Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About dataisbeautiful
dataisbeautiful
Communicator
Member since:
10-25-2023
03-10-2025
Community Statistics
| Posts | 48 |
| Solutions | 4 |
| Karma Given | 9 |
| Karma Received | 12 |
| Member Since | 10-25-2023 |
Activity Feed
- Got Karma for Notepad++ SPL syntax highlighting. 03-16-2025 03:10 PM
- Karma Re: Append number by value to results for gcusello. 03-10-2025 08:06 AM
- Posted Re: Append number by value to results on Splunk Search. 03-10-2025 06:17 AM
- Karma Re: Append number by value to results for ITWhisperer. 03-10-2025 06:16 AM
- Posted Re: Append number by value to results on Splunk Search. 03-10-2025 02:52 AM
- Posted Re: Append number by value to results on Splunk Search. 03-10-2025 02:38 AM
- Posted Append number by value to results on Splunk Search. 03-10-2025 02:05 AM
- Posted Re: Append lookup to results with where clause on Splunk Search. 02-28-2025 12:36 AM
- Posted Re: Append lookup to results with where clause on Splunk Search. 02-24-2025 09:10 AM
- Posted Append lookup to results with where clause on Splunk Search. 02-24-2025 07:03 AM
- Posted Re: search by Http code 500 is not working on Splunk Search. 02-11-2025 07:43 AM
- Posted Re: search by Http code 500 is not working on Splunk Search. 02-11-2025 01:05 AM
- Got Karma for Re: Splunk dataset for download. 02-10-2025 10:31 AM
- Posted Re: search by Http code 500 is not working on Splunk Search. 02-10-2025 05:34 AM
- Posted Re: Dashboard studio -Error while updating auto refresh value. [Error: Visualization is not present in lay on Dashboards & Visualizations. 02-10-2025 02:38 AM
- Posted Re: search by Http code 500 is not working on Splunk Search. 02-10-2025 01:32 AM
- Posted Re: Splunk dataset for download on Getting Data In. 02-10-2025 12:42 AM
- Posted Re: How to Re Run a schedule search when it is Failed on Reporting. 02-10-2025 12:26 AM
- Posted Re: Dashboard studio -Error while updating auto refresh value. [Error: Visualization is not present in lay on Dashboards & Visualizations. 02-10-2025 12:19 AM
- Posted Re: WIndows Events get \x00\ in agent Splunk Forwarder on Getting Data In. 02-10-2025 12:16 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 2 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
03-10-2025
06:17 AM
@ITWhisperer That's exactly what I was after, thank you. Thanks also @gcusello @meetmshah
... View more
03-10-2025
02:52 AM
Hi @gcusello Thanks for your suggestion, I've run this index=transactionlog sourcetype=transaction earliest=-1h@h latest=@h
| eval counter=1
| accum counter AS ID
| fields - counter
| table _time Item Count ID It gives the output _time Item Count ID ... Apple 8 1 ... Banana 2 2 ... Apple 5 3 ... Coconut 1 4 ... Banana 2 5 This isn't what I'm after as Apple doesn't have a single ID now. I'd like a single ID per unique value of Item, not a row counter ID. Hope that makes sence.
... View more
03-10-2025
02:38 AM
@gcuselloI've updated my post with the base search and raw data @meetmshahthe ID is not in the raw data, it is something I am adding only at time of search I'm not interested in maintaining an ID between times, it's going to be used in a visualisation on a deashboard.
