should not be "-4h" but "-5h".
... View more
Labels
- Labels:
-
dashboard
-
panel
-
simple XML
-
token
11-30-2023
03:43 AM
I have some data where I want to write the values of "test_n" (n in 1,2,...20) into a multivalue field and keep the numeric order. My attempt is to create the fields in a subsearch and pass to "mvapend()". This does not work. | makeresults count=20
| streamstats count
| eval test_{count}=count
| stats first(test*) AS test*
| eval x=mvappend([| makeresults count=20
| streamstats count AS count
| eval field_names="test".count
| stats list(field_names) AS field_names
| nomv field_names
| eval field_names=replace(field_names," ",", ")
|return $field_names]) Is there any alternative to spelling out: | eval x=mvappend(test_1,...test_20) by hand?
... View more
11-28-2023
04:34 AM
I have this query, where I want to build a dataset from a variable and its 4 previous values. I can solve this like so: | makeresults
| eval id=split("a,b,c,d,e,f,g",",")
| eval a=split("1,2,3,4,5,6,7",",")
| eval temp=mvzip(id,a,"|")
| mvexpand temp
| rex field=temp "(?P<id>[^|]+)\|(?P<a>[^|]+)"
| fields - temp
| streamstats current=false last(a) AS a_lag1
| streamstats current=false last(a_lag1) AS a_lag2
| streamstats current=false last(a_lag2) AS a_lag3
| streamstats current=false last(a_lag3) AS a_lag4
| where isnotnull(a_lag4)
| table id a* However, if I want to extend this to say 100 previous values, this code would become convoluted and slow. I imagine there must be a better way to accomplish this goal, however my research has not produced any alternative. Any ideas are appreciated.
... View more
11-15-2023
02:03 AM
Great solution - I did not know about mvindex and mvrange! They seem like a usefull couple. instead of list -> mvdedup you can just use values.
... View more
11-14-2023
11:44 PM
| makeresults
| eval _raw="id;x;y;z;k
a;1;;;
a;;1;;
a;;;1;
a;2;;;
a;;2;;
a;;;;1
b;1;;;
b;;1;;
b;;;1;
b;2;;;
b;;2;;
b;;;;1
a;;1;;
a;;;1;
a;2;;;
a;;2;;
a;;;;1
b;1;;;
b;;1;;
b;;;1;
b;2;;;
b;;2;;
b;;;;1"
| multikv forceheader=1
| fields id x y z k
| table id x y z k
| stats first(*) AS * BY id I have date of the following form, where the usual variables Z and K (might) have multiple measurements that are not unique, so I use "| stats first()" to aggregate them to the ID. However there are variables X and Y that do contain multiple unique values (which might also repeat). In the end I would like to obtain a table like so: id x1 x2 y1 y2 z k
a 1 2 1 2 1 1
b 1 2 1 2 1 1 Where (ideally) the fields of X and Y are numbered for each unique value (NOT the value in the field) so that if 3 unique values are in the data it would yield X1,2,3.
... View more
11-09-2023
01:39 AM
I am basically faced with this problem: | makeresults count=3
| streamstats count
| eval a.1 = case(count=1, 1, count=2, null(), count=3, "null")
| eval a.2 = case(count=1, "null", count=2, 2, count=3, null())
| eval a3 = case(count=1, null(), count=2, "null", count=3, 3)
| table a*
| foreach mode=multifield * [eval <<FIELD>>=if(<<FIELD>>="null",null(),'<<FIELD>>')] I have fields that contain a `.`. This screws up the `foreach` command. Is there a way to work around this? I have tried using `"<<FIELD>>"` but to no avail. I think it would work to rename all "bad" names, loop trough them and rename them back, but if possible I would like to avoid doing this.
... View more
11-02-2023
04:15 AM
It is like this my main search. I figured it would be - however, I thought there might be a trick to dynamically leverage the distinct values of "a" and then vectorize the head command or so. Thank you anyhow!
... View more
11-02-2023
03:25 AM
Yes - this works the same! BUT it yields the exact performance as "| dedup" for my real data example while the "| head 1" approach is roughly 15x faster.
... View more
11-02-2023
03:06 AM
I basically have the opposite question as can be seen here: https://community.splunk.com/t5/Splunk-Search/How-to-use-the-head-command-with-group-by/m-p/444439 I am looking for an increase in performance while keeping the search generic. As a minimal example I created this: | makeresults
| eval data=split("1;1,1;2,2;1,2;2",",")
| mvexpand data
| eval data=split(data,";")
| eval a=mvindex(data,0), b=mvindex(data,1)
| table a b
| dedup a I know that I can tremendously speed up the search if I use a template like so, using "| head 1" on each group of a: | makeresults
| append
[| makeresults
| eval data=split("1;1,1;2,2;1,2;2",",")
| mvexpand data
| eval data=split(data,";")
| eval a=mvindex(data,0), b=mvindex(data,1)
| table a b
| search a=1
| head 1
]
| append
[| makeresults
| eval data=split("1;1,1;2,2;1,2;2",",")
| mvexpand data
| eval data=split(data,";")
| eval a=mvindex(data,0), b=mvindex(data,1)
| table a b
| search a=2
| head 1
]
| search a=*
| table a b However, this way the search is no longer generic and I have to know what groups "a" can take (1,2 in this example) Question: Is there a way to increase performance on dedup while also keeping the search generic?
... View more
Labels
- Labels:
-
fields
11-01-2023
08:05 AM
While this is possible, there are a lot of b's in the real search and I am looking for a way to not have to write those out individually. - I would like a negative formulation if possible
... View more
11-01-2023
07:30 AM
Basically I have a search with a lot of fields, similar to this example: | makeresults
| eval aa1=1, aa2=2, aa1x=3, aa2x=4, b=5 from this I would basically like to keep everything except for aa* that does not contain the suffix x. I tried | fields -aa* aa*x as well as similar approaches, but they do not work: 1) either deleting all aa* (including aa*x) 2) not keeping b or 3)not deleting aa* at all. I would know how to solve this with regex: "aa.+(?<!x)$" as can be seen here: https://regex101.com/r/JfVHCJ/latest Is there any SPL equivalent?
... View more
Labels
- Labels:
-
fields
10-26-2023
02:35 AM
Yes I have seen this exactly. But is it possible to work around this in any way?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-12-2026
11:12 PM
|
Karma given to
