Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About manas
manas
Explorer
Member since:
01-24-2024
04-06-2026
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 01-24-2024 |
Activity Feed
- Posted Re: pars out dynamic number of request and response from a field on Splunk Search. 04-06-2026 10:17 PM
- Posted pars out dynamic number of request and response from a field on Splunk Search. 04-06-2026 09:49 PM
- Karma Re: Time comparison - Relative and Explict for ITWhisperer. 11-05-2025 09:30 AM
- Posted Re: Time comparison - Relative and Explict on Dashboards & Visualizations. 11-05-2025 07:08 AM
- Posted Time comparison - Relative and Explict on Dashboards & Visualizations. 11-04-2025 10:07 PM
- Posted Re: Is there a upper limit to dashboard dropdown value fetch from lookup file on Splunk Search. 02-05-2024 02:21 PM
- Posted Is there a upper limit to dashboard dropdown value fetch from lookup file on Splunk Search. 02-05-2024 02:12 PM
- Posted Re: Time difference between 2 events on Other Usage. 01-25-2024 09:00 AM
- Karma Re: Time difference between 2 events for richgalloway. 01-25-2024 08:59 AM
- Posted Time difference between 2 events on Other Usage. 01-24-2024 12:28 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-06-2026
10:17 PM
This is how it looks in the log event : 2026-04-06 XX:XX:XX.XXX, ID="<RECORD_ID>", DateCreated="2026-04-06 XX:XX:XX.XXX", ContactId="<CONTACT_ID>", DNIS="<TFN>", ANI="<CALLER_NUMBER>", ApiLogs="[ {\"request\":\"APINAME1\",\"statusCode\":\"200\"}, {\"request\":\"APINAME2\",\"statusCode\":\"200\"}, {\"request\":\"APINAME3\",\"statusCode\":\"200\"} ]" This is how current query looks : index=XXXX source=XXXX sourcetype=XXXX | rex field=_raw "ContactId=\"(?<ContactId>[^\"]+)\"" | rex field=_raw "DNIS=\"(?<DNIS>[^\"]+)\"" | rex field=_raw "ANI=\"(?<ANI>[^\"]+)\"" | rex field=_raw "ApiLogs=\"(?<ApiLogs>\[.*?\])\"" | eval ApiLogs=replace(ApiLogs, "\\\"", "\"") | spath input=ApiLogs path={} output=api_array | mvexpand api_array | spath input=api_array path=request output=request | spath input=api_array path=statusCode output=statusCode | streamstats count AS api_index BY ContactId | eval request_1=if(api_index==1, request, null()) | eval statusCode_1=if(api_index==1, statusCode, null()) | eval request_2=if(api_index==2, request, null()) | eval statusCode_2=if(api_index==2, statusCode, null()) | eval request_3=if(api_index==3, request, null()) | eval statusCode_3=if(api_index==3, statusCode, null()) | stats first(request_1) as request_1 first(statusCode_1) as statusCode_1 first(request_2) as request_2 first(statusCode_2) as statusCode_2 first(request_3) as request_3 first(statusCode_3) as statusCode_3 first(DNIS) as DNIS first(ANI) as ANI by ContactId | table ContactId, ApiLogs, request_1, statusCode_1, request_2 ,statusCode_2, request_3, statusCode_3 Want to make query dynamic so that it can fetch for each contactID every pair of request and response as separate field from the APIlogs field
... View more
04-06-2026
09:49 PM
Capture in a field from log message and it is in below format : [{"request":"ID1","statusCode":"200"},{"request":"ID2","statusCode":"200"},{"request":"ID3","statusCode":"404"},{"request":"ID4","statusCode":"503"},{"request":"ID5","statusCode":"200"}] The field captures all the request made and response received for a specific event and the number of request and response can be dynamic . Is there a way to capture following where it captures dynamically as many request response values occur for a specific eventID : eventID , field ,request1 ,response1 ,request2,response 2
... View more
Labels
- Labels:
-
field extraction
11-05-2025
07:08 AM
This works . Thanks . I have multiple time pickers in dashboard as it's a comparison dashboard as given each widget has it's own time picker ,it works regardless.
... View more
11-04-2025
10:07 PM
I have a field which gives when a particular event started. Depending on time period selected in dashboard , i want to fetch all records past that time period selected in time picker input of the dashboard. Problem is if time input is relative like "today" /"Yesterday" choice 1 below works and i get results. When time selected as input is explicit like "10/02/2025" ,choice 2 works and i get results. Relative time logic : |where timestamp2 >= relative_time(now(), "$field1.earliest$") Explicit time logic : |where timestamp2 >= tonumber("$field1.earliest$") How to enhance this ,so that irrespective of input ,will get results. Something like below does not work : | eval earliest_time=if(isnum("$field1.earliest$"), tonumber("$field1.earliest$"), relative_time(now(), "$field1.earliest$")) | where timestamp2 >= earliest_time
... View more
Labels
- Labels:
-
Classic dashboard
02-05-2024
02:21 PM
Or is it possible that issue is related to same lookup file being referenced for next input dropdown subsequently causing issue.
... View more
02-05-2024
02:12 PM
I have a lookup file . It has 2 columns : Service and Entity and 500+ rows. Service has 34 unique values and Entity has 164.
I have a dashboard where for search i want to use values from this lookup as input to search criteria. I have following logic .I get the dropdown values for "service" without any issues but not for "entity" when it's same lookup file ,same logic.
Any ideas ?
Snippet :
<input type="dropdown" token="Service" searchWhenChanged="true">
<label>Service</label>
<search>
<query>
|inputlookup metadata.csv | dedup service
| stats dc(service) by service
</query>
</search>
<choice value="*">*</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
<input type="dropdown" token="Entity" searchWhenChanged="true">
<label>Entity</label>
<search>
<query>
|inputlookup metadata.csv | dedup entity
| stats dc(entity) by entity
</query>
</search>
<choice value="*">*</choice>
<default>*</default>
<initialValue>*</initialValue>
</input>
... View more
Labels
- Labels:
-
lookup
01-24-2024
12:28 PM
I have 2 events : Event 1 : Timestamp A UserID:ABC startevent Event 2: Timestamp B ID:ABC endevent I want to find time difference between start event and end event . In first event field is named "UserID" and in second event field is named "ID" .These two fields holds the value of the user for which start and subsequent end event is generated. How can i get time difference here ? To use transaction i need a shared field .When i use transaction like below: | transaction userId startswith=(event="startevent") endswith=("endevent") maxevents=2 , i get very few results .
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-06-2026
09:43 PM
|