... View more
03-10-2025
02:05 AM
Hi Splunkers I'm looking for a way to append a column with an ID based on the value of another field. Base search gives this index=transactionlog sourcetype=transaction earliest=-1h@h latest=@h
| table _time Item Count datetime=2025-03-10T08:59:59 Item=Apple Count=8
datetime=2025-03-10T08:59:45 Item=Banana Count=2
datetime=2025-03-10T08:58:39 Item=Apple Count=5
datetime=2025-03-10T08:58:25 Item=Coconut Count=1
datetime=2025-03-10T08:57:36 Item=Banana Count=2 _time Item Count ... Apple 8 ... Banana 2 ... Apple 5 ... Coconut 1 ... Banana 2 I'd like something that gives this _time Item Count ID ... Apple 8 1 ... Banana 2 2 ... Apple 5 1 ... Coconut 1 3 ... Banana 2 2 The ID is local, based only on the results. Each unique item is numbered. I've tried streamstats count but this doesn't give the desired results. Thanks all
... View more
02-28-2025
12:36 AM
I figured it out | lookup batch.csv OUTPUT startTime finishTime
| eval startTime = max(mvmap(startTime, if(startTime <= _time, startTime, null())))
| eval finishTime = min(mvmap(finishTime, if(finishTime >= _time, finishTime, null())))
| lookup batch.csv startTime finishTime OUTPUT batchID
... View more
02-24-2025
09:10 AM
Hi @livehybrid thanks for the links. I'll add more details about the batches. They can be 1min in length to several hours. They are not regular in length unfortunately, it depends on the process and numbers etc. There may be several batches in a day too, up to 50 on some days. Looking at: https://docs.splunk.com/Documentation/Splunk/9.4.0/Knowledge/Defineatime-basedlookupinSplunkWeb If we pre-set a lookahear time, this could be too short and not give an ID or too big and give mutiple IDs? Looking at: https://community.splunk.com/t5/Splunk-Search/How-to-configure-a-time-based-lookup-Temporal-lookup/m-p/367273 I can do a search for a single result using | inputlookup and | addinfo, that works fine. It's doing this on a FOR loop for each result that I'm stuck with. I've tried this, but feels very inefficient Add a column with just the date Lookup all ID for the date Use mvexpand to split multiple IDs into single events Lookup for start and finish times for id Where to filter on _time between start and finish
... View more
02-24-2025
07:03 AM
Hi all I am trying to append data to results based on a file. Example temperature and pressure are stored at 1 sample per minute all the time. The times when a batch was in production is logged in a look up file. Batch IDs are generated and stored after logging of sensor values to Splunk. Base search: index=ndx sourcetype=srctp (sensor=temperature OR sensor=pressure) earliest=-1d@d latest=@d
| table _time sensor value Result: _time sensor value ... temperature 75 ... pressure 100 Look up file has 3 columns, the start and finish time for a batch and the ID startTime finishTime batchID ... ... b1 ... ... b2 ... ... b3 For each row in the result table of the base search, I want to append the batch ID to give _time sensor value batchID ... temperature 75 b2 ... pressure 100 b2 I have tried with | lookup batch.csv _time >= startTime, _time <= finishTime OUTPUTNEW batchID The lookup needs to find a batch where the value of _time >= startTime AND _time<=finishTime I can't see anything for lookup that works with this sort of conditions. Only where fields are a direct match. Any ideas would be appreciated, thanks in advance.
... View more
Labels
- Labels:
-
lookup
02-11-2025
07:43 AM
Not seeing the fields will stop your filter from working, but why is the question.
... View more
02-11-2025
01:05 AM
@BalajiRaju When wrapping your query in quotes, do you escape the ones contained inside? For example query=" index=\"name\" "
... View more
02-10-2025
05:34 AM
If the search without the filter returns all the data, then the filter is removing too much. When running in the Python are the data types being changed? In Splunk the httpcode might be an integer but Python sees it as a string? Can you validate the data from the Python to confirm the value of httpcode is what you're expecting?
... View more
02-10-2025
02:38 AM
Looks like you have some elements which are only partically removed from the code. Elements are defined in one array and the layout is in another array. You'll need to remove the erroneous references to continue. This error isn't about the refresh, but the dashboard code not being valid. Clone the dashboard, or make a back up Note down the element IDs Open code view Use Find (CTRL-F, or your browser/OS shortcut) and enter each ID Remove all instances of the ID, careful not to delete other bits of code Post again when you've cleared out the errrored elements.
