About Lamar

Lamar · ‎06-27-2013

Additionally, if you're using a Saved Search, include the search as well. Thanks.

Lamar · ‎06-27-2013

Sorry, I don't see the HiddenSearch or HiddenSavedSearch that's driving the GoogleMaps module. Please include all of your code. Thank you.

Lamar · ‎06-27-2013

First things first, please include your actual code with your question. It will help tons, it could be as simple as you having a misspelled word or parameter (not likely, but it could be). I'll be glad to help once you provide that.

Lamar · ‎04-16-2013

Joe, Try using this: | tstats prestats=t count as count FROM my_ns groupby field1,field2,field3,_time | timechart avg(field1) as field1_avg by field2

Lamar · ‎09-25-2012

Try this: index=_internal source=*metrics.log group="per_index_thruput" | rex field=series "^(?<good>[a-z_]{2})$" | search good=*

Lamar · ‎08-02-2012

No problem, remember to flag this as your answer so that the next group of folks that run into this issue can easily figure out what to do. Take care.

Lamar · ‎08-01-2012

I would be curious why you decided to segment this data off from your syslog data. Again, just curious.

Lamar · ‎08-01-2012

Yeah, you'll probably want to enable this index 'baseline_search' to be searched by default by your user/role. http://docs.splunk.com/Documentation/Splunk/4.3.3/Admin/Addandeditroles In particular, these two parameters: srchIndexesDefault srchIndexesAllowed

Lamar · ‎07-31-2012

I would first, clean up your input for the processed files. There are a few issues with it -- First, the monitoring stanza won't pick up the data since the directory that you're monitoring is invalid (/data/logs) Additionally, I would define the fourth segment in your monitor. Lastly, I wouldn't put spaces in my sourcetype as Splunk doesn't respond well to spaces in sourcetypes. Fixes Below: [monitor:///data/splunk/rrsearch/*/] disabled = false index = baseline_search whitelist = .+processed.+gz$ sourcetype = Baseline_Search host_segment = 4 That should get you a little closer to where you want to be. Hope it helps.

Lamar · ‎07-12-2012

Very slick Ayn.

Lamar · ‎07-12-2012

It would because you're inspecting the raw events as opposed to the metadata of your events. The way that both Ayn and myself shows is just for practical timing purposes. Help us understand what problem you're trying to solve and we may be able to find a better way.

Lamar · ‎07-12-2012

If you're wanting to get the actual indexed 'event', that will be how you do it. If you just want to know when the last event occurred for a source you could do this: | metadata type=sources | search source="*prefix*" | convert ctime(lastTime) as timestamp | sort - lastTime

Lamar · ‎07-12-2012

Without being able to see your 'actual' input configuration I'll take a guess and say that you've got to make sure you're searching on index=baseline_search unless you've set your default indexes to include that one. Include your inputs.conf and we may be able to get a bit further.

Lamar · ‎07-12-2012

The module you're trying to use is an Advanced XML module. Therefore you'll need to write your dashboard in Advanced XML. The other stuff you've written ( dashboard and label ) is simple XML.

Lamar · ‎06-27-2012

Yeah, time_before_close may help some. But, if you don't have a meaningful timespan in which the [Times] occurs it will be hard to get that timing (read: parameter) right. I don't think it's a good idea to simply open it up to a largish number.

Lamar · ‎06-27-2012

Take a look at the "UseHistory" parameter. That may help you answer your question. Play around with it and see what works. It defaults to Auto, which means it looks for a cached version of your search first, if it finds one it uses it. If it doesn't then it will re-queue another search for you. http://docs.splunk.com/Documentation/Splunk/4.3.3/Developer/ModuleReference#HiddenSavedSearch I don't think there's really an elegant way to deal with this, but you could just truncate your dispatch directory for this saved search and then refresh your dashboard. Also, keep in mind that if you 'run' your search again from the Manager to have it queue up new results, ensure you've given it enough time to complete. Hope that helps.

Lamar · ‎06-27-2012

How long is the pause between writes to disk?

Lamar · ‎06-27-2012

Nik, I'm curious why you're not just sourcetyping these...ie: In props.conf. [source::.../XManager/.../GenericService.log] sourcetype = XManager [source::.../XTrader/.../GenericService.log] sourcetype = XTrader [source::.../XInterface/.../GenericService.log] sourcetype = XInterface That way, when you search on them you just type: sourcetype = XManager <rest of your search> You will get all of the files (regardless of which version they are) that have XManager in the directory structure and end with the filename of GenericService.log. Hope that helps.

Lamar · ‎06-20-2012

I didn't expect that it would. Like I said, transaction is very expensive to run.

Lamar · ‎06-19-2012

Is it possible to convert those binary bits to ascii before Splunk indexes it? If so, that would be the route I would go.

Lamar · ‎06-19-2012

Laura, You might be able to achieve that like this: ...<search>... startdaysago=7 | stats count by date_hour, date_wday This should return something like this: count date_hour date_wday 231445 15 monday 3343233 16 monday

Lamar · ‎06-19-2012

Try this: ...<your data search> | eval Type=if(RecLoc="Mumbai Corp", "LOCAL", "External") | stats count as Count by CusName, RecName, RecLoc | fields CustID, CusName, RecName, Count, RecLoc, Type Let me know if that gets you close.

Lamar · ‎06-18-2012

That's not an integer though. There are integers in that string you're creating, it might look something like this: 2012-10-10 10:10:10.100 What you want to feed it is an integer. try using: | convert ctime (ADate) as Initialtime ... That will be the epoch conversion of that date-time, which will be an integer that the start keyword is expecting. And if it's already epoch, just pass it over to start.

Lamar · ‎06-15-2012

It's expecting an integer there, not a string. Are you stringifying your variable by double-quoting the value?

Lamar · ‎06-15-2012

Sorry Laura, how is it not working? Is the view not rendering or are your radio buttons not getting rendered correctly?

Posts	117
Solutions	14
Karma Given	2
Karma Received	32
Member Since	‎04-23-2010

Online Status	Offline
Date Last Visited	‎06-05-2020 02:02 AM

Re: Google Map not working in custom dashboard

Re: Google Map not working in custom dashboard

Re: Google Map not working in custom dashboard

Re: tstat and timechart

Re: Search _internal by Series

Re: Good Data Input .. No Indexing

Re: Good Data Input .. No Indexing

Re: Good Data Input .. No Indexing

Re: Good Data Input .. No Indexing

Re: Most recent event from each source?

Re: Most recent event from each source?

Re: Most recent event from each source?

Re: Good Data Input .. No Indexing

Re: refreshing the dashboard view of a saved searc...

Re: How can I force correct separation of events?

Re: refreshing the dashboard view of a saved searc...

Re: How can I force correct separation of events?

Re: Capturing logs using regex

Re: Reducing Time taken for Search in splunk query

Re: Splunk parsing issue

Re: Table : multi fields

Re: Parsing a Log File

Re: Use variable on bucketing option

Re: Use variable on bucketing option

Re: SearchRadioLister in a view

Are you a member of the Splunk Community?