... View more
02-10-2025
01:32 AM
If you remove | search httpcode=500 from the python, does it return all the data as expected from the parent index?
... View more
02-10-2025
12:42 AM
1 Karma
Hi @splunk_user_99 You can get network/log data from Team Red/Blue exercises "Boss of the SOC" found at https://github.com/splunk/securitydatasets These come in Splunk ready format for you to add into your instance and work on.
... View more
02-10-2025
12:26 AM
Hi @harishsplunk7 I can't see that as an option so I don't think so. You could add an action to email you if the search fails so you can investigate.
... View more
02-10-2025
12:19 AM
Hi @sekarjegan93 When you add a visualisation, it's given an auto generated name such as "viz_XQInZkvE". The code snippet you shared does not include an element ID. Did you change the name of this element in the code? Maybe you deleted that element? Are you trying to refresh a single visualusation or the whole dashboard?
... View more
02-10-2025
12:16 AM
Hi @zksvc Looks like a binary file was read there. Have you followed the steps here https://docs.splunk.com/Documentation/Splunk/9.4.0/Data/MonitorWindowseventlogdata ?
... View more
02-10-2025
12:12 AM
hi @BalajiRaju Can you provide the base search you're using in Splunk and the Python code for us to see?
... View more
02-05-2025
12:39 AM
1 Karma
Unfortunately there's no way right now to do this. Seems to be a feature.
... View more
02-05-2025
12:29 AM
hi @z_diddy There doesn't seem to be a way to remove this dot. Even looking through the source code documentation there are no properties for it https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/DashStudio/dashDef There doesn't seem to be a constant CSS class either to override styles with. Perhaps you could suggest styling this dot at https://ideas.splunk.com/
... View more
10-21-2024
01:17 AM
1 Karma
I've been in touch with support, this is a known issue and there's no plan to fix. There is a workaround that can be used: | map [search index=_internal [| makeresults | eval earliest=$earliest$, latest=$latest$ | return earliest, latest] It's a bit longer and needs another subsearch, but can be easier than escaping everything. Thanks everyone for their input @PickleRick @richgalloway
... View more
09-02-2024
07:10 AM
2 Karma
Hi All I did a look around for a syntax definition for SPL in Notepad++ and didn't find one. Attached is my attempt. Feel free to use. if you have any suggestions, changes etc then post a reply. Thanks everyone
... View more
08-01-2024
08:03 AM
Some more digging, this seems to be the same issue: https://community.splunk.com/t5/Splunk-Search/Having-a-problem-substituting-value-for-earliest-in-a-map/m-p/33122
... View more
07-31-2024
07:58 AM
Agreed @PickleRick I've just done a test and epoch times work just fine with earliest and latest in a search. The formatting seems to be a red herring here.
... View more
07-31-2024
07:15 AM
Hmm, the documentation says map can use a subsearch 3. Use the map command with a subsearch For complex ad hoc searches, use a subsearch for your map search https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map#Basic_examples
... View more
07-31-2024
06:45 AM
Hi @richgalloway Thanks for the tip, I've updated my query index=event sourcetype=eventdat
| where like(details,"..."))
| eval earliest=strftime(floor(_time), "%m/%d/%Y:%H:%M:%S"), latest=strftime(ceil(_time+2), "%m/%d/%Y:%H:%M:%S")
| table _time details earliest latest
| map
[ search index=sys_stats sourcetype=statdat device="..." earliest=$earliest$ latest=$latest$
| stats count as counter
| eval details=$details$, earliest="$earliest$", latest="$latest$"
| table _time details counter earliest latest] maxsearches=10 It's still throwing the error Invalid value "$earliest$" for time term 'earliest'
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-10-2025
09:50 AM
|
Karma from
Karma given to
